Reputation: 128
I was trying to implement the WS-Federation protocol for my application. When researching this, STS and IdP are used along with a few other buzzwords. I know Federation is between two security realms that trust each other to access resources. And the IdP is the source of identity about the user, and IdPs can use SAML, OAuth, OIDC and others during authentication of the user. What role does STS play here? Explain all buzzwords like IdPs, SPs, relying party, Federation and STS in a much clearer way and with some analogy. Thanks.
Upvotes: 1
Views: 544
Reputation: 46773
In the Microsoft world (since you are asking about WS-Fed):
IDP - handles authentication and issues tokens, either SAML or JWT (OIDC). Examples are ADFS or Entra ID. (WS-Fed issues SAML tokens)
CP - claims provider - the instance in the IDP that handles a particular RP request. In ADFS, this would run the claims rules
RP - The application, e.g. ASP.NET, that connects to the CP via WS-Fed
SP - this is the equivalent of an RP in the SAML world
Federation - connecting two IDPs together so, e.g. users in an ADFS tenant can authenticate to an Entra ID application
STS - security token system - the part of an IDP that issues tokens
I have also seen STS used as an intermediary IDP, e.g. RP --> ADFS --> Entra ID as opposed to RP --> Entra ID. The ADFS here would be the STS.
Upvotes: 1
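To make the roles in the answer above concrete, here is an added example (not part of the answer, and not how ADFS or Entra ID are implemented). It models an STS that authenticates users and issues signed tokens, a relying party that trusts only a specific issuer and checks audience, signature and expiry, and the federated chain RP --> ADFS --> Entra ID, where the intermediary STS accepts an upstream token and re-issues its own. The HMAC-over-JSON token is a constructed stand-in for a signed SAML/JWT token, and every name, key and user below is made up.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> str:
    # Constructed stand-in for the XML-DSig / JWS signature a real STS produces.
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


class SecurityTokenService:
    """The token-issuing part of an IDP (the 'STS'), with a constructed user table."""

    def __init__(self, name, signing_key, users=None, trusted_upstream=None):
        self.name = name                              # issuer name stamped into every token
        self._key = signing_key                       # constructed secret in place of a signing certificate
        self._users = users or {}                     # constructed credential store: user -> password
        self._trusted = trusted_upstream or {}        # federated IDPs whose tokens we accept: issuer -> key

    def issue(self, subject, audience, claims=None, lifetime=300):
        """Claims-provider step: build the claim set for one relying party and sign it."""
        now = int(time.time())
        body = {"iss": self.name, "sub": subject, "aud": audience,
                "iat": now, "exp": now + lifetime, **(claims or {})}
        payload = json.dumps(body, sort_keys=True).encode()
        return _b64(payload) + "." + _sign(self._key, payload)

    def authenticate(self, user, password, audience):
        """Direct login: the IDP checks credentials, then the STS issues a token for the RP."""
        if self._users.get(user) != password:
            raise PermissionError("bad credentials")
        return self.issue(user, audience, {"role": "employee"})

    def federated_issue(self, upstream_token, audience):
        """Federation: verify a token from a trusted upstream IDP, then re-issue one for our own RP."""
        upstream = verify_token(upstream_token, self._trusted, expected_audience=self.name)
        return self.issue(upstream["sub"], audience,
                          {"role": upstream.get("role", "guest"), "home_idp": upstream["iss"]})


def verify_token(token, trusted_issuers, expected_audience, now=None):
    """Relying-party check: trusted issuer, valid signature, correct audience, not expired."""
    try:
        payload_b64, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    payload = _unb64(payload_b64)
    body = json.loads(payload)
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        raise PermissionError(f"issuer {body.get('iss')!r} is not trusted")
    if not hmac.compare_digest(_sign(key, payload), sig):
        raise PermissionError("bad signature")
    if body.get("aud") != expected_audience:
        raise PermissionError("token was issued for a different relying party")
    if (now if now is not None else time.time()) >= body["exp"]:
        raise PermissionError("token expired")
    return body


def rp_accepts(token, trusted_issuers, audience):
    """Convenience wrapper: True if the RP would accept the token, False otherwise."""
    try:
        verify_token(token, trusted_issuers, audience)
        return True
    except (PermissionError, ValueError):
        return False


def demo():
    entra = SecurityTokenService("entra-id", b"entra-secret", users={"alice": "pw"})
    adfs = SecurityTokenService("adfs", b"adfs-secret", users={"bob": "pw2"},
                                trusted_upstream={"entra-id": b"entra-secret"})
    rp_trust = {"adfs": b"adfs-secret"}          # the RP trusts only ADFS as its STS

    # Direct path: RP --> ADFS
    direct = verify_token(adfs.authenticate("bob", "pw2", "payroll-app"), rp_trust, "payroll-app")

    # Federated path: RP --> ADFS --> Entra ID (ADFS is the intermediary STS)
    upstream = entra.authenticate("alice", "pw", audience="adfs")
    federated = verify_token(adfs.federated_issue(upstream, "payroll-app"), rp_trust, "payroll-app")

    # The Entra token itself is rejected by the RP: wrong issuer for this trust relationship.
    return direct["sub"], federated["sub"], federated["home_idp"], rp_accepts(upstream, rp_trust, "payroll-app")


if __name__ == "__main__":
    print(demo())
```

The point the code makes that the glossary cannot: an RP does not "know" users, it knows which issuer's signing key it trusts and which audience value names it; federation is the intermediary STS applying exactly that same check to the upstream IDP before issuing its own token. A token that fails any one of issuer, signature, audience or expiry is rejected.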