Identity Management System (IDM) Overview
Terry.Cho (http://bcho.tistory.com)
1. Background

IDM (Identity Management system) is one of the most important and complex components in a common IT system.

Pain Points

Here are sample pain points that commonly come up in the identity management area.

Federation
1) An enterprise builds its IT systems with very simple and isolated identity management features. Each system has its own identity management feature.
2) The number of IT systems grows, and each one has its own identity management system.
3) End users start to complain about logging in with a different id for each system.

Lifecycle management & Provisioning
1) After an employee leaves the company, the enterprise IT admin needs to delete all of that employee's identities across the systems.
2) After a new employee joins, his identity needs to be created in email, ERP, CRM etc. Some identity creation needs to be approved by a manager.

Without a common identity management platform, identity management becomes very painful.
B2B vs B2C

There are two main categories that use identity management. One is B2B and the other is B2C.

B2B is enterprise IT. It is designed to manage internal users or a restricted number of end clients. The characteristics of a B2B system are:
- It has very complex scenarios to support the business.
- It has a lot of package based legacy systems like ERP, CRM etc.
- It needs very elaborate authorization control.
- It has many types of roles (admin, manager, end user, org admin etc).

So a product which supports the B2B scenario focuses on legacy system integration (provisioning, connectors, standard support - WS-Security, SAML, XACML etc), work flow support etc. This area is mainly driven by enterprise vendors like Oracle, CA, IBM etc.

In contrast, the B2C area has different requirements. In the B2C area, the system provides service to customers, like an SNS.
- It supports a huge number of end users (millions or more).
- Role types and authorization control are very simple compared to the B2B scenario.
- Open standard based federation model (OAuth 2.0, OpenID etc).
- Global deployment.
Trend & Implementation options

To build up an IDM system there are 3 different approaches.

1) Option A. Build with an open source framework
Build the IDM system from scratch or reuse an open source framework.
To support just a single silo system, a big identity management system is not required. In this case, the user just builds the IDM system from scratch. For a small to medium number of users, an RDBMS backend is preferred. For a medium to big number of users, LDAP or Microsoft Active Directory is preferred.
To provide a more platformized (or well defined) IDM, an open source framework can be used.
Spring Security is one of the major players in this area. It is more focused on web based applications.
Apache Shiro is also one of the other major players. It can support web and others (REST API based security control etc).

2) Option B. Build with a niche vendor solution
If IT has to support more complex scenarios, it can consider a solution. There are a lot of solutions which are optimized for a specific scenario.
For example, Centrify is well optimized to support Active Directory based single sign on in the B2B scenario. PingIdentity is good for the user account federation scenario.

3) Option C. Full package from an enterprise vendor
If the company has a lot of package based legacy systems and it needs sophisticated role based authorization control, long running work flows for authorization approval, audit etc, a full packaged IDM is recommended.
These kinds of IDM products are delivered by enterprise vendors like Oracle, IBM, CA etc.

Figure 1. IDM Gartner Magic Quadrant 2010

The trend is:
For B2C, commonly Option A is used, and if there are more complex requirements, Option B is used (or it moves from Option A to Option B). Big B2C companies like Facebook and Google build up their own IDM systems with the Option A approach.
For B2B, small & isolated systems use Option A. A restricted scenario uses Option B. Enterprise wide, Option C is used. Commonly an enterprise IT system has its own LDAP server internally and provides minimum single sign on with solutions (Option B).
Commonly they have SSO and provisioning only, and do not support authorization and other stuff. Authorization support requires a lot of customization on both the IDM and the service application side. And a full package vendor solution is very expensive, complex and hard to manage.
2. IDM System common features

Here are the common features which are provided by traditional IDM systems.

1) User Management
It manages user identity during the full life cycle. It creates, updates and deletes the user identity information.

Lifecycle management
This feature manages the whole life cycle of user identity from creation to removal. Depending on the requirement, a user identity can be expired based on pre-defined logic. It can also manage the password expiration date etc.

Work flow
Some user identity creation or new authorization permission grant needs an approval. For example, in case of bank account creation, it needs to check the user identity. This kind of approval requires a long running process. It is implemented by using a work flow engine (eg. BPM etc).

Provisioning
When a user identity has been created or modified, it needs to be replicated to other systems. For example, when a new email account has been created in the email system, a new account in the sales system needs to be created. In that case the user profile should be replicated (provisioned). It is one of the very important features in a centralized IDM.

Delegated Admin
To manage user identity, a single IDM admin is not enough. If the company has a lot of organizations and authorization control is required, a single IDM admin cannot cover all of the requests. So in that case restricted admin authority needs to be delegated to someone (ex. managers in the organization). This feature is delegated admin.
One more thing for this feature: if the delegated admin has left the company, the delegated authority should be propagated to another user in the IDM.

Identification management
In specific systems, the user identity which proves "Who is the user?" is very important. In banking and stock trading systems, proving the user identity is a very important issue. To support them, the IDM manages additional information like user certificates, finger prints and user biometric data.
2) Access Management
Access management answers "Can the user access a specific resource?". It allows the system to provide restricted access.

Authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. This is commonly done by comparing the user identity & credentials (id & password).

Authorization (ACL, Entitlement)
This is the process of granting or denying access to a resource. In other terms, it is controlled by an "ACL (Access Control List)". It describes "Who can access what resource".
In the authorization scenario, there are 3 types of access control.
① RBAC (Role Based Access Control)
Resource access is controlled by user role. An individual user can have a number of roles. For example a user can be "Partner", "Admin", "End User". Resource control is granted by pre defined access control based on each role. RBAC is one of the most broadly used authorization methods.
② DAC (Discretionary Access Control)
It is more flexible compared to RBAC. DAC manages authority based on user identity (user id or its associated group).
③ MAC (Mandatory Access Control)
Users are given permission to resources by the system administrator. Only the admin can grant permission to a resource.
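The three models side by side, as an added example that is not part of the original article: the users, roles, groups, labels and resources are constructed sample data, and the point is who is allowed to change the access decision in each model (the role definition, the resource owner, or only the administrator).

```python
# Added example (not the article's code): RBAC, DAC and MAC over constructed sample data.
ADMIN = "sysadmin"   # the only principal allowed to assign MAC clearances
# RBAC: access is pre-defined per role; a user may hold several roles.
ROLE_PERMS = {
    "Admin":    {"report": {"read", "write"}, "user-db": {"read", "write"}},
    "Partner":  {"report": {"read"}},
    "End User": {"profile": {"read", "write"}},
}
USER_ROLES = {"alice": {"Partner", "End User"}, "bob": {"Admin"}, "carol": set()}
USER_GROUPS = {"alice": {"sales"}, "bob": {"it"}, "carol": {"sales"}}

# DAC: the resource owner decides which user id or group may do what.
DAC_ACL = {"report": {"owner": "alice", "grants": {}}}

# MAC: sensitivity labels and clearances are set by the administrator only.
LEVELS = {"public": 0, "internal": 1, "secret": 2}
CLEARANCE = {"alice": "internal", "bob": "secret", "carol": "public"}
LABEL = {"report": "internal", "user-db": "secret"}

def rbac_allowed(user, resource, action):
    # Union of the permissions of every role the user holds.
    return any(action in ROLE_PERMS.get(role, {}).get(resource, set())
               for role in USER_ROLES.get(user, set()))

def dac_grant(granter, resource, subject, actions):
    # Only the owner may extend access; subject is "user:<id>" or "group:<name>".
    acl = DAC_ACL[resource]
    if acl["owner"] != granter:
        raise PermissionError(f"{granter} does not own {resource}")
    acl["grants"].setdefault(subject, set()).update(actions)

def dac_allowed(user, resource, action):
    acl = DAC_ACL.get(resource)
    if acl is None:
        return False
    if acl["owner"] == user:          # the owner always has full control
        return True
    subjects = {f"user:{user}"} | {f"group:{g}" for g in USER_GROUPS.get(user, set())}
    return any(action in acl["grants"].get(s, set()) for s in subjects)

def mac_grant(granter, user, clearance):
    # Neither users nor resource owners can raise a clearance; only the admin can.
    if granter != ADMIN:
        raise PermissionError("only the system administrator assigns clearances")
    CLEARANCE[user] = clearance

def mac_allowed(user, resource):
    # Access requires the user's clearance to dominate the resource's label.
    return LEVELS[CLEARANCE.get(user, "public")] >= LEVELS[LABEL.get(resource, "public")]
```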
Federation (SSO)
If there are a number of systems and the user logs in once to one of them, the user doesn't need to log into the other systems anymore. This is Single Sign On. There are standards to support SSO like SAML, CAS, Kerberos etc.
3) Repository
The repository persists user identity & profile. The user identity has a user id and password for log in, an ACL (Access Control List) and a user profile which contains user related data, for example name, address, email etc.
This repository is read intensive. And it needs to support a tree like structure because the user identity includes the user's organization structure too. For this reason LDAP is a common solution for the repository.
If the system has to support a global roll out, it should also consider regulation issues. Some user information cannot be stored outside its country. When the user profile schema is designed, a legal check is required. And to support the global roll out, data replication across data centers should be supported.
4) Audit & Reporting
Audit means "who did what to which resource?". It enables the admin to track resource usage, denied resource access etc. In some systems, the access log can be used to track user patterns. The web access log analysis scenario is one example. In addition, the resource access log can be used for metering service usage (cloud computing scenario etc).
For denied access, it needs to support notification messages to the admin and reporting. To prevent denied access, it also needs to support a "black list".
This area consists of logging, gathering, analysis, reporting and archiving. Nowadays, it is implemented by using big data technology (logging frameworks etc).
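A small audit pass over access-log lines, as an added example that is not from the original article: the log format, the denial threshold and the sample lines are constructed; it derives the "who did what to which resource" trail, per-resource usage for metering, the users whose repeated denials should be reported to the admin, and a black list check applied before the ACL is consulted.

```python
# Added example, not from the original article: a small audit pipeline over
# constructed access-log lines "<ts> <user> <action> <resource> <ALLOW|DENY>".
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2010-05-01T09:00:01 alice read report ALLOW
2010-05-01T09:00:05 mallory write user-db DENY
2010-05-01T09:00:06 mallory read user-db DENY
2010-05-01T09:00:09 mallory read payroll DENY
2010-05-01T09:01:00 bob write user-db ALLOW
2010-05-01T09:02:00 alice read report ALLOW
"""

DENY_THRESHOLD = 3   # denials per user before the admin is notified (assumed value)
BLACKLIST = set()    # users refused before the ACL is even consulted

def parse_line(line):
    ts, user, action, resource, result = line.split()
    return {"ts": ts, "user": user, "action": action,
            "resource": resource, "denied": result == "DENY"}

def audit(log_text):
    """Returns usage per resource (metering), denials per user, the users whose
    denial count reaches the notification threshold, and the per-user trail."""
    usage = Counter()
    denials = Counter()
    trail = defaultdict(list)   # who did what to which resource
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        trail[ev["user"]].append((ev["action"], ev["resource"], ev["denied"]))
        if ev["denied"]:
            denials[ev["user"]] += 1
        else:
            usage[ev["resource"]] += 1
    to_notify = sorted(u for u, n in denials.items() if n >= DENY_THRESHOLD)
    return usage, denials, to_notify, trail

def blacklist(user):
    BLACKLIST.add(user)

def admit(user):
    """Pre-check run before authorization: black listed users are refused outright."""
    return user not in BLACKLIST
```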
5) Integrations
The integration feature integrates multiple identity management systems.
There are many perspectives. Replicating user profiles from one system to others is covered by "provisioning". Authentication across a number of systems can be covered by Single Sign On. Authorization over a number of systems can be covered by an XACML based authorization system.
To simplify integration, we can take 3 perspectives like below.

Open standard support
Integration support is an old problem in the identity management area. So there are already open standards to support the integration issue.
In the B2C area, OpenID and OAuth are the major players that support authentication.
In the B2B area, there are a lot of standards like:
- SAML, WS-Security: support SSO & Federation
- XACML: support authorization
- LDAP or Microsoft Active Directory: repository integration
- WS-Trust: API Security

Internal service integration
In an enterprise, there are a lot of internal systems. Especially legacy enterprise systems (ERP, CRM) have very complex user profile schemas and organization structures, and sometimes they don't support open standards. So special integration connectors are needed to support the integration (provisioning, authorization etc).
Connector support is the main feature of internal service integration.

External service integration
It covers identity integration with external systems which reside outside of the company.
- B2C integration - There are already well known B2C service systems like Google, Windows Live account, Facebook, Twitter account. The B2C integration scenario is usually implemented with open standards (OAuth, OpenID, Active Directory etc).
- B2B integration - This area can have various scenarios depending on the requirement. If company A provides service B from company B as a white-label, they need to support SSO. In this case companies A and B need to integrate their authentication by using SSO. In this scenario, if company B charges for the service, the user identity needs to be provisioned from company A to company B to measure its usage.
B2B integration occurs in an ad-hoc way. There is no common approach in this area. The best way is to clarify the gap between the two different identity management systems and make the integration scenario case by case. This approach is similar to EAI (Enterprise Application Integration).
- B2B (Cloud) integration - There are already enterprise cloud services like SalesForce.com and Microsoft Office 365. These services need to integrate with the company wide IDM system.
3. IDM deployment model
To understand the IDM deployment model, we have to understand the IDM terms first.
IdP (Identity Provider): This is the IDM. It persists user identity and authenticates & authorizes incoming requests.
SP (Service Provider): It provides service to the end user. It has resources. Access to the resources is restricted by the IdP. Example: web site etc.
Token: User credentials (id & password, or a log in token which is used for authentication).

There are 3 types of deployment models.

Isolated IDM Model
Each service provider has its own IdP. The end user has to log in to each service provider with a different identity.

Centralized IDM Model
All services share a single IdP. This is the most ideal model. The end user can log in and access with a single user identity. All of the access controls in all service providers are controlled by a single ACL. It is consistent.
But it is hard to meet in the real world. Products (open source or solutions) already have their own IdP internally. If all of the service providers are built from scratch, they can support this model.

Federated IDM Model
From the end user perspective, it is the same as the centralized IDM model. The end user logs in to the service provider with a single user identity. But each service provider has a different IdP in the backend.
This is the common use case in the IDM area. Authentication is integrated by SSO (Federation) and authorization is covered by entitlement (XACML etc).

Here is the reference architecture of the federation model.

The user management system creates & updates the user profile. The profile is propagated to each IdP server through the provisioning components. The service provider has the recent version of the user profile. The end user logs in to the service provider. It is federated by using SSO.
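The reference architecture above as a runnable simulation, added here and not the article's own code: a user management system provisions (and deprovisions) a profile to several IdPs, an IdP authenticates the user and issues an SSO token, and a service provider that trusts those IdPs verifies the token and checks its own entitlements. The class names, the HMAC-signed token format and the sample users are assumptions; real deployments would use SAML or a similar standard token.

```python
# Added example (not the article's code): the federation reference architecture above.
import hashlib, hmac, json, os, time

def hash_pw(password, salt):
    # Salted PBKDF2 so that an IdP never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

class IdP:  # authenticates the users provisioned to it and issues a signed SSO token
    def __init__(self, name, secret):
        self.name, self.secret, self.users = name, secret, {}
    def provision(self, user_id, profile):  # profile=None means deprovision
        if profile is None: self.users.pop(user_id, None)
        else: self.users[user_id] = profile
    def authenticate(self, user_id, password):
        u = self.users.get(user_id)
        if u is None or not hmac.compare_digest(u["pw_hash"], hash_pw(password, u["salt"])):
            return None
        body = json.dumps({"sub": user_id, "idp": self.name, "roles": u["roles"],
                           "exp": time.time() + 300}).encode()
        return body.hex() + "." + hmac.new(self.secret, body, hashlib.sha256).hexdigest()

class UserManagement:  # master of the profile; every change is pushed to all IdPs
    def __init__(self, idps):
        self.idps = idps
    def upsert(self, user_id, password, roles):
        salt = os.urandom(16)
        profile = {"salt": salt, "pw_hash": hash_pw(password, salt), "roles": roles}
        for idp in self.idps:            # provisioning component
            idp.provision(user_id, profile)
    def remove(self, user_id):           # employee leaves: delete the identity everywhere
        for idp in self.idps:
            idp.provision(user_id, None)

class ServiceProvider:  # trusts a set of IdPs and decides access from its own entitlements
    def __init__(self, trusted_idps, entitlements):
        self.keys = {i.name: i.secret for i in trusted_idps}
        self.entitlements = entitlements  # role -> set of resources
    def access(self, token, resource):
        try:
            body_hex, sig = token.split(".")
            body = bytes.fromhex(body_hex)
            claims = json.loads(body)
            key = self.keys[claims["idp"]]  # token from an untrusted IdP -> KeyError -> deny
        except (ValueError, KeyError, AttributeError, TypeError):
            return False
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig) or claims["exp"] < time.time():
            return False
        return any(resource in self.entitlements.get(r, ()) for r in claims["roles"])
```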