Approachs

1. Isolated, or Silo-oriented IdM

Per-service IdM

No relation between services in the organization (or world).

Identity attributes are not shared among services

Duplication:

• Each person would have an identity profile on each service.

• Each service must ensure proper protection mechanisms.

Not scalable for users, nor user-friendly:

• Unless you use the same identifiers and authentication credentials.

But possibly better against identity theft!

• Unless you use the same identifiers and authentication credentials…

Onboarding and Offboarding issues:

• Need to provision/remove/disable identities across all services.

2. Aggregated IdM

One IdM for several services

A single profile for each entity:

• Each profile contains the union of all attributes required by all services.

• More efficient management, onboarding and offboarding.

Each service uses only the attributes it needs.

Usually explored with a central IdP

To centralize the authentication of profile owners.

To provide assertions with identity claims.

Services rely on the IdP

Relying Parties (RPs).

3. Federated identity

Concept that encompasses a common set of policies, practices and protocols to manage identity across organizations.

Goal

Enable an entity to access a service of an organization with a set of identity claims provided by one or more trustworthy third-party IdMs.

Use case: organizations share identity management

Entity@DomainA accesses system@DomainA and Entity@DomainA accesses system@DomainB.

Organizations agree on using federated identities

Single source of Identities for all Organizations.

Can use an independent IdP or accept users from any participant.

4. Claim-based identity management

Multi-IdP identity claims’ provisioning.

The service provider asks for several identity attributes.

• As identity claims.

• And proposes alternative IdMs.

Service client uses one or more IdMs to get all the necessary identity claims.

• Usually no more than one.