Identity Providers (IdPs)#
Reference of identity, authentication, and federation providers; the protocols they speak; and the directory products + token formats an operator deals with in IAM work. Useful for SSO design, breach response, and authorization forensics.
For broader cryptographic context, see Cryptographic Primitives. For biometrics + WebAuthn, see Biometrics.
Protocols#
Protocol |
Notes |
|---|---|
SAML 2.0 |
XML-based federated SSO; the enterprise default; SP + IdP roles. |
OAuth 2.0 |
RFC 6749 + family; delegated authorization; access tokens. |
OAuth 2.1 (draft) |
Consolidates best-current-practice into one spec. |
OpenID Connect (OIDC) |
OAuth 2 + identity layer; ID token (JWT); the modern web SSO. |
OIDC FAPI / FAPI 2 |
Financial-grade API profile; Open Banking / PSD2. |
WS-Federation |
Older Microsoft federation; SAML-compatible. |
LDAP / LDAPS |
RFC 4511; directory queries; bind = auth. |
Kerberos |
MIT; ticket-granting; AD’s transport. |
RADIUS |
RFC 2865; AAA over UDP; common with VPN / 802.1X. |
TACACS+ |
Cisco AAA; TCP; centralised admin auth. |
SCIM 2.0 |
RFC 7643/7644; user provisioning REST. |
WebAuthn / FIDO2 |
W3C + FIDO; passkeys. |
JWT |
RFC 7519; JSON Web Token. |
JWS / JWE / JWK / JWA |
RFC 7515-7518; signing / encryption / keys / algorithms. |
PASETO |
“Platform-Agnostic SEcurity TOkens”; JWT alternative. |
mTLS |
Mutual TLS; client cert + server cert. |
Directory products#
Product |
Vendor |
Notes |
|---|---|---|
Active Directory |
Microsoft |
Enterprise on-prem default; Kerberos + LDAP + DNS + GPO. |
AD LDS |
Microsoft |
Lightweight AD instance. |
Entra ID (Azure AD) |
Microsoft |
Cloud directory; SCIM + OIDC + SAML; the dominant cloud IdP. |
Entra ID B2C / B2B |
Microsoft |
Customer / external collab tenants. |
OpenLDAP |
Symas |
Open-source LDAP server. |
389 Directory |
Red Hat |
Open-source; FreeIPA / Red Hat IdM core. |
FreeIPA / IdM |
Red Hat |
Integrated identity (LDAP + Kerberos + DNS + CA). |
Samba AD |
Samba |
Open-source AD-compatible. |
Apache DS |
Apache |
Java LDAP server. |
Univention Corp Serv |
er Univention |
Open-source Linux server with AD-compatible features. |
Google Workspace |
Cloud directory + SSO. |
|
Okta Universal Direct |
Okta |
Cloud directory; bundled with Okta IdP. |
JumpCloud |
JumpCloud |
Cloud directory. |
Cloud / SaaS IdPs#
Vendor |
Product |
Notes |
|---|---|---|
Microsoft |
Entra ID |
OIDC + SAML; MFA; Conditional Access; PIM; access reviews. |
Okta |
Okta Identity C |
l oud Independent leader; Workforce + Customer (Okta CIC, formerly Auth0). |
Auth0 |
(now Okta) |
Developer-focused B2C / consumer. |
Google Identity |
Workspace SSO + Cloud Identity. |
|
Amazon |
Cognito |
AWS-native customer IdP. |
Amazon |
IAM Identity Ce |
nt er Workforce SSO (was AWS SSO). |
Ping Identity |
PingOne / Ping |
Fe d Enterprise SSO; large financial / gov footprint. |
Forgerock |
ForgeRock Ident |
. Acquired by Ping (2023). |
ID.me |
ID.me |
US-government identity-proofing (NIST IAL2). |
Login.gov |
GSA |
US-government identity (IAL1 / IAL2). |
Yoti |
Yoti |
Identity verification (UK / EU). |
Onfido |
Onfido |
Identity verification. |
Jumio |
Jumio |
Identity verification. |
Persona |
Persona |
Identity verification. |
SecureAuth |
SecureAuth |
Workforce IAM. |
CyberArk Identity |
CyberArk |
IDaaS + PAM. |
Beyond Identity |
Beyond Identity |
Passwordless device-bound. |
Stytch |
Stytch |
Passwordless API. |
WorkOS |
WorkOS |
SSO + SCIM-as-a-service. |
Frontegg |
Frontegg |
B2B IAM. |
Descope |
Descope |
No-code workflows. |
Clerk |
Clerk |
Developer-focused B2C. |
Magic |
Magic Labs |
Passwordless / Web3 wallet auth. |
SuperTokens |
SuperTokens |
Open-source Auth0-alternative. |
Self-hostable IdPs#
Product |
Org |
Notes |
|---|---|---|
Keycloak |
Red Hat / CNCF |
OIDC + SAML + WS-Fed + LDAP front-end; the OSS standard. |
Authentik |
authentik |
Modern OIDC + SAML; Python. |
Authelia |
Authelia |
Lightweight OIDC + portal. |
ZITADEL |
ZITADEL |
Multi-tenant OIDC. |
Hydra (Ory) |
Ory |
OIDC server (headless). |
Kratos (Ory) |
Ory |
Identity management. |
Oathkeeper (Ory) |
Ory |
Reverse-proxy auth. |
Keto (Ory) |
Ory |
Authorization (Zanzibar-style). |
Casbin |
Casbin |
