The Identity Provider provides Web Single Sign-On capabilities, authenticating users and supplying data to services, extending their reach beyond a single organization. In addition to a simple yes/no response to an authentication request, the Identity Provider can provide a rich set of user-related data to services. This data can help the service provide a more personalized user experience, save the user from having to manually enter data the service requires, and refresh the data each time the user logs into the service.
The normal Identity Provider process is to:
- Accept a SAML authentication request from the Service Provider a user wants to access;
- Authenticate the user against your organization’s existing authentication store(s);
- Collect user data from your organization’s existing data store(s);
- Apply policy to control what data is released to which Service Provider;
- Securely transmit the collected information to the Service Provider.
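A minimal model of the first, fourth and fifth steps above, added here as an example rather than the product's own code: it parses a constructed SAML 2.0 AuthnRequest with Python's standard library, vets the requester against a hypothetical metadata table (SP_METADATA), and applies a default-deny release policy (RELEASE_POLICY) before any data is handed to the Service Provider. Authentication, assertion signing and transport encryption are out of scope here.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical registered Service Providers (in practice loaded from SAML
# metadata): only these entityIDs and endpoints may ever receive an assertion.
SP_METADATA = {
    "https://sp.example.org/sp": {"acs": {"https://sp.example.org/saml/acs"}},
}
# Release policy: entityID -> attributes that relying party may receive.
# Anything not listed is withheld (default deny).
RELEASE_POLICY = {"https://sp.example.org/sp": {"eduPersonPrincipalName", "mail"}}

def parse_authn_request(xml_text):
    """Return (issuer, acs_url) from a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if not issuer:
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.strip(), root.get("AssertionConsumerServiceURL")

def check_requester(issuer, acs_url):
    """Refuse unknown SPs and endpoints absent from the SP's metadata."""
    sp = SP_METADATA.get(issuer)
    if sp is None:
        raise ValueError(f"unknown Service Provider: {issuer}")
    if acs_url is not None and acs_url not in sp["acs"]:
        raise ValueError("AssertionConsumerServiceURL not registered for this SP")
    return acs_url or next(iter(sp["acs"]))

def release_attributes(issuer, user_attributes):
    """Apply the per-SP release policy; unlisted attributes are never sent."""
    allowed = RELEASE_POLICY.get(issuer, set())
    return {k: v for k, v in user_attributes.items() if k in allowed}

def handle(request_xml, user_attributes):
    """Accept the request, vet the requester, filter the data to release."""
    issuer, acs = parse_authn_request(request_xml)
    return check_requester(issuer, acs), release_attributes(issuer, user_attributes)

# Constructed sample request and directory record for a walk-through.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/saml/acs">
  <saml:Issuer>https://sp.example.org/sp</saml:Issuer>
</samlp:AuthnRequest>"""
SAMPLE_USER = {"eduPersonPrincipalName": "jdoe@example.edu", "mail": "jdoe@example.edu",
               "employeeNumber": "12345", "homePhone": "+1-555-0100"}
```

Calling `handle(SAMPLE_REQUEST, SAMPLE_USER)` yields the registered endpoint and only the two permitted attributes; a request from an entityID that is not in the metadata is rejected before any policy is consulted.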
Key features of the Identity Provider include:
- Out-of-the-box support for LDAP, Kerberos, JAAS, X.509, SPNEGO, Duo Security, and container-based authentication systems.
- Out-of-the-box support for reading user data from arbitrarily-structured LDAP directories and relational databases and performing simple or complex transformations on the acquired data.
- Fine-grained control over the data to release to a relying party system.
- Excellent scaling, both in performance and manageability – a single instance can handle millions of authentication requests per day and can communicate with thousands of service providers.
- Out-of-the-box high availability via client-side state management, plus additional options for database or memcache state.
- Works with any compliant SAML 1.1 and 2.0 Service Provider implementation.
- Supports the CAS 2 SSO protocol and some additional extensions.
- Extensive and carefully-managed APIs to allow the software to be extended to support custom scenarios.