Across the industry, many companies are implementing new, hosted Identity and Access Management Service (“IAM”) that will be used by all the products to authenticate customers accessing our services.
The Identity service will provide a central user profile that can be shared across products. Customers will manage their profile from a central location; thus ensuring the accuracy and timeliness of their data across all products. The central identity will have the effect of increasing customer satisfaction (a benefit to the customer), but use of this central identity will give organization better abilities to track customers throughout their product lines over a period of time; which will provide better insight into how our products are used (a benefit to the company).
The Authentication service provides a single login that can be used by products across the company (in a fashion similar to Google, Amazon, Facebook, Apple, Microsoft and other technology companies). This will allow our customers to log in once across all products, rather than into each product separately. As corporate security policies change, modifications are made centrally at the Authentication service rather than individually in various products across businesses. As a result, security polices can be made (and enforced) consistently across the organization.
The Identity and the Authentication services should include graphical, web-based interfaces that allow clients and administrators to interact directly with these services. Additionally, Identity and Authentication services should be exposed via web services and implemented using architectural styles such as representational state transfer (“REST”). This will allow products to easily interact with the central IAM solution programmatically.
Companies often have dozens of different systems that contain customer identity data and these systems are used by hundreds of products. Having multiple identity systems not only limits the ability to leverage assets easily across the organization but it also provides suboptimal customer experience and prevents us from tracking customers across products.
By consolidating on a central IAM service, it will improve the ability to integrate existing products within the organization, provide better user management for our largest customers, increase our ability to scale and support identity and access management services, and bring us closer to our customers so that we can better market and sell to them.
SAML & OAuth are often mentioned as methods of connecting various products using different identity systems. In this document we will briefly discuss what SAML & OAuth are, and how they can help in the identity landscape of an organization. We will also look at design patterns with and without a central IAM and perform an objective analysis of pros and cons of various methods of identity federation.
Before we start talking about the key protocols used for identity, it is important to understand that these are broad standards and there are many ways that you can implement them. Next couple blogs will review commonly used implementations and those that have direct applicability in most systems.
This is a broad topic, so I have split this content in different blogs to help focus discussion on sub topics in different blogs.
- Identity Federation Design Patterns: 1 – Executive Summary
- Identity Federation Design Patterns: 2 – Introduction
- Identity Federation Design Patterns: 3 – SAML
- Identity Federation Design Patterns: 4 – Open Authorization (“Oauth”)
- Identity Federation Design Patterns: 5 – Integration without IAM
- Identity Federation Design Patterns: 6 – Integration with a Central IAM
Also if you liked this blog then you might also like my previous blog “Benefits of Identity and Access Management as Corporate Service“