Benefits of IdP Integration With the Curity Identity Server

Travis Spencer

When it comes to choosing an identity and access management solution, one requirement that many organizations demand is the ability to integrate with the solution in various ways. One common integration need is to combine an existing Identity Provider (IdP) responsible for user authentication with the newly established system.

When it comes to the Curity Identity Server, such integration is not only possible but beneficial for organizations that decide to combine the two products. In this short post, I'll walk through some benefits of integrating Curity with an IdP.

Your preexisting IdP is likely responsible for user authentication, including onboarding and user self-service. Integrating such a service with the Curity Identity Server allows organizations to reuse and extend existing solutions. These scenarios include:

  1. Achieving collaborative adaptive authentication between an IdP and the Curity Identity Server
  2. Using the full power of claims with external identity sources
  3. Adding financial-grade capabilities to any IDaaS platform

The first point is an important one: it is achieved when the IdP platform performs the user authentication, while the Curity Identity Server adapts that authentication collaboratively based on the signals and context available to it. In this case, our product can use the information provided by the IdP (for example, the authentication method, the authentication time, or the assurance level reported in the result) to decide whether further measures should be taken to assert the user's identity.

Second, the IdP integration can unleash the power of Curity's token service. Since user login is federated to an external identity provider, the APIs and clients can benefit from the highly customizable tokens enabled via the claims subsystem of the Curity Identity Server. Since the upstream IdP returns attributes in the authentication result, these can be incorporated into the regular claims mapping performed when issuing tokens, just like any other claims source.

Finally, since the Curity Identity Server is based on the OAuth and OpenID Connect standards, all the advanced features of these standards can be used to achieve high-grade security irrespective of the authentication process chosen. For example, a financial-grade setup using PAR (Pushed Authorization Requests), JARM (JWT Secured Authorization Response Mode), and message-level encryption can be achieved without the upstream IdP needing to support any of these features itself.

Customers seeking to leverage the strengths of, and investment in, an existing IdP solution can use our SDK to integrate with any IdP quickly. For example, our new open-source authenticator demonstrates how easy it is to set up. As described in the documentation of this example authenticator, it is helpful in scenarios where:

  • The IdP is functioning as an OpenID Connect Provider (OP).
  • The Curity Identity Server is also an OP and a Relying Party (RP). Because it functions in both roles, it's a sort of identity proxy or relay to a downstream application.
  • The client application passes transparently through to the IdP.
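The relay scenario in the list above, the adaptive-authentication decision from the first benefit, and the claims mapping from the second can be shown together in one small piece of logic. The following is an added example written for this article, not code from Curity's SDK or from the open-source authenticator: it validates the claims of an ID token returned by the upstream IdP (the checks an OpenID Connect Relying Party must make before trusting the result), decides from the upstream signals whether a step-up is needed, and otherwise maps selected upstream attributes into the claims of the token issued to the downstream client. All issuer URLs, client identifiers, token values, and the `CLAIM_MAP` table are constructed for the example; signature verification of the token is assumed to have happened before these claims are handed in.

```python
import time

# Constructed sample: the claims of an ID token the upstream IdP (acting as an
# OpenID Provider) returned after authenticating the user. All values are made up.
UPSTREAM_ISSUER = "https://idp.example.com"
RELAY_CLIENT_ID = "curity-relay"   # hypothetical client_id the relay registered at the IdP
UPSTREAM_ID_TOKEN_CLAIMS = {
    "iss": UPSTREAM_ISSUER,
    "sub": "upstream-user-1234",
    "aud": [RELAY_CLIENT_ID, "other-client"],
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
    "auth_time": 1_700_000_000,
    "nonce": "n-0S6_WzA2Mj",
    "amr": ["pwd"],                      # authentication method(s), RFC 8176 values
    "email": "alice@example.com",
    "groups": ["staff", "finance"],
}

# Settings of the relay itself (hypothetical).
ISSUER = "https://login.example.org"    # issuer of the tokens the relay hands downstream
TOKEN_LIFETIME = 600                    # seconds
MAX_AUTH_AGE_SECONDS = 300              # upstream login older than this triggers a step-up
STRONG_METHODS = {"mfa", "otp", "hwk", "sc"}   # subset of RFC 8176 amr values treated as strong
CLAIM_MAP = {"email": "email", "groups": "roles"}   # upstream attribute -> issued claim name


class RelayError(Exception):
    """Raised when the upstream authentication result must not be trusted."""


def validate_upstream_claims(claims, expected_issuer, client_id, expected_nonce, now):
    """Checks an RP performs on ID-token claims before trusting them (OIDC Core 3.1.3.7)."""
    if claims.get("iss") != expected_issuer:
        raise RelayError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise RelayError("token not intended for this relying party")
    # When azp is present it must name this client (it is expected with multiple audiences).
    if claims.get("azp", client_id) != client_id:
        raise RelayError("authorized party mismatch")
    if claims.get("exp", 0) <= now:
        raise RelayError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise RelayError("nonce mismatch (possible replay)")
    return claims


def needs_step_up(claims, now, require_strong):
    """Collaborative adaptive authentication: decide from the upstream signals whether
    the relay should demand an additional factor before issuing tokens."""
    too_old = now - claims.get("auth_time", 0) > MAX_AUTH_AGE_SECONDS
    weak = require_strong and not (set(claims.get("amr", [])) & STRONG_METHODS)
    return too_old or weak


def map_claims(upstream, audience, now):
    """Build the claims of the token issued downstream from the upstream attributes,
    feeding them into the mapping the same way any other claims source would."""
    issued = {
        "iss": ISSUER,
        # Namespace the subject with the upstream issuer so subjects from different
        # IdPs can never collide.
        "sub": f"{upstream['iss']}|{upstream['sub']}",
        "aud": audience,
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
        "auth_time": upstream["auth_time"],
        "amr": list(upstream.get("amr", [])),
    }
    for src, dst in CLAIM_MAP.items():
        if src in upstream:
            issued[dst] = upstream[src]
    return issued


def relay(upstream_claims, expected_nonce, downstream_client, require_strong=False, now=None):
    """Full relay step: validate the upstream result, then either ask for a step-up
    or return the claims of the token to issue to the downstream client."""
    now = int(time.time()) if now is None else now
    claims = validate_upstream_claims(
        upstream_claims, UPSTREAM_ISSUER, RELAY_CLIENT_ID, expected_nonce, now)
    if needs_step_up(claims, now, require_strong):
        return {"action": "step_up", "sub": claims["sub"]}
    return {"action": "issue", "claims": map_claims(claims, downstream_client, now)}


if __name__ == "__main__":
    # Fresh, password-only login relayed to a hypothetical downstream client.
    print(relay(UPSTREAM_ID_TOKEN_CLAIMS, "n-0S6_WzA2Mj", "api-client", now=1_700_000_100))
    # Same login, but the downstream client requires a strong method: step-up instead.
    print(relay(UPSTREAM_ID_TOKEN_CLAIMS, "n-0S6_WzA2Mj", "api-client",
                require_strong=True, now=1_700_000_100))
```

The point to notice is the order of the three steps: the upstream result is validated first, the adaptive decision is made on the validated claims, and only then are attributes copied into issued claims. A relay that mapped claims before checking `aud` and `nonce` would mint downstream tokens from an ID token that was never meant for it.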

This demo video shows this usage and details how it can be implemented with our new authenticator.

Combining an IdP with the Curity Identity Server can also be used in the reverse scenario, with Curity as the IdP. You may want to do this to:

  • Use an existing Curity deployment to quickly provide staff with access to various SaaS applications
  • Allow users to log in with additional kinds of credentials supported by Curity, such as BankID or social accounts
  • Run actions and execute workflows as a part of the login process
  • Take further control over the look and feel of the login screens
  • Use the Hypermedia Authentication API

This second demo video describes the setup in which Curity is used as an IdP.

Integrating Curity's product with an IdP offers many benefits. Doing so is easy, even if there's no out-of-the-box integration with your IdP. The authenticator code demoed in this article was partially generated, and the OpenID Connect standard defined the implementation details. All in all, it took 16 hours to build the example authenticator shown in the videos above.

This kind of integration is a poster child for the extensibility options available in the Curity Identity Server! Check it out and let us know what you think.

Read our Using External IDPs article if you want to learn more about the subject.
