In short, Identity Brokers allow Service Providers to offer a selection of Identity Providers (authentication methods) to their customers via a single integration. An Identity Broker is an intermediary proxy service that connects multiple Service Providers (SPs) with multiple Identity Providers (IdPs). It offers a one-stop shop for SPs to integrate several authentication methods to their service(s).

The main benefit of using an Identity Broker is that SPs only need to integrate and manage a single integration and contract to be able to leverage numerous authentication methods for their users.

Without an Identity Broker, the SP needs to do this several times over, which would be complex and time-consuming. So complex and time-consuming, in fact, that many SPs simply wouldn’t attempt it – meaning they are far more limited in what authentication methods they will offer. However, offering more authentication methods is a huge customer experience and security win, as it makes it more likely for a user to be able to re-use an identity they have already created, without having to create another set of login credentials.

Within Europe, particularly in the Nordics, banks are the predominant IdPs. For example, Swedish banking customers can log into several third-party services with their BankID. And in some countries like Estonia, governments are very progressive in issuing digital identities. In some countries, it is the telcos and, in others – like Finland, it is a mix of these. Identity Brokering services solve the complexity involved in the usage of these different eIDs.

Reusable Identity

Examples of strong identities available in Europe

Regulatory context for European Identity Brokers

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation aimed at harmonising the cross-border authentication of citizens and increasing transparency. The EU achieves this by requiring member states to create a common framework that recognises eIDs from other member states, and ensures their authenticity and security. For transparency, eIDAS aims to provide an easily accessible list of trusted services that may be used within the centralised signing framework.

Typically, Identity Brokers offer strong customer authentication methods, where the identity has been pre-verified to a standard of Know Your Customer (KYC). Thus, the traditional username and password, or social media IdPs (such as Google, Facebook, LinkedIn, Twitter etc.) might not be included in the concept.

As an example, in Finland, there is a law that requires private sector SPs to use the Finnish Trust Network (FTN, ”Luottamusverkosto”) service to provide strong authentication methods (including bank and telco IDs). The FTN consists of IdPs and IdP Proxy operators (Identity Brokers). For public sector services, there is an identity broker service called Suomi.fi.

Components of the Finnish Trust Network

Components of the Finnish Trust Network

Example of an Identity Broker

Generally speaking, Finland is quite a unique country in the sense that it has 13 commercial IdPs and one governmental IdP through which you can get a strong digital identity. The 13 commercial IdPs include 10 banks and 3 mobile operators. The government IdP provides an eID that citizens can utilise with their ID cards. SPs can reach all these different IdPs via an Identity Brokering service.

For example, in Finland, the Telia Identification Broker Service (TIBS) is one such service from incumbent Telco, Telia Company. TIBS is an identity proxy service that does not store users’ SSN (Social Security Number) or other identity attributes. It only relays the necessary information between the eID vendors (IdPs) and the online services (SPs).

It solves several issues related to applying a strong digital identity, with several benefits such as:

  • Only one commercial contract – saving costs compared to setting up several contracts with each IdP
  • Only one technical integration – less complicated and saves time for developers
  • Solves lifecycle management issues when there are changes in the different IdP APIs at different times – much simpler to manage, as there’s no need for a separate IdP level project to fix issues related to changes
  • SP can reach almost the whole Finnish population with one contract

Provided by Identity Broker Service

Typical authentication method selection dialogue for strong identities provided by identity broker service.

How to leverage Identity Brokering for your organisation

Reliable, trustworthy, strong customer authentication is required not only by regulation, but also as a customer experience and security driver for all sectors of business and government services – including B2B, B2C, G2B, G2C etc. A good example of this is physical shops which increasingly require an online presence. This increases the need for robust authentication services where not only the citizens of that particular country, but also customers from different countries, can access the online service and purchase products.

For this purpose, service providers need to be able to integrate seamlessly with different Identity Broker services. For this, the best option is to use an advanced Customer Identity and Access Management (CIAM) system, such as Ubisecure’s Identity Platform, that allows communication between the different IdPs and your services.

Identity brokering services can also be built on a CIAM system. In the above example, Telia Company hosts its Identity Broker service on Ubisecure’s Identity Platform – European built and focused CIAM software. This allows Telia to buy ID transactions from all the legal eID vendors in Finland and combine them into one service. Find out more about why and how Telia Company built its identity brokering service in this case study.

For operators providing identity proxy services such as FTN and others, Ubisecure’s Identity Platform offers an ideal platform to federate all the required IdPs to offer strong digital identities and authentication methods.

To take advantage of the numerous opportunities that identity brokering offers, either by integrating an existing service, or by becoming an identity broker, get in touch with Ubisecure.