Approaches
1. Isolated, or Silo-oriented IdM
Per-service IdM
No relation between services in the organization (or world).
Identity attributes are not shared among services
Duplication:
Each person would have an identity profile on each service.
Each service must ensure proper protection mechanisms.
Not scalable for users, nor user-friendly:
Each person must keep a separate identifier and credential for every service, unless they reuse the same ones everywhere.
But possibly better against identity theft: a credential stolen from one service does not open the others…
Unless the same identifiers and authentication credentials are reused across services, which removes that benefit.
Onboarding and Offboarding issues:
Need to provision/remove/disable identities across all services.
2. Aggregated IdM
One IdM for several services
A single profile for each entity:
Each profile contains the union of all attributes required by all services.
More efficient management, onboarding and offboarding.
Each service uses only the attributes it needs.
Usually explored with a central IdP
To centralize the authentication of profile owners.
To provide assertions with identity claims.
Services rely on the IdP
Relying Parties (RPs).
3. Federated identity
Concept that encompasses a common set of policies, practices and protocols to manage identity across organizations.
Goal
Enable an entity to access a service of an organization with a set of identity claims provided by one or more trustworthy third-party IdMs.
Use case: organizations share identity management
Entity@DomainA accesses system@DomainA and Entity@DomainA accesses system@DomainB.
Organizations agree on using federated identities
Either a single source of identities for all organizations (an independent, shared IdP),
Or each organization keeps its own IdP and the others accept its users.
4. Claim-based identity management
Identity claims provisioned by multiple IdPs.
The service provider asks for several identity attributes,
As identity claims,
And proposes alternative IdMs that can supply them.
The service client uses one or more IdMs to obtain all the necessary identity claims.
Usually no more than one is needed.
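As an added example, not part of the original notes: a small Python model of approaches 2 to 4. An IdP holds one aggregated profile per subject and issues a signed assertion carrying only the claims a relying party asked for; a relying party trusts the IdPs named in its federation agreement and, in the claim-based flow, merges assertions from more than one of them. Everything here is an assumption for illustration: assertions are HMAC-SHA256 over JSON instead of SAML or OIDC signatures, the issuer names `idp.domainA`, `idp.domainB` and `shop.domainB` and the user `alice` are invented, and all IdPs are assumed to use the same subject identifier (real federations need explicit account linking).

```python
import base64
import hashlib
import hmac
import json

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdP:
    """One aggregated profile per subject; releases only the claims an RP asks for."""

    def __init__(self, name, key, profiles):
        self.name, self.key = name, key   # toy HMAC key; a real IdP signs with a private key
        self.profiles = profiles          # subject -> {attribute: value, "password": ...}
        self.disabled = set()             # offboarded subjects

    def offboard(self, subject):
        self.disabled.add(subject)        # one action covers every RP that trusts this IdP

    def issue(self, subject, password, audience, requested):
        """Authenticate, then sign an assertion with the requested claims this IdP holds."""
        prof = self.profiles.get(subject)
        if prof is None or subject in self.disabled or \
                not hmac.compare_digest(prof["password"], password):
            raise PermissionError(f"{self.name}: authentication failed for {subject}")
        claims = {k: prof[k] for k in requested if k in prof and k != "password"}
        payload = json.dumps({"iss": self.name, "sub": subject, "aud": audience,
                              "claims": claims}, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return f"{_b64e(payload)}.{_b64e(tag)}"

class RelyingParty:
    """Needs a set of claims; trusts only the IdPs named in its federation agreement."""

    def __init__(self, name, required, trusted):
        self.name, self.required = name, required
        self.trusted = trusted            # issuer name -> verification key

    def offer(self):
        """What the client is told: which claims to bring and which IdPs are acceptable."""
        return {"claims": list(self.required), "idps": sorted(self.trusted)}

    def verify(self, token):
        try:
            p, t = token.split(".")
            payload, tag = _b64d(p), _b64d(t)
            body = json.loads(payload)
        except ValueError as exc:         # bad split, bad base64 or bad JSON
            raise ValueError("malformed assertion") from exc
        if not isinstance(body, dict):
            raise ValueError("malformed assertion")
        key = self.trusted.get(body.get("iss"))
        if key is None:
            raise ValueError(f"untrusted issuer {body.get('iss')!r}")
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
            raise ValueError("bad signature")
        if body.get("aud") != self.name:
            raise ValueError("assertion issued for a different audience")
        return body

    def login(self, tokens):
        """Merge claims from verified assertions that all name the same subject (shared identifier assumed)."""
        subject, merged = None, {}
        for tok in tokens:
            body = self.verify(tok)
            if subject is None:
                subject = body["sub"]
            elif body["sub"] != subject:
                raise ValueError("assertions refer to different subjects")
            merged.update(body["claims"])
        missing = [c for c in self.required if c not in merged]
        if subject is None or missing:
            raise ValueError(f"missing required claims: {missing}")
        return {"sub": subject, **merged}

# Constructed sample data (an assumption, not from the notes): a home IdP in
# DomainA, a bank IdP in DomainB and a shop in DomainB that trusts both.
UNI = IdP("idp.domainA", b"uni-secret", {"alice": {
    "password": "pw-a", "name": "Alice", "role": "student", "email": "alice@domainA"}})
BANK = IdP("idp.domainB", b"bank-secret", {"alice": {"password": "pw-b", "card": "****1234"}})
SHOP = RelyingParty("shop.domainB", ["name", "role", "card"],
                    {UNI.name: UNI.key, BANK.name: BANK.key})

def checkout_alice():
    """Claim-based login across domains: name/role from UNI, card from BANK; email is never released."""
    tokens = [idp.issue("alice", pw, SHOP.name, SHOP.offer()["claims"])
              for idp, pw in ((UNI, "pw-a"), (BANK, "pw-b"))]
    return SHOP.login(tokens)

def login_error(make_tokens):
    """Rejection reason when the client obtains and presents assertions, or None if accepted."""
    try:
        SHOP.login(make_tokens())
    except (PermissionError, ValueError) as exc:
        return str(exc)
    return None
```

`checkout_alice()` is the claim-based case: the shop's offer names the claims and the acceptable IdPs, the client collects one assertion from each, and the merged session contains only the three requested attributes. `login_error()` shows the checks a relying party must not skip: an assertion from an issuer outside the federation, one issued for another audience, or one whose payload was altered after signing is rejected, and a subject offboarded at the IdP can no longer obtain assertions for any relying party.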