What are Identity Providers (IdPs), and Why Do They Matter in Content Services?

Do your users have to log in and re-log in into multiple applications or systems daily? An IdP may be the solution for you.

What is an Identity Provider (IdP)?

Imagine a world where you did not need identification to get on a plane, drive a car, get prescription medication, buy alcohol, tobacco, watch movies or vote! Can you think of some problems this could cause? In our daily lives, we need to provide an ID to do quite a lot, and that’s a good thing.

Our world relies on IDs, and for things to work as intended, these IDs have to be authentic. That’s why in order to get a valid ID, you typically go to the driver’s license bureau or passport office, and have to provide pieces of paper that hopefully prove that you are you (e.g., birth certificate, bills, credit card).

In the physical world, your state’s DMV office or the passport office act as identity providers who authenticate you and provide you with an ID that proves that you are who you say you are.

Similarly, in the digital world, you need to provide identification in order to check your email, use teleconferencing, or get access to other corporate systems. Many organizations have hundreds or even thousands of different applications and systems in their environments. How do you enable secure authentication without driving your users crazy with various login prompts?

This is where IdPs can help. IdPs help create and manage digital IDs so that your users can effortlessly and securely authenticate into the various systems and services they need to use.

How do IdPs work?

In order to get a valid digital ID, you need to provide the IdP with pieces of information that prove you are you (username, password, answers to security questions, rotating number on a fob). The IdP then issues you a token that serves as your digital ID. This token is your digital proof that you are who you say you are.

Think of the IdP as a driver’s license bureau; it is a service that provides a token of your identity that another service can trust so you can access certain resources based on information contained on the token.

The following table below shows the parallels between the real-world license bureau and the digital-world IdP.

Real World Digital World
Authority Driver’s license bureau or passport office IdP
Authentication Provide birth certificate, bills, social security or national identity card, proof of citizenship, photo Provide username/password, security questions, fob/dongle
Proof of Identity Driver’s license or passport Token
Relying Party Travel authority, liquor store, movie theater, pharmacist, the police Email service, online store
Validation ID validation by checking the picture, the hologram, expiration date Token validation by cryptographic signature validation, verify token validity window
Requested Service Perform an activity that requires proof of identity: Flying, buying alcohol, tobacco, attending a movie Access a resource: send email, make an online purchase
Relevant information Date of birth, endorsements on the license, address Claims on the token, such as sub (subject)

Isn’t that what Single Sign-On (SSO) does?

An IdP ultimately provides similar functionality as an SSO, but in a more standardized way that allows applications and authentication services to limit the protocols they support. This means that there is no need for custom authentication schemes that need to be supported, limiting your attack exposures by adhering to known and trusted protocols.

Why do IdPs matter in content services?

Modern content services platforms are not the rigid, monolithic application suites of a decade ago. They are designed to be open, integrated and extensible to give you the flexibility to use the technology in ways that best fit the needs of your various users. This means that your users may no longer be consuming content services from the same single interface. Perhaps they are simply using enterprise search from inside their CRM application, or perhaps they are using an application you custom-configured for them that combines several content services like capture and workflow with third-party systems like ERP and cloud sharing.

Componentization of your IT architecture offers a lot of benefits, but can also add complexity, and this is where IdPs offer several advantages:

A Standard Authentication Experience

One benefit of an IdP is that it establishes a standard authentication experience across multiple applications and systems. Your users can know what to expect and what to do to log into all your applications. Their experience is not dictated by each application.

This has security implications as well – if your users come across a login screen that is different from the standard screen in any way, their degree of suspicion should increase.

A Standards-Based Authentication Experience

The other benefit of an IdP is that by using open standards, it becomes easy for applications to integrate into the shared authentication experience. Your IT department does not need to develop independent authentication code for internal applications, and solutions you purchase or subscribe to can easily integrate with the IdP.

Automated Authentication Experience

As noted before, IdP can also provide SSO service to enable secure authentication into multiple applications, giving your users a more seamless user experience so they can focus on being productive.

Innovation matters

The growing demand for IdP functionality is just one example that underscores the importance of continued innovation in content services. Legacy ECM systems are quickly falling behind in their ability to support infrastructure modernization initiatives and in meeting the evolving expectations of your users and customers.

This is why it is critical that content services vendors continue to innovate the core elements of their platforms to meet modern demands. Continued investment in Identity and Access Management (which includes IdP) is essential because it not only helps improve your user and developer experience, but also provides IdP capabilities that help your organization meet modern security and compliance requirements.

When considering investing in a new content or process management platform, choose one that uses standard IdP protocols like OAuth2 or OpenID Connect. This will allow you to easily federate to your existing authentication solution, be it an internal Active Directory-based solution or an external hosted solution such as Okta or Ping Federate. This will ensure seamless integration with your existing authentication experience to allow your users to access their new solutions.

+ posts

Cliff Bender is a software architect at Hyland Software.