
Understand STACKIT IdP

STACKIT IdP is an authentication system that gives you fine-grained access management to your STACKIT resources. The following sections explain important phrases to help you understand STACKIT IdP.

An identity provider (IdP) is a system that confirms a user’s identity. It issues authentication assertions to the applications or services that rely on it. An IdP manages digital identities, ensuring users can securely prove who they are before they access resources.

When you manage access, you need to understand the difference between authentication and authorization:

  • Authentication: This is the process of confirming a user’s identity. It answers the question, “Are you who you say you are?”. An IdP primarily handles authentication by confirming a user’s login credentials.
  • Authorization: This is the process of deciding what a user is allowed to do or access after they have been authenticated. It answers the question, “What are you allowed to do?”. An IdP mainly focuses on authentication, but it often provides identity information, like roles, that other systems use for authorization.

A Relying Party (RP), also called a Service Provider (SP), is an application or service that delegates user authentication to an identity provider. The IdP verifies the user’s identity, and the relying party trusts the IdP’s assertion to give the user access to its resources. This setup lets applications hand off authentication tasks to a specialized IdP.

Identity claims and tokens are the key methods for sharing user identity information:

  • Claims: These are statements about a user, like their name, email address, or assigned roles, that an IdP confirms as true after a successful authentication.
  • Tokens: These are digital objects, often JSON web tokens (JWTs) or SAML assertions, that contain these claims. The IdP digitally signs these tokens so that the recipient can check that they are authentic and have not been changed. Applications receive these tokens from the IdP to verify identity and read user attributes. Before trusting any claim, the application must verify the signature and check that the token was issued by the expected IdP, is intended for that application, and has not expired.

Multi-factor authentication (MFA) is a security method that requires users to provide two or more distinct verification factors to get access to a resource. MFA significantly improves security by adding layers beyond a username and password.

Common factors include:

  • Something you know: A password or PIN.
  • Something you have: A phone, hardware token, or smart card.
  • Something you are: A biometric identifier, like a fingerprint or face scan.

Single sign-on (SSO) is an authentication process that lets a user access multiple distinct applications or systems after logging in once with a single set of credentials. This streamlines the user experience by removing the need to repeatedly enter usernames and passwords for each service. It also simplifies password management for users and improves security by centralizing authentication in one place, where policies such as MFA can be enforced consistently. The flip side is that the central login becomes the single point of compromise: one stolen credential would open every connected application, which is why SSO should always be combined with MFA.

User provisioning is the automated process of creating, updating, and managing user accounts and their associated access rights across various systems and applications. It ensures that users are granted the appropriate level of access permissions based on their role within an organization. These permissions are promptly revoked when a user’s role changes or they leave the organization. This automation reduces manual effort, minimizes errors, and improves security by maintaining accurate access control.

System for cross-domain identity management (SCIM)


SCIM is an open standard protocol designed to automate the exchange of user identity information between different identity domains or IT systems. SCIM 2.0 is specified in RFC 7643 (the resource schema) and RFC 7644 (the protocol) and is implemented as a REST API that exchanges JSON resources, typically at /Users and /Groups endpoints. It provides a standardized way to perform common identity management operations, such as creating, updating, and deactivating user accounts and group memberships across various applications and cloud services. By providing a common language and standardized API, SCIM significantly reduces the manual effort and potential for errors associated with managing user identities across multiple platforms. This ensures consistent and secure access control, in particular prompt deprovisioning when a user leaves.
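To make the SCIM operations above concrete, here is an added example (not STACKIT's SCIM implementation) of the receiving side: a minimal SCIM 2.0 PatchOp handler as a service provider would run it when an IdP deactivates a leaver. The user record, UUID, names and addresses are constructed sample data; the schema URNs and the shape of the PatchOp message are those of RFC 7643/7644. Filter paths such as emails[primary eq true] and append semantics for multi-valued attributes are deliberately not modelled.

```python
import copy

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
READ_ONLY = {"id", "schemas", "meta"}  # server-assigned attributes a client may not change

# Constructed sample: the resource an IdP POSTs to /Users when it provisions a new user.
USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "idp-user-0001",
    "userName": "jdoe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
    "active": True,
}

# Constructed sample: the PATCH an IdP sends to /Users/{id} when the user leaves.
# Deactivating instead of deleting keeps the account's audit trail intact.
DEACTIVATE = {
    "schemas": [SCIM_PATCH_SCHEMA],
    "Operations": [{"op": "replace", "path": "active", "value": False}],
}


class ScimError(ValueError):
    """Would become a SCIM error response (HTTP 400 with a scimType such as invalidSyntax)."""


def _walk(resource: dict, path: str):
    """Resolve a dotted path such as 'name.givenName' to (parent dict, leaf attribute name)."""
    if "[" in path:
        raise ScimError("invalidPath: filter expressions are not supported in this example")
    *parents, leaf = path.split(".")
    node = resource
    for part in parents:
        node = node.setdefault(part, {})
        if not isinstance(node, dict):
            raise ScimError(f"invalidPath: {part} is not a complex attribute")
    return node, leaf


def apply_patch(resource: dict, patch: dict) -> dict:
    """Apply a SCIM 2.0 PatchOp message to a copy of `resource` and return the new state.

    add and replace both set the target attribute (simple or complex); remove deletes it.
    Read-only attributes are rejected rather than silently ignored.
    """
    if patch.get("schemas") != [SCIM_PATCH_SCHEMA]:
        raise ScimError("invalidSyntax: not a PatchOp message")
    result = copy.deepcopy(resource)
    for operation in patch.get("Operations", []):
        op, path = operation.get("op", "").lower(), operation.get("path")
        if path is not None and path.split(".")[0] in READ_ONLY:
            raise ScimError(f"mutability: {path} is readOnly")
        if op in ("add", "replace"):
            if "value" not in operation:
                raise ScimError("invalidValue: add/replace requires a value")
            if path is None:  # no path: the value is a partial resource merged at the top level
                value = operation["value"]
                if not isinstance(value, dict) or READ_ONLY & value.keys():
                    raise ScimError("invalidValue: expected a partial resource without readOnly attributes")
                result.update(value)
            else:
                parent, leaf = _walk(result, path)
                parent[leaf] = operation["value"]
        elif op == "remove":
            if path is None:
                raise ScimError("noTarget: remove requires a path")
            parent, leaf = _walk(result, path)
            parent.pop(leaf, None)
        else:
            raise ScimError(f"invalidSyntax: unknown op {op!r}")
    return result


def is_deprovisioned(resource: dict) -> bool:
    """Relying systems must treat active=false as 'deny login' even though the record still exists."""
    return resource.get("active") is False
```

The point a practitioner should take from this is the last function: after the IdP's PATCH arrives, the account still exists, so every system that consumes SCIM data must key its access decision on the active flag, not on the mere presence of the user record.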

OAuth 2.0 is an industry-standard authorization framework that enables applications to get limited access to user accounts on an HTTP service, such as a social media platform or cloud storage. It works by letting a user grant a third-party application access to their information without sharing their actual login credentials.

Instead of sharing credentials, the user authorizes the application to act on their behalf to access specific resources, expressed as scopes. The application receives an access token from an authorization server, most commonly through the authorization code grant. This token represents the granted permissions and is presented to the resource server with each request; the resource server accepts the request only if the token is valid and its scope covers the operation. OAuth 2.0 focuses only on authorization, not authentication: possessing an access token shows that some user granted access, not who is currently logged in. This makes it a key component for secure delegated access in modern web and mobile applications, and the reason OpenID Connect exists for login.

OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 authorization framework. While OAuth 2.0 mainly handles authorization, OIDC extends it to perform user authentication. An IdP using OIDC verifies the user’s identity and provides basic profile information in a secure, standardized way.

When a user authenticates, the IdP issues an ID token, which is a JSON web token (JWT). This token contains verifiable “claims” about the user, such as their unique identifier (sub), name, and email address, together with claims about the token itself: who issued it (iss), which application it is for (aud), when it was issued (iat) and when it expires (exp), and, when the application supplied one, the nonce that ties the token to the login request. The relying party must verify the signature and every one of these claims before treating the user as logged in. OIDC is widely adopted because it reuses OAuth 2.0 flows and HTTP/JSON, which makes it straightforward to implement in both web and mobile applications and enables secure identity verification across various platforms.
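The following added example (not STACKIT's token format or code) mints an ID token and then verifies it the way a relying party must, covering both the signed-claims description in the tokens section above and the OIDC claims just listed. Issuer URL, key id, user identifiers and the shared secret are constructed; HMAC-SHA256 (HS256) is used only so the example runs with the standard library alone, whereas production IdPs normally sign with an asymmetric algorithm and publish the verification keys, so an RP would fetch those keys and pin RS256 or ES256 instead.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_id_token(key: bytes, issuer: str, subject: str, audience: str, nonce: str,
                  now: int, lifetime: int = 300, **profile) -> str:
    """IdP side: build header.claims.signature with the standard OIDC claims plus profile claims."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key-1"}  # constructed key id
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now,
              "exp": now + lifetime, "nonce": nonce, **profile}
    signing_input = f"{_compact(header)}.{_compact(claims)}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


class TokenError(ValueError):
    """Any failed check: the RP must refuse the login, not fall back to unverified claims."""


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, nonce: str,
                    now: int, leeway: int = 60) -> dict:
    """Relying-party side: verify the signature first, then every claim that scopes the token."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token") from None
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm. The token must never be allowed to choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature mismatch: token was not issued by this key or was altered")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was issued for a different relying party")
    if now >= claims.get("exp", 0) + leeway:
        raise TokenError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise TokenError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch: token does not belong to this login attempt")
    return claims


def tamper(token: str, **changes) -> str:
    """Rewrite claims but keep the original signature, to show that verification catches it."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims.update(changes)
    return f"{header_b64}.{_compact(claims)}.{sig_b64}"
```

The order of checks matters: the signature is verified before any claim is read, because until then the claims are just attacker-controllable JSON. The audience check is the one most often forgotten, and without it a token legitimately issued to one application can be replayed to log in to another.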

SAML 2.0 (security assertion markup language)


SAML 2.0 (security assertion markup language) is an XML-based protocol used for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It is a foundational standard for web-based single sign-on (SSO) across different security domains.

In a SAML flow, after a user authenticates with the IdP, the IdP issues a SAML assertion. This is an XML document containing statements about the user’s identity and attributes, signed by the IdP with an XML digital signature. The assertion is then sent to the service provider, which trusts the IdP and uses the assertion to grant the user access. As with OIDC tokens, the service provider must validate the signature against the IdP’s certificate and check the assertion’s audience and validity window before relying on any statement in it. SAML is especially common in enterprise environments for federated identity management because of its long-standing, widespread support in enterprise software.