What Is an IdP and Are They Secure?

Identity providers (IdPs) store and verify user identities to help organizations provide their users with secure access to the resources they need.

Since the COVID-19 pandemic, attacks on identity and access management (IAM) have risen significantly and continue to do so. The increased vulnerability of remote workers, the widespread availability of easy-to-deploy phishing kits and the fact that successful attacks serve as an entry point for bigger attacks have contributed to this growth. 

In this climate, trusted IdPs are a popular way for companies to secure and manage their IAM processes. But what is an IdP, how do they work and how secure are they really? 

What is an IdP? 

An IdP is a service that creates, stores and manages digital identities that can be provisioned to people and devices. As security pressures grow, it’s difficult for individual organizations to build and maintain robust authentication processes. Therefore, third-party IdPs offer identity-as-a-service, combining identity verification and authentication, identity management, and often single sign-on (SSO) for users. 

The core components of an IdP system generally include:

• A store of user identities that they have provisioned
• An authentication and authorization system to verify that the user is who they claim to be and what that person is allowed to access
• Security protocols that defend the system against intrusion and identity theft

A common example that most people encounter daily is Google as an IdP. Signing in to a Google account will give users access to Google’s suite of applications. However, as you move around the web, other non-Google sites and apps will allow users to sign in to their services directly through Google. This integration allows the service to take advantage of Google Identity Services to authenticate its users. 

Identity providers vary in their approach, breadth and depth of services but have basic methodologies and processes in common. Next, we’ll look at the more technical side of provisioning and managing secure identities.

What is an IdP: Methodology

As mentioned, an IdP provisions and stores identities that service providers can trust when granting access. However, one of their greatest values lies in their relatively seamless authentication of users across multiple online locations. 

The first element of this is the communication between the IdP and service providers, which generally is done using Security Assertion Markup Language (SAML). This is an open-standard XML-based language that exchanges authentication information between the IdP and a service provider. OAuth is also used, which is an open standard for delegating access, whereby an IdP can give another app or service limited access to a user’s data without giving them a username or password. 

These methodologies allow IdPs to give service providers or applications just the information they need to allow the user to access the required services. As they are a trusted entity, the service provider holds that the user’s authentication with the IdP is sufficient to grant them access. 

What is an IdP: A Workflow in Action

There are two parts to how an IdP operates. The first is the authentication with the IdP itself, which follows the pattern of a standard login, either through a username and password or MFA. However, the IdP or the organization deploying it may enforce more secure protocols. For example, they may integrate a FIDO-based passwordless authentication provider that enables a wider range of usable factors while deprecating the use of traditional passwords.

Once a user has been satisfactorily authenticated, the second part of the workflow is the IdP communicating with the service provider. The following is an example of a common IdP workflow:

1. The user is authenticated with the IdP
2. The user attempts log in to the service provider
3. The service provider sends a SAML request to IdP to verify the user’s identity
4. IdP sends an authentication assertion message via SAML confirming the user or device’s identity 
5. The data needed by the service provider is passed along using an attribution assertion in SAML
6. Access to services in line with the user’s privilege level is unlocked
7. If the user is granted access, an authorization assertion is sent back to the IdP informing them of this

What is an IdP: Benefits

As you’ve probably already gathered, there are several key benefits to using an IdP, including: 

Reduced Resources on Security: Managing an extensive user authentication and identity database requires a lot of resources. Third-party IdPs can deliver the same service and security without the need to maintain the capability in-house, relieving pressure on your IT and security teams.

Single Source of Truth: An IdP creates one identity for a user, which can then be referred to and authenticated, removing the prospect of multiple directories or identities that IT teams have to track. Centralized management of user identities also reduces the potential for fraud and impersonation.

Improved User Experience: IdPs save end users the hassle of creating and remembering new passwords for every site and application. In the enterprise, when used with single sign on, IdPs allow users to authenticate once to gain access to all connected systems. On the consumer side, IdPs make it easier for new customers to simply click to register, reducing form filling and abandonment. 

Mitigate Password Risks: Passwords are possibly the single greatest cybersecurity challenge today.  With widespread password reuse and a growth in password fatigue, reducing the number of logins a user has to perform, and thus passwords they have to remember, will always be beneficial. IdPs can enforce strong password policies and multi-factor authentication (MFA) requirements. Ideally, they will use passwordless authentication protocols. While most IdPs do not have a native fully passwordless authentication option, they can seamlessly integrate with dedicated passwordless solutions such as HYPR.

What is an IdP: Downsides

The biggest flaw affecting IdPs and SSO providers lies in the fact that the user puts a lot of trust in that system. In doing so, they are at risk of a “break once, run everywhere” situation if their identity is compromised. Unfortunately many IdPs still accept “username + password logins” or attempt to improve security with insecure MFA methods such as one-time passwords. If the IdP provides authentication, this also means that if the IdP itself is compromised so are its authentication processes.

Attackers are increasingly targeting IdPs as a lucrative entry point. In one recent spate of attacks, more than 140 organizations were breached through their Okta credentials. 

These issues can be overcome by integrating a decoupled authentication system that reinforces user and institutional trust. These systems employ stronger authentication methods such as extra hardware that supports security keys, smart key cards or biometric identifier devices that connect to desktops. The newest technologies create phishing-resistant authentication flows using a user’s smart device, turning the phone into a FIDO2 token.

Secure Your IdP With HYPR

With growing concerns around IAM security, many organizations are turning to IdPs to manage secure identities for their users. An IdP creates and stores identities and provides authentication services that improve the trust and security level around users accessing apps and web services. In addition, the IdP provides a single source of truth for user identities, reduces friction around logins and removes the need for different passwords for every site.

HYPR’s passwordless authentication system integrates with all major IdPs, providing secure, phishing-resistant MFA. Importantly, using HYPR in tandem with your IdP will decouple authentication from identity provision, creating an extra security layer. Read more about using HYPR with your IdP and passwordless SSO, or arrange a free demo.