Overview#
An Identity Broker is a service that provides Identity Correlation and acts as a Data aggregator.
Identity Broker is a generic industry term and not part of any Standard.
Identity Broker Single Sign-On [2]#
An Identity Broker is often part of a Single Sign-On Architecture as an intermediary service that connects multiple Service Providers with different Identity Provider (IDP)s. An Identity Broker or Identity Correlation service maps Identity Attributes, including unique identifiers, across multiple Identity Provider (IDP)s to the Digital Subject.
Often an Identity Broker is incorporated within the Identity Provider (IDP) service.
As an intermediary service, the Identity Broker is responsible for establishing a trust relationship with each Identity Provider (IDP) so that the Digital Identitys they assert can be used to access services exposed by Service Providers. Because every Service Provider behind the broker trusts the broker rather than the originating Identity Provider (IDP), the broker must verify the signature, issuer and audience of each inbound assertion before translating it; an assertion accepted by the broker without such checks becomes a valid token at every Service Provider the broker serves.
From a user perspective, an Identity Broker provides a user-centric and centralized way to manage Digital Identitys across different Security Domains or realms: existing Digital Identitys from different Identity Provider (IDP)s can be linked into one Digital Subject as a Federated Identity, or a new Digital Identity can be created from the identity information obtained from the various Digital Identitys. Linking should be based only on Identity Attributes the Identity Provider (IDP) asserts as verified (an unverified email address, for example, is not a safe linking key, since anyone able to register that address at one Identity Provider (IDP) could otherwise be linked to another user's Digital Subject).
Identity Brokers are usually Security Token Service providers that can translate Tokens from one standard format to another, or into the proprietary session cookie formats used by many WAM systems.
Standardized cross-app Single Sign-On Experience#
An Identity Provider (IDP) is typically based on a specific Authentication Method and communicates authentication and Authorization information to the SP. The Identity Broker, as an example, might use SPNEGO to obtain a Kerberos Ticket, use the information about the Digital Identity it carries to create a SAML V2.0 SAML Assertion for a SP which uses SAML V2.0, and transform that SAML Assertion into an Access Token for use within OAuth 2.0 or OpenID Connect. Often various Authentication Agents are installed on the Identity Broker machine to allow Cross-platform Authentication.
Often the Identity Broker would:
- have multiple Authentication Agents allowing Cross-platform Authentication.
- be a member of or have Federation into multiple domains to provide Cross-domain authentication
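The broker behaviour described above (a trust relationship with each Identity Provider (IDP), correlation of each IdP's subject identifier onto one local Digital Subject, and translation of the validated assertion into a token for the Service Provider), as an added example that is not code from the original page or from any product. It models the trust relationship with each IdP as a per-issuer HMAC key and uses compact HS256 JWTs on both sides in place of Kerberos, SAML and proprietary cookie formats; the issuer URLs, key material, claim names and the `subj-N` local identifiers are assumptions, and the sample assertions are constructed for the demonstration.

```python
"""Illustrative Identity Broker (added example, not any product's code).
Issuer URLs, keys, claim names and the local subject-id scheme are assumptions."""
import base64, hashlib, hmac, json, time

# Trust relationship with each IdP, modelled as a per-issuer shared HMAC key
# (assumption; a real broker verifies the IdP's signature with its public key).
TRUSTED_IDPS = {
    "https://idp.corp.example": b"corp-idp-shared-secret",
    "https://idp.partner.example": b"partner-idp-shared-secret",
}
BROKER_ISSUER = "https://broker.example"
BROKER_KEY = b"broker-signing-secret"   # key for tokens the broker issues (assumption)

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT carrying `claims`."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"

def verify_token(token: str, key: bytes) -> dict:
    """Verify an HS256 JWT and return its claims; ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64u_dec(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # refuse 'none' / alg confusion
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_dec(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

class IdentityBroker:
    """Maps (issuer, subject) pairs from many IdPs onto one local Digital Subject."""

    def __init__(self):
        self.links = {}      # (issuer, idp_subject) -> local subject id
        self.by_email = {}   # verified email -> local subject id
        self._next = 1

    def correlate(self, issuer: str, claims: dict) -> str:
        key = (issuer, claims["sub"])
        if key in self.links:
            return self.links[key]
        email = claims.get("email")
        verified = bool(email) and claims.get("email_verified") is True
        # Link to an existing subject only on an email the IdP asserts as
        # verified: linking on an unverified email would let a user of IdP A
        # take over the account of a user of IdP B by registering B's address.
        if verified and email in self.by_email:
            local = self.by_email[email]
        else:
            local = f"subj-{self._next}"
            self._next += 1
        self.links[key] = local
        if verified:
            self.by_email.setdefault(email, local)
        return local

    def broker(self, inbound: str, audience: str) -> str:
        """Validate an IdP assertion, correlate it, issue a token for `audience`."""
        parts = inbound.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        issuer = json.loads(_b64u_dec(parts[1])).get("iss")   # unverified peek
        if issuer not in TRUSTED_IDPS:
            raise ValueError("untrusted issuer")
        claims = verify_token(inbound, TRUSTED_IDPS[issuer])    # now verified
        if claims.get("aud") != BROKER_ISSUER:
            raise ValueError("assertion not addressed to this broker")
        now = int(time.time())
        return sign_token({"iss": BROKER_ISSUER, "sub": self.correlate(issuer, claims),
                           "aud": audience, "idp": issuer, "iat": now, "exp": now + 300},
                          BROKER_KEY)

def idp_assertion(issuer: str, sub: str, email: str, verified: bool) -> str:
    """Constructed sample assertion, as an IdP would issue it to the broker."""
    now = int(time.time())
    return sign_token({"iss": issuer, "sub": sub, "aud": BROKER_ISSUER, "email": email,
                       "email_verified": verified, "iat": now, "exp": now + 300},
                      TRUSTED_IDPS[issuer])
```

Feeding `idp_assertion("https://idp.corp.example", "alice", "alice@example.com", True)` and then a partner-IdP assertion for the same verified address through `IdentityBroker.broker()` yields tokens with the same local `sub`, while an assertion carrying an unverified address gets a fresh Digital Subject rather than being linked. The broker refuses assertions from issuers it has no trust relationship with, assertions whose signature does not verify under that issuer's key, and assertions not addressed to the broker (`aud`), which is what keeps the Service Providers behind it from trusting more than the broker itself has verified.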
The Native Applications Working Group is defining a profile of OpenID Connect (OIDC) that will enable a standardized cross-app Single Sign-On experience for native mobile applications, covering both consumer-centric and enterprise applications.
Identity Broker in Marketing [3]#
In marketing, an Identity Broker service provides Marketing data to its customers so that they can market to consumers. These Identity Broker services build aggregated data sets for marketing which are (hopefully) Anonymous data, but which also function as De-anonymization data sets. Acxiom Corporation, Google and Facebook are a few of the many Internet or Database Marketing Organizations that provide this type of service.
Privacy Considerations#
Needless to say, Identity Brokers have Privacy Considerations: as the intermediary, the broker observes which Digital Subject authenticates to which Service Provider, through which Identity Provider (IDP), and with which Identity Attributes, across every Security Domain it connects.
More Information#
There might be more information for this subject on one of the following:
- Anonymous Identity
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
- Credential Mapping
- Cross-domain authentication
- Cross-platform Authentication
- Curators
- Data aggregator
- Federated Identity
- Federation
- Federation Models
- Identity Broker
- Identity Correlation
- Identity Provider (IDP)
- Identity Verification Service
- LDAP and Bind Throttling
- Legal Entity Identifier
- Mobile Connect
- National Provider Identifier
- Ping Identity
- REAL ID
- Reverse Proxy
- Security Token Service
- Single Sign-On
- Single Sign-On Scenarios
- WEB Access Management
- WS-Trust
- [#1] - Chapter 9. Identity Broker (link unavailable) - loosely based on data observed: 2015-06-03
- [#2] - Identity Broker: An SSO Protocol Transition From OpenID Connect To WS-Federation (link unavailable) - based on information obtained 2018-09-01
- [#3] - Google and Mastercard Cut a Secret Ad Deal to Track Retail Sales (link unavailable) - based on information obtained 2018-09-01