About this series:
This tutorial series teaches the basic concepts of identity management and single sign on using different identity management system (Shibboleth and CAAS).This tutorial series also provides a solution for integrating your existing applications with security feature and also shows how to make multiple applications interact and login through a centralized authentication system, so that user don’t have to remember multiple username password for different applications that they will be accessing.
Part 1 starts simply, explaining the basic concepts behind identity management and single sign on and related technologies like SAML. It also shows the basic architecture for any identity management service.
Part 2 starts simply by developing identity management system with Shibboleth Identity Provider and Service Provider and followed by single sign on with multiple applications.
Part 3 simply shows how to develop identity management system for single sign-on on the web applications with Centralized Authentication and Authorization System (CAAS).This tutorial, the first of the three-part series, explains the basic concepts of IAM and SP. It gives an overview of the architecture of an Identity Provider. This document introduces the functionality of an identity management solution and describes this functionality within the context of the identity management infrastructure.
What is Identity and Access Management?
“Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
Identity and Access Management IAM has recently emerged as a critical foundation for realizing the business benefits in terms of cost savings, management control, operational efficiency, and, most importantly, business growth for e-Commerce. Enterprises need to manage access to information and applications scattered across internal and external application systems. Moreover, they must provide this access for a growing number of identities, both inside and outside the organization, without compromising security or exposing sensitive information.
Identity management refers to the process of employing emerging technologies to manage information about the identity of users and control access to company resources. The goal of identity management is to improve productivity and security while lowering costs associated with managing users and their identities, attributes, and credentials.
The purpose of this document is to offer a broad overview of current identitymanagement technologies and provide a framework for determining when an identity management system would benefit your company. This document first defines the underlying business problems and resulting business risks inherent in managing user identity information across a heterogeneous technology infrastructure. Next, this document highlights the unique challenges of implementing an identity management solution. This document introduces the functionality of an identity management solution and describes this functionality within the context of the identity management infrastructure. Next, this document highlights products from leading vendors. Finally, a basic framework is provided to help determine if an identity management solution would benefit your company.
Features Of Identity and Access Manager
This area is comprised of authentication management and session management.Authentication is the module through which a user provides sufficient credentials to gain initial access to an application system or a particular resource. Once a user is authenticated, a session is created and referred during the interaction between the user and the application system until the user logs off or the session is terminated by other means (e.g. timeout). The authentication module usually comes with a password service module when the userid / password authentication method is used. By centrally maintaining the session of a user, the authentication module provides Single Sign-On service so that the user needs not logon again when accesses another application or system governed under the same IAM Framework.
Authorization is the module that determines whether a user is permitted to access a particular resource. Authorization is performed by checking the resource access request,typically in the form of an URL in web-based application, against authorization policies that are stored in an IAM policy store. Authorization is the core module that implements role-based access control. Moreover, the authorization model could provide complex access controls based on data or information or policies including user attributes, user roles / groups, actions taken, access channels, time, resources requested, external data and business rules.
This area is comprised of user management, password management, role/group management and user/group provisioning. User management module defines the set of administrative functions such as identity creation, propagation, and maintenance of user identity and privileges. One of its components is user life cycle management that enables an enterprise to manage the lifespan of a user account, from the initial stage of provisioning to the final stage of de-provisioning. Some of the user management functions should be centralized while others should be delegated to end-users. Delegated administration allows an enterprise to directly distribute workload to user departmental units. Delegation can also improve the accuracy of system data by assigning the responsibility of updates to persons closest to the situation and information.
Self-service is another key concept within user management. Through self-profile management service an enterprise benefits from timely update and accurate maintenance of identity data. Another popular self-service function is self-password reset, which significantly alleviates the help desk workload to handle password reset requests.
User management requires an integrated workflow capability to approve some user actions such as user account provisioning and de-provisioning.
Support of multiple protocols like SAML, Oauth is a vital feature of modern identity provider. Modern applications are influenced by the advancement of the social network and cloud enabled services. Thus to bring all of these diverse system under one roof.