Could someone please help me to understand the difference among the following entities in IAM with real-world examples.
Thanks
An IdP is an Authoritative Source of identities for an organisation. An entity outwith the organisation can allow identities provided by the IdP to log in to its resources, for example ebooks. The IdP can choose to use SSO, which means the identities (i.e. the users) only need to provide their credentials once (username/password for example) for as long as an SSO session lasts, for example 24 hours.

In order for an external resource provider such as an ebook provider to request that identities (i.e. users) be identified at login, it can ask the IdP to release information about those identities using either SAML or OAuth2.

The IdP and external resource provider can have SSO independent of each other. A typical flow might be:
1. The user visits someebooks.com.
2. someebooks.com sends the user to the IdP along with SAML requesting the user be authenticated by the IdP.
3. The IdP authenticates the user and sets up an SSO session for them.
4. The IdP sends the user back to someebooks.com with some SAML containing information about the user.
5. someebooks.com sets up its own SSO session for the user.
6. When that SSO session finishes, go back to step 2.
7. The user visits morebooks.com, which sends them to the IdP. As they already have an IdP SSO session from step 3, they don't need to log in again.
8. The IdP sends the user to morebooks.com with information about them in SAML.

The flow is similar for OAuth2. It uses different tokens from SAML. Both are a way of requesting that an identity (user) be authenticated by its Authoritative Source and that the Authoritative Source release information about the user.

OAuth2 uses a token released by the IdP to allow, for example, someebooks.com to directly request information about the user from the IdP. It's more complex than SAML.
Information about the user might be a course enrolment, e.g. they are studying for a medical degree. An ebook provider may only be prepared to allow access to its ebooks to medical students. The information in the SAML or OAuth2 response from the IdP (step 4) may include this information, if they are studying for a medical degree. The IdP knows this as it is the Authoritative Source for the user.
In summary, the IdP AUTHENTICATES the user and the result is sent to the resource provider, which AUTHORIZES the user based on information about the user the IdP sends to it (SAML) or based on information it asks the IdP to release about the user (OAuth2).
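The numbered flow and the authenticate-versus-authorize split in the answer above, as an added worked example (this is not code from the question or the answer). It is a constructed toy in Python: the university IdP, the two ebook sites, the user "alice", her password and the "affiliation" attribute are all made up, and the "assertion" is a JSON body signed with an HMAC shared key standing in for a real XML-signed SAML assertion. The checks the resource provider performs have the same shape as the real thing: verify the signature, issuer, audience and expiry of what the IdP said, and only then make its own authorization decision on the released attribute and open its own, independent session.

```python
import hashlib
import hmac
import json
import secrets

IDP_SSO_LIFETIME = 24 * 3600  # IdP SSO session, 24 hours as in the answer
SP_SESSION_LIFETIME = 3600    # the SP's own session, independent of the IdP's
ASSERTION_LIFETIME = 300      # an assertion is only consumable for a few minutes


class IdP:  # Authoritative Source: authenticates users and releases information about them
    def __init__(self, entity_id, signing_key, directory):
        self.entity_id = entity_id
        self.signing_key = signing_key
        self.directory = directory  # username -> {"password": ..., "attributes": {...}} (constructed)
        self.sso_sessions = {}      # IdP SSO cookie -> (username, expiry)

    def login(self, username, password, now):
        """Step 3: check credentials and open an IdP SSO session. Returns a cookie or None."""
        user = self.directory.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        cookie = secrets.token_hex(16)
        self.sso_sessions[cookie] = (username, now + IDP_SSO_LIFETIME)
        return cookie

    def request_assertion(self, sso_cookie, sp_entity_id, now):
        """Steps 2/7: an SP sends the user here; a live SSO session means no password prompt.
        Steps 4/8: the result is a signed statement about the user addressed to exactly one SP."""
        session = self.sso_sessions.get(sso_cookie)
        if session is None or session[1] <= now:
            return None  # no usable SSO session: the user has to go through login()
        payload = {"issuer": self.entity_id, "audience": sp_entity_id, "subject": session[0],
                   "attributes": self.directory[session[0]]["attributes"],
                   "not_on_or_after": now + ASSERTION_LIFETIME}
        body = json.dumps(payload, sort_keys=True).encode()
        return {"body": body, "signature": hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()}


class ServiceProvider:  # external resource provider (an ebook site); authorizes on released attributes
    def __init__(self, entity_id, idp_entity_id, idp_key, required_affiliation):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.idp_key = idp_key  # the SP's copy of the IdP's verification key (a shared HMAC key here)
        self.required_affiliation = required_affiliation
        self.sessions = {}  # SP cookie -> (username, expiry)

    def consume_assertion(self, assertion, now):
        """Verify what the IdP said, then make the SP's own access decision. Returns (cookie, reason)."""
        expected = hmac.new(self.idp_key, assertion["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None, "bad signature"
        claims = json.loads(assertion["body"])
        if claims["issuer"] != self.idp_entity_id:
            return None, "unknown issuer"
        if claims["audience"] != self.entity_id:
            return None, "assertion was issued for another SP"
        if claims["not_on_or_after"] <= now:
            return None, "assertion expired"
        # Authentication was the IdP's job; this AUTHORIZE step is the SP's alone.
        if claims["attributes"].get("affiliation") != self.required_affiliation:
            return None, f"{claims['subject']} is not a {self.required_affiliation}"
        cookie = secrets.token_hex(16)  # step 5: the SP's own SSO session
        self.sessions[cookie] = (claims["subject"], now + SP_SESSION_LIFETIME)
        return cookie, "access granted"

    def has_session(self, cookie, now):
        session = self.sessions.get(cookie)
        return session is not None and session[1] > now


def run_flow():
    """Walk the numbered steps of the answer with constructed data; returns each stage's outcome."""
    key = secrets.token_bytes(32)  # stands in for the IdP's signing key / the SPs' copy of its certificate
    idp = IdP("https://idp.example-university.edu", key, {
        "alice": {"password": "correct horse", "attributes": {"affiliation": "medical-student"}},
    })
    someebooks = ServiceProvider("https://someebooks.com", idp.entity_id, key, "medical-student")
    morebooks = ServiceProvider("https://morebooks.com", idp.entity_id, key, "law-student")
    now, out = 1_700_000_000, {}
    # Steps 1-3: first visit, no IdP SSO session yet, so the IdP asks for a password.
    out["needs_login_first"] = idp.request_assertion("no-cookie", someebooks.entity_id, now) is None
    sso = idp.login("alice", "correct horse", now)
    # Steps 4-5: signed assertion back to someebooks.com, which verifies, authorizes and opens its session.
    sp_cookie, out["someebooks"] = someebooks.consume_assertion(
        idp.request_assertion(sso, someebooks.entity_id, now), now)
    # Step 6: the SP session ends long before the IdP one; back to step 2 without a password.
    later = now + SP_SESSION_LIFETIME + 1
    out["sp_session_expired"] = not someebooks.has_session(sp_cookie, later)
    out["idp_session_alive"] = idp.request_assertion(sso, someebooks.entity_id, later) is not None
    # Steps 7-8: morebooks.com. The IdP authenticates silently, but morebooks still refuses: authorization.
    _, out["morebooks"] = morebooks.consume_assertion(idp.request_assertion(sso, morebooks.entity_id, later), later)
    # Two checks an SP must not skip: attributes edited in transit, and an assertion meant for another SP.
    forged = idp.request_assertion(sso, morebooks.entity_id, later)
    forged["body"] = forged["body"].replace(b"medical-student", b"law-student")
    _, out["tampered"] = morebooks.consume_assertion(forged, later)
    _, out["replayed"] = morebooks.consume_assertion(idp.request_assertion(sso, someebooks.entity_id, later), later)
    return out
```

Calling run_flow() returns one entry per stage: someebooks.com grants access, the IdP SSO session outlives the SP session so the return trip to the IdP needs no password, morebooks.com accepts the same authentication but refuses on its own authorization rule, and an assertion with edited attributes or one addressed to a different SP is rejected before any authorization decision is made. The last two checks are where a real SP deployment most often goes wrong: an SP that trusts attributes without verifying the signature, or accepts an assertion issued for another audience, has handed the authorization decision to whoever can intercept a token.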