Identity Broker
An identity broker is an intermediary that sits between applications and multiple identity providers, giving each application one integration point while the broker handles federation, protocol translation, and routing each user to whichever provider authenticates them.
Also: identity brokering, federation broker, broker
An identity broker is a hub for authentication. Applications connect to the broker instead of to each identity provider directly, and the broker federates out to the providers behind it. To the application there is one connection and one token format. Behind the broker there can be many providers, each reached over whatever protocol it speaks.
Two jobs make a broker useful. It translates between protocols, so an application that speaks OpenID Connect can accept a user who authenticated through a SAML provider. And it routes, deciding which provider should handle a given user and applying consistent policy, such as a step-up requirement, at a single point rather than in every application.
In CIAM this matters because the same platform often has to accept very different login sources. Consumers arrive through social providers, business partners arrive through their own corporate identity providers, and increasingly users present credentials from a digital wallet. A broker lets all of these resolve into one customer identity without each downstream application integrating them separately. A broker handles the federation plumbing; an orchestration layer adds the journey logic, such as conditional flows and progressive data collection, on top of it.
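The two broker jobs above (protocol translation and routing with policy applied at one point) are easiest to see in code. The following is an added, self-contained model and not code from any broker product: one SAML partner provider and one OIDC social provider sit behind a broker, the broker picks the provider from the login hint's email domain (home-realm discovery), translates whichever response comes back into a single token shape, and enforces a step-up rule once rather than in every application. The provider names, routing table, users and claim values are constructed, and the model starts at the callback step, so it assumes the upstream assertion or ID token has already been signature-checked.

```python
"""Minimal identity-broker model: applications see one token shape, each
provider returns its own protocol's claims, and routing plus policy live in
one place. Illustrative code; every provider, claim and user is constructed,
and upstream responses are assumed to be already signature-verified."""
from dataclasses import dataclass, asdict

# --- What the providers return (constructed samples) ----------------------
# A SAML provider hands back assertion attributes plus an AuthnContext class.
SAML_PASSWORD_ONLY = {
    "NameID": "alice@partner.example",
    "attributes": {"givenName": "Alice", "mail": "alice@partner.example"},
    "AuthnContextClassRef":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}
SAML_WITH_TOKEN = dict(
    SAML_PASSWORD_ONLY,
    AuthnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken")
# An OIDC social provider hands back ID-token claims (amr values per RFC 8176).
OIDC_SOCIAL = {"sub": "1234567890", "email": "bob@mail.example",
               "given_name": "Bob", "amr": ["pwd"]}

# --- Broker configuration (constructed) -----------------------------------
ROUTES = {"partner.example": "partner-saml"}   # home-realm discovery by domain
DEFAULT_PROVIDER = "social-oidc"
PROVIDER_PROTOCOL = {"partner-saml": "saml", "social-oidc": "oidc"}
# Upstream authentication contexts the broker counts as multi-factor.
SAML_MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}
OIDC_MFA_AMR = {"mfa", "otp", "hwk"}
# Policy applied once, at the broker: partner users must have used MFA.
MFA_REQUIRED_PROVIDERS = {"partner-saml"}


@dataclass
class BrokeredIdentity:
    """The single token shape every application behind the broker receives."""
    sub: str            # broker-scoped subject: "<provider>:<upstream subject>"
    email: str
    given_name: str
    idp: str            # which provider actually authenticated the user
    mfa: bool           # whether the upstream authentication counted as MFA


def route(login_hint: str) -> str:
    """Pick the provider for a user from the domain of the login hint."""
    domain = login_hint.rsplit("@", 1)[-1].lower()
    return ROUTES.get(domain, DEFAULT_PROVIDER)


def from_saml(idp: str, assertion: dict) -> BrokeredIdentity:
    """Translate SAML assertion attributes into the broker's token shape."""
    attrs = assertion["attributes"]
    return BrokeredIdentity(
        sub=f"{idp}:{assertion['NameID']}", email=attrs["mail"],
        given_name=attrs["givenName"], idp=idp,
        mfa=assertion["AuthnContextClassRef"] in SAML_MFA_CONTEXTS)


def from_oidc(idp: str, claims: dict) -> BrokeredIdentity:
    """Translate OIDC ID-token claims into the broker's token shape."""
    return BrokeredIdentity(
        sub=f"{idp}:{claims['sub']}", email=claims["email"],
        given_name=claims["given_name"], idp=idp,
        mfa=bool(OIDC_MFA_AMR & set(claims.get("amr", []))))


TRANSLATORS = {"saml": from_saml, "oidc": from_oidc}


def broker_login(login_hint: str, upstream_response: dict) -> dict:
    """Route, translate the provider's response into one token shape, then
    apply policy once. Returns {"token": ...} for the application, or
    {"step_up": idp, "sub": ...} when the policy is not yet satisfied."""
    idp = route(login_hint)
    identity = TRANSLATORS[PROVIDER_PROTOCOL[idp]](idp, upstream_response)
    if idp in MFA_REQUIRED_PROVIDERS and not identity.mfa:
        return {"step_up": idp, "sub": identity.sub}
    return {"token": asdict(identity)}


if __name__ == "__main__":
    print(broker_login("alice@partner.example", SAML_PASSWORD_ONLY))  # step-up
    print(broker_login("alice@partner.example", SAML_WITH_TOKEN))     # token
    print(broker_login("bob@mail.example", OIDC_SOCIAL))              # token
```

The application never sees a SAML attribute name or an `amr` array; it receives the same `BrokeredIdentity` fields whichever provider was used, and the step-up rule for partner users lives in `MFA_REQUIRED_PROVIDERS` rather than being re-implemented by each application.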
Sources
- OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html
Standards
- OpenID Connect Core 1.0
- OASIS SAML 2.0