An Identity Provider (IdP), also known as an Identity Assertion Provider, is responsible for issuing identification information for all providers that wish to interact with or service the system in any way. This is achieved through an authentication module that verifies a security token as an alternative to explicitly authenticating a user within a security realm.
In perimeter authentication a user needs to be authenticated only once (single sign-on) and then passes along a security token, which is processed by an Identity Assertion Provider for each system the user needs to access.
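The single-sign-on flow described above, as an added example that is not part of the original article: the IdP authenticates the user once and mints a signed assertion bound to one service provider, and each service provider verifies that assertion instead of running its own login. The issuer URL, service-provider URLs, and the HMAC key shared between IdP and service providers (standing in for SAML's XML signatures) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: issuer id and shared key are assumptions for this example.
IDP_ID = "https://idp.example.test"
SHARED_KEY = b"example-only-shared-secret"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """IdP side: after the user has authenticated once, mint a short-lived
    assertion bound to a single service provider (the audience)."""
    claims = {"iss": IDP_ID, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)


def assert_identity(token: str, expected_audience: str, now: int):
    """Service-provider side: accept the principal named in the token instead
    of authenticating the user locally. Returns the subject, or None if any
    check fails (bad signature, wrong issuer, wrong audience, out of lifetime)."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = unb64(body_b64), unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered token
    claims = json.loads(body)
    if claims.get("iss") != IDP_ID:
        return None  # not issued by our IdP
    if claims.get("aud") != expected_audience:
        return None  # minted for a different service provider
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # expired or not yet valid
    return claims["sub"]
```

The audience check is what stops a token accepted by one service provider from being replayed against another; the lifetime check bounds how long a leaked token stays usable.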
Service provider vs. identity provider
"Provider" is a generic way of referring to both IdPs (Identity Providers) and SPs (Service Providers). There are overlaps when it comes to defining Identity Providers versus Service Providers. According to OASIS, the organization that created SAML, an Identity Provider is "A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles."
A service provider is "A role donned by a system entity where the system entity provides services to principals or other system entities", and a federation is "An association comprising any number of service providers and identity providers."
In simple terms, and as they relate to identity management, an Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities. Note, however, that Identity Providers can also provide services beyond those related to the storage of identity profiles.