What is Identity Brokering

Identity Broker:

An Identity Broker is a service that integrates multiple Identity Providers with different Service Providers. Identity Broker is responsible for creating a trust relationship between Identity Providers with respect to digital identities which are required to access services of apps provided by Service Providers. An Identity Broker provides a centralized way to manage identities across multiple security domains. Any existing account can be integrated with different Identity Providers or can be newly created based on the identity obtained.
Usually Identity Brokering System is dependant on standard Protocols like SAML, OpenID, OAUTH, OpenID Connect, etc. But the problem is that very few people understand how these protocols work and where they are supposed to be used. It gets complicated to implement such protocols and is also expensive and time-consuming. Here Identity Brokering Service comes in .

Identity Broker Service:

An Identity broker service hides all the complexity of these protocols and provides a simple HTTPS endpoint for parties to use. Without implementing SAML, OpenID, OAUTH or OpenID Connect, you can suddenly start speaking these languages and have access to identity and access tokens from hundreds of providers. The only thing you will need to know is how to call an HTTPS endpoint which is much simpler than understanding different standards.

With miniOrange Identity broker service you can delegate all your Single SignOn requirements, user management, 2 factor authentication and even risk based access at the click of a button and focus on your business case. We can integrate with any type of app even if it does not understand any standard protocol like SAML, OpenId Connect or OAuth. miniOrange Single Sign-On Service can establish trust between two apps via secure https endpoint and automated user mapping to achieve SSO.

Identity broker terminologies:

When considering Identity Broker, there are multiple identity providers because it's not necessary for all of your user Identities to be stored in one Identity Provider. miniOrange provides a right to admin where he can configure multiple SAML Identity Providers and configure which users/apps authenticate against which Identity Source. From the given information about identity broker you can do SP initiated SSO or IDP initiated SSO according to your requirements.

Multiple SAML Providers :
It's not necessary for all of your user Identities to be stored in one Identity Provider/Source. In a realistic scenario, user identities are stored across different Identity Providers. miniOrange provides a feature where you can configure multiple Identity Providers to authenticate your user against. Admins can configure multiple SAML Identity Providers and configure which users/apps authenticate against which Identity Source.
App based Identity Source :
With the ability to configure multiple Identity Sources one issue that arises is to figure out a way to authenticate the right set of users against the correct Identity Source. One way to handle this is by allowing admins to configure the Identity Source on a per-app basis. miniOrange provides a feature where admins can configure which Identity Source should the users be authenticated from if the authentication request originates from a particular app.
Domain-based redirection to IDP :
With the ability to configure multiple SAML Identity Providers one issue that arises is to figure out a way to authenticate the right set of users against the correct SAML Identity Provider. One way to handle this is through domain-based redirection. miniOrange providers a feature where Admins can configure the domains of the users who would authenticate against a particular SAML Identity Provider. miniOrange system would automatically check the domain of the user and redirect him to the correct SAML Identity Provider to authenticate against.
IDP discovery :
It might not always be possible to know where the user identity is stored and which Identity Source to authenticate against. miniOrange provides an Identity Provider Discovery endpoint where the users can choose their Identity Provider to authenticate from. On successful authentication, this Identity Source is remembered by the system so that the user is redirected to that Identity Source automatically without prompting the user to choose his/her Identity Source on each login attempt.
Assertion Attribute Mapping :
SP initiated SSO :
Single sign-on (SSO) is a session and user authentication service that allows a user to use one set of login credentials (e.g. name and password) to access multiple applications. When users land on the Service Provider first and are then redirected to the Identity Provider for authentication then it's termed at SP Initiated SSO.Users can be automatically redirected or redirected on clicking a button/link to the IdP with an authentication request. This request is read and processed by the IdP. In case the user has an active session at the IdP then the user is redirected back to the Service Provider with a valid authentication response.

miniOrange supports SP-initiated SSO in broker flow with each application having it's own unique SSO endpoint.
IDP initiated SSO :
Single sign-on (SSO) is a session and user authentication service that allows a user to use one set of login credentials (e.g. name and password) to access multiple applications. When users land on the Identity Provider first and are then redirected to the Service Provider then it's termed at IDP Initiated SSO.In case of the broker flow miniOrange provides a way for Admins to allow their users to log in to their IDP first and then be redirected to the app with a valid authentication response. miniOrange provides unique IDP initiated SSO endpoints on a per-app basis which can be used to redirect the user from their Identity Provider directly.

