What is an Identity Provider (IdP)?

Understanding Identity Providers (IdPs)

An Identity Provider (IdP) is a service that authenticates users and issues identity assertions to applications or systems that trust it.

Instead of every application managing its own credentials, the IdP acts as a central authentication authority — verifying users once and securely sharing that identity across applications. In a Workforce Identity context, the IdP validates employees, contractors, and partners across both on-premises and cloud environments — ensuring consistent, secure, and frictionless access.

The Identity Provider is the authentication foundation for your enterprise — one login, verified centrally, trusted everywhere.

How Identity Providers Work

When a user attempts to access an application, the IdP verifies their identity and issues a digital assertion (such as a token or claim). That assertion is consumed by the application to establish a secure session.

Typical authentication flow:

  1. The user attempts to access an application (the “service provider”).
  2. The application redirects the user to the IdP for authentication.
  3. The IdP validates credentials (password, token, certificate, etc.).
  4. The IdP issues a standards-based token (SAML assertion or OIDC ID token).
  5. The service provider validates the token and grants access accordingly.

This forms the basis of federated identity — multiple systems trusting a single authentication source.

Common Federation Standards and Protocols

| Protocol | Description | Common Use |
|---|---|---|
| SAML (Security Assertion Markup Language) | XML-based standard for exchanging authentication data between an IdP and SP. | Enterprise SSO and legacy app integration. |
| OAuth 2.0 | Authorization framework enabling delegated access without sharing credentials. | APIs and cloud applications. |
| OpenID Connect (OIDC) | Identity layer built on OAuth 2.0 providing authentication through signed tokens. | Modern web and mobile SSO. |

OpenIAM’s IdP supports all major federation standards, connecting your workforce securely to SaaS, cloud, and on-premises systems.

Emerging Standards and the Evolution of OIDC

Authentication and federation standards continue to evolve to meet higher security and privacy expectations, especially in regulated industries such as finance, healthcare, and government.

  • OpenID Connect for Financial-grade APIs (FAPI):

An extension of OIDC developed by the OpenID Foundation to deliver stronger authentication and token integrity for sensitive data exchange.

FAPI enhances client authentication, mitigates replay attacks, and provides assurance profiles used in Open Banking and financial APIs.

  • OpenID Connect Federation:

A framework that simplifies trust establishment between organizations’ IdPs and Service Providers.

It automates metadata discovery and trust negotiation — ideal for multi-IdP or cross-domain federation environments.

  • GNAP (Grant Negotiation and Authorization Protocol):

A next-generation protocol being developed as a successor to OAuth 2.0, introducing richer consent flows and advanced privacy controls for API-driven architectures.

OpenIAM actively monitors and aligns with these evolving standards.

As extensions like OIDC Federation and FAPI mature, OpenIAM’s roadmap includes supporting these capabilities — ensuring financial, public, and highly regulated enterprises can adopt secure, standards-aligned federation.

Identity Provider vs. Single Sign-On (SSO)

While closely related, an IdP and SSO serve distinct roles:

  • The IdP authenticates the user and issues a secure token representing their verified identity.
  • SSO uses that token to provide seamless access to multiple applications without repeated logins.

The IdP is the authentication authority; SSO is the user experience layer built on top of it.

Key Benefits of Using an IdP

  • Centralized authentication: Manage all workforce logins from one trusted location.
  • Enhanced security: Enforce MFA, adaptive risk, and passwordless login.
  • Improved user experience: Enable single sign-on across all apps and environments.
  • Consistent policy enforcement: Apply uniform authentication policies everywhere.
  • Audit and compliance readiness: Capture authentication and federation logs for reporting.

How the IdP Fits in the OpenIAM Architecture

In OpenIAM, the Identity Provider (IdP) acts as the front door for authentication — the gateway users pass through before reaching either the OpenIAM UI or any Service Provider (SP) application integrated with OpenIAM.

Authentication Flow

  1. User authentication: The IdP validates credentials, applying MFA or adaptive risk rules as configured.
  2. Token issuance: It generates a standards-based token (SAML, OAuth, or OIDC).
  3. Token consumption:
    • If the target is the OpenIAM UI, the token initiates a session for self-service or administration.
    • If the target is a federated SP application, the token is passed to that application for access.

Deployment Patterns

OpenIAM can operate flexibly as both an Identity Provider (IdP) and a Service Provider (SP):

  • OpenIAM as the Primary IdP

OpenIAM authenticates users directly and issues tokens trusted by connected applications and services.

Ideal for organizations consolidating authentication and governance in one platform.

  • OpenIAM as a Service Provider (Federated Mode)

For organizations using IdPs like Azure AD, Okta, or Ping Identity, OpenIAM can seamlessly integrate by consuming tokens from those external IdPs.

In this configuration, OpenIAM acts as a trusted Service Provider, extending governance, lifecycle, and access policies to users authenticated externally.

This dual capability enables enterprises to retain existing IdPs while expanding identity governance and policy enforcement through OpenIAM.

IdP Chaining and Multi-IdP Federation

Many enterprises work with subsidiaries, partners, or acquired entities that maintain separate IdPs.

OpenIAM supports IdP chaining, allowing authentication requests to flow seamlessly between identity providers.

Example Scenario:

  • A subsidiary uses its own IdP (e.g., Azure AD or Ping).
  • A shared application is integrated with OpenIAM.
  • The user authenticates through their local IdP.
  • That IdP passes the authentication assertion to OpenIAM, which authorizes and grants access to the application.

The user experiences a transparent, single sign-on flow.

OpenIAM acts as a federation bridge, enabling cross-domain trust and centralized governance.

IdP chaining allows organizations to build a federated trust fabric — linking multiple identity domains without duplicating users, credentials, or access policies.
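The following is an added example, not OpenIAM code, covering two passages above: the five-step authentication flow (token issuance by the IdP and validation by the service provider) and the IdP chaining scenario, where a federation bridge validates an assertion from a subsidiary's IdP and then issues its own token to the shared application. Every issuer URL, client_id and key is an assumption constructed for the demo; HMAC-SHA256 stands in for the asymmetric signatures (RS256/ES256 with keys published via JWKS) a production IdP would use, so that the example runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json

# All keys, issuer URLs and client_ids below are constructed for this demo.
# Real IdPs sign with asymmetric keys published via JWKS; HMAC-SHA256 is used
# here only so the example runs without third-party libraries.
TRUSTED_ISSUERS = {                        # the bridge's registry of upstream IdPs
    "https://idp.subsidiary.example.test": b"subsidiary-idp-demo-secret",
    "https://idp.partner.example.test": b"partner-idp-demo-secret",
}
BRIDGE_ISSUER = "https://openiam-bridge.example.test"
BRIDGE_SECRET = b"bridge-demo-secret"
BRIDGE_AUDIENCE = "openiam-bridge"         # client_id the upstream IdPs issue tokens to
APP_AUDIENCE = "shared-app"                # client_id of the application behind the bridge


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, issuer, subject, audience, nonce, now, lifetime=300, extra=None):
    """Step 4 of the flow: an IdP mints a signed token bound to one audience and one login."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    claims.update(extra or {})
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    pass


def validate_token(token, keys_by_issuer, audience, nonce, now, leeway=60):
    """Step 5 of the flow: the receiving side validates before trusting any claim.

    Each check closes a known failure mode: an unpinned 'alg' header, an issuer
    outside the trust registry, a token minted for a different audience, an
    expired or not-yet-valid token, and a nonce that does not match this login
    (a token replayed from another session)."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    claims = json.loads(_b64url_decode(c64))
    key = keys_by_issuer.get(claims.get("iss"))  # key comes from our registry, never from the token
    if key is None:
        raise TokenRejected("untrusted issuer")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenRejected("bad signature")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token not intended for this audience")
    if claims.get("exp", 0) + leeway < now:
        raise TokenRejected("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise TokenRejected("token issued in the future")
    if claims.get("nonce") != nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    return claims


def bridge_exchange(external_token, bridge_nonce, app_nonce, now):
    """IdP chaining: validate the upstream IdP's assertion, then issue the bridge's
    own token to the application, recording which IdP performed the authentication."""
    upstream = validate_token(external_token, TRUSTED_ISSUERS, BRIDGE_AUDIENCE, bridge_nonce, now)
    return issue_token(BRIDGE_SECRET, BRIDGE_ISSUER, upstream["sub"], APP_AUDIENCE,
                       app_nonce, now, extra={"auth_source": upstream["iss"]})


def outcome(fn, *args):
    """Return the validated claims, or the rejection reason as a string."""
    try:
        return fn(*args)
    except TokenRejected as exc:
        return str(exc)


def demo():
    now = 1_700_000_000                    # constructed fixed clock for determinism
    sub_iss = "https://idp.subsidiary.example.test"
    # Steps 1-4: the user authenticates at the subsidiary IdP, which issues a token to the bridge
    upstream = issue_token(TRUSTED_ISSUERS[sub_iss], sub_iss, "alice", BRIDGE_AUDIENCE, "n1", now)
    # Step 5 at the bridge, then step 4 again: the bridge validates and re-issues for the app
    app_token = bridge_exchange(upstream, "n1", "n2", now)
    # Step 5 at the application: it trusts only the bridge as issuer
    app_claims = validate_token(app_token, {BRIDGE_ISSUER: BRIDGE_SECRET}, APP_AUDIENCE, "n2", now)
    bridge_keys = {BRIDGE_ISSUER: BRIDGE_SECRET}
    return {
        "app_sub": app_claims["sub"],
        "auth_source": app_claims["auth_source"],
        "unknown_idp": outcome(bridge_exchange, issue_token(
            b"other-key", "https://idp.unknown.example.test", "x", BRIDGE_AUDIENCE, "n1", now), "n1", "n2", now),
        "wrong_key": outcome(bridge_exchange, issue_token(
            b"other-key", "https://idp.partner.example.test", "x", BRIDGE_AUDIENCE, "n1", now), "n1", "n2", now),
        "expired": outcome(validate_token, app_token, bridge_keys, APP_AUDIENCE, "n2", now + 3600),
        "replayed": outcome(validate_token, app_token, bridge_keys, APP_AUDIENCE, "other", now),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that the application never sees or trusts the subsidiary IdP directly: it validates only tokens from the bridge, and the `auth_source` claim preserves which upstream IdP authenticated the user for audit purposes. The bridge, in turn, selects the verification key from its own issuer registry rather than from anything carried in the token, which is what makes the trust chain explicit.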

Where Authorization Happens

  • Authentication (IdP): Determines who the user is and issues the identity token.
  • Authorization (OpenIAM Policy Layer): Determines what the user can do — applying RBAC, ABAC, and SoD policies after login.

The IdP validates identity; the policy layer enforces access — together, they create a unified and secure identity fabric.
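As an added illustration of the separation described above (not OpenIAM's policy engine or API, whose model is not reproduced here), the following Python sketch takes the claims already verified by the IdP and makes the access decision in a separate policy layer: role-based entitlements (RBAC), an attribute condition on the request (ABAC), and a segregation-of-duties check that fails closed when a user holds conflicting roles. The roles, entitlements, rules and users are constructed demo data.

```python
from dataclasses import dataclass, field

# Constructed demo policy data; names are assumptions for the illustration.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "hr_viewer": {"employee:read"},
}

# SoD: role combinations one person must never hold at the same time.
SOD_CONFLICTS = [({"ap_clerk", "ap_approver"}, "create and approve the same invoice")]

ROLES_BY_USER = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_approver"],   # a toxic combination that should be remediated
    "carol": ["hr_viewer"],
}

# ABAC: attribute conditions that must hold on the user's verified claims.
ABAC_RULES = {
    "invoice:create": {"employment": "active"},
    "employee:read": {"dept": "HR"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    violations: list = field(default_factory=list)


def sod_violations(roles: set) -> list:
    """Return the description of every SoD conflict fully contained in the role set."""
    return [why for pair, why in SOD_CONFLICTS if pair <= roles]


def abac_ok(claims: dict, rule: dict) -> bool:
    """Every attribute named in the rule must match the user's claims exactly."""
    return all(claims.get(k) == v for k, v in rule.items())


def authorize(claims: dict, action: str) -> Decision:
    """Policy decision made after the IdP has already established who the user is.

    claims: verified claims from the ID token, i.e. 'sub' plus attributes such
    as department or employment status that the IdP asserted."""
    roles = set(ROLES_BY_USER.get(claims["sub"], ()))
    violations = sod_violations(roles)
    if violations:
        # Fail closed until the conflicting assignment is remediated.
        return Decision(False, "SoD violation", violations)
    granted = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))
    if action not in granted:
        return Decision(False, f"no role grants {action}")
    rule = ABAC_RULES.get(action)
    if rule and not abac_ok(claims, rule):
        return Decision(False, f"attribute condition failed for {action}")
    return Decision(True, "allowed")


def demo() -> dict:
    """Four decisions on constructed claims: RBAC grant, SoD block, ABAC block, full allow."""
    return {
        "alice": authorize({"sub": "alice", "employment": "active"}, "invoice:create"),
        "bob": authorize({"sub": "bob", "employment": "active"}, "invoice:approve"),
        "carol_wrong_dept": authorize({"sub": "carol", "dept": "Finance"}, "employee:read"),
        "carol": authorize({"sub": "carol", "dept": "HR"}, "employee:read"),
    }


if __name__ == "__main__":
    for who, decision in demo().items():
        print(who, decision)
```

Note that the SoD check runs before any entitlement is granted: a user whose role set contains a conflicting pair is denied the action even though one of those roles would otherwise permit it, which is the "detect and remediate" behaviour the policy layer is meant to enforce.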

Implementing an Identity Provider with OpenIAM

OpenIAM includes a fully standards-based Identity Provider that supports both IdP and SP roles and integrates easily into existing identity ecosystems.

With OpenIAM, you can:

  • Authenticate users directly or federate with external IdPs.
  • Implement SAML, OAuth 2.0, and OIDC federation in both directions (IdP ↔ SP).
  • Support IdP chaining across subsidiaries and partner organizations.
  • Extend governance and access policies to all federated users.
  • Apply MFA, adaptive risk, and passwordless authentication consistently.
  • Centralize logs and analytics for visibility and compliance.

OpenIAM acts as both a secure authentication authority and a federation bridge, connecting users, partners, and applications across domains — while maintaining unified governance.

FAQ - Frequently Asked Questions

How is an IdP different from SSO?

An IdP authenticates users and issues tokens; SSO uses those tokens for seamless access across apps.

Which federation standards does OpenIAM support?

SAML, OAuth 2.0, and OpenID Connect (OIDC) — including alignment with evolving extensions like OIDC Federation and FAPI.

Can OpenIAM integrate with my existing IdP like Azure AD or Okta?

Yes. OpenIAM can act as a Service Provider, consuming tokens from other IdPs while applying governance and lifecycle policies.

What is IdP chaining?

It’s the ability to connect multiple IdPs in a trust chain — allowing users authenticated by one IdP to access resources managed by another through OpenIAM.

How does OpenIAM prepare for new standards like OIDC FAPI?

OpenIAM tracks and adapts to evolving protocols to ensure compliance and secure interoperability for regulated industries.

Related Concepts

  • Single Sign-On (SSO)
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Identity Governance (IGA)
  • Workforce Identity Concepts

Let’s Connect

Managing identity can be complex. Let OpenIAM simplify how you manage all of your identities from a converged modern platform hosted on-premises or in the cloud.

For 15 years, OpenIAM has been helping mid to large enterprises globally improve security and end user satisfaction while lowering operational costs.


All modules of our IAM platform share a common infrastructure allowing customers to see one unified identity solution versus a collection of disparate products.


sales@openiam.com

(858)935-7561

Copyright © 2025 OpenIAM. All rights reserved.