Identity providers
About identity providers
An Identity Provider (IdP), also known as Identity Assertion Provider, is a system that creates, maintains and manages identity information for principals (users, services, or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network. It is a trusted third party that can be relied upon by users and servers when users and servers are establishing a dialog that must be authenticated. The IdP sends an "attribute assertion" containing trusted information about the user to the service provider.
An IdP is responsible for:
- Providing identifiers for users wanting to interact with a system
- Asserting to such a system that such an identifier presented by a user is known to the provider
- Possibly providing other information about the user that is known to the provider
This may be achieved via an authentication module which verifies a security token that can be accepted as an alternative to repeatedly explicitly authenticating a user within a security realm.
In perimeter authentication, a user needs to be authenticated only once (single sign-on). The user obtains a security token which is then validated by an Identity Assertion Provider for each system that the user needs to access.
Examples could be where a website allows users to log in with Facebook credentials and Facebook acts as an identity provider. Facebook verifies that the user is an authorized user and returns information to the website - for example, username and email address (specific details might vary). Similarly, if a site allows login with Google or Twitter credentials then Google and Twitter act as identity providers.
Supported protocols and external IdPs
There are multiple protocols an IdP could support. The list of supported protocols of Unit4 Identity Services (U4IDS) includes:
- WS-Federation
- SAML-P 2.0
- OpenID Connect
See Identity protocols for more information.
U4IDS support all third-party IdPs that fully support any of the protocols mentioned. They include:
- Azure Active Directory(Azure AD) - supports all three types of protocols
- ADFS 2.0 - supports WS-Federation
- Feide - supports SAML-P 2.0
- OKTA - supports all three types of protocols
Temporary identity provider
The Temporary Identity Provider functionality has been implemented in the Identity Service. This functionality is managed by Unit4 and provides users with a temporary Identity Provider that would allow users to access the IDS during initial setup while configuring their own Identity Provider.
The Temporary Identity Provider feature manages temporary Identity Providers automatically, based on the days elapsed since their creation. After 60 days, if the Identity Provider is enabled, it will be removed. If it is already deleted, nothing changes.
Identity provider order number
Functionality that allows Owner
and Contributor
users to sort Identity Providers (IdP) within their tenant through the IDS portal. This feature improves the previous Is Default IdP setting with a more flexible Identity Provider Priority field. The chosen order of IdPs is now maintained on the IdP selection screen (partial login screen).
To utilize the sorting feature, users can easily rearrange the order of IdPs by dragging and dropping them in the non-edit mode of the Tenant screen. The Identity Provider Priority field is updated based on the order chosen by the user, with a Temporary Identity Provider set at priority number 999. In the non-edit mode, users can save the selected priority order using the Save Priority button.
This enhancement ensures a consistent IdP order for users between the non-edit and edit modes. Additionally, it simplifies the process of managing IdPs in a tenant, providing more control over the login page's appearance.