Identity providers

An identity provider (IdP) is a service that creates, manages, and stores user identity information and uses it to authenticate users within a federated or distributed network. The identity attributes themselves are stored in a directory.

The directory is the directory service that your enterprise uses to manage users and user groups. Enterprise Threat Protector (ETP) supports Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Active Directory Lightweight Directory Services (AD LDS). For more information about directory services, see Directories.

When you configure an identity provider in ETP, you associate it with a directory service. IdPs are primarily used for single sign-on (SSO). Most identity providers support federation protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
  • SAML is a federated identity protocol that enables browser-based single sign-on by exchanging identity assertions between the IdP and the service the user is signing in to.
  • OpenID Connect 1.0 (OIDC) is a federated identity protocol used to verify a user's identity and authorize access. It is an identity layer built on top of the OAuth 2.0 authorization framework.
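As an added example (not code from this page or from ETP), the following Python shows the checks a relying party performs on an OIDC ID token before trusting the identity it carries: algorithm pinning, signature, issuer, audience, expiry and the nonce that binds the token to the login request. The issuer URL, client ID, shared secret and claims are constructed for the example; it signs with HS256 so that it runs offline, whereas production IdPs typically sign with RS256 or ES256 and publish their keys at the issuer's JWKS endpoint.

```python
"""OIDC ID token validation: added example, not ETP code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example: a hypothetical issuer, client ID and secret.
ISSUER = "https://idp.example.com"
CLIENT_ID = "etp-demo-client"
SECRET = b"constructed-shared-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Mint a JWT for test input. alg="none" produces an unsigned token."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Return the verified claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token must never choose "none" or a different family.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    # With several audiences, OIDC requires azp to name this client.
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multi-audience token without matching azp")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # The nonce ties the token to the authentication request that produced it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def outcome(token: str, nonce: str, now: float) -> str:
    """'ok' when the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, nonce, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now,
            "exp": now + 300, "nonce": "n1", "groups": ["Finance"]}
    good = make_id_token(base)
    print("valid token:", outcome(good, "n1", now))
    print("replayed nonce:", outcome(good, "n2", now))
    print("expired:", outcome(good, "n1", now + 600))
    print("alg=none:", outcome(make_id_token(base, alg="none"), "n1", now))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a forged or unsigned token never reaches the issuer, audience or group logic that a policy decision would be based on.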
This graphic shows the overall flow of an identity provider. In this graphic:
  • Active Directory (AD) is the directory service in the enterprise network. An administrator associates an identity connector with the directory.
  • The identity connector syncs with AD, or another supported enterprise directory service, to retrieve user and user group information.
  • The identity connector sends this data to the identity provider. The identity provider, whether Akamai's or a third party's, holds the authentication settings that ETP uses to grant or deny access to websites.
  • If a third-party identity provider is configured, it integrates with the IdP feature in ETP.
In ETP, you use an identity provider to enable or require user authentication, which in turn:
  • Enables ETP to report access control events that include usernames and groups. The username and group name are also included in the Proxy Activity report.
  • Requires authentication, or makes it optional, for access to AUP content. This setting is enabled in a policy; an ETP administrator must select an IdP to enable authentication. For more information, see Authentication policy.
  • Grants or blocks access to websites and web applications based on users or groups. You can allow or block access for all users or for specific users or groups associated with an IdP; the directories associated with the IdP are what let you identify those users and groups. When defining access control for an acceptable use policy (AUP) or for application visibility and control (AVC), ETP lets you select the users and groups that are allowed to access content that is otherwise blocked. For more information, see Grant access to specific users or groups.
  • Defines additional authentication factors that a user must provide to access content, beyond the user's ID and password. Two-factor authentication (2FA) and multi-factor authentication (MFA) can be layered on top of SSO. For more information, see Multi-factor authentication.
  • Grants single sign-on to users running ETP Client 3.0.4 or later. After a user authenticates, the session is maintained for the machine used during login; the session duration is configured in the IdP.
These identity providers are supported in ETP:
  • Akamai
  • Third-Party SAML
  • Okta
  • PingOne

After you create or edit an IdP configuration in ETP, you must deploy it. Deployment takes three to five minutes.

Note: If your organization's users reach the identity provider (IdP) through a Microsoft Windows Terminal Server or a Remote Desktop Session Host, make sure that users do not access the IdP from the same IP address. Instead, in the server or host configuration, assign a unique IP address to each session (for example, with Remote Desktop IP Virtualization in per-session mode). Because the authenticated session is tied to the machine that signed in, different users sharing one source address cannot otherwise be distinguished.