What are Identity Providers?
By Said El Hachemy
September 10, 2021
For every service that people use in their daily lives, being identified as a legitimate user is a must to have access to the service. To identify a user, businesses use a set of credentials such as username/password, email, phone number, PIN code, and others. However, most businesses leave the identification and authentication of their users to platforms that offer those specific services. These platforms provide users with credentials to identify them every time they access the service. In this article, we delve into the definition of Identity Providers (IdPs), the technologies used to manage users’ credentials, and how IdPs can control user privacy.
What is an Identity Provider?
As mentioned before, Identity Providers or IdPs are businesses that assign to each user a unique set of credentials. Examples of websites that offer IdP services are Google, Apple, Facebook, AWS, Okta, humanID, among many others. These businesses provide an identity to each of their users, or to the users of the business to whom they are offering their services. On top of that, they also offer secure authentication services. This type of IdP is called Social Identity Providers because they are mainly used for users on the internet who have no affiliation to any company in particular. In addition, some of these businesses allow users to keep the same, consistent identity across multiple websites and services.
Another type of IdPs are systems that help manage correspondence between users and their credentials. Some of these systems are often used in work-related environments to manage businesses’ employees, which is why they are called Enterprise Identity Providers. These systems also keep track of access to resources and help change user privileges. Among these systems are Active Directory (AD), Lightweight Directory Access Protocol (LDAP), Active Directory Federation Services (ADFS), and others.
Apart from these two types of IdPs, there exists a third one called Legal Identity Providers. Although it is not a commonly seen type, it concerns sensitive information about users’ banking credentials, such as Danish NemID, Dutch DigiD, etc.
How Do IdPs Work?
Upon entering their credentials, users’ information passes through three main steps :
- The authentication request: The device/user requests to be authenticated and granted access to a certain service. The IdP receives the request which contains the user’s credentials and passes to the next step.
- The authentication: The IdP checks whether a user’s credentials have a match in their database. To exchange user identity between the IdP and the services in question, the system mostly uses Security Assertion Markup Language (SAML) or the OpenID connect protocol.
- The authorization: In case of successful authentication, the user is granted access to the website or the requested resources. In work environments, each user, aside from the administrator, has limited privileges concerning granting and revoking privileges to other users, modifying employees’ credentials, etc.
Risks with Identity Providers
For enterprise-based IdPs, the biggest risk is the fact that the credentials are stored in the business’s server. Once a hacker gains access to the server, it’s only a matter of time before they cause a data leak. Hence, there is a need for IdPs or platforms that overcome that problem. For example, platforms that count on stored hashed credentials instead of stored raw credentials, such as humanID. Hashing essentially is transforming an input string into a string of random characters. The advantage of hashing is its irreversibility, which means that the input string cannot be deduced from the resulting string. Thus protecting user information even in case of a data leak. Another risk is the fact that relying on IdPs means sharing user data with a third party and leaving control over the data to that IdP.
An identity provider’s robustness is the capability to protect data from breaches, manage a large number of users without delays or errors, and keep track of the activities regarding resource access and use. Choosing a reliable and upright IdP is a major decision for any business.
Identity providers have become integrated into every service accessed through the internet, whether it be social media, health, education, banks, and more. As businesses know, the increasing numbers of users, management, and control over user credentials becomes more expensive and time-consuming. IdPs offer the possibility to mitigate that load off of businesses, which increases efficiency and security for those businesses. With the emergence of new IdPs and authentication platforms, there are always degrees of reliability and quality of service. Hence, there is a need for a choice that could satisfy all the needs, a choice that could manage, secure, and protect information confidentiality, such as humanID.