What is a service provider (SP)?
In the realm of Identity and access management (IAM) , a service provider (SP) (or a relying party in the context of OpenID Connect (OIDC) ) is an application or service that relies on an Identity provider (IdP) for authentication and authorization. It is responsible for providing services to users and enforcing Access control policies based on the tokens issued by the identity provider.
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape rect%2c%23mermaid-0 .image-shape rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointEnd'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 0 L 10 5 L 0 10 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='8' markerWidth='8' markerUnits='userSpaceOnUse' refY='5' refX='4.5' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-pointStart'%3e%3cpath style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 0 5 L 10 10 L 10 0 z'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='11' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleEnd'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5' refX='-1' viewBox='0 0 10 10' class='marker flowchart-v2' id='mermaid-0_flowchart-v2-circleStart'%3e%3ccircle style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' r='5' cy='5' cx='5'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='12' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossEnd'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cmarker orient='auto' markerHeight='11' markerWidth='11' markerUnits='userSpaceOnUse' refY='5.2' refX='-1' viewBox='0 0 11 11' class='marker cross flowchart-v2' id='mermaid-0_flowchart-v2-crossStart'%3e%3cpath style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b' class='arrowMarkerPath' d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_IdP_SP_0' d='M183.609%2c45.017L202.895%2c40.847C222.18%2c36.678%2c260.75%2c28.339%2c289.678%2c25.951C318.605%2c23.562%2c337.891%2c27.125%2c356.52%2c30.566C375.15%2c34.007%2c393.124%2c37.328%2c402.111%2c38.988L411.098%2c40.648'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_IdP_SP_1' d='M183.609%2c64L202.895%2c64C222.18%2c64%2c260.75%2c64%2c289.678%2c64C318.605%2c64%2c337.891%2c64%2c356.509%2c64C375.128%2c64%2c393.079%2c64%2c402.055%2c64L411.031%2c64'/%3e%3cpath marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)' style='' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' id='L_IdP_SP_2' d='M183.609%2c82.983L202.895%2c87.153C222.18%2c91.322%2c260.75%2c99.661%2c289.678%2c102.049C318.605%2c104.438%2c337.891%2c100.875%2c356.52%2c97.434C375.15%2c93.993%2c393.124%2c90.672%2c402.111%2c89.012L411.098%2c87.352'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg transform='translate(299.3203125%2c 20)' class='edgeLabel'%3e%3cg transform='translate(-70.265625%2c -12)' class='label'%3e%3cforeignObject height='24' width='140.53125'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3cp%3eAuthenticates users%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(299.3203125%2c 64)' class='edgeLabel'%3e%3cg transform='translate(-48.9140625%2c -12)' class='label'%3e%3cforeignObject height='24' width='97.828125'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3cp%3eIssues tokens%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(299.3203125%2c 108)' class='edgeLabel'%3e%3cg transform='translate(-90.7109375%2c -12)' class='label'%3e%3cforeignObject height='24' width='181.421875'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' class='labelBkg' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='edgeLabel'%3e%3cp%3eProvides user information%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg transform='translate(95.8046875%2c 64)' id='flowchart-IdP-0' class='node default'%3e%3crect height='54' width='175.609375' y='-27' x='-87.8046875' style='' class='basic label-container'/%3e%3cg transform='translate(-57.8046875%2c -12)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='24' width='115.609375'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eIdentity Provider%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg transform='translate(537.515625%2c 64)' id='flowchart-SP-1' class='node default'%3e%3crect height='78' width='244.96875' y='-39' x='-122.484375' style='' class='basic label-container'/%3e%3cg transform='translate(-92.484375%2c -24)' style='' class='label'%3e%3crect/%3e%3cforeignObject height='48' width='184.96875'%3e%3cdiv style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b' xmlns='http://www.w3.org/1999/xhtml'%3e%3cspan class='nodeLabel'%3e%3cp%3eService Provider%3cbr /%3e(Application%2c Service%2c API)%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Service provider standards
There’s no strict standard for service providers, as they can be any type of application or service that requires identity management. However, service providers often follow the standards set by the identity provider they rely on. For example, if the identity provider supports OpenID Connect (OIDC) , the service provider will typically use OIDC for authentication and authorization.
Service provider architecture
The term “service provider” does not specify a particular architecture or implementation. Usually, service providers need to be registered with the identity provider to establish trust and enable secure communication. The registration process typically involves exchanging metadata and client credentials.
For example, in the context of OpenID Connect, the service provider metadata typically includes:
- Client ID: A unique identifier for the service provider.
- Client secret: A shared secret used to authenticate the service provider.
- Redirect URIs : The URIs where the identity provider will redirect users back after authentication and authorization.
Once registered, the service provider can initiate the Authentication process by redirecting users to the identity provider’s specified endpoint.
When service providers are built for non-interaction use cases, they are often referred to as clients that require Machine-to-machine communication.