Identity Broker


An Identity Broker is an intermediary service that connects multiple Service Providers with different Identity Providers (IDPs).

An Identity Broker or Identity Correlation service maps Identity Attributes, including unique identifiers, across multiple Identity Providers (IDPs) to the Digital Subject.

Often an Identity Broker is incorporated within the Identity Provider (IDP) service.

As an intermediary service, the Identity Broker is responsible for creating a trust relationship with Identity Providers (IDPs) in order to use the Digital Identities to access services exposed by Service Providers.

From a user perspective, an Identity Broker provides a user-centric and centralized way to manage Digital Identities across different Security Domains or realms, where existing Digital Identities from different Identity Providers (IDPs) can be linked into one Digital Subject as a Federated Identity, or one can even be created based on the identity information obtained from the various Digital Identities.
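The correlation and linking described above can be sketched as a small link table. This is an added example, not code from the original page or from any broker product; `CorrelationStore`, `DigitalSubject` and `LinkError` are hypothetical names. It keys each link on the (issuer, subject identifier) pair, because an identifier is only unique within the Identity Provider that issued it.

```python
from dataclasses import dataclass, field
import uuid


class LinkError(Exception):
    """Raised when a request would rebind an already-linked identity."""


@dataclass
class DigitalSubject:  # hypothetical record for one Digital Subject
    subject_id: str
    attributes: dict = field(default_factory=dict)
    identities: set = field(default_factory=set)  # (issuer, idp_subject) pairs


class CorrelationStore:
    """Hypothetical in-memory correlation table for an Identity Broker."""

    def __init__(self):
        self._subjects = {}  # subject_id -> DigitalSubject
        self._links = {}     # (issuer, idp_subject) -> subject_id

    def resolve(self, issuer, idp_subject):
        """Return the Digital Subject linked to this IdP identity, or None."""
        sid = self._links.get((issuer, idp_subject))
        return self._subjects.get(sid) if sid else None

    def create_from(self, issuer, idp_subject, attributes):
        """Create a new Digital Subject from the first identity seen."""
        if (issuer, idp_subject) in self._links:
            raise LinkError("identity already linked")
        subject = DigitalSubject(str(uuid.uuid4()), dict(attributes))
        self._subjects[subject.subject_id] = subject
        self._bind(subject, issuer, idp_subject)
        return subject

    def link(self, subject, issuer, idp_subject, attributes):
        """Link a further IdP identity to an existing Digital Subject."""
        owner = self._links.get((issuer, idp_subject))
        if owner is not None and owner != subject.subject_id:
            raise LinkError("identity belongs to a different subject")
        self._bind(subject, issuer, idp_subject)
        # Attributes already held win; the new IdP only fills gaps.
        for key, value in attributes.items():
            subject.attributes.setdefault(key, value)
        return subject

    def _bind(self, subject, issuer, idp_subject):
        self._links[(issuer, idp_subject)] = subject.subject_id
        subject.identities.add((issuer, idp_subject))
```

The same identifier string arriving from two different issuers resolves to two different entries, and `link` refuses to move an identity that is already bound to another Digital Subject.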

Standardized cross-app Single Sign-On Experience

An Identity Provider (IDP) is typically based on a specific Authentication Method and communicates Authentication and Authorization information to the Service Provider (SP). The Identity Broker, as an example, might use SPNEGO to obtain a Kerberos Ticket and information on the Digital Identity, to be able to create a SAML V2.0 SAML Assertion for an SP which uses SAML V2.0, and transform the SAML Assertion into an Access Token for use within OAuth 2.0 or OpenID Connect.

Often various Authentication Agents would be installed on an Identity Broker machine allowing Cross-platform Authentication.

Often the Identity Broker would:

which would allow Single Sign-On ability for multiple platforms and domains.

The Native Applications Working Group is defining a profile of OpenID Connect (OIDC) that will enable a standardized cross-app Single Sign-On experience model for native mobile applications, both consumer-centric and enterprise.
