What is an Identity Provider?
An identity provider (IdP) is a service that manages a single identity across many networks, services, and applications. The days when office walls defined a company’s network perimeter are long gone. Resources are distributed across the internet and in the cloud. Requiring unique credentials to access each one is impractical. Identity Providers simplify access control by giving users seamless access across multiple resources with one login credential.
Yet, for all its importance, identity is only part of the access control equation — a distinction that gets lost in the hype. Twingate’s latest white paper, Identity Providers (IdPs) Critical Role in Zero Trust Adoption, dives deep into identity and its importance to the future of secure access. Here, we want to focus on answering the question of what an Identity Provider is — and what it isn’t.
Identity is one element in the much broader system of Identity and Access Management (IAM). An IAM system determines two things: are the people, devices, or services using company resources who they claim to be, and may they use the resources they want to access.
We will start with that second part — deciding who or what should access which resources. Then we will shift to the first part, which is where IdPs help.
Authorization is the set of policies and rules an organization sets to manage access to its information resources. Administrators can define rules that answer questions such as:
- Which people or devices may access which resources?
- Under what circumstances do they get access?
- What level of access are they allowed to have?
- How long will that access last?
IAM best practices use the principle of least privilege to answer these questions. Users get the minimum access that still lets them do their work. Least-privilege access is also context-sensitive. For example, financial analysts can access more sensitive resources at the office than at an airport.
To reduce the complexity of managing access policies for hundreds or thousands of users, companies apply another best practice called role-based access control. Administrators define least-privileged access permissions for the various roles people play in the organization. Users are then assigned to the role or roles appropriate for their work. When users’ roles change due to transfers or promotions, a simple settings change removes old permissions and grants new ones.
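The two paragraphs above describe a decision that is easy to state and easy to get wrong in practice: a request passes only if the user's role clearance and the request's context both permit it, and a role change must swap permissions without leaving old ones behind. The following is an added example, not code from the original post or from Twingate; the role names, resource tags, and location ceilings are constructed sample data, and "sensitivity level" is a simplification standing in for the finer-grained permissions a real policy engine would evaluate.

```python
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


# Constructed sample data: the most sensitive data each role may touch.
ROLE_CLEARANCE = {
    "employee": Sensitivity.INTERNAL,
    "financial_analyst": Sensitivity.CONFIDENTIAL,
}

# Constructed sample data: resources tagged with a sensitivity level.
RESOURCES = {
    "cafeteria_menu": Sensitivity.PUBLIC,
    "intranet_wiki": Sensitivity.INTERNAL,
    "quarterly_forecast": Sensitivity.CONFIDENTIAL,
}

# Constructed sample data: the context ceiling for each network location.
# Confidential data is reachable only from the office network, so the same
# analyst who can open the forecast at the office cannot open it on airport Wi-Fi.
LOCATION_CEILING = {
    "office": Sensitivity.CONFIDENTIAL,
    "home_vpn": Sensitivity.INTERNAL,
    "public_wifi": Sensitivity.PUBLIC,
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def user_clearance(user):
    """Highest clearance granted by any of the user's roles (PUBLIC if none)."""
    levels = [ROLE_CLEARANCE[r] for r in user.roles if r in ROLE_CLEARANCE]
    return max(levels, key=lambda s: s.value, default=Sensitivity.PUBLIC)


def may_access(user, resource, location):
    """Least-privilege decision: the request passes only if the resource's
    sensitivity is within BOTH the user's role clearance AND the location's
    ceiling. Unknown resources or locations are denied by default."""
    if resource not in RESOURCES or location not in LOCATION_CEILING:
        return False
    needed = RESOURCES[resource].value
    return (needed <= user_clearance(user).value
            and needed <= LOCATION_CEILING[location].value)


def change_role(user, old_role, new_role):
    """A transfer or promotion: the old role's permissions disappear with the
    role itself, so nothing has to be revoked resource by resource."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


if __name__ == "__main__":
    ana = User("ana", {"financial_analyst"})
    for loc in LOCATION_CEILING:
        print(loc, "->", may_access(ana, "quarterly_forecast", loc))
```

Because every decision is a comparison against the role and location tables rather than a per-user rule, adding the thousandth user is a one-line assignment, and the deny-by-default branch means a typo in a location name fails closed rather than open.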
Least-privilege, role-based authorization limits access to resources, but it cannot fully protect those resources. These systems by themselves can’t tell when cybercriminals have stolen a user’s password, letting hackers access protected resources. Solving that problem is the job of an IAM system’s authentication system.
Authentication verifies that people trying to access a resource are who they say they are. By validating one or more authentication factors, these systems confirm the user’s identity so the authorization system can grant them access. Authentication factors fall into one of three categories:
- What You Know - Users memorize passwords.
- What You Have - Users carry USB security keys.
- Who You Are - Users register fingerprints.
Each factor has its own security strengths and weaknesses. Combining factors from different categories offsets the weakness of any one of them, which is why multi-factor authentication is stronger than any single factor.
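To make the "what you know" plus "what you have" combination concrete, here is an added example (not code from the original post or from Twingate) of a two-factor check: a salted password hash for the first factor and an RFC 6238 time-based one-time code, the kind generated by an authenticator app or hardware token, for the second. Both must pass. The user record, the shared TOTP secret, and the timestamps used in the usage block are constructed sample values; the TOTP function itself follows the RFC and reproduces its published test vectors.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, candidate):
    """Factor 1, "what you know": recompute and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def totp(secret_b32, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 64-bit time counter, then the RFC 4226
    dynamic truncation, then the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(timestamp) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, timestamp, step=30, window=1):
    """Factor 2, "what you have": accept the current time step and `window`
    steps either side so a slightly skewed token clock still works."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + step * d, step), code)
        for d in range(-window, window + 1)
    )


def authenticate(record, secret_b32, password, code, now=None):
    """Both factors must pass; a stolen password alone gets the attacker nothing."""
    now = time.time() if now is None else now
    return verify_password(record, password) and verify_totp(secret_b32, code, now)


if __name__ == "__main__":
    # Constructed demo values: a fixed salt for repeatability and the RFC 6238
    # test secret (ASCII "12345678901234567890" in base32).
    record = hash_password("correct horse battery staple", salt=b"\x00" * 16)
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("password only :", verify_password(record, "correct horse battery staple"))
    print("code only     :", verify_totp(secret, totp(secret, 59), 59))
    print("both factors  :", authenticate(record, secret, "correct horse battery staple",
                                            totp(secret, 59), now=59))
```

Two design points matter here. Both comparisons use `hmac.compare_digest`, so a wrong code or hash fails in the same time as a right one and leaks nothing about how close the guess was. And the drift window is deliberately narrow: widening it makes a leaked code useful for longer, which trades away exactly the "what you have" property the second factor is supposed to add.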
When networks were confined to company facilities in the old days, authentication was relatively easy to manage with user passwords and identity badges. Now, resources are distributed across many locations, hosted on cloud platforms, and outsourced to third-party cloud services. Users would need multiple accounts and passwords to access these resources, which creates several problems:
- Insecure passwords - People have to manage dozens of passwords in their work and personal lives. To deal with everything, they choose and reuse simple passwords that are easy for hackers to crack.
- Privacy risks - Authentication systems require users’ personal information to confirm their identity. The more identities a company manages, the more personal information it must protect.
- More attack vectors - The more user credentials a company manages, the more opportunities hackers have to penetrate network defenses.
Identity Providers solve these problems by letting people use a single identity across multiple resources. Your Google account, for example, does more than give you access to Google-owned services. Media, e-commerce, and other websites treat your Google account as a login credential. This makes it easier for you to access their services. At the same time, they don’t need to store and protect your identity information.
In the enterprise setting, Identity Providers unify access to a company’s on-premises, cloud-hosted, and X-as-a-Service resources. Users do not need to remember multiple account passwords as they jump between e-mail, ERP, video conferencing, and other systems. The company’s IdP validates a user’s identity for seamless authorization.
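The mechanism behind the last two paragraphs is that the relying service never sees a password at all: the IdP authenticates the user once and hands back a signed assertion, and each service only needs the means to check that signature plus a few claims. The following is an added example, not code from the original post or from Twingate, of that exchange in miniature with a JWT-style token signed with HMAC-SHA256. The issuer name, service names, user directory, key, and timestamps are constructed; the shared symmetric key is a simplification, since production IdPs sign with an asymmetric key so that services hold only the public half.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


class IdentityProvider:
    """The one place that knows who users are. It issues short-lived signed
    assertions scoped to a single audience (the service that asked)."""

    def __init__(self, issuer, signing_key, directory):
        self.issuer = issuer
        self.key = signing_key
        self.directory = directory  # constructed: user -> {"groups": [...]}

    def issue(self, user, audience, now, ttl=300):
        if user not in self.directory:
            raise PermissionError("unknown user")
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": user, "aud": audience,
                  "iat": now, "exp": now + ttl,
                  "groups": self.directory[user]["groups"]}
        signing_input = _segment(header) + "." + _segment(claims)
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


class RelyingParty:
    """A service (e-mail, ERP, ...) that trusts the IdP. It keeps the IdP's
    verification key and its own name, but no passwords or user records."""

    def __init__(self, name, trusted_issuer, verification_key):
        self.name = name
        self.trusted_issuer = trusted_issuer
        self.key = verification_key

    def verify(self, token, now):
        """Return the claims if the token is authentic, for us, and unexpired;
        otherwise None. Every check fails closed."""
        try:
            h, c, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(c))
            sig = _b64url_decode(s)
        except (ValueError, UnicodeDecodeError):
            return None
        if header.get("alg") != "HS256":          # never let the token pick the algorithm
            return None
        expected = hmac.new(self.key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        if claims.get("iss") != self.trusted_issuer or claims.get("aud") != self.name:
            return None
        if now >= claims.get("exp", 0):
            return None
        return claims

    def authorize(self, claims, required_group):
        """Authentication done by the IdP; authorization stays with the service."""
        return claims is not None and required_group in claims.get("groups", [])


if __name__ == "__main__":
    KEY = b"constructed-demo-signing-key"       # constructed; never hard-code real keys
    idp = IdentityProvider("https://idp.example", KEY,
                           {"alice": {"groups": ["staff", "finance"]}})
    erp = RelyingParty("erp.example", "https://idp.example", KEY)
    token = idp.issue("alice", "erp.example", now=1_000_000)
    claims = erp.verify(token, now=1_000_010)
    print("authenticated:", claims is not None,
          "| may open ledger:", erp.authorize(claims, "finance"))
```

Note what the service checks besides the signature: the audience, so a token minted for the e-mail system cannot be replayed against the ERP; the expiry, so a captured token has a short shelf life; and the issuer and algorithm, so only assertions from the trusted IdP under the expected scheme count. The group claim then feeds the service's own least-privilege rules, which is the division of labour the white paper is pointing at.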
Protecting resources while letting users get work done requires both sides of the IAM equation. An Identity Provider simplifies authentication across distributed resources while reducing privacy and security risks. But validating a user’s identity is only the first step in giving users secure access to sensitive resources.
A shift is underway in IAM as organizations of all sizes replace obsolete security architectures with new systems based on the principles of Zero Trust. Identity is a critical element of this modern approach to secure access. Learn more by reading the latest Twingate white paper: “Identity Providers (IdPs) Critical Role in Zero Trust Adoption.”