Advantages of using miniOrange Identity broker service:

When you are using miniOrange Identity broker service you don't need to think about complexity you are free to explore your business ideas. miniOrange covers all your security concerns according to your business model. Given below are the advantages and the services provide by "miniOrange identity broker".

Advantages of miniOrange identity broker:-

You don't need to understand complex Single Sign on protocols like SAML, OpenID and OAUTH.
You can enable your apps using simple HTTPS calls.
You don't need to worry if Your Service Provider App and Identity Provider doesn"t support the same Protocol . We provide Cross Protocol Brokering which lets to configure IDP and SP with different protocols.
You can provide social login to your site without the hassle of understanding how all this works.
If you get access tokens from the site of your choice, you can then put custom code and extend that application.

Besides all the advantages listed above,

miniOrange identity broker services provides:-

The ability to configure any IdP of your choice including OKTA, PING, RSA, Centrify,Google, Facebook, LinkedIn and even Custom ones.
Once you have the identity established with your choice of Identity provider,miniOrange allows you to use our 2 factor authentication product on top for the app of your choice.
miniOrange also allows you to provide risk based access to your apps so that you can have another layer of security based on trusted devices, trusted locations, trusted time of access and even user behavior.

SAML Integration:

This section tells about configuring Single Sign-On (SSO) Settings for SAML Integration. Our SAML broker service will act as a Service Provider to any IDP of your choice and you don't have to worry about understanding SAML protocol at all. It can work with ADFS, Okta, salesforce, SimpleSamlPhp, Shibboleth, PING, RSA, Centrify, One Login, miniOrange or any other SAML Identity Provider (IdP). This SAML service returns all the attributes provided by the IdP along with the username of the logged in user. You can then use these attributes to login user into your application.

Configure Single Sign-On (SSO) Settings for SAML Integration :

To configure and use miniOrange SAML Broker services, create a business free trial account here.
Click here to login to miniOrange admin dashboard.
Go to Identity Providers from side menu.
Click on Add Identity Source.
By default SAML is selected, enter all the required fields and click on SAVE button.

For registering miniOrange as Service Provider following are the endpoint URLs given below:

ACS URL (cloud version)	https://login.xecurify.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
ACS URL (on-premise version)	https:///broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
SP Entity ID	https://login.xecurify.com/moas/

Note: You can go to Integrations -> Custome App Integrations to get your Customer Key

OAuth Integration:

This document is about configuring Single Sign-On (SSO) Settings for OAuth Integration. The OAuth Server is created in WordPress by virtue of which, the user can work with OAuth2 compliant client. These client applications can be Salesforce, Slack or any other third party applications which support OAuth Server allows Single Sign On to client applications with WordPress credentials.

Configure Single Sign-On (SSO) Settings for OAuth Integration :

To configure and use miniOrange OAUTH Broker services, you can create a business free trial account here.
Login to miniOrange console.
Go to Identity Providers from side menu.
Click on Add Identity Source.
Select OAuth, enter all the required fields and click on SAVE button.

For Facebook:

Leave the Scope field empty.
Create Developers account with Facebook.
Create an App here.
Under "Tell us about your website" section, enter https://login.xecurify.com/moas/oauth/client/callback in the Site URL field
Collect App ID and App Secret by navigating to My Apps ->(Your App name).
Enter the App ID and App Secret in Client ID and Client Secret field respectively under Apps -> Add App Credentials.
Click on SAVE button to add the Facebook App.
Now to integrate Login With Facebook, add a button and add the following URL to it. https://login.xecurify.com/moas/oauth/client/authorize?token=token&id= customer_key&encrypted=<true,false&gt&app=facebook_oauth&returnurl=return_url

For Google:

Enter https://www.googleapis.com/auth/plus.login in the Scope field.
Visit the Google website for developers console.developers.google.com
At Google, create a new Project and enable the Google+ API. This will enable your site to access the Google+ API
At Google, provide https://login.xecurify.com/moas/oauth/client/callbackfor the new Project's Redirect URI
At Google, you must also configure the Consent Screen with your Email Address and Product Name. This is what Google will display to users when they are asked to grant access to your site/app
At Google, under APIs & auth -> Credentials get Client Id by clicking on the button Create Client Id.
Collect the Client ID and Client Secret
Enter the App ID and App Secret in Client ID and Client Secret field respectively under Apps -> Add App Credentials.
Click on SAVE button to add the Google App.
Now to integrate Login With Google, add a button and add the following URL to it.https://login.xecurify.com/moas/oauth/client/authorize?token=token&id=customer_key&encrypted=<true,false&gt&app=google_oauth&returnurl=return_url

