Overview#An Identity Broker is an intermediary service that connects multiple Service Providers with different Identity Provider (IDP)s.
Often a Identity Broker is incorporated within the Identity Provider (IDP) service.
As an intermediary service, the Identity Broker is responsible to create a trust relationship with Identity Provider (IDP)s in order to use the Digital Identitys to access services exposed by Service Providers.
From an user perspective, an Identity Broker provides an user-centric and centralized way to manage Digital Identitys across different Security Domains or realms, where an existing Digital Identitys can be linked with into one Digital Subject as a Federated Identity from different Identity Provider (IDP)s or even created based on the identity information obtained from the various Digital Identitys.
Standardized cross-app Single Sign-On Experience#Typically, An Identity Provider (IDP) is usually based on a specific Authentication Method and communicates authentication and Authorization information to the SP. The Identity Broker as an example, might utilize a SPNEGO to obtain a Kerberos Ticket and obtain information on the Digital Identity to be able to create a SAML V2.0 SAML Assertion into a SP which uses SAML V2.0 and transform the SAML Assertion into a Access Token for use within OAuth 2.0 or OpenID Connect.
Often the Identity Broker would:
- have multiple Authentication Agents allowing Cross-platform Authentication.
- be a member of or have Federation into multiple domains to provide Cross-domain authentication
The Native Applications Working Group is defining a profile of OpenID Connect (OIDC) that will enable a standardized cross-app Single Sign-On experience model for native mobile applications on both consumer-centric and enterprise applications.
More Information#There might be more information for this subject on one of the following:
- Account Linking
- Anonymous Identity
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
- Credential Mapping
- Cross-domain authentication
- Cross-platform Authentication
- Federated Identity
- Federated Identity Management
- Federation Models
- Identity Broker
- Identity Provider (IDP)
- Mobile Connect
- Ping Identity
- Proxy Server
- Single Sign-On
- Single Sign-On Scenarios
- WEB Access Management
- Web Blog_blogentry_030615_1
- Web Blog_blogentry_231015_1