Identity Management and Federated ILM
I had of course heard the term Identity Lifecycle Management, and understood that it had something to do with centralizing and helping users manage identities across systems and all that jazz. Any IT jock or person involved in Technology should understand (and hopefully does) that Identity Management is probably the most integral part of any system. Hell, even with anonymous systems it still uses a form of identity management because these systems must be ‘administered’ by someone and that someone has an identity for use with that system.
So I decided to look a little more into it, and to say I am impressed by the solutions and ideas that people have come up with in relation to Identity Lifecycle Management solutions would be a definitive understatement. I believe the best term for how impressed I am by this would be at the ‘totally freaking wicked awesome’ level. I know... I am excitable, but seriously, if you haven’t ever really read about or looked into Identity Management or Identity Lifecycle Management (which will be referred to as ILM from this point onward in this post) follow along with me here.
The concept of Identity Management is pretty simple. You have an identity. Everyone using any system of any sort uses an identity when they interact with that system. This could be an anonymous user (which uses an anonymous identity) or an identity that has information about who you are. The most common systems for this would be forms authentication running off a user store (let’s say… a sql database for an example) or Active Directory if you are working with Windows, or whatever Linux and those other systems use for Identity Management.
So what’s the big deal? The fact that everything nowadays requires you to submit your identity. Think of the internet (big, I know) and how you visit different sites and register or login (facebook and myspace are pretty popular, so let’s use them as an example). When you login it uses your profile information in a number of ways, presenting the information you want to see, who you are, who you might be associated with and other things. All of this of course comes down to being associated with your ‘identity’.
In a nutshell, Identity Management provides you with more capability to manage identities. This can be in the form of policies, provisioning, workflows, or reducing ‘sign in’ needs.
So what’s cool? The whole federated identity management stuff and how far some groups have come with these systems.
So what is federated identity management? Exactly what the term sounds like: unionizing, or bringing together, these identity management systems. Let’s take a simple example. Your organization has AD and maybe an intranet. You login to the intranet and navigate to your benefits area. When you click on a link in the intranet to the benefits area it actually uses federated identity management to communicate who you are and (since you’re already authenticated) does not prompt you. The information it presents you with is based on your identity, which has been passed on to and associated with the benefits system’s identity store.
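To make the intranet-to-benefits handoff concrete, here is an added example (not from the original post or any product) of the two sides of a federated sign-on: the intranet side issues a signed assertion about who you are, and the benefits side refuses to trust it unless the signature, issuer, audience and validity window all check out. It is modelled loosely on a SAML-style assertion; the HMAC signing, shared key and all names are simplifying assumptions.

```python
"""Added example: a minimal federated sign-on handoff between an intranet
identity provider and a benefits application. The HMAC-based signing and the
shared key are assumptions for illustration (real federations such as SAML
use certificate-based signatures); names are constructed."""
import hmac
import hashlib
import json

# Constructed shared secret between the two trusting parties (assumption).
FEDERATION_KEY = b"constructed-demo-key"


def issue_assertion(subject, issuer, audience, attributes, now, ttl=300):
    """Identity provider side: state who the user is, who vouches for them,
    which relying party may consume the assertion, and for how long."""
    claims = {"sub": subject, "iss": issuer, "aud": audience,
              "attrs": attributes, "iat": now, "exp": now + ttl}
    # Canonical serialisation so both sides sign/verify identical bytes.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


def consume_assertion(token, expected_issuer, my_audience, now):
    """Relying party side: verify everything before trusting a single claim.
    Returns (claims, "ok") on success or (None, reason) on rejection."""
    payload = token["payload"].encode()
    expected = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time compare: a tampered payload or forged signature fails here.
    if not hmac.compare_digest(expected, token["sig"]):
        return None, "bad signature"
    claims = json.loads(payload)
    if claims["iss"] != expected_issuer:
        return None, "untrusted issuer"
    # Audience restriction stops an assertion minted for one system from
    # being replayed against another.
    if claims["aud"] != my_audience:
        return None, "assertion meant for another system"
    if not (claims["iat"] <= now < claims["exp"]):
        return None, "expired or not yet valid"
    return claims, "ok"
```

The benefits system never looks at the intranet's password store; it trusts only what the assertion carries, which is why the audience and expiry checks matter as much as the signature.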
This isn’t a new concept or anything, but what fascinated me when I actually played with one of these systems (in my case Microsoft Identity Lifecycle Manager (the new beta)) was how the interface was set up, and how it honestly was like something out of my dreams.
I have seen a great many different ADs in my day and have written applications that integrated with PeopleSoft or other systems for identity management. Many of them had problems and issues, weren’t well maintained, or were structured poorly. This causes all sorts of issues when you are trying to implement systems like SharePoint 2007 because now you cannot rely on having organizational hierarchy (as an example) available to you for audience targeting. Take that one step further and many of the clients I have worked with use many different user stores, or work directly with groups that have their own user stores.
It’s the way the world works, I evangelize and advocate SharePoint, another person sells their custom app and so on until there are a plethora of different systems that all use different identity stores.
A tool like Microsoft’s Identity Lifecycle Manager removes so many of the issues I would run into on a regular basis trying to either replace or integrate the existing systems. That’s not to say you don’t have plenty of alternatives (single sign on is a good one), but seeing many systems so well integrated and being so easy to manage and synchronize made me fully understand the power (and obvious effort) these ISVs’ and organizations’ solutions provide.
Looking forward to learning more about the whole ILM marketplace,
P.S – Here are some examples of solutions which fall under Identity Management and ILM…
Management of identities
- Provisioning/De-provisioning of accounts
- Workflow automation
- Delegated administration
- Password synchronization
- Self-service password reset
- Policy-based access control
- Enterprise/Legacy single sign-on (SSO)
- Web single sign-on (SeoS)
- Reduced sign-on
- Identity repository (directory services for the administration of user account attributes)
- Metadata replication/Synchronization
- Directory virtualization (Virtual directory)
- e-Business scale directory systems
- Next-generation systems – Composite Adaptive Directory Services (CADS) and CADS SDP
- Role-based access control (RBAC)
- Federation of user access rights on web applications across otherwise untrusted networks
- Directory-enabled networking and 802.1X EAP
- Security Assertion Markup Language (SAML)
- Liberty Alliance — A consortium promoting federated identity management
- Shibboleth (Internet2) — Identity standards targeted towards educational environments
- Abriva — Free mobile identity management framework