The Identity Provider (IdP) is the central authentication authority in modern IAM architecture. The IdP authenticates users, issues tokens, and manages sessions. Choosing and deploying an IdP is one of the most consequential infrastructure decisions in an identity program.
IdP downtime means ALL applications that rely on SSO authentication become unavailable. Users cannot access any federated application, including email, CRM, cloud infrastructure, and collaboration tools. IdP HA is not optional — it is a business-critical requirement that should be designed with multi-region active-active deployment, automatic failover, and regular DR testing.
IdP Deployment Patterns

| Pattern | Description | When to Use |
| --- | --- | --- |
| Cloud IdP as primary | Cloud IdP is the authoritative identity source | Cloud-first, SaaS-heavy organisations |
| On-prem IdP with cloud federation | On-prem AD/LDAP federated to cloud IdP | Mature AD deployment, hybrid infrastructure |
| IdP brokering | Central broker arbitrates between IdPs | Post-M&A, multi-IdP environments |
| Custom IdP (Keycloak) | Self-hosted, customised IdP (see the hands-on guides for full lab setup and SSO configuration) | |
- The Identity Provider (IdP) is the central authentication authority — an IdP outage means ALL SSO-authenticated applications become unavailable, making HA design business-critical
- Major IdP options include Okta (integration network), Azure AD/Entra ID (Microsoft ecosystem), Ping Identity (multi-protocol), Keycloak (open source), Auth0 (developer-focused), and AWS Cognito (B2C)
- IdP architecture components include authentication service, MFA engine, token service (issuing SAML assertions and OIDC tokens), session management, user store/directory, and integration layer (REST, SCIM, LDAP, SAML, OIDC)
- Token handling requires careful lifetime management — SAML assertions (5-30 minutes), OIDC ID tokens (1-60 minutes), access tokens (minutes to hours), refresh tokens (hours to days), and session cookies (hours to days)
- Session management best practices include appropriate TTL, session binding (IP, user-agent), single-session enforcement for sensitive apps, immediate revocation capability, and conditional session duration based on risk
- IdP brokering (federation hub) is essential in M&A, multi-cloud, B2B partner federation, and migration scenarios — the broker mediates between multiple IdPs for a consistent user experience
- IdP HA requires active-active multi-region deployment, replicated token/session stores, distributed caching, and automatic failover — cloud IdPs typically offer 99.99% SLA, self-hosted HA targets 99.9%, and single-node is unacceptable for production
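The session-management practices listed above (TTL, binding to IP and user-agent, single-session enforcement for sensitive apps, immediate revocation, risk-conditional duration) shown as a small in-memory session store. This is an added example, not code from the page or from any IdP product; the `SessionStore` class, the TTL values and the idle timeout are assumptions chosen for illustration.

```python
import secrets
import time

# Conditional session duration: absolute TTL (seconds) chosen by login risk.
# Values and names here are assumptions for illustration, not from the page.
TTL_BY_RISK = {"low": 8 * 3600, "medium": 3600, "high": 15 * 60}
IDLE_TIMEOUT = 30 * 60  # inactivity limit in seconds (assumed)


class SessionStore:
    def __init__(self, sensitive_apps):
        self.sessions = {}  # session id -> dict of session attributes
        self.sensitive_apps = set(sensitive_apps)

    def revoke(self, sid):
        # Immediate revocation: the next validate() for this id fails.
        if sid in self.sessions:
            self.sessions[sid]["revoked"] = True

    def create(self, user, app, ip, user_agent, risk="low", now=None):
        now = time.time() if now is None else now
        # Single-session enforcement for sensitive apps: a new login revokes
        # the user's other live sessions for the same app.
        if app in self.sensitive_apps:
            for sid, s in self.sessions.items():
                if s["user"] == user and s["app"] == app:
                    self.revoke(sid)
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[sid] = {
            "user": user, "app": app, "client": (ip, user_agent),
            "created": now, "last_seen": now, "ttl": TTL_BY_RISK[risk],
            "revoked": False,
        }
        return sid

    def validate(self, sid, ip, user_agent, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None or s["revoked"]:
            return False
        # Session binding: the presenting client must match the one that logged in.
        if (ip, user_agent) != s["client"]:
            return False
        # Absolute TTL and idle timeout.
        if now - s["created"] > s["ttl"] or now - s["last_seen"] > IDLE_TIMEOUT:
            return False
        s["last_seen"] = now  # idle clock refreshes only on a valid presentation
        return True
```

A production IdP keeps this state in a replicated store so that revocation and binding checks hold across every node of an active-active deployment.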