Identity Provider – Common use cases

An identity provider (IdP) is a service that implements the OpenID Connect (OIDC) and SAML2 authentication protocols and identifies users, enabling their access to systems and applications. With an IdP, single sign-on (SSO) can be implemented, whereby a user, on the basis of a single authentication event, can use all applications within the scope of that authentication without authenticating separately. The IdP connects to authentication methods as needed. WeAre has implemented an authentication brokering model that relies on existing OIDC identity sources (e.g. Azure AD, Google, Facebook, etc.). The user data produced by the authentication methods can be enriched from other sources, such as the organisation's IdM system. The IdP is implemented with the open-source Shibboleth Identity Provider software.

Enrichment of identification

It is possible to implement phases in the identification process in which the user identification information obtained from the authentication method is enriched with user data from external sources. For example, if a customer's user authentication is based on the Azure AD authentication service but the user role information is stored in a separate system, the role information can be retrieved from that other system (e.g. a CRM) after the actual authentication event and then added to the authentication response. The decision on the user's access to the application can then be made based on the role information.

Enriching the authentication information as part of the authentication event removes the need to implement a separate synchronisation to the service, as the user's role is handed over during the authentication event itself.

Identification adapter

The customer may already have an identity provider service in use that is not compatible with a system that relies on it for authentication. Typically, the customer has a SAML2 authentication solution while the service implements only OIDC-based access control, or the situation may be the other way around.

The authentication service can act as an adapter, i.e. an intermediary, presenting the authentication method to the service in a protocol for which the service already has ready-made support. Even highly unique, hand-tailored services can often be placed behind authentication, even if they were not originally implemented with a single sign-on method or with support for modern authentication protocols.
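As an added illustration (not WeAre's code or Shibboleth configuration), the following Python sketch models both use cases described above: the enrichment phase that attaches roles from a separate system during the authentication event, and the adapter that renders the same enriched identity for an OIDC relying party and a SAML2 service provider. The claim and attribute names, the role source and all sample data are assumptions constructed for the example.

```python
"""Brokered IdP sketch: enrich an upstream identity with roles and render it
for OIDC and SAML2 relying parties. Added illustration; all data is constructed."""
from dataclasses import dataclass, field

# Constructed role source standing in for a CRM query made during the auth event,
# keyed by the upstream e-mail claim (assumption; a stable immutable id is safer).
CRM_ROLES = {
    "alice@example.org": ["customer-admin"],
    "bob@example.org": ["customer-user"],
}


@dataclass
class Identity:
    subject: str
    email: str
    issuer: str                       # upstream authentication source
    roles: list = field(default_factory=list)


def from_upstream_oidc(claims: dict) -> Identity:
    """Map the claims of an upstream OIDC ID token (e.g. Azure AD) to an identity."""
    return Identity(subject=claims["sub"], email=claims["email"], issuer=claims["iss"])


def enrich(identity: Identity, role_source: dict = CRM_ROLES) -> Identity:
    """Enrichment phase: fetch roles from the separate system after authentication.
    A user unknown to the role source gets no roles, so access later fails closed."""
    identity.roles = list(role_source.get(identity.email, []))
    return identity


def to_oidc_claims(identity: Identity) -> dict:
    """Adapter output for an OIDC relying party: roles travel as a claim."""
    return {"sub": identity.subject, "email": identity.email, "roles": identity.roles}


def to_saml_attributes(identity: Identity) -> dict:
    """Adapter output for a SAML2 service provider: same data as attribute values."""
    return {"uid": [identity.subject], "mail": [identity.email], "role": list(identity.roles)}


def access_decision(claims: dict, required_role: str) -> bool:
    """Relying party check: grant only when the enriched role is present (deny by default)."""
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    token = {"iss": "https://login.example.org", "sub": "u-1", "email": "alice@example.org"}
    ident = enrich(from_upstream_oidc(token))
    print(to_oidc_claims(ident), access_decision(to_oidc_claims(ident), "customer-admin"))
```

The relying party never consults the CRM itself; it only sees the role that the IdP attached at authentication time, which is what makes a separate synchronisation unnecessary.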
