The Identity Provider provides Single Sign-On services and extends an organization's reach into other organizations and new services by authenticating users and securely providing appropriate data to the services that request it. In addition to a simple yes/no answer to an authentication request, the Identity Provider can supply a rich set of user-related data (attributes) to the Service Provider. This data lets the service offer a more personalized user experience, saves the user from manually entering data the service requires, and is refreshed each time the user logs in to the service.
The normal Identity Provider process is:
- Accept a SAML authentication request from the Service Provider a user wants to access;
- Authenticate the user against your organization's existing authentication service;
- Collect user data from your organization's existing data stores;
- Apply policy to control what data is released to which Service Provider;
- Securely transmit the collected information to the Service Provider.
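As an added illustration of the five steps above (example code, not Shibboleth IdP code): a stdlib-only Python sketch of one SAML 2.0 SSO exchange, from accepting the AuthnRequest through authentication, attribute resolution, release policy and the Response. The SP registry, user directory, release policy and the sample AuthnRequest are all constructed for the example, standing in for SP metadata, LDAP and the IdP's attribute filter; the Response is unsigned, which a real deployment must never do.

```python
"""Walk-through of the five IdP steps: accept request, authenticate, resolve
attributes, apply release policy, return a SAML Response.  Added illustration,
not Shibboleth IdP code: stdlib only, unsigned, with constructed SP registry,
user directory and policy standing in for metadata, LDAP and attribute-filter."""
import datetime as dt
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"  # constructed
SCOPE = "example.edu"                                       # constructed

# Constructed SP registry (stands in for SAML metadata): entityID -> permitted ACS URL.
SP_REGISTRY = {"https://sp.example.org/shibboleth":
               "https://sp.example.org/Shibboleth.sso/SAML2/POST"}

# Constructed user store (stands in for LDAP); passwords held as PBKDF2 hashes.
_SALT = b"demo-salt-not-for-production"
def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)
DIRECTORY = {"jdoe": {"pw": _pw_hash("correct horse"), "givenName": "Jane", "sn": "Doe",
                      "mail": "jdoe@example.edu", "eduPersonAffiliation": ["member", "staff"]}}

# Constructed release policy (the role of the IdP attribute filter): per SP, the
# attributes that may be released.  Anything not listed is denied by default.
RELEASE_POLICY = {"https://sp.example.org/shibboleth":
                  {"eduPersonPrincipalName", "eduPersonAffiliation"}}

# Constructed AuthnRequest as an SP would send it (signature omitted).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>""".encode()

def parse_authn_request(xml_bytes: bytes) -> dict:
    # Step 1: accept only requests from a registered SP, and only ever respond to the
    # ACS URL registered for it, never to one the request itself proposes.
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in SP_REGISTRY:
        raise ValueError(f"unknown requester {issuer!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != SP_REGISTRY[issuer]:
        raise ValueError("AssertionConsumerServiceURL does not match registered metadata")
    return {"id": root.get("ID"), "issuer": issuer, "acs": SP_REGISTRY[issuer]}

def authenticate(username: str, password: str) -> str:
    # Step 2: the hash is always computed and compared in constant time, so an
    # unknown username costs the same as a wrong password.
    rec = DIRECTORY.get(username)
    expected = rec["pw"] if rec else _pw_hash("")
    ok = hmac.compare_digest(expected, _pw_hash(password))
    if rec is None or not ok:
        raise PermissionError("authentication failed")
    return username

def resolve_attributes(username: str) -> dict:
    # Step 3: read the record and transform it (scoped ePPN, displayName from parts).
    rec = DIRECTORY[username]
    return {"eduPersonPrincipalName": [f"{username}@{SCOPE}"],
            "mail": [rec["mail"]],
            "displayName": [f"{rec['givenName']} {rec['sn']}"],
            "eduPersonAffiliation": list(rec["eduPersonAffiliation"])}

def filter_attributes(attrs: dict, sp_entity_id: str) -> dict:
    # Step 4: release only what policy permits for this SP (default deny).
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: values for name, values in attrs.items() if name in allowed}

def build_response(request: dict, attrs: dict) -> bytes:
    # Step 5: build the Response; a real IdP signs it (omitted here).
    now = dt.datetime.now(dt.timezone.utc)
    def ts(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
    expiry = ts(now + dt.timedelta(minutes=5))
    S, P = f"{{{SAML}}}", f"{{{SAMLP}}}"
    resp = ET.Element(P + "Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=ts(now), InResponseTo=request["id"], Destination=request["acs"])
    ET.SubElement(resp, S + "Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, P + "Status"), P + "StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, S + "Assertion", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=ts(now))
    ET.SubElement(a, S + "Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, S + "Subject")
    ET.SubElement(subj, S + "NameID",
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient").text = "_" + uuid.uuid4().hex
    sc = ET.SubElement(subj, S + "SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, S + "SubjectConfirmationData", InResponseTo=request["id"],
                  Recipient=request["acs"], NotOnOrAfter=expiry)
    cond = ET.SubElement(a, S + "Conditions", NotBefore=ts(now), NotOnOrAfter=expiry)
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = request["issuer"]
    stmt = ET.SubElement(a, S + "AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, S + "Attribute", Name=name,
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic")
        for v in values:
            ET.SubElement(attr, S + "AttributeValue").text = v
    return ET.tostring(resp, encoding="utf-8")

def handle_sso(authn_request: bytes, username: str, password: str) -> bytes:
    # The five steps in order.
    req = parse_authn_request(authn_request)
    user = authenticate(username, password)
    attrs = filter_attributes(resolve_attributes(user), req["issuer"])
    return build_response(req, attrs)

def summarize_response(response_xml: bytes) -> dict:
    # What the SP sees: correlation ID, intended audience and released attributes.
    root = ET.fromstring(response_xml)
    S = f"{{{SAML}}}"
    attrs = {el.get("Name"): [v.text for v in el.findall(S + "AttributeValue")]
             for el in root.iter(S + "Attribute")}
    return {"in_response_to": root.get("InResponseTo"),
            "audience": root.findtext(f".//{S}Audience"), "attributes": attrs}

if __name__ == "__main__":
    print(summarize_response(handle_sso(SAMPLE_AUTHN_REQUEST, "jdoe", "correct horse")))
```

Two checks in the sketch carry the security weight: the response is delivered only to the ACS URL registered for the requesting SP, regardless of what the AuthnRequest asks for, and the release policy is default-deny, so `mail` and `displayName` never leave the IdP for this SP even though they were resolved.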
Key features of the Identity Provider include:
- Out-of-the-box support for LDAP, Kerberos, JAAS, X.509, SPNEGO, and container-based authentication systems.
- Out-of-the-box support for reading user data from arbitrarily-structured LDAP directories and relational databases and performing simple or complex transformations on the acquired data.
- Fine-grained control over the data to release to a relying party system.
- Excellent scaling, both in performance and manageability - a single instance can handle millions of authentication requests per day and can communicate with thousands of service providers.
- Out-of-the-box high availability via client-side state management (session state is carried by the user's browser, so no server-side replication is required), plus options to keep state in a relational database or in memcached where shared server-side storage is needed.
- Works with any compliant SAML 1.1 and 2.0 Service Provider implementation.
- Supports the CAS 2 SSO protocol and some additional extensions.
- Extensive and carefully-managed APIs to allow the software to be extended to support custom scenarios.