Skip to main content

Skillber v1.0 is here!

Learn more

Identity Providers

Checking access...

The Identity Provider (IdP) is the central authentication authority in modern IAM architecture. The IdP authenticates users, issues tokens, and manages sessions. Choosing and deploying an IdP is one of the most consequential infrastructure decisions in an identity program.

IdP Deployments

IdPTypeProtocol SupportDeployment ModelKey Strength
OktaCloud IdPSAML, OIDC, SCIM, LDAP, RADIUSSaaSLargest integration network, workflow engine
Azure AD / Entra IDCloud IdPSAML, OIDC, WS-Fed, KerberosSaaSDeep Microsoft integration, conditional access
Ping IdentityIdP + DirectorySAML, OIDC, LDAP, SCIM, WS-Fed, RADIUSSaaS + On-premMulti-protocol support, enterprise directory
KeycloakOpen Source IdPSAML, OIDC, LDAPSelf-hostedOpen source, customisable, community — Lab Deployment Guide
ForgeRockIdP + IGSAML, OIDC, LDAP, RADIUSSelf-hosted + SaaSFull IAM platform, IoT support
OneLoginCloud IdPSAML, OIDC, SCIM, LDAPSaaSSimplicity, ease of setup
Amazon CognitoCloud IdPOIDC, SAMLAWS SaaSAWS integration, cost-effective for B2C
Auth0Cloud IdPOIDC, SAML, WS-FedSaaSDeveloper experience, extensibility

IdP Architecture Components

┌──────────────────────────────────────────────────────────────┐
│ IDENTITY PROVIDER │
│ │
│ ┌────────────┐ ┌────────────┐ ┌──────────────────┐ │
│ │Auth Service│ │Token Svc │ │User Store / Dir │ │
│ ├────────────┤ ├────────────┤ ├──────────────────┤ │
│ │MFA Engine │ │Session Mgt │ │Policy Provider │ │
│ ├────────────┤ ├────────────┤ ├──────────────────┤ │
│ │Auth Flows │ │Token Store │ │Attribute Store │ │
│ │(SAML/OIDC) │ │(Sessions) │ │(Directory/LDAP) │ │
│ └────────────┘ └────────────┘ └──────────────────┘ │
│ │ │
│ ┌────────────────┴────────────────────────────────────┐ │
│ │ Integration Layer │ │
│ │ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐ │ │
│ │ │REST │ │SCIM │ │LDAP │ │SAML │ │OIDC │ │ │
│ │ │API │ │Prov. │ │Lookup│ │IdP │ │RP │ │ │
│ │ └──────┘ └──────┘ └──────┘ └──────┘ └──────┘ │ │
│ └────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────┘

SAML 2.0 IdP Architecture

Flow Infrastructure

ComponentFunctionDeployment Consideration
IdP endpointReceives SAML AuthnRequest, initiates authenticationHigh-availability URL, TLS termination
Assertion Consumer Service (ACS)SP endpoint that receives SAML assertionsURL must be registered with SP, TLS protected
Metadata endpointPublishes IdP metadata (certificate, endpoints)Publicly accessible, signed metadata
Single Logout (SLO)Terminates session across all SPsComplex timing, SP compatibility issues
Certificate storeHolds signing and encryption certificatesHSM-backed, rotation policy, key management

Token Handling

Token TypePurposeLifetimeSecurity Considerations
SAML assertionAuthentication and attribute statementShort (5-30 minutes)Signed, optionally encrypted; replay protection via NotBefore/NotOnOrAfter
SAML session cookieIdP-initiated session persistenceHours to daysHttpOnly, Secure, SameSite attributes
OIDC ID tokenUser identity informationShort (1-60 minutes)JWT format, signed with RS256/ES256
OIDC access tokenAPI authorisationMinutes to hoursBearer token, opaque or JWT format
OIDC refresh tokenObtain new access tokens without user interactionHours to daysSecure storage, rotation on use, single-use
Session token (IdP)Authenticated session at the IdPHours to daysServer-side, tied to user agent fingerprint

Session Management

IdP Session Architecture

User Browser ──> IdP Auth ──> IdP Session Created ──> SP Token Issued
┌──────────────────────────────────┘
v
User Access App ──> SP Checks Token ──> Valid
│ │
Token Expires ┌─────────────────────┘
│ │
v v
User Re-auth IdP Session Valid?
│ │
│ Yes ──┴── No
│ │ │
v v v
Re-authenticate Silent Re-login
(if IdP sess. Token
expired) Refresh

