An IdP (Identity Provider) is a trusted third-party company that creates and manages a person's or organisation's user identity and its associated identity attributes. With the user's consent, an IdP offers authentication services to third-party service providers (such as websites, apps or other digital services): it federates the identity and authenticates the end-user to the service provider using the identity the IdP manages, without ever sharing the actual login details.
This is commonly referred to as BYOI, or Bring Your Own Identity.
IdPs manage identities of varying verification strength and with varying identity attributes, and may include:
- Social networks – e.g. Facebook, Google, LinkedIn, VK, Twitter
- Banks – e.g. Swedish Bank ID, Norway Bank ID, Danish NemID, Canadian Verified.me
- Mobile network operators – e.g. GSMA Mobile Connect
- Governments – e.g. regional eID & eIDAS
- Digital Identity Providers – e.g. Yoti, GlobalID, Verimi, ID4me
For example, you've probably seen a 'Sign up with Facebook' option when registering for a service. In that case Facebook is the identity provider (more precisely, a social identity provider). With the user's consent, Facebook asserts to the service provider that you have a Facebook social identity and passes on the attributes you approve for a social registration, so you don't need to create another identity for the new service.
As a service provider, the alternative to using an IdP is to require users to create a new digital identity for your service, asking them to input their personal data and create a new set of account credentials.
Now let’s look at why you would use an IdP, why you might use more than one identity provider, and how to connect an identity provider to your service (made much simpler via a Customer IAM solution).
The customer experience benefits of using a federated identity provider
Give your customers the freedom to choose which identity to use for registration, authentication and access that best suits their usability, security and privacy needs.
Building in the ability for customers to use an existing digital identity to sign into your service makes it very easy for new customers to simply click to register, reducing form filling, abandonment and password fatigue. Keep in mind that 45% of users give up if the registration process is too hard, so anything you can do to facilitate registration will have a significant impact on your customer conversion rate.
You can make this user experience benefit more inclusive by integrating multiple identity providers, giving users options for signing up to your service. Using the above example, some of your customers may not have Facebook, but would take advantage of ‘Sign up with Google’ and vice versa.
Further, an IdP can facilitate progressive profiling – enriching customer data without customers needing to repeat data entry between the linked services. They simply tick to give permission to the identity provider to provide your service with the information, saving them time and effort inputting the details again.
The security benefits of using an IdP
How many applications do you have an account with – 50? 100? And if you sign into each of those apps with a different password, are you sure that all of those passwords are strong and unique? Even if you are, it’s likely that the majority of your service’s users are not.
Password fatigue leads to credentials being reused across multiple sites, which presents a significant security risk to your systems. If attackers get hold of a set of credentials, they often try the same username/password combination across many other sites (credential stuffing), leading to unauthorised access to your system. It's worth noting here that 80% of data breaches are caused by stolen, weak or default passwords.
Using an identity provider reduces the burden and risk of you trying to mitigate these risks in house, with no need to store and protect credentials yourself for users that opt to ‘Sign up with X’.
Identity providers can offer you strong authentication for your service, meaning the use of credentials that are particularly secure. Take the Swedish Bank ID for example. A bank already carries out rigorous Know Your Customer (KYC) processes before issuing customers with login credentials, so if customers can sign up to your service with their Bank ID you can be confident that they are who they say they are.
Multi-factor authentication (MFA)
MFA requires customers to present more than one authentication factor. It is far harder for an attacker to gain access to a service when two factors have to be replicated rather than one. For example, you may sign in to a service using your Facebook credentials but then have to further authenticate with a mobile phone authenticator app or your fingerprint.
In this way, combinations of identity providers can help to make your service extremely secure and mitigate against data breaches. Customers now expect to see MFA in all kinds of services, and identity providers will ensure that it is as frictionless as possible.
Step-up authentication & SSO Identity Providers
If you have several applications, Single Sign-On (SSO) is a common best-practice solution that lets your customers move seamlessly between those applications using their SSO identity provider without entering separate login credentials each time. But what happens if one application requires stronger assurance of an identity than the others?
Here is an example of how to use identity providers for step-up authentication. A customer signs into your service using Facebook, and that is secure enough for a subset of your apps. When they SSO to an app that needs a higher level of assurance (perhaps an area that stores personal data), you ask them to further authenticate with their BankID.
This situational MFA with identity providers represents the gold standard in balancing security and customer experience.
How to integrate an identity provider
Customer Identity and Access Management (CIAM) will enable you to connect identity providers to your service and anchor users to their existing digital identities. Ubisecure CIAM supports authentication protocols like OpenID Connect, OAuth 2.0 and SAML, which are already accepted by most application servers (such as SharePoint, WildFly, Tomcat etc.), making it easy for your application to accept identity information based on these protocols from third parties.
- OpenID provider – OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. For OIDC implementations, an identity provider is a type of OAuth 2.0 authorization server.
- SAML identity provider – Security Assertion Markup Language (SAML) is an open standard that allows identity providers to securely pass signed authentication and authorisation assertions to approved service providers.
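As an added example (not Ubisecure's code or the page's own), here is the relying-party side of the OIDC integration just described, combined with the step-up rule from the SSO section: the service verifies an ID token (signature, issuer, audience, nonce, expiry) and then compares the asserted acr claim against the level the target app requires. It uses a constructed HS256 shared secret so it runs offline; the issuer URL, client_id and acr URNs are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
# Constructed values for this example only. A real IdP signs ID tokens with
# RS256/ES256 and you verify them against the keys at its published JWKS URL.
IDP_SECRET = b"constructed-demo-secret"
IDP_ISSUER = "https://idp.example.test"   # assumption: the IdP's issuer URL
CLIENT_ID = "my-service"                    # assumption: our registered client_id
# Rank the IdP's acr values by assurance (assumption: made-up URNs; use the values your IdP documents).
ACR_LEVEL = {"urn:demo:social": 1, "urn:demo:mfa": 2, "urn:demo:bankid": 3}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict) -> str:
    # Constructed IdP side: mint an HS256 ID token so the example runs offline.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token(token: str, nonce: str, now=None) -> dict:
    """Relying-party checks an OIDC client must pass before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # never accept alg=none or a surprise alg
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")    # token was minted for another client
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")       # replayed or cross-session token
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def access_decision(claims: dict, required_acr: str) -> str:
    """Step-up rule: 'allow' if the asserted acr meets the app's bar, else 'step_up'."""
    have = ACR_LEVEL.get(claims.get("acr"), 0)   # unknown or absent acr ranks lowest
    return "allow" if have >= ACR_LEVEL[required_acr] else "step_up"
```

When the decision is "step_up", the service re-sends the user to the IdP with acr_values set to the stronger level (for example the BankID-backed login) and re-runs the same checks on the new token.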
Ubisecure supports a wide range of identity providers, ranging from social to fully verified bank IDs.
- Social identities – service providers use existing social identities to create low-friction accounts during registration. Accounts may be enriched with additional attributes during use by the customer.
- Enterprise identities – organisations maintain employee user accounts and may choose to federate the identities for registration and authentication to vendors or service providers.
- Bank ID, Government eID – these verified identities are much more prominent in Europe and are backed by the customer's or citizen's strong (real-world) identity. Organisations involved in verifying identities, such as banks, mobile providers and government bodies, identity-proof their customers and federate the identities to help service providers (and consumers) avoid fraud and identity theft. Consumers and citizens assert their verified identity as a means of registration and authentication, and to authorise access to certain services.
The wide BYOI support available through Ubisecure CIAM gives customers the flexibility to support the digital identities most appropriate for their business requirements.
When BYOI is implemented correctly, third party identity providers become an integral component of an effective identity management system.
Take your next steps with BYOI
Get started quickly with IDaaS
Identity-as-a-Service (IDaaS) is a SaaS solution that allows enterprises to deploy CIAM capabilities like BYOI quickly. IDaaS lets you bring OIDC and SAML identity providers into your service with just simple configuration. Find out more about IDaaS or start your 30 day free IDaaS Trial.