← All terms
Identity Provider (IdP)

What is an Identity Provider (IdP)?

An identity provider is the central service that authenticates users and issues trusted tokens that applications rely on for sign-in.

Last updated: 13 July 2026

How an identity provider works

The IdP holds or connects to the directory of user identities and owns the authentication experience: the login page, password checks, MFA challenges, and session management. Applications, called service providers or relying parties, delegate sign-in to it. When a user arrives, the application redirects to the IdP, which authenticates the user and returns a cryptographically signed assertion or token.

Applications trust these tokens because they can verify the signature against keys exchanged during setup. The IdP communicates over federation protocols, chiefly SAML 2.0 for established enterprise software and OpenID Connect for modern web and mobile applications, with WS-Fed, Kerberos, LDAP, and RADIUS covering older infrastructure.

Why the IdP matters

The IdP is the control point of the entire identity architecture. Because every sign-in flows through it, this is where the organization enforces MFA, passwordless methods, adaptive risk policies, and session limits once, for every connected application. Improving a policy at the IdP instantly improves security everywhere.

It is also the audit point: a single log of who authenticated, when, from where, and to which application, which is invaluable for incident response and compliance reporting. And it is the kill switch, since disabling an identity at the IdP severs access to everything at once. That concentration of power is why IdP hardening, monitoring, and availability deserve first-class attention.

Choosing and running an IdP in practice

Key selection criteria include protocol coverage across SAML, OIDC, and legacy bridges, the breadth of the pre-built application catalog, MFA and passwordless options, SCIM provisioning, and deployment model. Organizations with data-residency or regulatory constraints often need a self-hosted option rather than cloud-only service.

Operationally, treat the IdP like tier-zero infrastructure: high availability, tested backup and recovery, strict admin access controls, and monitored certificate rotation. Monosign serves as a full identity provider with SAML 2.0, OIDC, WS-Fed, and Kerberos support, a catalog of over 7,000 applications, and the choice of cloud or self-hosted deployment.

Frequently asked questions

What is the difference between an IdP and a service provider (SP)?
The IdP authenticates users and issues tokens; the service provider is the application that consumes those tokens and grants access. One IdP typically serves many SPs, which is exactly what makes single sign-on possible.
Can an organization have more than one IdP?
Yes, and it is common after mergers or in hybrid environments. IdPs can federate with each other, so one acts as the primary broker and trusts assertions from the others. Long term, most organizations consolidate toward a single primary IdP to simplify policy and auditing.
Is Active Directory an identity provider?
Active Directory is primarily a directory service that stores identities and handles Kerberos and LDAP authentication inside the network. It does not natively speak SAML or OIDC to cloud applications, which is why organizations put a federation-capable IdP in front of it to extend those identities to SaaS.