Summary
An identity provider (IdP) is the trusted service responsible for authenticating users and machines, and for issuing tokens or assertions that applications use to grant access.
What is an Identity Provider?
The IdP centralises everything related to "who is this user." It stores accounts, group memberships, and credentials; runs authentication flows including multi-factor; and issues standardised tokens — OIDC ID tokens, OAuth 2.0 access tokens, or SAML assertions — that applications consume. Applications themselves do not store passwords; they trust the IdP.
Self-hosted IdPs include Keycloak, Zitadel, Authentik, and PocketID. Managed IdPs include Microsoft Entra ID, Google Workspace, Okta, Auth0, and JumpCloud. Most modern platforms accept any of them by speaking the same open standards (OIDC, OAuth 2.0, SAML), so organisations can keep their identity choice consistent across cloud services, internal apps, and infrastructure tools such as mesh VPNs.
In a Zero Trust context, the IdP becomes the anchor of every access decision: the connection from a user to an internal service is allowed only if a valid, signed token from the trusted IdP backs it. Identity provisioning into the IdP itself is typically automated via SCIM from an HR or directory system.
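A worked example of the check described above, added here as illustration and not code from the original glossary entry or from any IdP product: a relying party verifies an OIDC ID token (a compact JWS signed with ES256) against the IdP public key, issuer URL and audience it has pinned, and rejects tokens that fail any of those checks. The issuer https://idp.example.test, the client_id wiki-app, the throwaway keys, the rogue key and every token are constructed for the example; the signing function is only there so the example runs offline, since applications never mint tokens themselves. The example assumes a single-string aud claim and no clock-skew tolerance on exp, and a real application would load the IdP's public key from its JWKS endpoint rather than generating one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims the relying party checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // single-string audience; real tokens may carry an array
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodePart base64url-decodes one JWT segment and unmarshals its JSON.
func decodePart(seg string, dst any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, dst)
}

// signES256 mints a compact JWS the way an IdP would; it is here only so the example runs offline.
func signES256(priv *ecdsa.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c) // a plain struct cannot fail to marshal
	signingInput := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(payload)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JWS ES256 signatures are fixed-width R||S, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig)
}

// verify is the check behind the Zero Trust access decision: the application pins the IdP's
// public key, issuer URL and its own client_id (audience), and lets the token choose none of them.
func verify(key *ecdsa.PublicKey, issuer, audience, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if hdr.Alg != "ES256" || err != nil || len(sig) != 64 { // rejects alg=none and algorithm confusion
		return nil, fmt.Errorf("unexpected alg %q or bad signature encoding", hdr.Alg)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(key, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != audience || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// RunChecks mints tokens with a throwaway key and reports which ones verify; all values are constructed.
func RunChecks() map[string]bool {
	idpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key the app never trusted
	issuer, audience := "https://idp.example.test", "wiki-app"
	good := Claims{Iss: issuer, Aud: audience, Exp: time.Now().Add(5 * time.Minute).Unix()}
	wrongAud := Claims{Iss: issuer, Aud: "other-app", Exp: good.Exp}
	tokens := map[string]string{
		"valid":          signES256(idpKey, good),
		"untrusted key":  signES256(rogueKey, good),
		"wrong audience": signES256(idpKey, wrongAud),
		"alg none":       b64([]byte(`{"alg":"none"}`)) + "." + b64([]byte(`{"sub":"alice"}`)) + ".",
	}
	accepted := make(map[string]bool, len(tokens))
	for name, tok := range tokens {
		_, err := verify(&idpKey.PublicKey, issuer, audience, tok)
		accepted[name] = err == nil
	}
	return accepted
}

func main() { fmt.Println(RunChecks()) } // only "valid" should print true
```

Running it with `go run` prints a map in which only the token signed by the pinned key, for this audience, from the trusted issuer and still inside its validity window is accepted. The order of checks matters: the algorithm is fixed by the verifier before the signature is examined, the signature is checked before any claim is read, and only then are issuer, audience and expiry compared, so an application never acts on claims from a token whose origin it has not established.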
Why is an Identity Provider relevant?
- Single source of truth: One place to manage accounts, groups, and authentication policy
- Zero Trust foundation: Every access check ultimately depends on an IdP-issued token
- Open standards: OIDC, OAuth 2.0, and SAML keep applications portable across IdPs
- Auditability: Centralised authentication logs simplify compliance and incident response
Related Terms
- Single Sign-On: User-facing experience built on IdP-issued tokens
- Multi-Factor Authentication: Strength check the IdP enforces
- SCIM: Protocol used to provision and de-provision identities into the IdP
- Keycloak: Open-source IdP commonly self-hosted in EU setups
- Zero Trust: Security model anchored on IdP-issued identity for every request