For LinkedIn:

Leave the Scope field empty.
If you have not already done so, create an application. If you have an existing application, select it to modify its settings.
After app creation, collect Client ID and CLient Secret from here.
Enter https://login.xecurify.com/moas/oauth/client/callback in Authorized Redirect URLs and click on Add button.
Now click on Update button to save settings.
Enter the Client ID and Client Secret in Client ID and Client Secret field respectively under Apps -> Add App Credentials.
Click on SAVE button to add the LinkedIn.
Now to integrate Login With LinkedIn, add a button and add the following URL to it.https://login.xecurify.com/moas/oauth/client/authorize?token=##token##&id=##customer_key##&encrypted=<true,false>&app=linkedin_oauth&returnurl=##return_url##

-token in above URL can be encrypted or unencrypted. The token should contain Client Id (You received from EVE Online), timestamp and API Key (The Customer API Key you collected above) separated by colon. -customer_key is the Customer Key you collected above Value of encrypted value can be true or false depending on, if the token is encrypted or not. -return_url will be the URL where you want to redirect the user after Login with EVE Online.

OpenID Integration:

Before your application can use miniOrange Open ID Connect authentication system for user login, you must set up an application in miniOrange administrator console to obtain Open ID Connect credentials, set a redirect URI, and (optionally) and add an application name.

Configure Single Sign-On (SSO) Settings for OpenID Integration :
Step 1 : Create app and get credentials

To configure and use miniOrange SAML Broker services, create a business free trial account here.
Click here to login to miniOrange admin dashboard.
Go to Identity Providers from side menu.
Click on Add Identity Source.
Select OpenID, enter all the required fields and click on SAVE button.

Note that not all types of credentials use both a client ID and client secret and won't be listed in the document if they are not used. So now once you have created the application for OpenID Connect. You need to create a policy for the same to let user authenticate with our various b authentication methods

Step 2. Create a policy

Go to the miniOrange Administrator Console.
Go to Policy > App Authentication Policy. Then select tab "Add Policy".
In the Application name select the OpenID Application that you have created.
Enter configuration settings and Save.

Download our miniOrange SampleApp
You can download our miniOrange Sample Application written in JAVA/PHP/PYTHON to have a demonstration of our OpenId Connect flow or to make an OpenId Connect client application for yourself.

JAVA

Click here to download miniOrange OpenId Sample Application for JAVA.

PHP

Click here to download miniOrange OpenId Sample Application for PHP

Python

Click here to download miniOrange OpenId Sample Application for Python

Create a REST service or similar on your application to handle response from Authorization Endpoint(Note : this must be the redirect URI parameter).

Example (https://<your-domain>/rest/openidresponse)

Response attributes: code, state.

Now you just need to make two calls: one to get an access token and another to get user info with the help of that access_token.

JAVA

//Click here to download the JAVA library
//Java – Import our miniOrange API(copy all the JAR files in a lib folder and add them to build path)
import com.miniorange.openid.client.AuthorizationServerRequest;//Get the parameters from the request
String code = request.getParameter(“code”);
String state = request.getParameter(“state”);
String clientSecret = “enter-your-client-secret-noted-from-miniOrange-admin-console“;
String hostName = “enter-the-miniOrange-host-name-without-http-or-subdomain Example: login.xecurify.com”;

//Step 1 : Initialize the Object with hostName, code and clientSecret.

AuthorizationServerRequest clientObj = new AuthorizationServerRequest(hostName, code, clientSecret);

//Step 2: Make a token request using a code and state parameter received on the redirect URI.

String token = clientObj.sendTokenRequest();

/**
String token is a JSON. Example string token JSON :
{“scope”:”openid”,”expires_in”:3600,”token_type”:”bearer”,
“id_token”:”eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXBy
IDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1
MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4
NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDt
ramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5
tNmjoWrEK4NzR1fWYXRmL5eyu51o”,
“access_token”:”2f6fyjXdQRgVU9w”}
**/

//Step 3 : OPTIONAL. Validate id_token on your side.
< Your java code for validating id_token from the JWK set>

//Step 4: Make a user_info request. Fetch access_token from the JSON string token received in Step 1.
String user_info = clientObj.sendUserInfoRequest(access_token);

/**
Example user info JSON :
{“sub”:”demo@miniorange.co.in”,”primaryPhone”:”+917XXXXXXX”,
“email”:”demo@miniorange.co.in”,”name”:”Demo User”,”family_name”:”User”,
“preferred_username”:”demo@miniorange.co.in”,”given_name”:”Demo”}
**/
Return user_info; //Proceed your login flow with the user_info scopes.

