---
title: Federation roles
description: A variety of federation roles work together in an identity federation partnership.
component: pingfederate
version: 13.1
page_id: pingfederate:introduction_to_pingfederate:pf_fed_roles
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/pf_fed_roles.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  identity-provider: Identity provider
  service-provider: Service provider
  idp-discovery-provider: IdP Discovery provider
  authorization-server: Authorization server
  openid-provider: OpenID provider
---

# Federation roles

A variety of federation roles work together in an identity federation partnership.

The most recent sets of standards, SAML 2.0 and WS-Federation, define two roles in an identity federation partnership: an identity provider (IdP) and a service provider (SP).

Note: Earlier SAML 1.x specifications used the terms asserting party (for IdP) and relying party (for SP). For consistency and clarity, PingFederate adopts the later terms IdP and SP across all specifications.

A third role, defined in the SAML 2.0 specifications and available in PingFederate, is that of an IdP Discovery provider.

For OAuth 2.0 and OpenID Connect 1.0, you can configure PingFederate as an authorization server (AS), an OpenID provider (OP), and a relying party (RP).

## Identity provider

An IdP, also called the SAML authority, is a system entity that authenticates a user, or SAML subject, and transmits referential identity information based on the authentication.

Note: The SAML subject may be a person, a web application, or a web server. Since the SAML subject is often a person, our documentation employs the term "user" throughout.

## Service provider

An SP is the consumer of identity information provided by the IdP. Based on trust, technical agreements, and verification of adherence to protocols, SP applications and systems determine how to use information contained in an SSO token: a SAML assertion, a JSON Web Token (JWT), or an OAuth access token in conjunction with an ID token.

## IdP Discovery provider

This role provides an IdP look-up service that can be incorporated into the implementation of either an IdP or an SP, or employed as a standalone server.

## Authorization server

An OAuth authorization server issues access tokens and refresh tokens to OAuth clients after the resource owner fulfills the authentication requirement.

## OpenID provider

An OpenID provider (OP) is an AS that is capable of authenticating the resource owner and providing claims (user attributes) to an RP about the authentication event and the user.
