About identity providers

An IdP is a service that creates, manages, and saves user identity information. This identity information is used to authenticate users within a federated or distributed network. Identity information or attributes are stored in a directory.

A directory is the directory service that your enterprise uses to manage users and user groups. ‚ÄčSecure Internet Access Enterprise‚Äč supports AD, LDAP, and AD LDS. For more information on directory services, see About directories.

When you configure an IdP in ‚ÄčSIA‚Äč, you associate a directory service. Identity providers are primarily used for SSO. Most IdPs support advanced authentication protocols such as SAML and OpenID Connect (OIDC).

  • SAML is a federated IdP that enables single sign-on in a web browser by exchanging identity information.

  • OpenID Connect 1.0 is a federated protocol that's used to verify user identity and authorize access. This protocol is built on top of the OAuth 2.0 protocol or specifications.

This graphic shows the overall flow of an IdP.

In this graphic:

  • Active Directory is a directory service in the enterprise network. An administrator associates an identity connector to the directory.

  • The identity connector syncs with AD or the enterprise directory service to get user and user group information.

  • The identity connector communicates this data to an IdP. The IdP or third-party IdP contains the authentication settings that ‚ÄčSIA‚Äč uses to grant or deny access to websites.

  • If a third-party IdP is configured, it integrates with the IdP feature in ‚ÄčSIA‚Äč.

In ‚ÄčSIA‚Äč, you use an IdP to enable or require user authentication, which in turn:

  • Enables ‚ÄčSIA‚Äč to report access control events that include usernames and groups. The username and group name is also included in the Proxy Activity report.

  • Requires authentication or makes authentication optional to access AUP content. This setting is enabled in a policy. An ‚ÄčSIA‚Äč administrator needs to select an IdP to enable authentication. For more information, see Authentication policy.

  • Grants or blocks access to websites and web applications based on users or groups. You can allow or block access to all users or to specific users or groups that are associated with an IdP. The directories associated with the IdP make it possible for you to identify specific users and groups. When defining access control for an AUP or for AVC, ‚ÄčSIA‚Äč allows you to select the user and groups that are allowed to access content that's otherwise blocked. For more information, see Grant access to specific users or groups.

  • Defines multiple factors of authentication that a user needs to provide to access content. These factors are provided in addition to the user's ID and password. Two-factor authentication and MFA can be layered on top of SSO authentication. For more information, see About MFA.

  • Grants single sign-on to users with ‚ÄčETP Client‚Äč 3.0.4 or later. After a user authenticates, the session is maintained for the machine that was used during login. The duration of the session is configured in the IdP.

These IdPs are supported in ‚ÄčSIA‚Äč:

  • ‚ÄčAkamai‚Äč
  • Third-Party SAML
  • Okta
  • PingOne

After you create or edit an IdP configuration in ‚ÄčSIA‚Äč, you need to deploy it. The deploy operation takes three to five minutes.


If your organization uses a Microsoft Windows Terminal Server or a Remote Desktop Session Host for an IdP, make sure that users do not access the IdP with the same IP address. Instead, in the server or host configuration, assign unique IP addresses on a per-session basis.


An identity provider is currently not supported in an ‚ÄčSIA‚Äč tenant. A Managed Security Service Provider (MSSP) can use multi-tenancy to give their customers separate access to ‚ÄčSIA‚Äč without purchasing separate product licenses. For more information, see Multi-tenancy.