Identity federation standards identify two operational roles in the identity and access management (IAM) and federated networks: the identity provider (IdP) and the service provider (SP). The IdP authenticates the user and provides the SP with the identity information that it requires to grant access to the services and resources that the user needs to do their job.
Identity federation allows both providers to define a trust relationship where the SP provides access to resources using identity information provided by the IdP.
When a user requests access to a resource:
The SP sends the user to the IdP for authentication.
The IdP prompts the user for authentication and verifies the user identity with user information such as usernames, passwords, biometric information, or passwords.
After the user has been authenticated by the IdP, a trusted authentication token (containing the information used to authenticate the user) is sent to the SP.
The SP checks for the verified user information and grants the user access to a resource.
An IdP is a federation partner, organization, or business responsible for managing a user's digital identity and provides identity authentication and verification services, also known as identity as a service (IDaaS). It can manage and verify various identity information, such as usernames, passwords, or biometric information, to vouch for the identity of a user to a relying application or SP.
When the federation protocol is OpenID Connect (OIDC), an IdP is also called an OpenID Provider (OP).
When a user requests access to a resource, the SP sends the user to the IdP for authentication. The IdP authenticates and checks the identity of the user against the identity information managed by the IdP. After the IdP validates the user's identity, it issues an authentication token that includes the user's information to verify the identity of the user to the SP.
An IdP securely manages your user identity information and authorizes users to access your organization's resources from a central location. When an IdP is used to oversee the management and verification of user identities, it frees the SP from this responsibility.
An SP is a federation partner, organization, or business that offers individuals or enterprises access to application resources, such as software as a service (SaaS) applications, for work-related or personal purposes. Some federation protocols use different terms for the service provider role, such as relying party (RP) or consumer.
The role of the SP is to consume the trusted authentication token assertion sent by the IdP. SPs don't authenticate users, and they rely on the IdP to verify the identity of a user. After the SP receives the token, it checks for the verified user information and then creates an application session for the user.
The SP offers a service for an enterprise or individual wanting to simplify client access to its services and resources, freeing the organization from the responsibility of providing access to these services.
Related Resources
Start Today
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
Request a FREE Demo