Identity providers

About identity providers

An Identity Provider (IdP), also known as Identity Assertion Provider, is a system that creates, maintains and manages identity information for principals (users, services, or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network. It is a trusted third party that can be relied upon by users and servers when users and servers are establishing a dialog that must be authenticated. The IdP sends an "attribute assertion" containing trusted information about the user to the service provider.

An IdP is responsible for:

This can be achieved with an authentication module that verifies a security token, which is accepted in place of repeatedly and explicitly authenticating the user within a security realm.

In perimeter authentication, a user needs to be authenticated only once (single sign-on). The user obtains a security token which is then validated by an Identity Assertion Provider for each system that the user needs to access.

One example is a website that allows users to log in with Facebook credentials; Facebook then acts as the identity provider. Facebook verifies that the user is an authorized user and returns information to the website, for example the username and email address (the exact details vary). Similarly, if a site allows login with Google or Twitter credentials, then Google and Twitter act as identity providers.

Supported protocols and external IdPs

There are multiple protocols an IdP could support. The list of supported protocols of Unit4 Identity Services (U4IDS) includes:

See Identity protocols for more information.

U4IDS supports all third-party IdPs that fully support any of the protocols mentioned. They include:

Temporary identity provider

The Temporary Identity Provider functionality has been implemented in the Identity Service. This feature allows admin users to tag an Identity Provider (IdP) as temporary using either IDS PowerShell or the IDS Portal. The system automatically records the date on which the temporary IdP was generated for a tenant. Only Owners of admin tenants have the privilege to perform this tagging. Non-admin tenants can view temporary IdPs but cannot change them. The function logic checks the number of days since creation and performs actions accordingly:

Identity provider order number

This functionality allows Owner and Contributor users to sort the Identity Providers (IdPs) within their tenant through the IDS portal. It improves on the previous Is Default IdP setting with a more flexible Identity Provider Priority field. The chosen order of IdPs is now maintained on the IdP selection screen (partial login screen). To use the sorting feature, users rearrange the IdPs by dragging and dropping them in the non-edit mode of the Tenant screen. The Identity Provider Priority field is updated according to the order the user chose, with a Temporary Identity Provider fixed at priority number 999. In the non-edit mode, users save the selected priority order with the Save Priority button. This enhancement ensures a consistent IdP order between the non-edit and edit modes. It also simplifies the management of IdPs in a tenant and gives more control over the appearance of the login page.
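The priority and temporary-IdP rules described in the two sections above, as an added Python illustration that is not part of U4IDS or its PowerShell module. It assumes a simple in-memory IdP record (name, temporary flag, recorded creation date, priority); the 999 value comes from the page, while the handling of IdPs left out of a drag-and-drop order and the default priority for not-yet-ordered IdPs are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TEMPORARY_PRIORITY = 999  # stated on the page: temporary IdPs sit at priority 999

@dataclass
class IdentityProvider:
    name: str
    temporary: bool = False
    created: Optional[date] = None  # assumption: recorded generation date of a temporary IdP
    priority: int = TEMPORARY_PRIORITY  # assumption: unordered IdPs sort last until saved

def apply_priority_order(ordered_names: List[str], idps: List[IdentityProvider]) -> Dict[str, int]:
    """Set Identity Provider Priority from the drag-and-drop order (first = 1).
    Temporary IdPs are pinned to 999 wherever they were dropped and consume no number;
    IdPs absent from ordered_names keep their relative order and are appended after (assumption)."""
    by_name = {p.name: p for p in idps}
    unknown = [n for n in ordered_names if n not in by_name]
    if unknown:
        raise ValueError(f"unknown IdP(s) in order: {unknown}")
    leftovers = sorted((p for p in idps if p.name not in ordered_names),
                       key=lambda p: (p.priority, p.name))
    next_priority = 1
    for p in [by_name[n] for n in ordered_names] + leftovers:
        if p.temporary:
            p.priority = TEMPORARY_PRIORITY
        else:
            p.priority, next_priority = next_priority, next_priority + 1
    return {p.name: p.priority for p in idps}

def login_screen_order(idps: List[IdentityProvider]) -> List[str]:
    """Names in the order the IdP selection (partial login) screen shows them."""
    return [p.name for p in sorted(idps, key=lambda p: (p.priority, p.name))]

def days_since_creation(idp: IdentityProvider, today: date) -> Optional[int]:
    """The age check the page describes for temporary IdPs; None for permanent ones.
    The page does not say what happens at a given age, so no action is taken here."""
    if not idp.temporary or idp.created is None:
        return None
    return (today - idp.created).days

def sample_tenant() -> List[IdentityProvider]:
    """Constructed sample tenant (not real configuration)."""
    return [
        IdentityProvider("Corporate SAML", priority=2),
        IdentityProvider("Google", priority=1),
        IdentityProvider("Contractor temp", temporary=True, created=date(2024, 1, 1)),
    ]
```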