CIAM.wiki


Identity Provider

An identity provider (IdP) is a system that creates, stores, and manages digital identities and authenticates users on behalf of relying applications, returning a trusted assertion or token rather than exposing the underlying credentials.

Also: idp

An identity provider is the authority that verifies who a user is. When a user signs in, the relying application redirects the authentication request to the IdP, which validates the user’s credentials and returns a signed assertion (in SAML) or token (in OpenID Connect) confirming the user’s identity and selected attributes.

By centralizing authentication, the IdP lets multiple applications trust a single source of identity. The application never handles the raw password or other authenticators; it only consumes the assertion the IdP issues. This separation is what makes single sign-on and identity federation possible.
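The relying-party side of this arrangement, as an added example that is not part of the CIAM.wiki entry: the application receives a signed token from the IdP and accepts the identity claims only after checking the signature, issuer, audience, expiry and login nonce. For the example the hypothetical IdP signs with HS256 (an HMAC over a secret shared with one application) so that it runs with the standard library alone; production IdPs typically sign with RS256 or ES256 against published public keys, and the claim checks are identical. The issuer URL, client id, secret and user names are constructed for this example.

```python
"""Added example (not from CIAM.wiki): a relying party validating an ID
token issued by a hypothetical identity provider.

Assumptions, all constructed for this example:
  - The IdP signs tokens with HS256 (HMAC-SHA256) using a secret shared
    with this one relying party; real IdPs usually use RS256/ES256 with
    published public keys, but the claim checks below are the same.
  - The issuer URL, client id, secret and subjects are made up.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.test"            # constructed IdP issuer
CLIENT_ID = "web-app-123"                      # constructed relying-party id
CLIENT_SECRET = b"shared-secret-from-the-idp"  # constructed, not a real secret


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, nonce: str, now: int, ttl: int = 300,
                secret: bytes = CLIENT_SECRET) -> str:
    """IdP side: mint a signed token carrying the user's identity claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,          # who issued the assertion
        "sub": subject,         # stable user identifier
        "aud": CLIENT_ID,       # which application it is intended for
        "iat": now,
        "exp": now + ttl,       # short lifetime limits replay window
        "nonce": nonce,         # binds the token to one login attempt
        "email": f"{subject}@example.test",
    }
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, expected_nonce: str, now: int,
                 secret: bytes = CLIENT_SECRET) -> dict:
    """Relying-party side: accept the assertion only if every check passes.

    The application never sees a password; the signed token is the only
    evidence of identity it consumes, so each field must be validated.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this application")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    t = 1_700_000_000
    tok = issue_token("alice", "login-nonce-1", t)
    print(verify_token(tok, "login-nonce-1", t + 10)["sub"])
```

The order of checks matters: the signature is verified before any claim is read, so the application only reasons about issuer, audience and expiry that the IdP actually attested to, and the `alg` value is pinned rather than taken from the token.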

An IdP also enforces authentication policy on behalf of the applications that trust it, including multi-factor requirements, adaptive risk checks, and session lifetime. Changing that policy at the IdP changes it for every connected application at once.

For CIAM, the IdP is the customer-facing front door. It owns the login, registration, and recovery experience for end users while shielding each downstream application from the complexity of credential management and standards-based protocol handling.
