
System Design

The Identity Provider and Service Provider

Separating who proves identity from who consumes it in a federation.


Two roles in every federation

Federated login splits responsibility between two parties. The identity provider authenticates the user and vouches for who they are. The service provider is the application the user actually wants to use and relies on that proof to grant access.

The service provider never sees the password. It only receives a signed assertion from the identity provider saying the user is authenticated and listing some attributes.

How they cooperate

  • The service provider sends the user to the identity provider with a request.
  • The identity provider authenticates and returns a signed assertion.
  • The service provider validates the signature and reads the attributes.

Trust flows in one direction: the service provider trusts assertions signed by the identity provider's key, and that trust in the key is established ahead of time by exchanging keys or metadata.
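The three-step exchange and the one-way trust relationship above, as an added example that is not part of the original lesson. It is a self-contained Go simulation using the standard library's Ed25519 signatures: the identity provider publishes its public key as "metadata", the service provider sends a request, the identity provider checks the password (which the service provider never sees) and returns a signed assertion, and the service provider verifies the signature and then checks the audience, request binding and expiry before reading the attributes. The user store, the assertion fields and the identifiers are constructed for the demo, not a SAML or OIDC schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthnRequest is what the service provider sends when it redirects the user.
type AuthnRequest struct {
	ID       string // fresh per login; the assertion must echo it back
	Audience string // the service provider's own identifier
}

// Assertion is the identity provider's signed statement about the user
// (constructed field set for this example, not a real federation schema).
type Assertion struct {
	Subject      string            `json:"subject"`
	Attributes   map[string]string `json:"attributes"`
	Audience     string            `json:"audience"`
	InResponseTo string            `json:"in_response_to"`
	ExpiresAt    int64             `json:"expires_at"` // Unix seconds
}

// SignedAssertion carries the serialized assertion and the IdP's signature over it.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// IdentityProvider owns the signing key and the (constructed) credential store.
type IdentityProvider struct {
	priv  ed25519.PrivateKey
	pub   ed25519.PublicKey
	users map[string]string // username -> password; sample data only
}

func NewIdentityProvider() *IdentityProvider {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &IdentityProvider{priv: priv, pub: pub,
		users: map[string]string{"alice": "correct horse battery"}}
}

// Metadata is what the IdP publishes ahead of time so SPs can trust its signatures.
func (idp *IdentityProvider) Metadata() ed25519.PublicKey { return idp.pub }

// Authenticate checks the password and, on success, issues a short-lived
// assertion bound to this request and this audience.
func (idp *IdentityProvider) Authenticate(req AuthnRequest, user, password string, now time.Time) (*SignedAssertion, error) {
	stored, ok := idp.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		return nil, errors.New("idp: authentication failed")
	}
	a := Assertion{
		Subject:      user,
		Attributes:   map[string]string{"email": user + "@example.test", "role": "staff"},
		Audience:     req.Audience,
		InResponseTo: req.ID,
		ExpiresAt:    now.Add(5 * time.Minute).Unix(),
	}
	payload, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	return &SignedAssertion{Payload: payload, Signature: ed25519.Sign(idp.priv, payload)}, nil
}

// ServiceProvider trusts exactly one IdP key, obtained from metadata out of band.
type ServiceProvider struct {
	id      string
	idpKey  ed25519.PublicKey
	pending map[string]bool // outstanding request IDs, each usable once
}

func NewServiceProvider(id string, idpKey ed25519.PublicKey) *ServiceProvider {
	return &ServiceProvider{id: id, idpKey: idpKey, pending: map[string]bool{}}
}

// NewRequest mints the request the user carries to the IdP.
func (sp *ServiceProvider) NewRequest() AuthnRequest {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b[:])
	sp.pending[id] = true
	return AuthnRequest{ID: id, Audience: sp.id}
}

// Consume verifies the signature first, then the binding checks that stop a
// genuine assertion meant for another SP, a replayed one, or a stale one.
func (sp *ServiceProvider) Consume(sa *SignedAssertion, now time.Time) (*Assertion, error) {
	if !ed25519.Verify(sp.idpKey, sa.Payload, sa.Signature) {
		return nil, errors.New("sp: signature does not verify against trusted IdP key")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	if a.Audience != sp.id {
		return nil, errors.New("sp: assertion issued for a different audience")
	}
	if !sp.pending[a.InResponseTo] {
		return nil, errors.New("sp: unknown or already-used request id")
	}
	delete(sp.pending, a.InResponseTo)
	if now.Unix() >= a.ExpiresAt {
		return nil, errors.New("sp: assertion expired")
	}
	return &a, nil
}

// Login runs the full exchange for one user and returns what the SP learned.
func Login(idp *IdentityProvider, sp *ServiceProvider, user, password string) (*Assertion, error) {
	now := time.Now()
	req := sp.NewRequest()                                // 1. SP sends the user to the IdP
	sa, err := idp.Authenticate(req, user, password, now) // 2. IdP authenticates and signs
	if err != nil {
		return nil, err
	}
	return sp.Consume(sa, now) // 3. SP validates the signature and reads attributes
}

func main() {
	idp := NewIdentityProvider()
	sp := NewServiceProvider("https://app.example.test", idp.Metadata())
	a, err := Login(idp, sp, "alice", "correct horse battery")
	fmt.Printf("assertion=%+v err=%v\n", a, err)
}
```

Note the order inside Consume: the signature is checked before anything in the payload is trusted, and a good signature alone is not enough. Audience, request binding and expiry are what keep an assertion the IdP legitimately issued for a different application, or one captured earlier, from being accepted here.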

Why the split matters

  • One identity provider can serve many service providers.
  • A company can host its own identity provider and let outside apps consume it.
  • Credentials stay in one audited place.

Key idea

The identity provider proves who the user is and the service provider consumes a signed assertion, so credentials stay in one trusted place.

Check yourself


1. What does the service provider receive instead of a password?

2. How is trust established between the two parties?