Identity Providers (IdPs)#

Reference of identity, authentication, and federation providers; the protocols they speak; and the directory products + token formats an operator deals with in IAM work. Useful for SSO design, breach response, and authorization forensics.

For broader cryptographic context, see Cryptographic Primitives. For biometrics + WebAuthn, see Biometrics.

Protocols#

Protocol

Notes

SAML 2.0

XML-based federated SSO; the enterprise default; SP + IdP roles.

OAuth 2.0

RFC 6749 + family; delegated authorization; access tokens.

OAuth 2.1 (draft)

Consolidates best-current-practice into one spec.

OpenID Connect (OIDC)

OAuth 2 + identity layer; ID token (JWT); the modern web SSO.

OIDC FAPI / FAPI 2

Financial-grade API profile; Open Banking / PSD2.

WS-Federation

Older Microsoft federation; SAML-compatible.

LDAP / LDAPS

RFC 4511; directory queries; bind = auth.

Kerberos

MIT; ticket-granting; AD’s transport.

RADIUS

RFC 2865; AAA over UDP; common with VPN / 802.1X.

TACACS+

Cisco AAA; TCP; centralised admin auth.

SCIM 2.0

RFC 7643/7644; user provisioning REST.

WebAuthn / FIDO2

W3C + FIDO; passkeys.

JWT

RFC 7519; JSON Web Token.

JWS / JWE / JWK / JWA

RFC 7515-7518; signing / encryption / keys / algorithms.

PASETO

“Platform-Agnostic SEcurity TOkens”; JWT alternative.

mTLS

Mutual TLS; client cert + server cert.

Directory products#

Product

Vendor

Notes

Active Directory

Microsoft

Enterprise on-prem default; Kerberos + LDAP + DNS + GPO.

AD LDS

Microsoft

Lightweight AD instance.

Entra ID (Azure AD)

Microsoft

Cloud directory; SCIM + OIDC + SAML; the dominant cloud IdP.

Entra ID B2C / B2B

Microsoft

Customer / external collab tenants.

OpenLDAP

Symas

Open-source LDAP server.

389 Directory

Red Hat

Open-source; FreeIPA / Red Hat IdM core.

FreeIPA / IdM

Red Hat

Integrated identity (LDAP + Kerberos + DNS + CA).

Samba AD

Samba

Open-source AD-compatible.

Apache DS

Apache

Java LDAP server.

Univention Corp Serv

er Univention

Open-source Linux server with AD-compatible features.

Google Workspace

Google

Cloud directory + SSO.

Okta Universal Direct

Okta

Cloud directory; bundled with Okta IdP.

JumpCloud

JumpCloud

Cloud directory.

Cloud / SaaS IdPs#

Vendor

Product

Notes

Microsoft

Entra ID

OIDC + SAML; MFA; Conditional Access; PIM; access reviews.

Okta

Okta Identity C

l oud Independent leader; Workforce + Customer (Okta CIC, formerly Auth0).

Auth0

(now Okta)

Developer-focused B2C / consumer.

Google

Google Identity

Workspace SSO + Cloud Identity.

Amazon

Cognito

AWS-native customer IdP.

Amazon

IAM Identity Ce

nt er Workforce SSO (was AWS SSO).

Ping Identity

PingOne / Ping

Fe d Enterprise SSO; large financial / gov footprint.

Forgerock

ForgeRock Ident

. Acquired by Ping (2023).

ID.me

ID.me

US-government identity-proofing (NIST IAL2).

Login.gov

GSA

US-government identity (IAL1 / IAL2).

Yoti

Yoti

Identity verification (UK / EU).

Onfido

Onfido

Identity verification.

Jumio

Jumio

Identity verification.

Persona

Persona

Identity verification.

SecureAuth

SecureAuth

Workforce IAM.

CyberArk Identity

CyberArk

IDaaS + PAM.

Beyond Identity

Beyond Identity

Passwordless device-bound.

Stytch

Stytch

Passwordless API.

WorkOS

WorkOS

SSO + SCIM-as-a-service.

Frontegg

Frontegg

B2B IAM.

Descope

Descope

No-code workflows.

Clerk

Clerk

Developer-focused B2C.

Magic

Magic Labs

Passwordless / Web3 wallet auth.

SuperTokens

SuperTokens

Open-source Auth0-alternative.

Self-hostable IdPs#

Product

Org

Notes

Keycloak

Red Hat / CNCF

OIDC + SAML + WS-Fed + LDAP front-end; the OSS standard.

Authentik

authentik

Modern OIDC + SAML; Python.

Authelia

Authelia

Lightweight OIDC + portal.

ZITADEL

ZITADEL

Multi-tenant OIDC.

Hydra (Ory)

Ory

OIDC server (headless).

Kratos (Ory)

Ory

Identity management.

Oathkeeper (Ory)

Ory

Reverse-proxy auth.

Keto (Ory)

Ory

Authorization (Zanzibar-style).

Casbin

Casbin

Policy-based access control library.

