Comparing the Identity Providers (IDPs) that I use

Rory Braybrook
The new control plane
3 min read · Feb 19, 2018

I’m always asked which IDP is the best to use, and I’ve never found a decent comparison matrix, so I bit the bullet and made one.

Note there is no such thing as a “best” IDP. There is only a best “fit” for a use case. And often when I’m consulting, my solution is a mix of different IDPs, utilising the best features of each.

(Also remember that I’m a Microsoft Identity Architect so my focus is on the Microsoft Identity stack.)

The solution may also be determined by customer constraints.

Sometimes the constraint is a security one, e.g. everything has to be on-premises.

Or the constraint is product based, e.g. we are a Microsoft shop.

Often it’s cost based, e.g. the customer only has a finite sum of money.

Some IDPs are missing, e.g. Ping Identity, which I hear good things about but don’t use.

I haven’t included ACS (which I have used) because it’s pretty much deprecated. Azure AD B2C is its replacement via custom profiles.

Note that ADFS 3.0 is Windows Server 2012 R2 and ADFS 4.0 is Windows Server 2016.

The comparison is from the point of view of authentication, not provisioning, so I haven’t included anything about self-service registration, email validation, self-service password reset etc. This is somewhat unfair to Azure AD B2C because that is predominantly its use case.

For an example of how to add social logins to ADFS, look here.

The links to the code samples are:

From the server side, the notation “(Server — STS / R-STS)” indicates whether the IDP can act as an STS (i.e. clients can use it directly for authentication) and whether the IDP can act as an intermediate step (R-STS) on the path to the final IDP, e.g.

Application → IDP A → IDP B

So for IDP A, it would be “Yes / Yes” because the application can authenticate with IDP A and can also authenticate with IDP B via IDP A (perhaps via Home Realm Discovery on IDP A). In other words, IDP A can act as a final destination and as an intermediate step. Not all IDPs support all protocols in all scenarios, so the answer differs depending on the protocol.

From a client perspective, the table shows the stacks you need, e.g. if you have an ASP.NET application that wants to connect to an IDP using WS-Federation, use the OWIN WS-Federation stack.
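As an added example (my own illustration, not code from the article or from any of the IDP vendors it compares), here is an OWIN Startup for an ASP.NET application that uses the WS-Federation stack to authenticate against “IDP A” and passes a home realm (whr) hint so that IDP A, acting as an R-STS, forwards the sign-in to “IDP B” rather than prompting for a realm. All URLs, the realm and the home realm value are placeholders I made up; the actual whr value an IDP accepts is product-specific. The two validation points a defender cares about are visible in the options: the audience (Wtrealm) the token must be issued for, and the metadata address from which the middleware loads IDP A’s signing keys.

```csharp
// Added example: OWIN WS-Federation middleware with a Home Realm Discovery hint.
// Every URL and realm value below is a placeholder, not a real endpoint.
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.WsFederation;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(WsFedSample.Startup))]

namespace WsFedSample
{
    public class Startup
    {
        // Placeholder relying-party identifier (the audience the token must carry).
        private const string Realm = "https://app.example.invalid/";
        // Placeholder federation metadata of IDP A (the first hop, e.g. an ADFS farm).
        private const string IdpAMetadata =
            "https://idp-a.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml";
        // Placeholder home realm hint that tells IDP A to forward to IDP B.
        private const string IdpBHomeRealm = "https://idp-b.example.invalid/";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // Session cookie the application issues once the federated sign-in completes.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Tokens whose audience does not match this realm are rejected.
                Wtrealm = Realm,
                // Signing keys and the passive endpoint come from IDP A's metadata,
                // so a token signed with an unknown key fails signature validation.
                MetadataAddress = IdpAMetadata,
                Notifications = new WsFederationAuthenticationNotifications
                {
                    RedirectToIdentityProvider = n =>
                    {
                        // Home Realm Discovery: IDP A acts as an R-STS and forwards the
                        // request to IDP B instead of showing its own realm picker.
                        if (n.ProtocolMessage.IsSignInMessage)
                        {
                            n.ProtocolMessage.Whr = IdpBHomeRealm;
                        }
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = n =>
                    {
                        // Bad signature, wrong audience or expired token: answer 401
                        // rather than letting the exception propagate.
                        n.HandleResponse();
                        n.Response.StatusCode = 401;
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

The Application → IDP A → IDP B chain from the paragraph above is exactly what the whr hint drives: the application only ever trusts IDP A’s signing keys and audience, and it is IDP A’s federation trust with IDP B that decides whether the hop is permitted.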

If you want a SAML stack, look here.

I apologise for the format of the table but Medium does not have a built-in table format and I can’t find anything that gives a decent resolution for a table this large. If you know of one, please comment on the article.

So screen-shot it is. (Actually three screen shots otherwise the text is so small it’s unreadable).

Please let me know if any errors or omissions or extra rows I should add and I’ll fix / update them.

Update: Updated the identityserver section after feedback. The social URL is:

https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers

Update: Just to note Azure MFA is available as a stand-alone service with per-user and per-authentication billing options, or bundled with Azure Active Directory Premium, Enterprise Mobility Suite, and Enterprise Cloud Suite.

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5