PHP

//Click here to download the PHP library//PHP – Step 1. Import the PHP Library
require(‘AuthorizeOpenIDRequest.php’);
$code = $_GET[‘code’]; //Code response parameter
$state = $_GET[‘state’]; //Match the state received
$host = ‘login.xecurify.com’; // Server host name without http or sub-domain name or port.
$clientSecret = ‘abcdefghijklm’; //Client Secret noted from The ‘Configure App’ page in miniOrange administrator Console.

//Step 2. Initialize Object
$obj = new AuthorizeOpenIDRequest();
$obj->authCode = $code;
$obj->state = $state;
$obj->hostName = $host;
$obj->clientSecret = $clientSecret;

//Step 3. Make request to token Endpoint to gain Access token.
$token = $obj->sendTokenRequest();
/**
{“scope”:”openid”,”expires_in”:3600,”token_type”:”bearer”,
“id_token”:”eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXBy
IDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1
MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4
NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDt
ramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5
tNmjoWrEK4NzR1fWYXRmL5eyu51o”,
“access_token”:”2f6fyjXdQRgVU9w”}
**/

//Get the access_token from the JSON token.
$jObj = json_decode($token);
$access_token = $jObj->access_token;

//Step 4. Validate id_token from $jObj->id_token; Using JWK Set uri.

//Step 5. Make request to userinfo Endpoint with the help if access_token received.
$user_info = $obj->sendUserInfoRequest($access_token);

/**
Example user info JSON :
{“sub”:”demo@miniorange.co.in”,”primaryPhone”:”+917XXXXXXX”,
“email”:”demo@miniorange.co.in”,”name”:”Demo User”,”family_name”:”User”,
“preferred_username”:”demo@miniorange.co.in”,”given_name”:”Demo”}
**/
//Read user_info JSON, contains user information.
$uinfo = json_decode($user_info);

Python

//Click here to download the PYTHON library”PHP – Step 1. Import the PYTHON Library”
from AuthorizeOpenIdRequest import AuthorizeOpenIDRequest
import json

“Step 1. Initialize Object with hostName, AuthCode, clientSecret”
“hostName : enter the miniOrange Host name without adding HTTP/HTTPS or SUBDOMAIN”
“Enter the client secret noted while creating app in miniOrange Admin Console”
“authCode is returned after authentication in miniOrange”
hostName = “login.xecurify.com”
clientSecret = “iercoierncoiec”
authCode = request.GET.get(‘code’)

“Initialize”
authReq = AuthorizeOpenIDRequest(hostName, authCode, clientSecret)

“Step 2. Make request to token endpoint”
token = authReq.sendTokenRequest()
print(‘token is ‘ + token)

/**
{“scope”:”openid”,”expires_in”:3600,”token_type”:”bearer”,
“id_token”:”eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXBy
IDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1
MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4
NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDt
ramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5
tNmjoWrEK4NzR1fWYXRmL5eyu51o”,
“access_token”:”2f6fyjXdQRgVU9w”}
**/

“OPTIONAL. Perform token validation”

“Step 3. Retrieve access_token from token JSON”
jsonData = json.loads(token)
accessToken = jsonData[‘access_token’]

“Step 4. Make request to userinfo endpoint”
userInfo = authReq.sendUserInfoRequest(accessToken)

/**
Example user info JSON :
{“sub”:”demo@miniorange.co.in”,”primaryPhone”:”+117XXXXXXX”,
“email”:”demo@miniorange.co.in”,”name”:”Demo User”,”family_name”:”User”,
“preferred_username”:”demo@miniorange.co.in”,”given_name”:”Demo”}
**/
print(‘Userinfo is : ‘ + userInfo)

LDAP Integration:

Here we will see steps to Configure Single Sign-On (SSO) Settings for LDAP Integration. LDAP/Active Directory Login Plugin provides a login to WordPress using credentials stored in your LDAP Server. It allows users to authenticate against various LDAP implementations like Microsoft Active Directory, OpenLDAP, and other directory systems. There are paid add-ons to provide sync with LDAP, auto login and integration with other plugins such as BuddyPress, Woo-Commerce, gravityform etc.