Vouch Proxy

Vouch

OIDC reverse-proxy.

oauth2-proxy

OAuth2 Proxy

Forward-auth OIDC for Nginx / Traefik / etc.

Lemonldap-NG

OW2

SSO portal.

GitHub Enterprise IdP

GitHub

SAML + SCIM via GHE.

AD FS

Microsoft

Federation server (legacy).

Shibboleth

Internet2

SAML federation; education.

Gluu

Gluu

OIDC + SAML; Janssen.

Janssen

LF / Gluu

OIDC + SAML; cloud-native.

PAM / privileged access#

Product

Vendor

Notes

CyberArk PAS

CyberArk

Market leader; vault + session.

BeyondTrust

BeyondTrust

PAM + endpoint privilege.

Delinea

Delinea

Thycotic + Centrify merged.

HashiCorp Vault

HashiCorp

Secrets + dynamic creds; not a full PAM.

Teleport

Goteleport

SSH / K8s / DB / Web access proxy.

StrongDM

StrongDM

Access proxy.

Boundary

HashiCorp

OIDC-aware access proxy.

Smallstep

Smallstep

SSH cert authority + step-ca.

sssd

Red Hat

Linux IdP daemon.

WALLIX

WALLIX

PAM (FR).

Cisco DUO

Cisco

MFA (acquired 2018).

Microsoft Entra PIM

Microsoft

Just-in-time admin role activation.

MFA / authenticator#

Product

Vendor

Notes

Yubikey 5 / 5C / Bio

Yubico

Hardware FIDO2 + smartcard + OTP.

Titan key

Google

FIDO2 hardware.

SoloKeys / Solo 2

Solo

Open-source FIDO2.

Nitrokey 3

Nitrokey

Open-source FIDO2 + GPG.

Feitian

Feitian

Chinese-origin FIDO2.

Onlykey

Onlykey

PIN-protected FIDO2 + password manager.

Microsoft Authenticat or

Microsoft

TOTP + push.

Google Authenticator

Google

TOTP.

Authy

Twilio

TOTP + cloud sync (sunset 2024 desktop).

2FAS

2FAS

Open TOTP iOS / Android.

Aegis

OSS

Android TOTP.

Raivo

OSS

iOS TOTP.

Duo Mobile

Cisco

Push / TOTP.

Okta Verify

Okta

Push / WebAuthn / TOTP.

RSA SecurID

RSA

OTP token (legacy hardware + soft).

Symantec VIP

Broadcom

OTP.

Common attacks / detection#

Attack

Detection / mitigation

Password spray

rate-limit + impossible-travel + risky-sign-in.

Credential stuffing

bot detection + leaked-password lookup (HIBP).

MFA bombing

number matching + cooldown (Entra ID / Okta have it now).

SIM swap

prefer FIDO2 over SMS; carrier port-out alerts.

AiTM phishing

Conditional Access + token binding + device-bound passkeys.

Token theft

short token TTL + sender-constrained tokens (DPoP / mTLS).

SAML golden ticket

ADFS token-signing key compromise; rotate; HSM.

Pass-the-hash / -tic ket

Tier 0 segmentation; LSASS protections; PtH guidance.

Kerberoasting

strong service-account passwords; gMSA.

DCSync

monitor Replication-Get-Changes-All grants.

NTLM relay

disable NTLM; SMB signing; LDAP channel binding.

Standards / frameworks#

Standard

Notes

NIST SP 800-63

Digital identity guidelines; IAL / AAL / FAL levels.

NIST SP 800-207

Zero Trust Architecture.

ISO/IEC 24760

Identity management framework.

eIDAS / eIDAS 2.0

EU electronic identification + trust services.

PSD2 SCA

Strong Customer Authentication for EU payments.

GLBA / SOX / HIPAA

US sector regs.

PCI-DSS

Card-data; MFA on admin / remote access.

FedRAMP / StateRAMP

US-government cloud auth baseline.

CISA Zero Trust Matur

ity Model US gov ZT roadmap.

Operator notes#

  • Phishing-resistant MFA (FIDO2 / passkeys / smartcards) is the bar for high-trust accounts. Push-based MFA without number-matching is no longer sufficient.

  • Conditional Access / Adaptive auth (Okta / Entra / Ping), evaluate device, network, signal-of-risk before issuing tokens.

  • Token theft is the new password phish, rotate refresh tokens, prefer short-lived, sender-constrained (DPoP / mTLS).

  • Global admins, minimize count, JIT-elevate (Entra PIM / CyberArk), break-glass account in a vault, MFA on break-glass.

  • Identity attack TTPs map to MITRE ATT&CK TA0001 + TA0006 + TA0008 (initial / cred / lateral).

  • Identity logs, Entra ID Sign-in / Audit logs; Okta System Log; AWS CloudTrail; Google Audit logs; ship to SIEM.

  • SCIM is the right answer for user lifecycle; deprovisioning on offboarding is the most-missed control.

  • IdP outage = total outage, design for IdP downtime (caching, fallback IdP, break-glass).

References#