Architecture

Identity Provider (IdP)

An Identity Provider (IdP) is the system that authenticates users (or workloads) and issues signed assertions about their identity to other applications — Okta, Microsoft Entra ID, Google Workspace, Auth0, Ping Identity, and Keycloak are common examples.

Last reviewed 5/30/2026

Key points

  • The IdP holds the authoritative user record and credentials (or delegates to social/enterprise IdPs).
  • In SAML, the IdP issues signed Assertions to Service Providers. In OIDC, the OpenID Provider (OP) issues ID tokens to Relying Parties.
  • Workforce IdPs: Okta, Microsoft Entra ID, Google Workspace, Ping, JumpCloud. CIAM IdPs: Auth0, Cognito, Keycloak, FusionAuth, Stytch.
  • An IdP is the chokepoint for MFA, conditional access, lifecycle (SCIM), and audit — making it the single most important system in your security stack.
  • Federated IdPs let you accept identities from external orgs (B2B SSO) or social networks (consumer login).

What is an Identity Provider?

An Identity Provider (IdP) is the system of record for who a user (or workload) is, and the authority that signs cryptographic assertions telling other applications "yes, this is alice@acme.com, here's what we know about her."

In the SSO world, the IdP authenticates the user once, then issues short-lived tokens that downstream applications — called Service Providers (SPs) in SAML or Relying Parties (RPs) in OIDC — accept as proof of identity.
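The issue-then-accept exchange described above, as an added example that is not from the original page: the IdP mints a short-lived ID token after authenticating alice, and the RP treats it as proof of identity only after checking the signature, issuer, audience and expiry. The issuer URL, client_id and secret are constructed; the token is signed HS256 with the client_secret (a signing mode OIDC permits) so the example runs on the Python standard library, whereas production IdPs normally sign RS256/ES256 with keys published at their JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example, not taken from any real deployment.
IDP_ISSUER = "https://idp.example.com"
RP_CLIENT_ID = "rp-payroll"
# OIDC allows HS256 ID tokens keyed on the client_secret shared by OP and RP;
# real IdPs normally use RS256/ES256 with a public key from the JWKS endpoint.
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(sub: str, now: int, ttl: int = 300) -> str:
    """IdP side: the user authenticated once, so mint a short-lived signed ID token."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": RP_CLIENT_ID,
              "iat": now, "exp": now + ttl}
    signing_input = f"{header}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def verify_id_token(token: str, now: int) -> dict:
    """RP side: accept the token as proof of identity only if every check passes."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm before trusting anything else in the token.
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("signature not from the trusted IdP")
    claims = json.loads(_unb64(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("token minted for a different RP")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

The audience check is what stops a token issued for one RP from being replayed to another RP that trusts the same IdP.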

What the IdP owns

  • Credentials and authenticators — passwords (ideally none), passkeys, FIDO2 keys, TOTP, push, biometrics.
  • The authentication policy — MFA rules, conditional access, device trust, risk-based step-up.
  • The user directory — either native (Entra ID, Google Workspace) or synced from an HRIS / on-prem AD.
  • Federation trust — relationships with downstream SPs (via SAML metadata or OIDC client registration) and upstream IdPs (social, B2B).
  • Audit and logs — every sign-in, every consent grant, every admin change.

Workforce vs CIAM IdPs

| Workforce IdP | CIAM IdP |
| --- | --- |
| Okta, Entra ID, Google Workspace, Ping, JumpCloud | Auth0, Cognito, Keycloak, FusionAuth, Stytch, WorkOS, Frontegg |
| Optimized for employees: SCIM, lifecycle, MFA enforcement | Optimized for customers: progressive profiling, social login, multi-tenant, B2B SSO |
| ~$3–15 per user/month | Pricing by MAU |
| HRIS-driven JML | Self-service signup, account recovery, consent management |

When buyers care

Picking the IdP is the single biggest identity decision a company makes:

  • Cost of switching is enormous — every downstream SP integration has to be re-federated.
  • Security depends on it: a compromised IdP is effectively a compromise of every application that trusts its assertions (the Okta breaches, Midnight Blizzard).
  • It defines your MFA story, lifecycle automation ceiling, and B2B SSO capabilities.

Editorial note

When evaluating an IdP, score on these, in order: (1) phishing-resistant MFA support and policy granularity, (2) lifecycle (SCIM in/out and HRIS-driven), (3) admin model (delegated admin, just-in-time elevation, MFA on admins), (4) audit & logs (export to SIEM, retention), (5) breach history and customer-facing incident response.