Identity Providers
About Identity Providers
In the context of TrustBuilder.io, an Identity Provider is a type of provider that stores, manages and provides digital identities. It can optionally issue verifiable credentials.
The connection between a user profile and an account at an identity provider (so-called account linking) is policy-driven and subject to consent enforcement using the consent_to_obtain flag managed by the user. The function of an identity provider is often combined with that of an authentication provider, and TrustBuilder.io allows you to make this distinction if and when needed. TrustBuilder.io itself can also function as an identity provider to your application and to your partner's platform, issuing verifiable presentations.
TrustBuilder can connect to different types of Identity Providers (IdP):
Internal → The system IdP (IDHUB_IDP_UP) which cannot be deleted.
SAML 2 → Identity Providers that use SAML 2.0 protocol to authenticate and authorize users. TrustBuilder will act as a Service Provider when sending an Authentication Request to the Identity Provider.
OAuth 2.0 → Identity Providers that use the OAuth 2.0 or OAuth 2.1 protocol (or the OpenID Connect protocol, which extends the OAuth 2.0 protocol) to authenticate and authorize users. TrustBuilder will act as a Service Provider when sending an Authentication Request to the Identity Provider.
Active Directory → Active Directory can be used for authentication (as an authentication method) and for attribute lookup after authentication with another IdP.
How to manage Identity Providers?
The Identity Providers can be added and managed:
using the TrustBuilder admin portal
using the TrustBuilder Admin API (see the Developer guide)
Request Parameters
Sometimes an application will provide information that needs to be passed on to the Identity Provider. The information can be passed in several ways:
HTTP body
HTTP header
SAML extension
URL parameter
OAuth/OpenID Claim
Similarly, the Identity Provider can accept these parameters in any of the ways listed above. Since TrustBuilder can orchestrate between a SAML SP and an OAuth IdP, we have built a mechanism that passes these parameter values from any SP type to any IdP type.
Note that the parameter values themselves are passed through unchanged; only the parameter name and the way it is transported are mapped.
How to configure?
Create a parameter name (for example "Language") in the menu item 'Request Parameters'
This is the definition of the parameter to be passed. It can be configured on multiple Service and Identity Providers.
Go to the Service Provider settings (wrench icon)
Add a parameter
Set the SP parameter name (e.g. "lang")
Choose the corresponding parameter name ("Language")
Define the source; how the Service Provider is passing the parameter (e.g. "URL Parameter")
Save and close
Go to the Identity Provider settings
Add a parameter
Set the Identity Provider parameter name (e.g. "locale")
Choose the corresponding parameter name ("Language")
Define the source; how the Identity Provider is receiving the parameter (e.g. "Body")
Save and close
Scenario for parameters
User A opens a website, and changes the language to French
User A wants to access a secured part of the application; the query parameter "lang=FR" is added to the Authentication Request from the SP, and an equivalent parameter and value is also sent to the Identity Provider
User A is redirected to IDP and the log-in screen is shown in French
Scenario for claims
The user initiates a payment request (containing a recipient & amount)
The banking application sends an authN request to TrustBuilder, containing the claims "recipient" & "amount"
TrustBuilder sends the AuthN request to the banking app to confirm, passing the claims "beneficiary" and "amount"
User authenticates to confirm the transaction
The IdP confirms to TrustBuilder, which in turn confirms to the banking app that the AuthN is successful, confirming the transaction.
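The parameter mapping configured in the steps above, modelled as an added Python example covering both scenarios (this is not TrustBuilder code; the Binding and Request structures and the source names are assumptions): an SP-side binding picks each value out of the transport the SP uses, the shared parameter name ties it to the IdP-side binding, and the value is re-emitted unchanged on the transport the IdP accepts. Parameters with no IdP-side binding are not forwarded.

```python
from dataclasses import dataclass, field
# Transports named in the text: HTTP body, HTTP header, SAML extension, URL parameter, claim.
SOURCES = ("body", "header", "saml_extension", "url", "claim")

@dataclass
class Binding:
    """One SP- or IdP-side parameter entry (assumed structure, not TrustBuilder's schema)."""
    local_name: str   # name as the SP sends it or the IdP expects it (e.g. "lang" / "locale")
    parameter: str    # shared name defined under 'Request Parameters' (e.g. "Language")
    source: str       # transport the SP uses / the IdP accepts; one of SOURCES

@dataclass
class Request:
    """Parameter-carrying parts of an authentication request, one dict per transport."""
    body: dict = field(default_factory=dict)
    header: dict = field(default_factory=dict)
    saml_extension: dict = field(default_factory=dict)
    url: dict = field(default_factory=dict)
    claim: dict = field(default_factory=dict)

    def bucket(self, source: str) -> dict:
        if source not in SOURCES:
            raise ValueError(f"unknown parameter source: {source!r}")
        return getattr(self, source)

def extract(sp_request: Request, sp_bindings: list) -> dict:
    """Collect values from the SP request, keyed by the shared parameter name."""
    values = {}
    for b in sp_bindings:
        bucket = sp_request.bucket(b.source)
        if b.local_name in bucket:
            values[b.parameter] = bucket[b.local_name]  # value is passed through unchanged
    return values

def forward(sp_request: Request, sp_bindings: list, idp_bindings: list) -> Request:
    """Build the IdP-side request; only parameters with an IdP binding are forwarded."""
    values = extract(sp_request, sp_bindings)
    out = Request()
    for b in idp_bindings:
        if b.parameter in values:
            out.bucket(b.source)[b.local_name] = values[b.parameter]
    return out

# Constructed sample configuration covering both scenarios described above.
SP_BINDINGS = [Binding("lang", "Language", "url"),
               Binding("recipient", "Recipient", "claim"),
               Binding("amount", "Amount", "claim")]
IDP_BINDINGS = [Binding("locale", "Language", "body"),
                Binding("beneficiary", "Recipient", "claim"),
                Binding("amount", "Amount", "claim")]
```

Calling forward(Request(url={"lang": "FR"}), SP_BINDINGS, IDP_BINDINGS) yields a request whose body carries locale=FR, matching the language scenario.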
Connect an Identity Provider
To connect an Identity Provider to TrustBuilder.io, you can configure one from the Identity Providers Catalogue. You can also configure a custom Identity Provider.