SP (Service Provider)
A Service Provider (SP) is an entity that offers services to users or organizations, relying on an Identity Provider to authenticate and authorize access.
What is a Service Provider (SP)?
A Service Provider (SP) is an entity — an individual, company, or system — that delivers services to users or other organizations. In the context of identity and access management (IAM), an SP typically relies on an external Identity Provider (IdP) to handle user authentication. Instead of managing usernames and passwords itself, the SP trusts the IdP to verify who the user is.
The SP-IdP relationship is the foundation of federated Single Sign-On (SSO). When a user tries to access a resource hosted by the SP, the SP redirects them to the IdP for login. After successful authentication, the IdP sends a security token (such as a SAML assertion) back to the SP, which then grants access. This pattern is defined in the SAML 2.0, OIDC, and WS-Federation standards.
Service Providers exist across many domains — from SaaS applications and cloud platforms to online banking portals and government services. By outsourcing authentication to a dedicated IdP, SPs reduce security risk, simplify user management, and deliver a seamless login experience to end users.
Analogy
A Service Provider is like a hotel. The hotel (SP) offers rooms and services, but checks your ID at the front desk. The government that issued your ID is the Identity Provider — the hotel trusts it without needing to verify your identity from scratch.
Types and Use Cases
- SaaS Applications: Cloud-based apps (e.g., Salesforce, Slack) act as SPs, letting users log in via corporate IdPs for SSO access.
- Enterprise Portals: Internal company portals consume SAML assertions from an IdP to grant employees access to HR, IT, and finance tools.
- E-Commerce Platforms: Online marketplaces delegate login to social IdPs (Google, Facebook) so customers can check out without creating new accounts.
- Government Services: Citizen portals rely on national eID IdPs to authenticate users before allowing access to tax, health, or benefits information.
How it Works
{
  "spEntityId": "https://myapp.example.com/saml/metadata",
  "acsUrl": "https://myapp.example.com/saml/acs",
  "assertionConsumerService": {
    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "location": "https://myapp.example.com/saml/acs"
  },
  "attributeConsumingService": [
    { "name": "email", "required": true },
    { "name": "firstName", "required": false },
    { "name": "lastName", "required": false }
  ]
}
SP (Service Provider) vs Identity Provider (IdP)
| SP (Service Provider) | Identity Provider (IdP) |
| --- | --- |
| SP requests and consumes authentication assertions to grant access. | IdP produces and issues those assertions after verifying the user's identity. |
| SP manages resource access policies and application sessions. | IdP manages user credentials, MFA policies, and the user directory. |
| In a SAML flow, the SP initiates the request and receives the token. | The IdP authenticates the user and signs the response. |
Best Practices for SP (Service Provider)
- Always validate SAML assertions or OIDC tokens on the server side, checking signatures, audience, and timestamps.
- Use short session lifetimes and force re-authentication for sensitive operations within the SP.
- Implement a secure ACS (Assertion Consumer Service) endpoint that only accepts POST bindings from trusted IdP locations.
- Store SP metadata and IdP certificates securely and rotate them on a regular schedule.
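The first practice above (signature, audience, and timestamp checks on the server side) is sketched below for an OIDC ID token. This is an added example, not LoginRadius code: it assumes an HS256 token signed with a shared client secret so that it runs on the standard library alone, and the function names, issuer, client ID and clock-skew value are hypothetical. With RS256 the signature step would use the IdP's public key through a vetted JWT library, while the claim checks stay the same.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALG = "HS256"  # pinned by the SP, never read from the token
CLOCK_SKEW = 60        # tolerated clock drift in seconds (assumed value)

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims, secret, alg="HS256"):
    """Build a constructed sample token; stands in for the IdP."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(secret, head + '.' + body))}"

def validate_id_token(token, secret, issuer, client_id, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        alg, exp, signature = header["alg"], claims["exp"], _b64d(sig)
    except Exception:
        raise ValueError("malformed token") from None
    # 1. Signature: the algorithm is pinned and the compare is constant-time.
    if alg != ALLOWED_ALG:
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(signature, _mac(secret, head + "." + body)):
        raise ValueError("bad signature")
    # 2. Issuer and audience: the token must be minted by our IdP, for this SP.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # 3. Timestamps: reject expired or not-yet-valid tokens, allowing for skew.
    if not isinstance(exp, (int, float)) or now >= exp + CLOCK_SKEW:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        raise ValueError("token not yet valid")
    return claims
```

The order matters: no claim is trusted until the signature has been verified, and a token whose header names any algorithm other than the pinned one is rejected before any MAC is computed.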
How LoginRadius Powers SP (Service Provider)
LoginRadius supports the Service Provider model through its federation capabilities. Businesses using LoginRadius can configure SAML and OIDC SP connections to accept authentication from external IdPs. The LoginRadius Admin Console provides a simple interface to manage SP metadata, attribute mappings, and certificate trust, enabling secure SSO across hundreds of enterprise applications.
FAQs
A Service Provider (SP) is the application or service that users want to access. An Identity Provider (IdP) is the system that authenticates the user. The SP trusts the IdP's authentication and grants access based on the identity information it receives. In short: the SP provides the service, and the IdP proves who you are.
In a federated SSO model, the SP typically does not store user passwords. That responsibility lies with the IdP. The SP may store user profile attributes (like name, email, and roles) that it receives from the IdP, but it never handles credential verification directly.
LoginRadius allows businesses to act as both an SP and an IdP. As a Service Provider, LoginRadius can consume SAML and OIDC assertions from external identity providers. As an Identity Provider, LoginRadius can federate identity to downstream SPs. This dual capability makes it a flexible platform for enterprise SSO, B2B partner access, and customer identity management.