What are ID-providers?

Various features are being used to simplify logins – from passwordless logins to registration via other providers such as Apple or Google. Identity providers (ID-providers) play a central role here, as they take over identity and access management. By authenticating and authorising users, they ensure the security of sensitive information and enable seamless access controls. But what exactly is behind the term “ID-provider” and why are they crucial for security and user-friendliness in numerous online platforms? In this article, we take a comprehensive look at how ID-providers work, their key functions and their role in the modern information society.

Definition

Identity providers are service providers that store and manage digital identities. They verify, authenticate and authorise users within an information system. In this way, the provider ensures that only authorised users can access certain resources.

Authentication and authorisation:

Authentication and authorisation are two fundamental concepts in the field of access control. The terms are often used together as they usually go hand in hand, although they refer to different aspects of access to resources. To make them easier to understand, we point out the main differences here and provide a classification:

Authentication

Authentication describes the checking of proof of identity for authenticity, i.e. whether the person or system actually is who it claims to be.

Examples: User name/password combination, fingerprint scans, smartcards or other biometric identification methods.

Authorisation

An authorisation grants a person or system special rights so that access to certain resources is permitted.

Example: The purchasing department has no access to business secrets such as patents or sales strategies.

Practical implementation

An ID-provider works in a similar way to a doorman: its guest list contains the users stored for the information system along with their authorisations. The corresponding credentials are stored in cryptographically protected form, so that when someone wants to gain access to the system, the doorman can compare what they present with his list. Of course, new users can also be registered, i.e. added to the list by the doorman by hand!

Once authentication has been completed, for example via multi-factor authentication, a connection to the information system is established; in other words, the doorman allows the user to enter the venue. And here, too, there are different areas, from the cloakroom to the VIP lounge. A doorman is also present at the relevant key points and checks access authorisation. On a virtual level, this is referred to as an authorisation request, as not every user has, or may have, unrestricted rights to all files in the information system. These rights are also stored in the “guest list” of the ID-provider and grant access to the desired resources depending on the rights assigned.
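The doorman analogy above, as an added example (not code from the original article): a minimal identity provider holding a "guest list" with salted password hashes and per-area rights, where the authentication step and the authorisation step are deliberately separate functions. User names, passwords, areas and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Constructed parameter for the demo; production deployments follow current
# guidance for PBKDF2 iteration counts (or use a memory-hard function).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store credentials in cryptographically protected form: salt + PBKDF2 hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


class IdentityProvider:
    """The doorman: keeps the guest list and decides who gets in, and where."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}
        # Constructed access-control list: which roles may enter which "area".
        self._acl: Dict[str, Set[str]] = {
            "cloakroom": {"guest", "vip", "staff"},
            "vip_lounge": {"vip", "staff"},
            "office": {"staff"},
        }

    def register(self, username: str, password: str, roles: Set[str]) -> None:
        """The doorman adds a new entry to the list; only the hash is kept."""
        record = hash_password(password)
        record["roles"] = set(roles)
        self._users[username] = record

    def authenticate(self, username: str, password: str) -> bool:
        """Is this person who they claim to be? (proof of identity)"""
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown names so response time
            # does not reveal whether an account exists.
            hash_password(password, b"\x00" * 16)
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, record["hash"])

    def authorise(self, username: str, area: str) -> bool:
        """May this (already authenticated) person enter this area? (rights)"""
        record = self._users.get(username)
        if record is None or area not in self._acl:
            return False
        return bool(record["roles"] & self._acl[area])


def access(idp: IdentityProvider, username: str, password: str, area: str) -> str:
    """Full door check: authentication first, then the authorisation request."""
    if not idp.authenticate(username, password):
        return "denied: authentication failed"
    if not idp.authorise(username, area):
        return "denied: not authorised"
    return "granted"


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery", {"vip"})
    idp.register("bob", "hunter2", {"guest"})
    print(access(idp, "alice", "correct horse battery", "vip_lounge"))  # granted
    print(access(idp, "bob", "hunter2", "vip_lounge"))  # denied: not authorised
    print(access(idp, "bob", "wrong", "cloakroom"))  # denied: authentication failed
```

Note that a failed authorisation never tells the caller whether the credentials were correct; the two checks happen in order and each can deny independently, which is exactly the distinction the section draws.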

[Image: A doorman stands in front of a club; instead of “Security”, his T-shirt reads “ID-Provider”]

ID-providers and Single Sign-On (SSO)

A brief explanation of single sign-on:

Single sign-on refers to an authentication method where a user logs in once and then gains access to multiple systems or applications without having to log in again.

In order to enable such single sign-on, certain processes must be implemented by the ID-provider:

The user logs in to the identity provider once. This can be done by entering a user name and password or using other authentication methods such as multi-factor authentication.

After successfully logging in, the identity provider creates a digital authentication token that contains information about the user.

If the user wants to access a protected resource or application provided by a service provider, the identity provider forwards the user to this service provider.

The service provider receives the authentication token of the user. This can be done in various ways, such as through URL parameters, HTTP headers or cookies, depending on the implementation and security guidelines.

The service provider checks the validity of the authentication token to ensure that it originates from the valid identity provider and has not been tampered with. This may include checking the signature of the token, the expiration date and other security features.

After successful token validation, the service provider grants the user access to the desired resource or application without the need to log in again.
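The six steps above, as an added example that is not part of the original article: the identity provider issues a signed token after login, and the service provider validates signature, issuer, audience and expiry before granting access. The token format is modelled on a compact JWT as used by OpenID Connect, signed here with a shared HMAC secret; the secret, issuer and audience URLs and the timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo; a real deployment uses a per-provider key
# (typically an asymmetric one published by the identity provider).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://idp.example"          # the identity provider
AUDIENCE = "https://app.example"        # the service provider


class TokenError(Exception):
    """Raised by the service provider when a token must be rejected."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject: str, secret: bytes = SHARED_SECRET,
                now: Optional[int] = None, lifetime: int = 300) -> str:
    """Step 2: after login, the identity provider creates a signed token."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": AUDIENCE,
               "iat": now, "exp": now + lifetime}
    compact = ",", ":"
    signing_input = (b64url(json.dumps(header, separators=compact).encode())
                     + "." + b64url(json.dumps(payload, separators=compact).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def _decode_json(segment: str) -> dict:
    try:
        value = json.loads(b64url_decode(segment))
    except ValueError as exc:            # bad base64, bad UTF-8 or bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(value, dict):
        raise TokenError("malformed token")
    return value


def validate_token(token: str, secret: bytes = SHARED_SECRET,
                   now: Optional[int] = None) -> dict:
    """Step 5: the service provider checks origin, integrity and expiry."""
    now = int(now if now is not None else time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = _decode_json(header_b64)
    # Pin the algorithm: the token must never be allowed to choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = _decode_json(payload_b64)
    if payload.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if payload.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if now >= int(payload.get("exp", 0)):
        raise TokenError("token expired")
    return payload


def service_provider_access(token: str, now: Optional[int] = None) -> str:
    """Step 6: grant access only after successful validation."""
    try:
        claims = validate_token(token, now=now)
    except TokenError as exc:
        return f"denied: {exc}"
    return f"granted: {claims['sub']}"


if __name__ == "__main__":
    token = issue_token("alice")               # steps 1-2 at the identity provider
    print(service_provider_access(token))      # steps 4-6 at the service provider
```

The signature is checked before any claim in the payload is trusted, and the algorithm is fixed by the service provider rather than read from the token; both points matter because the token may arrive via a URL parameter, header or cookie that the user controls.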

Federated identities

In order to present themselves to customers in a more user-friendly way alongside their own identity and access management (IAM), service providers link up with ID-providers in order to work together beyond a single system. As the name suggests, service providers provide services such as web services, applications or other resources. This approach makes sense insofar as the end user does not have to create a separate account for each individual domain.

In the case of federated identities, a login takes place beyond a single system, usually via single sign-on. This is referred to as “merged identities”. The login information is transferred from one identity provider to another.

The advantage of this is that only one service provider is responsible for verifying and authenticating the user login information.

Standardized protocols

In general, there are a large number of different authentication and authorisation protocols. Open standards are important here. This is the only way to ensure secure connections between multiple systems in the context of identity and resource management.

OAuth 2.0 and OpenID Connect (OIDC) are both part of the decentralised authentication protocol IndieAuth. OAuth 2.0 provides the basis for authorisation requests by enabling secure, delegated access to resources by applications or APIs. OpenID Connect builds on this and adds the identity layer: it allows users to authenticate from different client systems, for example via the web, mobile devices or JavaScript clients, in order to exchange identity and session data.

Another option is Security Assertion Markup Language (SAML). Here, complete profiles including authentication and authorisation data are collected and exchanged between different domains.

Practical applications and examples

There are many examples of ID-providers in everyday life. After all, in the digital world, they act as a digital “ID check”. Accordingly, they can be used wherever user accounts are created.

In the private sphere, we mainly encounter the giants around Apple, Google and Meta, which enable registration with the existing account at other service providers. The use cases range from social media to online stores and a wide variety of mobile apps.

In professional life, ID-providers from the private sphere cannot be used so readily. But here, too, identity providers are in demand:

In the German healthcare sector, for example, digital patient records have been in practical use since January 2021. Access to them must be carefully regulated and managed via a trustworthy ID-provider. gematik currently bears overall responsibility for the telematics infrastructure of the Federal Republic of Germany. One example of an ID-provider in this context is Keycloak.

Educational institutions have also had to significantly expand their user infrastructure, especially recently due to the coronavirus pandemic, in order to be able to provide learning platforms such as Lernsax, Moodle and others. In the university context, Microsoft is used as an ID-provider, but mainly for the Office applications used by students.

It is not only government bodies and institutions that rely on ID-providers; the private sector is also increasingly using cloud services in the course of digitalisation. Bare.ID, for example, offers centralised user management and the linking of multiple providers via SSO.