Session Management Best Practices

PracticeRationaleImplementation
Set appropriate session TTLBalance security and user experienceIdle session: 15-60 minutes; max session: 8-24 hours
Session bindingPrevent session hijackingBind session to IP, user-agent, device fingerprint
Single session enforcementLimit concurrent sessionsConfigure in IdP (e.g., Okta concurrent session limit)
Session revocationImmediate logout capabilitySupport admin-initiated session revocation
Remember me / persistent sessionsReduce authentication frequencyTrusted device with cryptographic token, conditional
Conditional session durationLonger for trusted devices, shorter for suspiciousSign-in risk, device compliance, location

IdP Brokering / Federation Hub

When to Use an IdP Broker

ScenarioBroker ArchitectureBenefit
Merger/AcquisitionBroker between multiple IdPsUsers authenticate at their home IdP, broker translates
Multi-cloudBroker between cloud and on-prem IdPsConsistent authentication experience
Partner federationBroker for B2B federated partnersManage hundreds of partner IdP connections
MigrationBroker during IdP migrationPhased migration with transparent user experience

Broker Architecture

┌────────────────────────────────────────────────────────────┐
│ IdP BROKER │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Internal │───>│ Broker │───>│ Cloud │ │
│ │ IdP (AD) │ │ Engine │ │ IdP │ │
│ └──────────┘ └────┬─────┘ └──────────┘ │
│ │ │
│ ┌───────────────┼───────────────┐ │
│ │ │ │ │
│ ┌────┴────┐ ┌──────┴──────┐ ┌────┴────┐ │
│ │ App │ │ SaaS │ │ Cloud │ │
│ │ On-prem│ │ App │ │ Console │ │
│ └─────────┘ └────────────┘ └─────────┘ │
└────────────────────────────────────────────────────────────┘

IdP High Availability

IdP HA Architecture

ComponentHA StrategyFailure Mode
IdP serviceActive-active across regionsFailover to secondary region via DNS routing
Token storeReplicated database (SQL/NoSQL)Automatic failover, read replicas
Session storeDistributed cache (Redis/Memcached)Replica promotion, cache warming
User store / directoryMulti-master replicationAutomatic DC failover
Certificate store / HSMHSM cluster with key replicationAutomatic HSM failover
Load balancerActive-passive (HAProxy/NLB)Automatic health check failover

IdP Availability Formula

IdP TypeTypical SLAAnnual DowntimeUser Impact of 1 Hour Downtime
Cloud IdP (Okta/Azure)99.99%52 minutesAll apps requiring SSO unavailable
Self-hosted (Keycloak)99.9% (with HA)8.76 hoursSame as above + no federated access
Self-hosted (single node)99%87.6 hoursComplete authentication failure

Caution

IdP downtime means ALL applications that rely on SSO authentication become unavailable. Users cannot access any federated application, including email, CRM, cloud infrastructure, and collaboration tools. IdP HA is not optional — it is a business-critical requirement that should be designed with multi-region active-active deployment, automatic failover, and regular DR testing.

IdP Deployment Patterns

PatternDescriptionWhen to Use
Cloud IdP as primaryCloud IdP is the authoritative identity sourceCloud-first, SaaS-heavy organisations
On-prem IdP with cloud federationOn-prem AD/LDAP federated to cloud IdPMature AD deployment, hybrid infrastructure
IdP brokeringCentral broker arbitrates between IdPsPost-M&A, multi-IdP environments
Custom IdP (Keycloak)Self-hosted, customised IdP — see the hands-on guides for full lab setup and SSO configurationCustom authentication flows, air-gapped environments
B2C IdP (Auth0/Cognito)Customer-facing authenticationConsumer applications, social login
Regional IdPSeparate IdP per regionData residency, compliance requirements

Key Takeaways

  • The Identity Provider (IdP) is the central authentication authority — an IdP outage means ALL SSO-authenticated applications become unavailable, making HA design business-critical
  • Major IdP options include Okta (integration network), Azure AD/Entra ID (Microsoft ecosystem), Ping Identity (multi-protocol), Keycloak (open source), Auth0 (developer-focused), and AWS Cognito (B2C)
  • IdP architecture components include authentication service, MFA engine, token service (issuing SAML assertions and OIDC tokens), session management, user store/directory, and integration layer (REST, SCIM, LDAP, SAML, OIDC)
  • Token handling requires careful lifetime management — SAML assertions (5-30 minutes), OIDC ID tokens (1-60 minutes), access tokens (minutes to hours), refresh tokens (hours to days), and session cookies (hours to days)
  • Session management best practices include appropriate TTL, session binding (IP, user-agent), single-session enforcement for sensitive apps, immediate revocation capability, and conditional session duration based on risk
  • IdP brokering (federation hub) is essential in M&A, multi-cloud, B2B partner federation, and migration scenarios — the broker mediates between multiple IdPs for a consistent user experience
  • IdP HA requires active-active multi-region deployment, replicated token/session stores, distributed caching, and automatic failover — cloud IdPs typically offer 99.99% SLA, self-hosted HA targets 99.9%, and single-node is unacceptable for production