These are commonly used terms in the technology space. Understanding their definition and how they work is important to appreciate how systems are accessed.

My previous article, Authentication and Authorization, covered how you accessed a given system. If you aren’t familiar with these terms, it may be a good refresher!

Identity Providers (IdP)

An everyday example of an IdP is the state which issues your driver’s license. Businesses trust the state to verify your identity before issuing the license and therefore accept the license as proof of your identity.

Today, applications serving your requests, or webpages, may not be the system which authenticated you. In these cases, the applications delegate the authentication to an Identity Provider (IdP).

Consider a website which uses your Google account to authenticate. In this case, this website is delegating the authentication to Google to validate your login credentials. Google is the IdP.

Facebook is another example of an IdP.

There are a couple of key points to appreciate in the Google example:

  • The website you are accessing trusts Google Authentication. Without going into a lot of technical details, the website had to enroll into Google’s authentication platform and exchange some secrets to establish this trust.

  • The website never sees your authentication credentials. Google simply authenticates you with your password and/or MFA device and returns a token back to the website.

  • The website is still responsible for Authorization. Google returns a token which simply says “Hey, we validated this is Nicki”. It is up to the website to decide what actions I can take, what information I can access, etc.

Federated Identity

Federated Identity is the idea that an application trusts an external Identity Provider (IdP) to authenticate a person (or system).

The above example of using Google to login to a system is an example of Federated Identity.

Without Identity Federation, you would need a separate credential for every single application (or website) you accessed. Each one may have its own password requirements, etc., and users would need many different passwords. Over time, managing all these passwords makes the user experience unpleasant.
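The three key points from the Google example and the federation flow above, as an added example that is not part of the original post: a toy IdP authenticates the user and issues a signed token, and the website verifies the token and applies its own authorization. The shared secret, user store, roles and hostnames are constructed placeholders, and HMAC is used here in place of a real protocol such as OpenID Connect.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder for the secret exchanged when the website enrolled with the IdP.
SHARED_SECRET = b"placeholder-secret-exchanged-at-enrollment"
# The IdP's user store: the website never sees these credentials.
IDP_USERS = {"nicki": "correct-horse-battery-staple"}
# The website's own authorization data, separate from the IdP.
WEBSITE_ROLES = {"nicki": {"read", "write"}}


def idp_authenticate(username, password, now=None):
    """IdP side: check the credential and, on success, return a signed token."""
    if IDP_USERS.get(username) != password:
        return None  # authentication failed; nothing is issued
    claims = {"sub": username, "iss": "idp.example", "aud": "website.example",
              "exp": int((now or time.time()) + 300)}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def website_verify(token, now=None):
    """Website side: trust the token only if the IdP's signature, audience and expiry check out."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or not issued by the trusted IdP
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("aud") != "website.example" or claims.get("exp", 0) < (now or time.time()):
        return None  # token meant for someone else, or expired
    return claims


def website_authorize(claims, action):
    """Authorization stays with the website: the IdP only said who the user is."""
    return action in WEBSITE_ROLES.get(claims["sub"], set())
```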

Summary

Identity Providers (IdP) and Identity Federation are key parts of modern applications. They are critical elements in making applications more accessible.

However, there are downsides to this model. If your authentication with the IdP is compromised, it is possible for hackers to access many systems on your behalf.

Buyer beware!

One response to “Identity Providers (IdP) and Federated Identities Explained”

  1. Patrick Bisselele

    Nice post and spot on with the concepts.