Online and on-premise applications identify trusted authentication providers. The applications are configured with a list of trusted issuers of authentication credentials. When an application receives a request requiring authentication, the application returns a 401 response that includes the trusted issuer list. The requesting application compares the trusted issuer list from the 401 response to its own list of authentication providers. If there is a match between the two lists, then the requesting application creates a self-issued token for the authentication provider. The authentication provider uses the self-issued token to generate an authentication token for the requesting application. The requesting application may also directly create a token for a target partner application, without an authentication provider, if there is a direct trust between the two applications.