Managing Identity Providers

An Identity Provider (IdP) manages the accounts of users who need secure access to applications or services. A Service Provider (SP) is the server that receives a user's request for access to an application or service. In a typical SAML flow, when a user requests a service from the SP, the SP sends the user to the IdP with an authentication request. The IdP authenticates the user, generates an identity assertion based on the user's account information, and returns it to the SP through the user's browser. The SP validates the assertion (signature, issuer, audience, and validity window) and then decides, based on its contents, whether to grant access. UAA supports the SAML protocol for communicating with IdPs and SPs.
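The exchange described above, shown as an added example that is not UAA code: an SP that issues an AuthnRequest, then accepts a Response only if every binding to this SP and this request holds (destination, InResponseTo, issuer, audience, validity window, subject confirmation, replay). The entity IDs and ACS URL are hypothetical, the Response is constructed inline, and XML-Signature verification is replaced by a presence check so the example runs offline with the standard library only; a real SP must verify the signature against the IdP's metadata certificate with an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Hypothetical identifiers for this example; real values come from the metadata exchanged at setup.
SP_ENTITY_ID = "https://uaa.example.com/saml/metadata"
SP_ACS_URL = "https://uaa.example.com/saml/SSO/alias/uaa"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"


class SamlError(Exception):
    pass


def _time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def has_signature(assertion):
    """Stand-in for XML-DSig verification: only checks that a ds:Signature element is present.
    A real SP verifies the signature with an XML-DSig library (e.g. xmlsec) against the IdP cert."""
    return assertion.find("ds:Signature", NS) is not None


class ServiceProvider:
    def __init__(self, verify_signature=has_signature):
        self.verify_signature = verify_signature
        self.pending = set()    # AuthnRequest IDs we issued and have not yet seen answered
        self.consumed = set()   # assertion IDs already accepted, so a replay is refused

    def build_authn_request(self, request_id, issue_instant):
        """Step 1: the SP asks the IdP for an assertion; the user's browser carries this to the IdP."""
        self.pending.add(request_id)
        return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
                f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
                f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

    def consume_response(self, xml_text, now):
        """Step 3: grant access only if the assertion is bound to this SP and to a request we made."""
        resp = ET.fromstring(xml_text)
        if resp.get("Destination") != SP_ACS_URL:
            raise SamlError("Response not addressed to our ACS URL")
        req_id = resp.get("InResponseTo")
        if req_id not in self.pending:
            raise SamlError("Unsolicited response or unknown InResponseTo")
        status = resp.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
            raise SamlError("IdP did not report success")
        assertions = resp.findall("saml:Assertion", NS)
        if len(assertions) != 1:
            raise SamlError("Expected exactly one assertion")
        a = assertions[0]
        if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SamlError("Assertion issued by an unexpected IdP")
        if not self.verify_signature(a):
            raise SamlError("Assertion signature missing or invalid")
        if a.get("ID") in self.consumed:
            raise SamlError("Assertion replayed")
        cond = a.find("saml:Conditions", NS)
        if cond is None or not (_time(cond.get("NotBefore")) <= now < _time(cond.get("NotOnOrAfter"))):
            raise SamlError("Assertion outside its validity window")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            raise SamlError("Assertion not intended for this SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if (scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id
                or now >= _time(scd.get("NotOnOrAfter"))):
            raise SamlError("SubjectConfirmationData does not bind the assertion to this request")
        self.pending.discard(req_id)
        self.consumed.add(a.get("ID"))
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def make_response(request_id, assertion_id, audience=SP_ENTITY_ID, signed=True,
                  not_before="2024-01-01T12:00:00Z", not_on_or_after="2024-01-01T12:05:00Z"):
    """Step 2, constructed: the Response an IdP would send back. The Signature is a placeholder."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" InResponseTo="{request_id}" Destination="{SP_ACS_URL}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'<saml:Assertion ID="{assertion_id}" Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}'
            f'<saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" '
            f'NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')


def demo():
    """Run the exchange once, then show the same Response being refused on replay."""
    now = _time("2024-01-01T12:01:00Z")
    sp = ServiceProvider()
    sp.build_authn_request("_req1", "2024-01-01T12:00:30Z")
    user = sp.consume_response(make_response("_req1", "_a1"), now)
    try:
        sp.consume_response(make_response("_req1", "_a1"), now)
        replay_refused = False
    except SamlError:
        replay_refused = True
    return user, replay_refused


if __name__ == "__main__":
    print(demo())
```

Each check corresponds to one way an assertion can be valid for some party but not for this SP and this login: the audience and recipient checks stop an assertion minted for another SP from being replayed here, InResponseTo ties it to a request this SP actually made, the time window bounds how long a captured assertion remains usable, and the consumed-ID set refuses a second presentation inside that window. In UAA itself these checks are performed by its SAML library; the example only makes visible what "decides based on the assertion" has to include.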

You can configure your UAA instance to act as an IdP or use an external IdP. The following scenarios determine the type of configuration you need for your UAA:

  • If you administer user accounts locally in UAA using the UAA SCIM APIs or the UAA dashboard, UAA is your default identity provider and needs no additional identity-provider configuration.
  • If you provision user accounts on an external IdP, such as Company SSO, configure UAA as an SP that redirects users to that external IdP. For more information, see t_configuring_uaa_as_service_provider_for_external_identity_provider.html#task_oct_sz2_5w.
  • If you have applications that act as SPs (for example, GitHub Enterprise or ServiceNow), configure UAA as their IdP. For more information, see t_configuring_uaa_as_identity_provider.html#task_nbg_cg2_3v.
  • UAA can also be configured as both SP and IdP at the same time, but such a configuration is useful only as a test environment. To set it up, complete the steps for configuring UAA as an SP and the steps for configuring UAA as an IdP.