Identity providers
About identity providers
An Identity Provider (IdP), also known as Identity Assertion Provider, is a system that creates, maintains and manages identity information for principals (users, services, or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network. It is a trusted third party that can be relied upon by users and servers when users and servers are establishing a dialog that must be authenticated. The IdP sends an "attribute assertion" containing trusted information about the user to the service provider.
An IdP is responsible for:
- Providing identifiers for users wanting to interact with a system
- Asserting to such a system that such an identifier presented by a user is known to the provider
- Possibly providing other information about the user that is known to the provider
This may be achieved via an authentication module which verifies a security token that can be accepted as an alternative to repeatedly explicitly authenticating a user within a security realm.
In perimeter authentication, a user needs to be authenticated only once (single sign-on). The user obtains a security token which is then validated by an Identity Assertion Provider for each system that the user needs to access.
Examples could be where a website allows users to log in with Facebook credentials and Facebook acts as an identity provider. Facebook verifies that the user is an authorized user and returns information to the website - for example, username and email address (specific details might vary). Similarly, if a site allows login with Google or Twitter credentials then Google and Twitter act as identity providers.
Supported protocols and external IdPs
There are multiple protocols an IdP could support. The list of supported protocols of Unit4 Identity Services (U4IDS) includes:
- WS-Federation
- SAML-P 2.0
- OpenID Connect
See Identity protocols for more information.
U4IDS support all third-party IdPs that fully support any of the protocols mentioned. They include:
- Azure Active Directory(Azure AD) - supports all three types of protocols
- ADFS 2.0 - supports WS-Federation
- Feide - supports SAML-P 2.0
- OKTA - supports all three types of protocols
Temporary identity provider
The Temporary Identity Provider functionality has been implemented in the Identity Service. This feature allows admin users to tag an Identity Provider (IdP) as temporary using both IDS Powershell and IDS Portal. The system automatically records the date of the temporary IdP generation for a tenant.
Only Owners of admin tenants have the privilege to perform this tagging. Additionally, non-admin tenants can view temporary IdPs but do not have the ability to make changes to them.
The function logic involves checking the number of days since creation and performing actions accordingly:
- The Temporary IdP functionality manages the
lifecycleof temporary IdPs automatically, and operates based on the number of days that have passed since the creation of a temporary IdP. - Within the First 60 Days After Creation: During this period, the function checks the status of the Temporary IdP. If it's enabled or has been manually disabled, no action is taken. The Temporary IdP remains in its current state.
- At Day 60: When 60 days have passed since the creation of the Temporary IdP, the function performs the following actions based on its current status: a. If the Temporary IdP is enabled, the function changes its state to disabled. b. If the Temporary IdP is already disabled, no further action is taken, and it remains in the disabled state.
- From `Day 61 until Day 90: Between days 61 and 90 since the Temporary IdP creation, the function monitors the status of the Temporary IdP. Regardless of whether it's disabled or has been manually re-enabled, the function will not perform any actions during this period.
- At Day 90: Upon reaching the 90-day mark from the Temporary IdP creation, the function takes different actions depending on its current status: a. If the Temporary IdP is disabled, the function removes the Temporary IdP from the system, effectively deleting it. b. If the Temporary IdP is still enabled, no further action is taken, and it remains active in the system.
- After Day 90` (Only for Temporary IdPs That Have Been Manually Re-enabled): For Temporary IdPs that have been manually re-enabled after the 90-day period, the function will monitor their status: a. If the Temporary IdP is enabled, the function will not perform any actions, and it will continue to remain active. b. If the Temporary IdP is disabled, the function removes the Temporary IdP from the system, effectively deleting it.
Identity provider order number
Functionality that allows Owner and Contributor users to sort Identity Providers (IdP) within their tenant through the IDS portal. This feature improves the previous Is Default IdP setting with a more flexible Identity Provider Priority field. The chosen order of IdPs is now maintained on the IdP selection screen (partial login screen).
To utilize the sorting feature, users can easily rearrange the order of IdPs by dragging and dropping them in the non-edit mode of the Tenant screen. The Identity Provider Priority field is updated based on the order chosen by the user, with a Temporary Identity Provider set at priority number 999. In the non-edit mode, users can save the selected priority order using the Save Priority button.
This enhancement ensures a consistent IdP order for users between the non-edit and edit modes. Additionally, it simplifies the process of managing IdPs in a tenant, providing more control over the login page's appearance.