Use cases for federation and IdP
Usage of Identity Providers
In any case, strong authentication through using SecMaker's products will continue users to "don't talk to strangers". The main purpose of an Identity Prover (IdP) is to perform authentications as a service to federated applications such as Relying Party (RP) applications and web applications that need users to be identified.
A Relying Party trusts the authentication ticket from the Identity Provider and could for example be a web based order processing system, or a time reporting tool. When the applications are in federation with the Identity Provider they rely on trust with each other.
Usage of Identity Providers in the enterprise and private
Mainly there are two types of Identity Providers, the ones for corporate use and the ones better suited for private and social use. The enterprise type are mainly those who are used along with other system components in Identity and Access Management systems (IAM) but also well suited for personal use when it comes to online shopping and content that requires subscriptions.
As SAML is a language providing a good level of security and control it is better suited for corporations making their SSO logins more secure.
Example of a very common and familiar Identity Provider used in enterprise environments is Microsoft ADFS. As well we find Shibboleth Identity Provider which is an open source Java application built according to SAML specification.
Popular social networks applications offers often Identity Provider services, among those are Instagram, Google, Amazon and Facebook.
Identity Providers as part of enterprise access control systems
Within a corporation, there are a number of different resources involved in identity and access control. A user logs in, preferrably with a Multi Factor Authentication (MFA) solution such as SecMaker's products with PKI. These products are using a unique certificate issued by the Certificate Authority (CA) which is one top level component in terms of trust in a PKI-environment. The main component in any identity management infrastructure is the Identity Provider. Working along is the Single Sign On (SSO).
As the Identity Provider is the brain of all resources in the identity management system and it does additional intelligent tasks after helping the RP out with the authentication. It asks additional controls of the user towards systems keeping for example user credentials, attributes or access permissions to trusted systems or resources.
If a user leaves the company, or for any reason does not need the account anymore it should be removed. A deactivation of the user on the Identity Provider of the company is sufficient. It will prevent the user from accessing all of the remote applications once had.
Identity Provider in the cloud
Historically, Identity Providers have been implemented on-premise, and Microsoft ADFS has been one of the most important and common ones.
For a cloud infrastructure, whereas many web applications reside, there are user access authentication needs that are different from an enterprise setup. Moving the Identity Provider to the cloud it will instead take part being a Software as a Service (SaaS). Being able to serve a lot of users to connect to IT resurces an Identity Provider residing in the cloud must support a large number of protocols, among these SAML is obvious.
The classic scenario a user connecting to a service, in this case in the cloud, is the following:
- User attempts to connect to the service provider residing in the cloud, the Relying Party (RP)
- The cloud passes the connect request on to the Identity Provider, also in the cloud, for authentication
- The user inputs his personal authentication data
- The authentication data is verified by the Identity Provider and an authentication token is generated using SAML.
- The SAML authentication token is sent to the service provider in the cloud which checks the validity of the token
- If successful, the user is granted access
Especially a cloud service need to know exactly how and where it can get and verify a user's identity. It has to be tracked somewhere as it determines whether the user can access the data wanted, perhaps restricted and sensitive. A cloud Identity Provider is designed to take extra strong measures to protect and secure the user data from being stolen by attackers.
Identity Providers are essential in cloud environments. For Single Sign On (SSO) purposes the SSO service providers are checking the user identies with the Identity Providers once the users are to log in. When the check has been done, the SSO can verify user identities with other applications connected to the cloud.
For Identity Providers residing in the cloud it is of vital importance it is separated from the SSO. If SSO and Identity would be one and the same it is much more vulnerable for so called "man in the middle attacks" in which a hacker falsifies a SAML assertion allowing the attacker to gain access to an application.
Internet of Things and Identity Providers
In an Internet of Things (IoT) ecosystem the general architecture of the identity management part is composed of an Identity Provider, a Relying Party (RP) and the user.
Identity Providers are of course not limited to veryfying not only human users. Once connected to a network or a system, computers, servers and other devices can be authenticated by an Identity Provider as any other entity. Instead of being known to the Identity Provider as a "user" your online refrigerator or television set will be registered as a "principal".
There are also IoT setups where authentication and identity provision is performed by the classical IdP used for social networks, such as Facebook, Amazon and Google. It is a convenient way of setting up and administrate identity federation of IoT-devices using these services when not necessarily MFA is required.
Do you want to know more?
Don't hesitate to contact us so we can answer your questions.