Secure by Design: Modernizing Authentication With Centralized Access and Adaptive Signals
Discover a scalable approach to centralized authentication using modern identity providers, reducing risk and improving access across enterprise systems.
Introduction
Managing identity and access management (IAM) for large-scale enterprises is a complex challenge, particularly when dealing with legacy systems that cannot be transitioned overnight to modern authentication. Traditional migrations often span years, leaving enterprises burdened with technical debt and inconsistent authentication systems. This study introduces a scalable architecture that accelerates the migration process, enabling thousands of legacy applications to transition to modern authentication.
The challenge becomes even more intricate when organizations rely on a combination of internal and third-party platforms. The proposed solution simplifies and centralizes authentication processes, making it adaptable to any OpenID Connect (OIDC) provider while integrating with internal engineering systems. By addressing these complexities, this architecture enhances security, eliminates technical debt, and ensures operational scalability.
Architecture Overview
As shown in Figure 1, the proposed architecture comprises three core components: centralized access control, adaptive authentication, and a bridging mechanism for integrating external platforms with internal systems.
- Centralized Access Control: This component ensures consistent enforcement of security policies across all resources a user is authorized to access. It simplifies the management of permissions and provides a unified framework for handling access across thousands of application and user combinations.
- Adaptive Authentication: Real-time signals such as user behavior, device health, and location are leveraged to enhance security. This enables context-aware step-up authentication, ensuring that users experience a secure yet seamless workflow tailored to their risk profile.
- Bridging Mechanism: This mechanism uses mutual TLS (mTLS) and end-to-end tokens to enable secure communication between the external cloud platforms and internal systems. This ensures that external requests are translated and authorized in a format compatible with internal engineering systems, thereby maintaining data integrity and security.
Fig 1. Proposed Enterprise Architecture
Implementation Details
The proposed architecture can be implemented in a large-scale enterprise environment to address the challenges of managing the identities and access of thousands of applications and users. This section describes the key components of the architecture—Identity Provider Proxy, Centralized Access Control, Adaptive Authentication, and Observability—and their roles in achieving secure and scalable enterprise authentication.
Identity Provider Proxy
Managing Identity and Access Management (IAM) for large-scale enterprises is a complex challenge, particularly when dealing with legacy systems that cannot be transitioned overnight to modern authentication. Traditional migrations often take years, leaving organizations burdened with technical debt, costs, and inconsistent authentication systems that strain operational efficiency.
To address these challenges, the proposed architecture introduces an Identity Provider (IdP) Proxy, which is a logical intermediary designed to accelerate migration. By abstracting interactions between legacy applications and modern platforms, the IdP Proxy enables thousands of legacy applications to transition seamlessly to modern authentication within days rather than years. This eliminates the need for extensive application-level changes, thereby significantly reducing the migration costs and operational disruptions.
Complexity increases when enterprises rely on a combination of internal and third-party platforms. The IdP Proxy addresses these challenges by performing the following critical functions.
- Standardizing Interactions Across Systems: The IdP Proxy transforms legacy authentication requests into a format compatible with modern OpenID Connect (OIDC) providers, ensuring seamless integration with minimal disruption to existing workflows.
- Minimizing Disruptions: By maintaining backward compatibility with legacy systems, the IdP Proxy allows applications to continue functioning without requiring immediate updates, giving teams the flexibility to migrate on their own timeline.
- Enabling Centralized Management: The IdP Proxy provides granular control to migration teams, allowing them to manage the timeline efficiently. Teams can roll out or roll back changes on a per-application basis, thereby reducing the risk of system-wide disruptions and ensuring a smooth migration process.
This logical layer, as shown in Figure 2, is introduced between the end users and the enterprise authentication systems as the foundational step in transitioning to the proposed architecture. It serves as a critical entry point for authentication requests, and ensures consistency and security throughout the migration process.
Implementation Highlights
- The IdP Proxy leverages AWS CloudFront for high availability and Lambda@Edge for real-time processing of single-sign-on (SSO) requests.
- Routing configurations specific to each application were stored in DynamoDB with replicas across all 13 CloudFront Edge locations to ensure low-latency access and high resilience.
- The system is responsible for:
  - Parsing incoming SSO requests to extract routing configurations.
  - Transforming authentication requests into a format compatible with the modern identity platform.
  - Forwarding the transformed requests to the identity provider (e.g., Okta) to ensure seamless interaction.
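The three responsibilities above, as an added example that is not the article's own code: a Lambda@Edge-style viewer-request handler that parses a legacy `/sso?app=...&ret=...` request, looks up the application's routing entry, and either issues an OIDC authorization-code redirect (for migrated applications) or falls through to the legacy login endpoint (for applications that have been rolled back). The routing table is an in-memory dict standing in for the DynamoDB table the article describes; the hostnames, client ids, query-parameter names and the `X-Correlation-Id` header are assumptions. The `ret` return path is restricted to a relative path so the proxy cannot be turned into an open redirector.

```python
"""Illustrative IdP Proxy edge handler (added example, not the article's code).

Models a CloudFront Lambda@Edge viewer-request function that turns a legacy
SSO request into an OIDC authorization request for a modern provider.
The routing table, hostnames and parameter names are assumptions.
"""
import secrets
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the per-application routing configuration that the
# article keeps in DynamoDB. Keys are the legacy application ids.
ROUTING_TABLE = {
    "payroll-legacy": {
        "issuer": "https://idp.example.com",          # assumed OIDC provider
        "client_id": "payroll-client",
        "redirect_uri": "https://payroll.example.com/oidc/callback",
        "scopes": ["openid", "profile", "groups"],
        "migrated": True,                             # per-app rollout flag
    },
    "inventory-legacy": {
        "legacy_login": "https://legacy-sso.example.com/login",
        "migrated": False,                            # rolled back to legacy path
    },
}

def safe_return_path(ret):
    """Accept only a relative path for the post-login return to avoid an open redirect."""
    if not ret.startswith("/") or ret.startswith("//"):
        return "/"
    return ret

def parse_legacy_request(uri, querystring):
    """Extract the legacy app id and return path from /sso?app=...&ret=..."""
    if uri != "/sso":
        return None
    qs = parse_qs(querystring)
    return {
        "app": qs.get("app", [None])[0],
        "ret": safe_return_path(qs.get("ret", ["/"])[0]),
    }

def build_oidc_authorize_url(route):
    """OIDC authorization-code request with fresh state and nonce values."""
    params = {
        "response_type": "code",
        "client_id": route["client_id"],
        "redirect_uri": route["redirect_uri"],
        "scope": " ".join(route["scopes"]),
        "state": secrets.token_urlsafe(24),   # binds the callback to this request
        "nonce": secrets.token_urlsafe(24),   # bound into the ID token, defeats replay
    }
    return f"{route['issuer']}/authorize?{urlencode(params)}"

def handler(event, context=None):
    """Lambda@Edge viewer-request shape: event['Records'][0]['cf']['request']."""
    cf = event["Records"][0]["cf"]
    request = cf["request"]
    # Correlation id: reuse CloudFront's request id when present, otherwise mint one.
    correlation_id = cf.get("config", {}).get("requestId") or str(uuid.uuid4())
    corr_header = {"x-correlation-id": [{"key": "X-Correlation-Id", "value": correlation_id}]}

    parsed = parse_legacy_request(request["uri"], request.get("querystring", ""))
    if parsed is None or parsed["app"] not in ROUTING_TABLE:
        return {"status": "404", "statusDescription": "Unknown application", "headers": corr_header}

    route = ROUTING_TABLE[parsed["app"]]
    if route["migrated"]:
        location = build_oidc_authorize_url(route)
    else:
        # Backward compatibility: unmigrated apps keep using the legacy login endpoint.
        location = route["legacy_login"] + "?" + urlencode({"app": parsed["app"], "ret": parsed["ret"]})

    headers = dict(corr_header)
    headers["location"] = [{"key": "Location", "value": location}]
    headers["cache-control"] = [{"key": "Cache-Control", "value": "no-store"}]
    return {"status": "302", "statusDescription": "Found", "headers": headers}

def redirect_params(response):
    """Inspection helper: query parameters of the Location header as a flat dict."""
    location = response["headers"]["location"][0]["value"]
    return {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}

if __name__ == "__main__":
    sample = {"Records": [{"cf": {"config": {"requestId": "cf-req-1"},
                                  "request": {"uri": "/sso", "querystring": "app=payroll-legacy&ret=/reports"}}}]}
    print(handler(sample)["headers"]["location"][0]["value"])
```

The per-application `migrated` flag is what gives migration teams the per-app roll-out and roll-back the article describes: flipping it changes routing at the edge without touching the application.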
Fig 2. IdP Proxy architecture
Tying Back to Security
- The IdP Proxy enhances security by acting as a single control point for all authentication workflows.
- Consistency: Every request is routed, transformed, and logged through the IdP Proxy to ensure uniformity in the processing of the authentication requests.
- Traceability: The IdP Proxy generates a unique correlation ID for each authentication request and propagates it across downstream systems. This enables end-to-end traceability, allowing organizations to monitor and audit authentication workflows precisely.
- Centralized Monitoring: By consolidating authentication requests into a single-entry point, the IdP Proxy simplifies monitoring and strengthens the ability to detect anomalies or threats.
Centralized Access Control – Strengthening Enterprise Security
Centralized access control ensures that security policies are consistently enforced across all resources and applications within the enterprise. In the proposed architecture, every user request for resource access is evaluated against a centralized policy decision system that seamlessly integrates with an authentication provider. These evaluations occur during all relevant OpenID Connect (OIDC) and OAuth 2.0 flows, ensuring that access decisions are continuously enforced.
For example, during a standard OIDC flow, where a stateful request is sent to the authentication provider (Authorization Server), the policy decision system evaluates whether access should be granted based on the user’s attributes, resource permissions, and contextual signals. Furthermore, this evaluation also takes place during refresh-token flows, ensuring that stale decisions from earlier stateful requests do not expose the system to security risks. By dynamically reevaluating policies, the architecture reduces the blast radius of potential attacks and ensures that access decisions remain up-to-date.
This centralized approach simplifies access management, while strengthening enterprise security by ensuring consistency, transparency, and accountability across all applications and resources.
Implementation Highlights
The centralized access control framework is built on the industry-standard principles of Policy Information Points (PIP), Policy Decision Points (PDP), and Policy Enforcement Points (PEP):
- Policy Information Points (PIP):
  - The PIP collects and aggregates data from various sources such as user attributes, resource metadata, and contextual signals (e.g., time of access and location).
  - These data are securely transmitted through the bridge using mTLS and end-to-end tokens.
  - End-to-end tokens provide downstream systems with the full context of the origin of the request and its linear path, enabling informed decision-making.
- Policy Decision Points (PDP):
  - The PDP is a centralized policy management system embedded within an authentication provider that evaluates access requests against predefined rules and permissions.
  - The inputs from the PIP are processed, policy logic is applied, and access decisions (grants or denies) are made.
  - To ensure transparency, every decision is logged with metadata detailing the applied policies and the evaluation context.
- Policy Enforcement Points (PEP):
  - The PEP enforces the access decisions determined by the PDP, ensuring consistent application of policies across all resources.
  - Embedded within the enterprise's applications and services, the PEP prevents unauthorized access to resources or actions.
  - By integrating with the authentication provider, the PEP enables uniform enforcement of access control across thousands of applications.
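The PIP, PDP and PEP roles above and the refresh-token re-evaluation described earlier, as an added example that is not the article's own code. The PIP aggregates user attributes, resource metadata and request context; the PDP runs a deny-overrides policy chain and writes every decision, with the policies applied and the evaluation context, to an audit log; the PEP raises on a deny. The same evaluation runs on the initial authorization and again on the refresh-token flow, so a group removed mid-session is caught rather than carried forward. The directory, resource metadata and policy names are constructed.

```python
"""Illustrative PIP/PDP/PEP flow (added example, not the article's code).

User directory, resource metadata, policies and context are constructed;
the structure is the point, not the specific rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# --- Policy Information Point: attribute sources --------------------------
class PIP:
    def __init__(self, users, resources):
        self.users, self.resources = users, resources

    def collect(self, user, resource, context):
        """Aggregate user attributes, resource metadata and request context into one fact set."""
        return {
            "user": user,
            "user_attrs": self.users.get(user, {"groups": set(), "mfa": False}),
            "resource": resource,
            "resource_attrs": self.resources[resource],
            "context": context,          # e.g. {"country": "US", "hour": 14}
        }

# --- Policy Decision Point ----------------------------------------------
@dataclass
class Decision:
    effect: str                      # "PERMIT" or "DENY"
    applied: list = field(default_factory=list)
    reason: str = ""

def policy_group_membership(facts):
    need = facts["resource_attrs"]["required_group"]
    return need in facts["user_attrs"]["groups"], f"group:{need}"

def policy_mfa(facts):
    if not facts["resource_attrs"]["require_mfa"]:
        return True, "mfa:not-required"
    return facts["user_attrs"]["mfa"], "mfa:required"

def policy_geo(facts):
    allowed = facts["resource_attrs"]["allowed_countries"]
    return facts["context"].get("country") in allowed, "geo:allowed-countries"

class PDP:
    def __init__(self, policies):
        self.policies = policies
        self.audit_log = []          # every decision, with policies applied and context

    def evaluate(self, facts, flow):
        decision = Decision("PERMIT")
        for policy in self.policies:
            ok, name = policy(facts)
            decision.applied.append(name)
            if not ok:               # deny-overrides: first failing policy decides
                decision.effect, decision.reason = "DENY", name
                break
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "flow": flow, "user": facts["user"], "resource": facts["resource"],
            "effect": decision.effect, "applied": list(decision.applied),
            "context": dict(facts["context"]),
        })
        return decision

# --- Policy Enforcement Point -------------------------------------------
class AccessDenied(Exception):
    pass

class PEP:
    def __init__(self, pip, pdp):
        self.pip, self.pdp = pip, pdp

    def authorize(self, user, resource, context, flow="authorization_code"):
        """Called on the initial OIDC flow and again on every refresh-token flow."""
        d = self.pdp.evaluate(self.pip.collect(user, resource, context), flow)
        if d.effect != "PERMIT":
            raise AccessDenied(d.reason)
        return d

def demo():
    """Initial grant succeeds; after alice loses the finance group, the refresh is denied."""
    users = {"alice": {"groups": {"finance", "staff"}, "mfa": True}}          # constructed
    resources = {"payroll-app": {"required_group": "finance", "require_mfa": True,
                                 "allowed_countries": {"US", "CA"}}}          # constructed
    pdp = PDP([policy_group_membership, policy_mfa, policy_geo])
    pep = PEP(PIP(users, resources), pdp)
    ctx = {"country": "US", "hour": 14}
    first = pep.authorize("alice", "payroll-app", ctx).effect
    users["alice"]["groups"].discard("finance")      # attribute changes mid-session
    try:
        pep.authorize("alice", "payroll-app", ctx, flow="refresh_token")
        refresh = "PERMIT"
    except AccessDenied as e:
        refresh = f"DENY:{e}"
    return {"first": first, "refresh": refresh, "audit": pdp.audit_log}

if __name__ == "__main__":
    print(demo())
```

Because the PDP logs the `applied` list and the `context` on every decision, the audit entry for the refresh-token denial shows exactly which policy flipped and under what conditions, which is the traceability the Audit Trails feature below relies on.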
System Features as per Figure 3:
- Audit Trails: The system maintains a complete history of all policy changes, including who made each change, when it was made, and the specific modifications. This allows full traceability and accountability.
- Metrics and Visibility: Centralized metrics are collected for all policy evaluations, providing valuable insights into access patterns and policy impacts. These metrics include policy evaluation times, denial rates, and policy utilization trends.
Fig 3. Metrics and audit of centralized policy evaluations
Advantages
- Consistency:
- Policies are uniformly applied across thousands of applications and resources, eliminating gaps in enforcement, which can lead to security vulnerabilities.
- Centralization ensures that all applications, regardless of their protocol or deployment environment, adhere to the same set of rules.
- Transparency:
- A robust audit trail provides visibility of who accessed what, under what conditions, and based on which policies.
- This transparency simplifies compliance reporting and enables rapid forensic analysis in the event of a security incident.
- Efficiency:
- By centralizing policy management, the administrative overhead is significantly reduced. Application teams no longer need to maintain individual access control configurations, thereby freeing up resources for other tasks.
- The integration of PIP, PDP, and PEP ensures a streamlined access control workflow, minimizing the latency in decision making.
- Scalability:
- Centralized access control scales effortlessly to accommodate thousands of applications and millions of users.
- As new applications are added, they inherit the centralized policies, which reduces onboarding time and ensures immediate compliance with security standards.
Tying Back to Security
Centralized access control is fundamental for securing enterprise authentication. By consolidating policy management into a single framework, the architecture achieved the following results:
- Enhanced Security: Ensures that only authorized users access enterprise resources and reduces the risk of unauthorized access.
- Improved Accountability: Detailed audit trails and metrics provide insights into every access decision, enabling rapid detection and response to potential threats.
- Simplified Compliance: Uniform enforcement of access policies simplifies adherence to industry regulations and internal security standards.
Adaptive Authentication – Enhancing Security Without Disrupting Users
Traditional authentication models often apply a one-size-fits-all approach, leading to unnecessary friction or security vulnerabilities. Adaptive authentication dynamically adjusts security measures based on real-time signals such as user behavior, device health, and location. The architecture shown in Figure 4 aggregates contextual data, including IP address, device type, application details, and user behavior, into a centralized system. This system integrates signals from both internal legacy risk systems and external provider-management devices. These aggregated signals are fed into the authentication provider, which then applies the adaptive measures. For example, risky behaviors may trigger multifactor authentication (MFA), whereas low-risk actions allow seamless access. This ensures a secure yet frictionless user experience tailored to individual risk profiles.
Implementation Highlights
- The system identifies critical signals to determine when and how to adjust authentication. Examples include:
- Step-Up Authentication: Unusual login behavior triggers MFA to verify the user’s identity.
- Proactive Responses: Indicators of session hijacking may result in a universal logout to protect user accounts.
- Signals from the authentication provider are combined with internal and external risk data in real time. This aggregated analysis dynamically adapts the authentication requirements by adding friction only in high-risk scenarios.
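The signal aggregation above, as an added example that is not the article's own code: signals from the authentication provider (new device, new country, recent failures), an internal risk system (IP reputation) and an external device-management source (managed and compliant state) are combined into one risk score, which is mapped to an action. Low scores allow access with no friction, mid scores trigger step-up MFA, high scores deny, and a session-hijack indicator (one session token seen from several IPs in a short window) short-circuits to a universal logout. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
"""Illustrative adaptive-authentication scorer (added example, not the article's code).

Signal names, weights and thresholds are assumptions; inputs are constructed.
"""
from dataclasses import dataclass

@dataclass
class Signals:
    # From the authentication provider
    new_device: bool = False
    new_country: bool = False
    failed_logins_last_hour: int = 0
    # From an internal legacy risk system (assumed source)
    ip_reputation: str = "clean"          # "clean" | "suspicious" | "malicious"
    # From external device management (assumed source)
    device_managed: bool = True
    device_compliant: bool = True
    # Session-level hijack indicator: distinct IPs using one session token in 5 minutes
    session_seen_from_ips: int = 1

def score(s):
    """Weighted sum of risk contributions; returns (score, contributing reasons)."""
    total, reasons = 0, []
    def add(points, reason):
        nonlocal total
        total += points
        reasons.append(reason)
    if s.new_device:
        add(20, "new-device")
    if s.new_country:
        add(25, "new-country")
    if s.failed_logins_last_hour >= 3:
        add(15, "repeated-failures")
    if s.ip_reputation == "suspicious":
        add(30, "ip-suspicious")
    elif s.ip_reputation == "malicious":
        add(60, "ip-malicious")
    if not s.device_managed:
        add(20, "unmanaged-device")
    elif not s.device_compliant:
        add(15, "noncompliant-device")
    return total, reasons

STEP_UP_THRESHOLD = 30     # assumed: add MFA friction from here
DENY_THRESHOLD = 70        # assumed: refuse the attempt and alert

def decide(s):
    """Map signals to an action; hijack indicators bypass scoring and log the user out everywhere."""
    if s.session_seen_from_ips > 1:
        return "UNIVERSAL_LOGOUT", 100, ["session-token-reuse-across-ips"]
    total, reasons = score(s)
    if total >= DENY_THRESHOLD:
        return "DENY", total, reasons
    if total >= STEP_UP_THRESHOLD:
        return "STEP_UP_MFA", total, reasons
    return "ALLOW", total, reasons

if __name__ == "__main__":
    for case in (Signals(), Signals(new_country=True, device_managed=False),
                 Signals(new_device=True, ip_reputation="malicious"),
                 Signals(session_seen_from_ips=2)):
        print(case, "->", decide(case))
```

Keeping the weights in one table and returning the contributing reasons alongside the action is what lets the same decision be logged for the observability pipeline and explained to the user or analyst afterwards.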
Fig 4. Aggregated signals to determine when to step up authentication
Advantages
- Enhanced Security: Real-time analysis of risk signals enables proactive responses to potential threats, minimizing the likelihood of unauthorized access.
- Seamless User Experience: Adaptive measures ensure that low-risk scenarios do not disrupt the user workflow, striking a balance between usability and security.
- Scalability: The system effectively scales across thousands of applications while maintaining consistent and context-aware enterprise-wide security policies.
Tying Back to Security
Adaptive authentication strengthens the security posture by making access decisions context-aware and responsive to real-time risks. The architecture ensures robust protection and a user-friendly experience by dynamically adjusting authentication requirements based on aggregated signals.
Real-Time Security Observability – Detecting and Responding to Threats Faster
A modern authentication system should provide end-to-end visibility into authentication events. Real-time observability enables security teams to detect anomalies, track user authentication journeys, and respond to threats in real time.
The observability in the architecture combines signals from third-party platforms and internal systems to enable enhanced monitoring, logging, and rapid responses to anomalies.
Implementation Highlights
- AWS CloudFront generates unique request IDs for each authentication request. These IDs are propagated through the IdP Proxy, Authentication provider, and internal systems, enabling end-to-end request correlation, as shown in Figure 5.
- The IdP Proxy injects correlation parameters into all requests, allowing these identifiers to appear in downstream logs.
- Centralized logging, as described under adaptive authentication, aggregates data from multiple sources and provides a comprehensive view of user activity and system behavior.
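The end-to-end request correlation described above, as an added example that is not the article's own code: log lines from the IdP Proxy, the authentication provider and an internal system are joined on a shared correlation id to reconstruct each authentication journey, and a journey that produced an internal session without ever passing through the proxy is flagged, since the proxy is meant to be the single control point. The `key=value` log format and the sample lines are constructed; real systems will log in their own formats and need per-source parsers.

```python
"""Illustrative cross-system log correlation (added example, not the article's code).

Log format and sample lines are constructed; the correlation id is the join key.
"""
import re
from collections import defaultdict

# Constructed sample lines from three systems sharing one correlation id per journey.
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z proxy cid=c1 app=payroll-legacy event=sso_received
2024-05-01T10:00:02Z internal cid=c1 user=alice event=session_issued
2024-05-01T10:00:01Z idp cid=c1 user=alice event=authn_success
2024-05-01T10:05:00Z proxy cid=c2 app=inventory-legacy event=sso_received
2024-05-01T10:05:03Z idp cid=c2 user=bob event=mfa_required
2024-05-01T10:07:00Z internal cid=c3 user=mallory event=session_issued
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<system>\S+) (?P<kv>.*)$")

def parse_line(line):
    """Parse '<ts> <system> k=v k=v ...' into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "system": m["system"]}
    for pair in m["kv"].split():
        k, _, v = pair.partition("=")
        rec[k] = v
    return rec

def build_journeys(log_text):
    """Group records by correlation id and order each journey by timestamp."""
    journeys = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "cid" in rec:
            journeys[rec["cid"]].append(rec)
    for steps in journeys.values():
        steps.sort(key=lambda r: r["ts"])   # ISO-8601 UTC sorts lexicographically
    return dict(journeys)

def journey_summary(journeys, cid):
    """The (system, event) sequence for one correlation id."""
    return [(r["system"], r["event"]) for r in journeys.get(cid, [])]

# Order in which a legitimate journey passes through the systems.
EXPECTED_ORDER = ["proxy", "idp", "internal"]

def find_anomalies(journeys):
    """Flag journeys that bypassed the proxy or hit the systems out of order."""
    findings = []
    for cid, steps in journeys.items():
        systems = [s["system"] for s in steps]
        if "internal" in systems and "proxy" not in systems:
            findings.append((cid, "internal session without proxy entry"))
        if systems != [s for s in EXPECTED_ORDER if s in systems]:
            findings.append((cid, "out-of-order journey"))
    return findings

if __name__ == "__main__":
    js = build_journeys(SAMPLE_LOGS)
    for cid in js:
        print(cid, journey_summary(js, cid))
    print(find_anomalies(js))
```

Sorting by timestamp before checking order is deliberate: in the constructed input the proxy, internal and IdP lines for `c1` arrive out of order, as they would from independently shipped log streams, and the journey is still reconstructed correctly.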
Fig 5. Correlation and tracing of the user's journey
Advantages
- Comprehensive Monitoring: Logs and signals from external and internal systems are unified for a complete view of the authentication workflows.
- Rapid Incident Response: Correlation of request logs enables the quick identification and resolution of anomalies.
- Improved Security Insights: Observability metrics provide valuable insights into user behavior, authentication trends, and potential threats.
Tying Back to Security
Enhanced observability ensures that potential security threats are detected and addressed in real time. The ability to track user activity end to end strengthens both detection and response capabilities.
Results and Impact
Implementation of the proposed enterprise authentication architecture has led to significant improvements across various dimensions of identity and access management (IAM) for large-scale organizations. The following key results and impacts were observed:
Operational Efficiency
- Reduction in Complexity: The architecture streamlined the IAM processes, resulting in a 40% reduction in the operational complexity. This simplification was achieved by centralizing access control and automating authentication workflows, which reduces the need for manual intervention and minimizes the potential for human errors.
- Cost Savings: Organizations have experienced substantial cost savings by accelerating the migration of legacy systems to modern authentication methods. The reduction in technical debt and the elimination of redundant systems have decreased maintenance costs and freed up resources for strategic initiatives.
Enhanced Security
- Real-Time Monitoring and Adaptive Measures: The ability of the architecture to integrate real-time signals and apply adaptive authentication measures significantly enhances security. Organizations can proactively respond to potential threats, thereby reducing the risk of unauthorized access and data breaches.
- Improved Threat Detection: The observability component of the architecture provides comprehensive monitoring and logging capabilities, enabling the rapid detection and response to anomalies. This has strengthened the organization's ability to identify and mitigate security threats in real time.
Scalability and Flexibility
- Support for Diverse Applications: The architecture demonstrated scalability by effectively supporting over 10,000 applications and diverse user groups. This scalability ensures that as organizations grow and evolve, their IAM systems can seamlessly accommodate new applications and users without compromising performance or security.
- Adaptability to Changing Needs: The flexible design of the architecture allows it to be integrated with any OpenID Connect (OIDC) provider and adapt to evolving security requirements. This adaptability ensures that organizations can quickly respond to changes in the threat landscape and regulatory environment.
User Experience
- Seamless Authentication: By leveraging adaptive authentication, the architecture provides a seamless user experience. Users benefit from context-aware authentication processes that minimize disruptions, while maintaining high security standards.
- Increased User Satisfaction: The reduction in authentication-related issues and streamlined access to resources have led to increased user satisfaction and productivity.
Compliance and Accountability
- Simplified Compliance Reporting: Centralized access control and detailed audit trails simplify compliance reporting, making it easier for organizations to adhere to industry regulations and internal security standards.
- Enhanced Accountability: The architecture's comprehensive logging and traceability features provide clear visibility into access decisions and user activities, enhancing accountability and enabling rapid forensic analysis when needed.
Overall, the implementation of this architecture not only strengthened the security posture of organizations but also improved operational efficiency and user satisfaction. These results underscore the potential of the architecture to transform enterprise IAM by providing a scalable, secure, and adaptive solution.
Conclusion
This study demonstrates how a simplified, yet robust architecture can address the challenges of enterprise IAM. By integrating OIDC platforms with internal systems and leveraging adaptive security measures, the proposed solution achieved both scalability and enhanced security. Future work will explore additional use cases for adaptive authentication and expand the architecture to support emerging technologies such as zero-trust models.