Identity Brokerage
An identity service that acts as an intermediary between multiple identity providers and service providers, enabling federated SSO across different domains.
What is Identity Brokerage?
Identity Brokerage is a service that sits between identity providers (IdPs) and service providers (SPs), mediating authentication and authorization. It decouples applications from specific identity sources, allowing organizations to switch IdPs or support multiple IdPs without changing applications.
Key capabilities:
- Protocol Translation: Converts between SAML, OIDC, OAuth and WS-Federation
- Multi-IdP Support: Users can authenticate with any configured IdP
- Session Management: Maintains sessions across multiple applications
- Attribute Transformation: Maps and transforms user attributes between systems
- Policy Enforcement: Applies access policies at the broker level
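To make these capabilities concrete, here is an added example (not LoginRadius code) of a minimal broker core in Python. It routes assertions from two differently-protocolled IdPs, translates their attribute names into one canonical profile, and applies application policy at the broker rather than in each app. The IdP registry, attribute maps, application policies and sample assertions are all constructed for this example, and the assertions are assumed to have already been signature-checked by the respective SAML or OIDC protocol handler.

```python
"""Minimal identity-broker core: multi-IdP routing, attribute translation
and central policy enforcement. Example code added to this page; every
IdP name, URL, attribute map, application and policy is constructed."""
from dataclasses import dataclass, field

# Constructed IdP registry. The SAML attribute names are the standard LDAP
# attribute OIDs (mail, givenName, sn); the OIDC names are standard claims.
IDP_REGISTRY = {
    "corp-oidc": {
        "protocol": "oidc",
        "issuer": "https://idp.corp.example",
        "attribute_map": {"email": "email", "given_name": "first_name",
                          "family_name": "last_name", "groups": "groups"},
    },
    "partner-saml": {
        "protocol": "saml",
        "issuer": "https://sso.partner.example",
        "attribute_map": {"urn:oid:0.9.2342.19200300.100.1.3": "email",
                          "urn:oid:2.5.4.42": "first_name",
                          "urn:oid:2.5.4.4": "last_name"},
    },
}

# SAML authentication-context classes this broker treats as multi-factor.
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

# Constructed broker-level policy: which IdPs may reach each application
# and whether a multi-factor authentication context is required.
APP_POLICY = {
    "payroll": {"allowed_idps": {"corp-oidc"}, "require_mfa": True},
    "partner-portal": {"allowed_idps": {"corp-oidc", "partner-saml"},
                       "require_mfa": False},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    profile: dict = field(default_factory=dict)


def normalize_assertion(idp_name: str, assertion: dict) -> dict:
    """Translate an IdP-specific assertion into the broker's canonical
    profile. Only attribute shape is handled here; the caller has already
    verified the assertion's signature."""
    idp = IDP_REGISTRY[idp_name]
    if idp["protocol"] == "saml":
        raw = assertion["attributes"]          # SAML AttributeStatement
        subject = assertion["name_id"]
        mfa = any(c in MFA_CONTEXT_CLASSES
                  for c in assertion.get("authn_context", []))
    else:
        raw = assertion                         # OIDC ID-token claims
        subject = assertion["sub"]
        mfa = "mfa" in assertion.get("amr", [])  # RFC 8176 "amr" values
    # Subject is namespaced by IdP so two IdPs cannot collide on an id.
    profile = {"subject": f"{idp_name}|{subject}", "idp": idp_name, "mfa": mfa}
    for src, dst in idp["attribute_map"].items():
        if src in raw:
            profile[dst] = raw[src]
    profile.setdefault("groups", [])  # same shape for every application
    return profile


def broker_authenticate(idp_name: str, assertion: dict, app: str) -> Decision:
    """Decide whether the broker will start a session for `app` on the basis
    of an assertion from `idp_name`, enforcing policy in one place."""
    if idp_name not in IDP_REGISTRY:
        return Decision(False, "unknown IdP")
    issuer = assertion.get("iss", assertion.get("issuer"))
    if issuer != IDP_REGISTRY[idp_name]["issuer"]:
        return Decision(False, "issuer does not match registered IdP")
    policy = APP_POLICY.get(app)
    if policy is None:
        return Decision(False, "unknown application")
    if idp_name not in policy["allowed_idps"]:
        return Decision(False, f"{idp_name} is not allowed to reach {app}")
    profile = normalize_assertion(idp_name, assertion)
    if policy["require_mfa"] and not profile["mfa"]:
        # Broker asks for step-up instead of letting the app decide.
        return Decision(False, "step-up authentication required", profile)
    return Decision(True, "ok", profile)


# Constructed sample assertions, one per protocol.
CORP_ID_TOKEN = {"iss": "https://idp.corp.example", "sub": "u-1042",
                 "email": "ana@corp.example", "given_name": "Ana",
                 "family_name": "Ruiz", "groups": ["finance"],
                 "amr": ["pwd", "mfa"]}
PARTNER_SAML = {"issuer": "https://sso.partner.example",
                "name_id": "bob@partner.example",
                "attributes": {"urn:oid:0.9.2342.19200300.100.1.3": "bob@partner.example",
                               "urn:oid:2.5.4.42": "Bob", "urn:oid:2.5.4.4": "Lee"},
                "authn_context": ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]}

if __name__ == "__main__":
    print(broker_authenticate("corp-oidc", CORP_ID_TOKEN, "payroll"))
    print(broker_authenticate("partner-saml", PARTNER_SAML, "partner-portal"))
    print(broker_authenticate("partner-saml", PARTNER_SAML, "payroll"))
```

The application only ever sees the canonical profile, so swapping the corporate IdP from OIDC to SAML later means editing one registry entry rather than every application; and because the MFA and allowed-IdP checks live in `broker_authenticate`, a partner user who reaches the broker with a valid assertion still cannot get into an application the policy does not list for that IdP.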
Analogy
Think of identity brokerage like a universal power adapter. When you travel internationally, one adapter lets you plug your device into any country's outlet. Similarly, an identity broker lets users authenticate with any identity provider (Google, Facebook, corporate IdP) and access any application.
Types and Use Cases
- Enterprise SSO: Broker connects employees to multiple SaaS apps via corporate IdP
- B2B Federation: Partners use their own IdP to access shared applications
- Consumer SSO: Users choose which social IdP (Google, Facebook, Apple) to authenticate with
- Mergers & Acquisitions: Broker bridges different identity systems during integration
- Cloud Migration: Broker facilitates gradual migration from on-prem IdP to cloud IdP
How it Works
Identity Brokerage vs Federation
| Identity Brokerage | Federation |
|---|---|
| Intermediary between IdPs and SPs | Direct trust relationship between IdP and SP |
| Supports multiple IdPs simultaneously | Typically one IdP per trust relationship |
| Handles protocol translation | Uses the same protocol on both sides (SAML or OIDC) |
| Adds a central policy enforcement point | Point-to-point |
| Enables switching IdPs without app changes | Requires per-app configuration |
Best Practices for Identity Brokerage
- Centralize policies: Use the broker as a single point for access policies, MFA requirements, and session rules
- Monitor broker health: The broker is a critical path - ensure high availability and performance
- Secure broker tokens: Tokens passing through the broker contain sensitive data - encrypt and sign them
- Log all transactions: Maintain detailed logs of all broker-mediated authentications for audit
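The two token- and logging-related practices above, as an added example that is not LoginRadius code: the broker mints a short-lived token bound to a single application (audience), the application verifies signature, issuer, audience and expiry before trusting it, and every mediated authentication yields one structured audit record. HMAC-SHA256 over a compact base64url encoding stands in for a real JWS library with KMS-managed keys; the issuer URL, key, audience names and log fields are constructed. Encryption of the payload (JWE) is not shown, and signing alone does not hide the claims from whoever holds the token.

```python
"""Signing, verifying and auditing broker-issued tokens. Example code
added to this page; the key, issuer, audiences and record format are
constructed, and HMAC-SHA256 stands in for a real JWS implementation."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

BROKER_ISSUER = "https://broker.example"                       # constructed
SIGNING_KEY = b"constructed-demo-key-use-a-kms-managed-secret"  # constructed


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_broker_token(profile: dict, audience: str, ttl: int = 300,
                       now: Optional[float] = None) -> str:
    """Mint a short-lived token for one application. `profile` is the
    canonical profile the broker built from the upstream IdP assertion."""
    now = time.time() if now is None else now
    claims = {"iss": BROKER_ISSUER, "aud": audience, "sub": profile["subject"],
              "idp": profile["idp"], "email": profile.get("email"),
              "iat": int(now), "exp": int(now) + ttl}
    payload = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64u(sig)}"


def verify_broker_token(token: str, expected_audience: str,
                        now: Optional[float] = None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all
    check out; any failure raises ValueError so callers cannot ignore it."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):   # constant-time
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(payload))
    if claims.get("iss") != BROKER_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token not issued for this application")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def audit_record(event: str, profile: dict, app: str, outcome: str,
                 now: Optional[float] = None) -> dict:
    """One record per broker-mediated authentication: who, via which IdP,
    to which application, with what outcome."""
    now = time.time() if now is None else now
    return {"ts": int(now), "event": event, "subject": profile["subject"],
            "idp": profile["idp"], "app": app, "outcome": outcome}


def audit_line(record: dict) -> str:
    """Serialize a record as one JSON line for shipping to a SIEM."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed profile, as the broker would produce after attribute mapping.
    ana = {"subject": "corp-oidc|u-1042", "idp": "corp-oidc", "email": "ana@corp.example"}
    tok = issue_broker_token(ana, "payroll")
    print(verify_broker_token(tok, "payroll"))
    print(audit_line(audit_record("login", ana, "payroll", "allowed")))
```

Binding the audience means a token issued for the partner portal cannot be replayed against payroll, and the short TTL limits how long a leaked token stays useful; the audit record carries the IdP alongside the subject so an investigation can tell a corporate login from a partner login without joining against upstream IdP logs.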
How LoginRadius Powers Identity Brokerage
The LoginRadius CIAM platform includes identity brokerage capabilities supporting multiple identity providers, including social login (Google, Facebook, Apple and 40+ others), enterprise federation (SAML/OIDC with Okta, Azure AD, Ping), and custom IdPs. Our platform handles protocol translation and session management, and provides a unified authentication experience across all applications.
Resources
FAQs
An Identity Provider (IdP) authenticates users and issues assertions/tokens. An Identity Broker sits between IdPs and applications, mediating the authentication flow. The broker doesn't authenticate users itself - it delegates to IdPs and translates the results for applications. The broker also provides session management and policy enforcement across multiple applications.
You may need a broker if you: (1) Support multiple IdPs (different partners use different IdPs), (2) Need protocol translation (SAML app needs to work with OIDC IdP), (3) Are migrating IdPs and need both old and new to work simultaneously, (4) Need centralized policy enforcement across applications that connect to different IdPs.
LoginRadius provides identity brokerage through our federated SSO capabilities. Our platform supports multiple identity providers (social login providers, enterprise IdPs via SAML/OIDC, and custom IdPs) and allows customers to authenticate with their preferred IdP. LoginRadius handles protocol translation, session management, and policy enforcement across all connected applications.