What is an Identity Provider

28 Dec What is an Identity Provider

… And what can it do for you?

In my series of looking at fundamental things in Identity and Access Management I thought it would be a high time to explain what an Identity Provider (IdP) is. An IdP is an essential piece of technology to any organization that has deployed more than a single online application, or has more than a few hundred users, or wishes to let their visitors use their existing identities making registration and eventual transactions easier and thus increasing revenue.

I have to start this with an analogy. Imagine a Saturday morning and you’ve just finished your breakfast with you family. Your wife looks at you with a smiling face and says “Honey – Remember, today you promised to take me to IKEA so that we can finally start furbishing your home office room”. Now if you are a guy like me, you can picture the rest of the weekend being spent with JASKA office set slowly assembling it piece-by-piece. Gruesome, laborious and on quite many occasions frustrating. But at the same time you are excited because you get your home office set up, and you can finally work from home and be more efficient (unless you have twin daughters running around the house like I had when they were younger).

The IKEA assembling phase is equivalent to creating an authentication solution for your application in-house. Except you don’t go for the JASKA set (top-of-the-line), but the most basic and most simple setup – SITTA (Swedish, means to sit) and BORD (Swedish, means a desk) that are fairly simple to assemble, ugly, not really sturdy, and make longer working periods than 30 minutes excruciating. Would you want that to your customers?

An Identity Provider is piece of technology that is equivalent to an Italian or Finnish designed, handmade, indestructible, beautiful and functional furniture. You do not have worry about spending weeks on getting the authentication deployed properly for your applications. You can integrate 3^rd party identities through simple configuration. You can protect your resources properly with appropriate authentication – capturing visitors and letting them register easily with e.g. social identities, but requiring stronger authentication for confidential resources.

How?

Your applications are built on top of application servers such as Sharepoint, Life-Ray, JBoss, EpiServer, Apache Tomcat etc. Most, if not all, have a built-in ability to accept standards based identity information from external source – you do not have to build the identity and authentication logistics to each of your application separately. These standards include SAML, WS-Federation, OpenID, OpenID Connect, OAuth etc. This means that the application can safely rely on external information about the identity of the user.

A proper Identity Provider can connect to all of these applications by supporting these standards. It can serve as the assembly point of identities that the applications require, and instead of the IKEA way of assembly, the identity provider does this automatically according to the policies. Through centralized authorization control the IdP can provide the applications the spy-movie type of information “need to know basis” – which corresponds to the idea “Privacy By Design” and e.g. with the new European regulation; General Data Protection Regulation or GDPR.

This same Identity Provider can also link to external identity sources throught the same standard protocols, and more. This allows the applications to leverage social identities, 3^rd party strong identities such as bank IDs, government eIDs, mobile network operator issued identities as part of their authentication options, making registration much more fluent, smoother and quicker. The high (cart) abandonment rate of 60+% can be easily reduced by allowing the visitors use something that they already have. The return rate will improve for the same reason.

On top of authentication the Identity Provider will offer another advantage – Single Sign-On (SSO). If all of your applications are connected to the Identity Provider your users can enjoy seamless transition from one application to another. They do not have to login again as long as they don’t try to access resources that e.g. social media based identities shouldn’t. If this happens, the identity provider triggers a so called step-up authentication process and invokes a flow that verifies the user identity with stronger authentication.

Why?

Additional complexities will create overhead, risk and a negative customer experiences

Do you like assembling IKEA furniture? If you’re like me and among the 99,999% of the population on earth – you dislike it. So why would you like to do that when deploying online services? Not only will it be more difficult in the beginning to develop authentication and identity management functions to each of your application separately, bit it will also create a huge burden for your IT organization in the future. If you use an external consultancy to help build these separate silos you can imagine a situation where you have a 15 pieces of IKEA furniture assembled in a wrong way and the instructions are lost, no spare parts are available as the Blue&Yellow company has stopped manufacturing this particular set.

For your applications and for your company the identity provider can be helpful in many ways. It reduces complexities in your online service environment, allows applications to use appropriate authentication methods, delivers authorization information for the services that can then determine what the user is actually allowed to do, helps in conversion and retention, improves customer experience and satisfaction. A proper Identity and Access Management solution for external users will increase your revenue and the core component of that solution is an identity provider.

Contact us now to hear more.

By Petteri Ihalainen