Identity Brokerage

An identity service that acts as an intermediary between multiple identity providers and service providers, enabling federated SSO across different domains.

What is Identity Brokerage?

Identity Brokerage is a service that sits between identity providers (IdPs) and service providers (SPs), mediating authentication and authorization. It decouples applications from specific identity sources, allowing organizations to switch IdPs or support multiple IdPs without changing applications.

Key capabilities:

  • Protocol Translation: Converts between SAML, OIDC, OAuth, WS-Federation
  • Multi-IdP Support: Users can authenticate with any configured IdP
  • Session Management: Maintains sessions across multiple applications
  • Attribute Transformation: Maps and transforms user attributes between systems
  • Policy Enforcement: Applies access policies at the broker level

Analogy

Think of identity brokerage like a universal power adapter. When you travel internationally, one adapter lets you plug your device into any country's outlet. Similarly, an identity broker lets users authenticate with any identity provider (Google, Facebook, corporate IdP) and access any application.

Types and Use Cases

  • Enterprise SSO: Broker connects employees to multiple SaaS apps via corporate IdP
  • B2B Federation: Partners use their own IdP to access shared applications
  • Consumer SSO: Users choose which social IdP (Google, Facebook, Apple) to authenticate with
  • Mergers & Acquisitions: Broker bridges different identity systems during integration
  • Cloud Migration: Broker facilitates gradual migration from on-prem IdP to cloud IdP

How it Works

  1. User attempts to access a service provider application
  2. Application redirects to identity broker for authentication
  3. Broker presents user with available identity provider options (corporate IdP, social login, etc.)
  4. User selects their IdP and authenticates; broker receives the authentication assertion/token
  5. Broker validates the assertion, transforms attributes as needed, and issues a new token/assertion to the application
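Steps 4 and 5 of the flow above, as an added example that is not LoginRadius code: a minimal broker that verifies the token handed over by the selected IdP, maps that IdP's attribute names onto one canonical schema, enforces an MFA requirement at the broker, and signs a fresh token for the application. The token format, keys, IdP names, claim names and policy are all constructed for illustration; a real broker would use SAML/OIDC libraries and asymmetric keys rather than shared secrets.

```python
import base64, hashlib, hmac, json, time

# Constructed sample keys: one shared secret per trusted IdP, plus the
# broker's own signing key for the tokens it issues to applications.
IDP_KEYS = {"corp-saml": b"corp-idp-secret", "google-oidc": b"google-idp-secret"}
BROKER_KEY = b"broker-signing-secret"

# Attribute transformation: each IdP names claims differently; the broker
# maps them onto one canonical schema and drops everything unmapped.
ATTRIBUTE_MAPS = {
    "corp-saml": {"uid": "subject", "mail": "email", "memberOf": "groups"},
    "google-oidc": {"sub": "subject", "email": "email"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(payload: dict, key: bytes) -> str:
    """Compact token: base64url(JSON payload) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token: str, key: bytes) -> dict:
    """Reject tokens with a bad signature or an expired 'exp' claim."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature check failed")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] < time.time():
        raise ValueError("token expired")
    return payload

def issue_idp_token(idp: str, claims: dict, ttl: int = 300) -> str:
    """Stand-in for the assertion/token a real IdP would send the broker."""
    return sign({**claims, "exp": int(time.time()) + ttl}, IDP_KEYS[idp])

def broker(idp: str, idp_token: str, app: str, policy: dict) -> str:
    """Step 5: validate, transform attributes, enforce policy, re-issue."""
    claims = verify(idp_token, IDP_KEYS[idp])  # trust only the chosen IdP's key
    attrs = {ATTRIBUTE_MAPS[idp][k]: v for k, v in claims.items() if k in ATTRIBUTE_MAPS[idp]}
    if policy.get("require_mfa") and not claims.get("mfa"):  # broker-level policy
        raise PermissionError("MFA required by broker policy for " + app)
    payload = {**attrs, "iss": "broker", "aud": app, "via": idp,
               "exp": int(time.time()) + 300}
    return sign(payload, BROKER_KEY)  # the application trusts only the broker's key
```

The application never sees the IdP's raw claims or key: it validates only broker-issued tokens, which is what lets the IdP be swapped without touching the application.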

Identity Brokerage vs Federation

Identity Brokerage                                        | Federation
----------------------------------------------------------|-------------------------------------------------------------
Brokerage is an intermediary between IdPs and SPs         | Federation is a direct trust relationship between IdP and SP
Brokerage supports multiple IdPs simultaneously           | Federation typically involves one IdP per trust relationship
Brokerage handles protocol translation                    | Federation uses the same protocol on both sides (SAML or OIDC)
Brokerage adds a central policy enforcement point         | Federation is point-to-point
Brokerage enables switching IdPs without app changes      | Federation requires per-app configuration

Best Practices for Identity Brokerage

  • Centralize policies: Use the broker as a single point for access policies, MFA requirements, and session rules
  • Monitor broker health: The broker is a critical path - ensure high availability and performance
  • Secure broker tokens: Tokens passing through the broker contain sensitive data - encrypt and sign them
  • Log all transactions: Maintain detailed logs of all broker-mediated authentications for audit

How LoginRadius Powers Identity Brokerage

LoginRadius CIAM platform includes identity brokerage capabilities supporting multiple identity providers including social login (Google, Facebook, Apple, 40+), enterprise federation (SAML/OIDC with Okta, Azure AD, Ping), and custom IdPs. Our platform handles protocol translation, session management, and provides a unified authentication experience across all applications.

FAQs

An Identity Provider (IdP) authenticates users and issues assertions/tokens. An Identity Broker sits between IdPs and applications, mediating the authentication flow. The broker doesn't authenticate users itself - it delegates to IdPs and translates the results for applications. The broker also provides session management and policy enforcement across multiple applications.

You may need a broker if you: (1) Support multiple IdPs (different partners use different IdPs), (2) Need protocol translation (SAML app needs to work with OIDC IdP), (3) Are migrating IdPs and need both old and new to work simultaneously, (4) Need centralized policy enforcement across applications that connect to different IdPs.

LoginRadius provides identity brokerage through our federated SSO capabilities. Our platform supports multiple identity providers (social login providers, enterprise IdPs via SAML/OIDC, and custom IdPs) and allows customers to authenticate with their preferred IdP. LoginRadius handles protocol translation, session management, and policy enforcement across all connected applications.
