In an SSO-enabled environment, what is the role of an identity provider?

In an SSO-enabled environment, the main idea is that there is a single, trusted place that verifies who a user is and then lets multiple applications rely on that verification. The identity provider is that trusted authority. It handles authentication—confirming the user’s identity, often with extra checks like multi-factor authentication—and then issues a token or assertion that the connected apps (the service providers) trust. Because of this, users sign in once and can access multiple apps without re-entering credentials, while the identity provider can also manage user provisioning across all those apps, creating, updating, or revoking access as needed. That’s why centralizing authentication and provisioning is the best fit: the identity provider is responsible for verifying identities and distributing the necessary access rights to many apps, rather than each app managing its own credentials or permissions. Storing user data locally on each app isn’t the role of the identity provider, and neither is bypassing access controls or automatically assigning licenses per app. Those are handled by different parts of the system or separate processes.