The system that authenticates users and federates their identity into your cloud accounts. Single sign-on (SSO) is built on top of it.
Identity providers (IdPs) hold user identities and authenticate sign-in attempts via password, MFA, SAML or OIDC tokens. Common cloud IdPs are Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, and AWS IAM Identity Center.
IdP logs are a high-value detection surface: anomalous sign-in patterns, failed-MFA bursts, unusual source IPs, and federated-identity bridge abuse all show up here before they show up in cloud audit logs. CloudSigma generates Sigma rules for the major IdP signal sources (Okta System Log, Entra Sign-in Logs, Entra Audit Logs).
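One way to detect the failed-MFA bursts mentioned above, as an added example (not CloudSigma's rules or code from this page). It assumes events shaped like Okta System Log records; the helper names, the threshold of 5 failures and the 10-minute window are illustrative assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MFA_EVENT = "user.authentication.auth_via_mfa"  # Okta System Log MFA event type

def ev(ts, user, result, ip):
    """Constructed event holding only the fields this detector reads."""
    return {"published": ts, "eventType": MFA_EVENT, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

def when(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))

def failed_mfa_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per user per burst of >= threshold MFA failures inside window."""
    fails = defaultdict(deque)  # user -> (time, ip) of failures still in the window
    open_alert, alerts = {}, []
    for e in sorted((x for x in events if x["eventType"] == MFA_EVENT), key=when):
        user, ts, ip = e["actor"]["alternateId"], when(e), e["client"]["ipAddress"]
        q = fails[user]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if not q:
            open_alert.pop(user, None)  # burst aged out; a later one alerts afresh
        if e["outcome"]["result"] == "FAILURE":
            q.append((ts, ip))
            if user in open_alert:  # extend the alert already raised
                open_alert[user]["failures"] += 1
                open_alert[user]["ips"].add(ip)
            elif len(q) >= threshold:
                alert = {"user": user, "failures": len(q), "first": q[0][0],
                         "ips": {i for _, i in q}, "then_success": False}
                open_alert[user] = alert
                alerts.append(alert)
        elif e["outcome"]["result"] == "SUCCESS":
            if user in open_alert:  # burst ended in an accepted factor: triage first
                open_alert.pop(user)["then_success"] = True
            q.clear()  # a success resets the user's failure count
    return alerts

# Constructed sample data (not real logs); addresses are documentation ranges.
SAMPLE = (
    [ev(f"2024-05-01T10:0{m}:00.000Z", "alice@example.com", "FAILURE",
        "203.0.113.10" if m < 3 else "198.51.100.7") for m in range(6)]
    + [ev("2024-05-01T10:06:30.000Z", "alice@example.com", "SUCCESS", "198.51.100.7")]
    + [ev(f"2024-05-01T11:0{m}:00.000Z", "bob@example.com", "FAILURE", "192.0.2.4") for m in range(2)]
    + [ev("2024-05-01T11:02:00.000Z", "bob@example.com", "SUCCESS", "192.0.2.4")]
    + [ev(f"2024-05-01T12:{m:02d}:00.000Z", "carol@example.com", "FAILURE", "192.0.2.9")
       for m in range(0, 60, 12)]
)
```

Calling `failed_mfa_bursts(SAMPLE)` yields a single alert for the first user; the `then_success` flag separates a burst that ended with an accepted factor from one that simply stopped.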