An Identity Provider (IdP), also known as an Identity Assertion Provider, is responsible for issuing identification information for all providers that want to interact with, or provide services to, the system in any way. This is achieved via an authentication module that verifies a security token as an alternative to explicitly authenticating a user within a security realm.
An example of this is an external website that allows users to log in with Facebook credentials: here Facebook is acting as an identity provider. Facebook verifies that the user is an authorized user and returns information to the external site, such as username and email address (the specific details may vary). Similarly, if a site allows login with Google or Twitter, Google and Twitter are acting as the identity provider.
In perimeter authentication a user needs to be authenticated only once (single sign-on) and then passes along a security token, which is processed by an Identity Assertion Provider for each system the user needs to access.
Service provider vs. identity provider
"Provider" is a generic way of referring to both IdPs (Identity Providers) and SPs (Service Providers). There are overlaps when it comes to defining Identity Providers vs. Service Providers. According to the OASIS organization that created SAML, an Identity Provider is defined as "A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles."
A service provider is "A role donned by a system entity where the system entity provides services to principals or other system entities" and a Federation is "An association comprising any number of service providers and identity providers."
In simple terms, and as they relate to identity management, an Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities. It should be noted, however, that Identity Providers can also provide services beyond those related to the storage of identity profiles.
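The following is an added illustration (not part of the original article, and not a SAML implementation) of the relationship described above: one IdP authenticates a principal once and mints a security token for a specific SP in the federation, and each SP accepts that assertion instead of authenticating the user itself. The federation members, the issuer name and the shared HMAC key are constructed for the demo; real federations use X.509-signed XML assertions rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo federation: one IdP sharing a secret with two hypothetical SPs.
IDP_NAME = "idp.example"
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
FEDERATION_SPS = {"payroll.example", "wiki.example"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_assertion(principal: str, audience: str, ttl: int = 300, now=None) -> str:
    """IdP side: after authenticating the principal once, mint a token bound to one SP."""
    if audience not in FEDERATION_SPS:
        raise ValueError("SP is not a member of the federation")
    now = time.time() if now is None else now
    claims = {"iss": IDP_NAME, "sub": principal, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def sp_accept_assertion(token: str, my_name: str, now=None) -> Optional[dict]:
    """SP side: trust the IdP's assertion instead of authenticating the user locally.
    Returns the claims on success, None if the assertion is rejected."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time compare so the signature check leaks no timing information.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64 / JSON / token shape
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_NAME:      # not issued by the federation's IdP
        return None
    if claims.get("aud") != my_name:       # minted for a different SP: do not accept
        return None
    if now >= claims.get("exp", 0):        # expired assertion
        return None
    return claims
```

The audience check is what keeps a token issued for one SP from being replayed at another SP in the same federation.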