Configure Single Sign-On (SSO) Settings for LDAP Integration:

Go to User Stores from side menu.
Now click on Add User Store and select AD/LDAP tab.
Choose this if you want to keep configuration in miniOrange. You need to make sure that if there is a firewall, you open the firewall to allow incoming requests to your LDAP.
Choose this if you want to keep configuration in your premise and only allow access to LDAP inside premises. You will have to download and install miniOrange gateway in your onpremise.
Click here to login to Xecurify admin dashboard.
Go to User Stores from side menu.
Click on the Edit link of the added idp.
Save your LDAP configuration here entering all the required fields and click on SAVE button.
If you want to store your LDAP/AD configuration here in miniOrange, enter your ldap details here and save.
If you want to store your LDAP/AD configuration on-premise, select option two and download miniOrange gateway.

WS Fed:

miniOrange WS-federation (WS-FED) client allows users residing at WS federation capable Identity Provider to log in to your WordPress website. miniOrange WS-fed Single Sign-on (SSO) Plugin acts as a WS federation Service Provider which can be configured to establish the trust between the plugin and a WS federation capable Identity Providers to securely authenticate the user to the WordPress site.

Configure Single Sign-On (SSO) Settings for WS-Fed Apps :

Login as a customer from Admin Console.
Go to Apps >> Manage Apps. Click Configure Apps button.
Click on WS-Fed tab. Select Custom WS-Fed App and click on Add App button.
Enter the Custom Application Name.
Enter the WT-Realm i.e. Callback URL.
Make sure Reply URL is in this format https://<mycompany.domainname.com>.
Select Name Id like first name, username etc.
Add a new policy for Custom WS-FED.
Select a Group Name from the dropdown - the group for which you want to add Custom Apps policy.
Give a policy name for Custom App in Policy Name.
Select the First Factor Type for authentication.
Click on Save button to add policy for App.

External Database:

External databases feature allows you to connect your existing My SQL, Microsoft SQL, Postgres SQL and other databases with miniOrange. With this users will be able to leverage miniOrange SSO service using their existing credentials for authentication and Single-SignOn without the need of moving users into miniOrange and asking them to do a new system setup.

Configure Single Sign-On (SSO) Settings for External Databases :

Login to miniOrange Admin Console
Go to User Stores from side menu.
Click on Add User Store select Database
Add your Database here entering all the required fields and click on SAVE button.

RADIUS:

RADIUS (Remote Authentication Dial In User Service) is a networking protocol that provides client authentication, authorization, and accounting for the network. RFC standards 2865 and 2866 describe the RADIUS accounting, respectively. RADIUS protocol is implemented by a number of servers including Free radius, Steel-Belted radius etc. A strong authentication server is one that protects applications and other network resources like Virtual desktop Infrastructures and Cisco VPN's etc. It supports various authentication methods like password based, one-time password etc. If any RADIUS server is installed (to protect the access to a network) side by side to a strong authentication server (to protect the access to network resources), then it would be advantageous to integrate these two servers so that the end user can access the resources he needs by signing on once(Single Sign-on or SSO). Configure Single Sign On (SSO) Settings for RADIUS Apps :

Login to miniOrange Admin Console
Go to User Stores from side menu.
Click on Add User Store select Database
Add your Database here entering all the required fields and click on SAVE button.

API Integration:

miniOrange Single Sign-On API integration allows you to integrate SSO quickly and secure access to your applications. Single Sign-On (SSO) removes the need to repeatedly type usernames and passwords, which increases productivity and prevents many types of online fraud that is caused by using same or similar passwords across apps, tying in passwords in unsafe environments, password sharing etc. Configure Single Sign On (SSO) Settings for API Integration :

Login to miniOrange Admin Console
Go to User Stores from side menu.
Click on Add User Store select Database
Add your API here entering all the required fields and click on Save button.

SP and Identity Broker Service:

	SAML IdP	OAUTH Provider	OpenID Provider	LDAP	WS-FED IdP	RADIUS	External Database	API
SAML SP
OAUTH Client
OpenID Client
WS-FED Client
JWT

Identity broker terminologies
Advantages of miniOrange Identity
broker service
SAML Integration
OAuth Integration
OpenID Integration
LDAP Integration
WS Fed
External Database
RADIUS
API integration
SP and Identity Broker Service

Identity Brokering