What is an Identity Provider (IdP)?
An identity provider is a system that:
1. Creates and manages identities.
2. Authenticates users and services.
3. Protects identity data through security protocols.
Example: Microsoft Entra ID manages your company’s users, validates credentials with
MFA, and issues secure tokens to apps like Teams or SharePoint.
Core components
Repository of user identities. Stores usernames, passwords, and attributes.
Authentication system. Verifies credentials or biometrics.
Security protocols. Defend against intrusion and ensure secure transactions.
Benefits of IdPs
Enable Single Sign-On (SSO) — users sign in once to access multiple services.
Reduce password fatigue and risk of credential theft.
Support seamless connections between devices, cloud resources, and apps.
Common Identity Protocols
| Protocol | Purpose | Description |
|---|---|---|
| OpenID Connect (OIDC) | Authentication | Built on OAuth 2.0; issues JSON Web Tokens (JWTs) through REST APIs. Example: “Sign in with Microsoft” buttons on third-party apps. |
| SAML (Security Assertion Markup Language) | Authentication + Authorization | XML-based standard exchanging “assertions” between IdP and service provider. Example: logging in to Salesforce with corporate credentials. |
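Added example (not from the page): what a relying party does with the JWT an OIDC IdP issues, namely verify the signature and then check the issuer, audience and expiry claims before trusting the identity. The issuer, audience and HMAC key are constructed for the demo; production IdPs such as Entra ID sign with RS256 keys published at the JWKS endpoint, so HS256 is used here only so the block runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo: the relying party's expected issuer and
# audience, and a shared HMAC key standing in for the IdP's signing key.
EXPECTED_ISSUER = "https://login.example-idp.test/tenant-id/v2.0"
EXPECTED_AUDIENCE = "api://demo-app"
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (header.payload.signature) the way an IdP would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, key: bytes = DEMO_KEY, now=None):
    """Relying-party checks: signature first, then iss, aud and exp.
    Returns the claims dict on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm: never let the token choose (rejects "none" and confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    # A valid signature from the wrong tenant or for another app is still a reject.
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims
```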
Microsoft Identity Provider Options
| Service | Deployment | Description | Use Case |
|---|---|---|---|
| Active Directory Domain Services (AD DS) | On-premises | Full LDAP server with authentication, Group Policy, and trusts. | Traditional enterprise domain-joined Windows environments. |
| Microsoft Entra ID | Cloud | Identity as a Service (IDaaS) for users, apps, and devices. Supports Microsoft 365 and SaaS apps. | Cloud-first or hybrid organizations. |
| Microsoft Entra Domain Services (Entra DS) | Managed domain service in Azure | Provides domain join, Group Policy, LDAP, and Kerberos/NTLM without deploying AD servers. | Legacy apps lifted to Azure that need traditional domain features. |
Example Integration:
An organization running on-prem AD DS synchronizes identities to Entra ID via Azure AD
Connect. For legacy line-of-business apps migrated to Azure VMs, Entra DS provides
domain services without new servers.