Can Identity Manager act as an IdP (SAML) for authenticating and authorizing users in other applications?

Could you help me with the following question? Is it possible to use One Identity Manager as an IdP (SAML) to authenticate and authorize users for other applications? Or are the configuration parameters in Identity Manager only intended for allowing Identity Manager to authenticate against an external IdP, rather than acting as an IdP itself to authenticate other service providers?

If the answer is yes, could you please point me to some documentation or resources that would help me justify this case to one of my customers?

  • Thanks, Markus, for your response.

    Quick question: What is the use case for STS?

    My use case is that I have a client who is redesigning an internal application and is considering replacing their previous authentication process (username and password) and RBAC permission model with a more dynamic ABAC approach and microservices architecture.

    The Authorization and Authentication guide states that I can authenticate external applications using OAuth 2.0/OpenID Connect. Could this help with what my client needs?

  • The Authorization and Authentication guide explains how an external application can authenticate against Identity Manager using OAuth 2.0/OpenID Connect if it wants to use the REST API of the Application Server or the API Server APIs.

    So, you can think of an architecture where your application fetches information from Identity Manager to provide the attributes or role memberships to drive your ABAC approach, but Identity Manager itself does not act as an IdP.
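The architecture sketched in that answer (the application stays responsible for its own access decisions and uses Identity Manager only as the source of attributes and role memberships) can be illustrated with a small policy decision point. This is an added example, not code from the original thread or from One Identity; the `fetch_subject_attributes` function is a stand-in for the OAuth-protected REST call to Identity Manager, and the attribute names, role names and sample users are all constructed for the illustration.

```python
"""ABAC decision point driven by attributes pulled from an identity store.

Added example (not One Identity code). fetch_subject_attributes() stands in
for the REST call the application would make to Identity Manager after
authenticating to its API with OAuth 2.0 / OpenID Connect; the endpoint,
attribute names and role names are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample of what an application might pull from the identity store:
# plain attributes plus role memberships, keyed by user id.
IDENTITY_STORE: Dict[str, dict] = {
    "alice": {"department": "finance", "clearance": 3,
              "roles": {"AP-Clerk", "Employee"}, "employment": "active"},
    "bob":   {"department": "engineering", "clearance": 2,
              "roles": {"Employee"}, "employment": "active"},
    "carol": {"department": "finance", "clearance": 4,
              "roles": {"AP-Approver", "Employee"}, "employment": "terminated"},
}


def fetch_subject_attributes(user_id: str) -> dict:
    """Stand-in for the Identity Manager REST call (assumption: it returns the
    subject's attributes and role memberships). An unknown user yields an empty
    attribute set, which every policy below treats as a reason to deny."""
    return dict(IDENTITY_STORE.get(user_id, {}))


@dataclass
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    applies: Callable[[dict, dict, dict], bool]  # (subject, resource, context)


# Constructed rule set. Deny rules override permit rules, and a request that
# matches nothing is denied (default deny).
RULES: List[Rule] = [
    Rule("inactive-subject-denied", "deny",
         lambda s, r, c: s.get("employment") != "active"),
    Rule("invoice-read-same-department", "permit",
         lambda s, r, c: r["type"] == "invoice" and c["action"] == "read"
         and s.get("department") == r["department"]),
    Rule("invoice-approve-needs-role-and-clearance", "permit",
         lambda s, r, c: r["type"] == "invoice" and c["action"] == "approve"
         and "AP-Approver" in s.get("roles", set())
         and s.get("clearance", 0) >= r["min_clearance"]),
]


def decide(user_id: str, resource: dict, context: dict,
           rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Evaluate the request and return (decision, names of the rules that fired).

    Attributes are fetched per decision so that a change made in Identity
    Manager (e.g. a termination) takes effect without a re-login.
    """
    subject = fetch_subject_attributes(user_id)
    matched = [rule for rule in rules if rule.applies(subject, resource, context)]
    if any(rule.effect == "deny" for rule in matched):
        return "deny", [rule.name for rule in matched if rule.effect == "deny"]
    if any(rule.effect == "permit" for rule in matched):
        return "permit", [rule.name for rule in matched]
    return "deny", ["default-deny"]


if __name__ == "__main__":
    invoice = {"type": "invoice", "department": "finance", "min_clearance": 3}
    for user, action in [("alice", "read"), ("bob", "read"),
                         ("alice", "approve"), ("carol", "approve"), ("dave", "read")]:
        print(user, action, decide(user, invoice, {"action": action}))
```

The point the example makes about the answer above: the application's access decisions depend on attribute freshness, so the fetch from Identity Manager should happen per request or behind a short-lived cache, otherwise a deprovisioned account such as `carol` keeps its permissions until the cache expires. Identity Manager never issues the application's session or token here; it only answers "what is true about this subject", which is exactly the division of labour the answer describes.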