Policy-based access control library. |
Vouch Proxy |
Vouch |
OIDC reverse-proxy. |
oauth2-proxy |
OAuth2 Proxy |
Forward-auth OIDC for Nginx / Traefik / etc. |
Lemonldap-NG |
OW2 |
SSO portal. |
GitHub Enterprise IdP |
GitHub |
SAML + SCIM via GHE. |
AD FS |
Microsoft |
Federation server (legacy). |
Shibboleth |
Internet2 |
SAML federation; education. |
Gluu |
Gluu |
OIDC + SAML; Janssen. |
Janssen |
LF / Gluu |
OIDC + SAML; cloud-native. |
PAM / privileged access#
Product |
Vendor |
Notes |
|---|---|---|
CyberArk PAS |
CyberArk |
Market leader; vault + session. |
BeyondTrust |
BeyondTrust |
PAM + endpoint privilege. |
Delinea |
Delinea |
Thycotic + Centrify merged. |
HashiCorp Vault |
HashiCorp |
Secrets + dynamic creds; not a full PAM. |
Teleport |
Goteleport |
SSH / K8s / DB / Web access proxy. |
StrongDM |
StrongDM |
Access proxy. |
Boundary |
HashiCorp |
OIDC-aware access proxy. |
Smallstep |
Smallstep |
SSH cert authority + step-ca. |
sssd |
Red Hat |
Linux IdP daemon. |
WALLIX |
WALLIX |
PAM (FR). |
Cisco DUO |
Cisco |
MFA (acquired 2018). |
Microsoft Entra PIM |
Microsoft |
Just-in-time admin role activation. |
MFA / authenticator#
Product |
Vendor |
Notes |
|---|---|---|
Yubikey 5 / 5C / Bio |
Yubico |
Hardware FIDO2 + smartcard + OTP. |
Titan key |
FIDO2 hardware. |
|
SoloKeys / Solo 2 |
Solo |
Open-source FIDO2. |
Nitrokey 3 |
Nitrokey |
Open-source FIDO2 + GPG. |
Feitian |
Feitian |
Chinese-origin FIDO2. |
Onlykey |
Onlykey |
PIN-protected FIDO2 + password manager. |
Microsoft Authenticat or |
Microsoft |
TOTP + push. |
Google Authenticator |
TOTP. |
|
Authy |
Twilio |
TOTP + cloud sync (sunset 2024 desktop). |
2FAS |
2FAS |
Open TOTP iOS / Android. |
Aegis |
OSS |
Android TOTP. |
Raivo |
OSS |
iOS TOTP. |
Duo Mobile |
Cisco |
Push / TOTP. |
Okta Verify |
Okta |
Push / WebAuthn / TOTP. |
RSA SecurID |
RSA |
OTP token (legacy hardware + soft). |
Symantec VIP |
Broadcom |
OTP. |
Common attacks / detection#
Attack |
Detection / mitigation |
|---|---|
Password spray |
rate-limit + impossible-travel + risky-sign-in. |
Credential stuffing |
bot detection + leaked-password lookup (HIBP). |
MFA bombing |
number matching + cooldown (Entra ID / Okta have it now). |
SIM swap |
prefer FIDO2 over SMS; carrier port-out alerts. |
AiTM phishing |
Conditional Access + token binding + device-bound passkeys. |
Token theft |
short token TTL + sender-constrained tokens (DPoP / mTLS). |
SAML golden ticket |
ADFS token-signing key compromise; rotate; HSM. |
Pass-the-hash / -tic ket |
Tier 0 segmentation; LSASS protections; PtH guidance. |
Kerberoasting |
strong service-account passwords; gMSA. |
DCSync |
monitor Replication-Get-Changes-All grants. |
NTLM relay |
disable NTLM; SMB signing; LDAP channel binding. |
Standards / frameworks#
Standard |
Notes |
|---|---|
NIST SP 800-63 |
Digital identity guidelines; IAL / AAL / FAL levels. |
NIST SP 800-207 |
Zero Trust Architecture. |
ISO/IEC 24760 |
Identity management framework. |
eIDAS / eIDAS 2.0 |
EU electronic identification + trust services. |
PSD2 SCA |
Strong Customer Authentication for EU payments. |
GLBA / SOX / HIPAA |
US sector regs. |
PCI-DSS |
Card-data; MFA on admin / remote access. |
FedRAMP / StateRAMP |
US-government cloud auth baseline. |
CISA Zero Trust Matur |
ity Model US gov ZT roadmap. |
Operator notes#
Phishing-resistant MFA (FIDO2 / passkeys / smartcards) is the bar for high-trust accounts. Push-based MFA without number-matching is no longer sufficient.
Conditional Access / Adaptive auth (Okta / Entra / Ping), evaluate device, network, signal-of-risk before issuing tokens.
Token theft is the new password phish, rotate refresh tokens, prefer short-lived, sender-constrained (DPoP / mTLS).
Global admins, minimize count, JIT-elevate (Entra PIM / CyberArk), break-glass account in a vault, MFA on break-glass.
Identity attack TTPs map to MITRE ATT&CK TA0001 + TA0006 + TA0008 (initial / cred / lateral).
Identity logs, Entra ID Sign-in / Audit logs; Okta System Log; AWS CloudTrail; Google Audit logs; ship to SIEM.
SCIM is the right answer for user lifecycle; deprovisioning on offboarding is the most-missed control.
IdP outage = total outage, design for IdP downtime (caching, fallback IdP, break-glass).