Overview#
Identity Broker is a service that provides Identity Correlation.
Identity Broker is a generic industry term and not part of any Standard.
Identity Broker Single Sign-On#
An Identity Broker is often part of a Single Sign-On Architecture as an intermediary service that connects multiple Service Providers with different Identity Providers (IDPs).
Often an Identity Broker is incorporated within the Identity Provider (IDP) service.
As an intermediary service, the Identity Broker is responsible for creating a trust relationship with Identity Providers (IDPs) in order to use their Digital Identities to access services exposed by Service Providers.
From a user's perspective, an Identity Broker provides a user-centric and centralized way to manage Digital Identities across different Security Domains or realms, where existing Digital Identities from different Identity Providers (IDPs) can be linked into one Digital Subject as a Federated Identity, or the Digital Subject can even be created based on the identity information obtained from the various Digital Identities.
Identity Brokers are usually Security Token Service providers that can translate identity Tokens from one standard format to another, or to the proprietary session cookie formats used by many WAM systems.
Standardized cross-app Single Sign-On Experience#
Typically, an Identity Provider (IDP) is based on a specific Authentication Method and communicates authentication and Authorization information to the SP. The Identity Broker, as an example, might use SPNEGO to obtain a Kerberos Ticket and information on the Digital Identity, create a SAML V2.0 SAML Assertion for an SP which uses SAML V2.0, and transform the SAML Assertion into an Access Token for use within OAuth 2.0 or OpenID Connect.
Often the Identity Broker would:
- have multiple Authentication Agents allowing Cross-platform Authentication.
- be a member of or have Federation into multiple domains to provide Cross-domain authentication.
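An added example, not part of the original page or any product's code: a minimal broker exchange showing the trust check, Identity Correlation and token re-issuance described above. HMAC-signed JSON stands in for the SAML Assertion and Access Token formats, and every issuer, key and subject name is constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: per-IdP trust keys and the broker's own signing key.
TRUSTED_IDPS = {"https://idp-a.example": b"key-a", "https://idp-b.example": b"key-b"}
BROKER_ISS, BROKER_KEY = "https://broker.example", b"broker-key"
# Identity Correlation: (issuer, subject) pairs linked to one Digital Subject.
LINKS = {("https://idp-a.example", "alice@a"): "subject-001",
         ("https://idp-b.example", "asmith"): "subject-001"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 tag (stand-in token format)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)

def verify(token: str, key: bytes, now: float) -> dict:
    """Check the tag in constant time, then the expiry; return the claims."""
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def peek_issuer(token: str) -> str:
    """Read the unverified issuer only to choose which trust key to use."""
    return json.loads(_unb64(token.partition(".")[0])).get("iss", "")

def broker_exchange(idp_token: str, sp_audience: str, now=None) -> str:
    """Validate an IdP token addressed to the broker and mint one for the SP."""
    now = time.time() if now is None else now
    iss = peek_issuer(idp_token)
    if iss not in TRUSTED_IDPS:
        raise ValueError("untrusted issuer")
    claims = verify(idp_token, TRUSTED_IDPS[iss], now)
    if claims.get("aud") != BROKER_ISS:
        raise ValueError("token not addressed to broker")
    subject = LINKS.get((iss, claims["sub"]))
    if subject is None:
        raise ValueError("no linked Digital Subject")
    return sign({"iss": BROKER_ISS, "sub": subject, "aud": sp_audience,
                 "exp": now + 300}, BROKER_KEY)
```

The issued token is bound to a single SP audience and a short lifetime, so a token minted for one Service Provider is not reusable at another.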
The Native Applications Working Group is defining a profile of OpenID Connect (OIDC) that will enable a standardized cross-app Single Sign-On experience model for native mobile applications on both consumer-centric and enterprise applications.
Marketing data to their customers to be able to perform Marketing to customers. These Identity Broker Services build (hopefully) De-anonymization data sets which create Anonymous data on marketing. Privacy Considerations
More Information#
There might be more information for this subject on one of the following:
- Anonymous Identity
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
- Credential Mapping
- Cross-domain authentication
- Cross-platform Authentication
- Data aggregator
- Federated Identity
- Federation Models
- Identity Broker
- Identity Correlation
- Identity Provider (IDP)
- Identity Verification Service
- LDAP and Bind Throttling
- Legal Entity Identifier
- Mobile Connect
- National Provider Identifier
- Ping Identity
- Proxy Server
- Reverse Proxy
- Security Token Service
- Single Sign-On
- Single Sign-On Scenarios
- WEB Access Management