Identity Management on a Shoestring

by Ganesh Prasad and Umesh Rajbhandari on Mar 19, 2012

About the Authors

Ganesh Prasad has been an architect in the Shared Services space for many years and has convinced himself that his brand of pedantry is in fact a long-term and enterprise-wide perspective. He provides nuisance value to project teams that just want to get the job done.

Umesh Rajbhandari is a Java / Web developer who likes to keep abreast of the latest technologies. He has worked in Singapore and Nepal, and is currently based in Sydney.

This document is aimed at Security and IT practitioners (especially architects) in end-user organisations who are responsible for implementing an enterprise-wide Identity and Access Management (IAM) system. It is neither a conceptual treatment of Identity (for which we would refer the reader to Kim Cameron's excellent work on the Laws of Identity) nor a detailed technical manual on a particular product. It describes a pragmatic and cost-effective architectural approach to implementing IAM within an organisation, based on the experience of the authors.

Starting in early 2009, we built an IAM system for a large and established Australian financial services company, using a rather unconventional approach. While the system has not yet reached its envisioned target state, we have had significant success so far, and we believe our experience carries valuable lessons for others considering a similar journey. Identity Management as an applied practice does not enjoy a rich knowledge base in the public domain, so we are pleased to contribute our experience herewith. Most of what we describe here is from what we have already implemented and proven. Some of it refers to planned designs to meet forthcoming requirements, and some of it reflects (with the benefit of hindsight) the way we wish our solution had been designed! We have distilled these learnings into an architectural approach we call LIMA[1].

Our background and experience are largely with Java-based technologies, so Java shops would probably be best positioned to benefit from our suggestions, but we are sure these general principles can be suitably adapted to other technology platforms. As with any piece of unsolicited advice, the usual caveats apply. No guarantees or warranties are provided or implied. The reader is expected to apply common sense and sound design judgement when developing a solution based on this approach.

Table of Contents

  • ACKNOWLEDGEMENTS
  • INTENDED AUDIENCE
  • COVER ILLUSTRATION

OVERVIEW – CHARACTERISTICS OF LIMA AT A GLANCE

  • INTRODUCTION

THE MODERN ENTERPRISE – A REALITY CHECK

  • SO YOU THINK YOU'RE GOING TO CHANGE THE WORLD
  • WHO'S YOUR SUGAR DADDY? FUNDING MODELS THAT WORK
  • FIRST THINGS FIRST – OBJECTIVES OF IDENTITY AND ACCESS MANAGEMENT
  • THE TROUBLE WITH BRAND-NAME PRODUCTS
  • MISCONCEPTIONS ABOUT SECURITY
  • AUDITORS, SECURITY AND WORDS OF WISDOM

INTRODUCING LIMA – A DIFFERENT ARCHITECTURE FOR IAM

  • LOOSE COUPLING – A FIRM FOUNDATION FOR IAM
  • SNEAK PREVIEW – WHAT A LIMA IMPLEMENTATION LOOKS LIKE

ACCESS MANAGEMENT, LIMA-STYLE

  • ACCESS MANAGEMENT CONCEPTS
  • HOW SINGLE SIGN-ON WORKS
  • THE BEST THINGS IN LIFE (AND IN IAM) ARE FREE
  • CENTRAL AUTHENTICATION SERVICE AND THE CAS PROTOCOL
  • SHIBBOLETH'S FEDERATED IDENTITY MODEL
  • CAS SERVER CONFIGURATION AND THE “TWO-LAYER PROTOCOL ARCHITECTURE”
  • ENHANCING ACCESS MANAGEMENT FUNCTIONALITY INCREMENTALLY
  • EXTENSION CASE STUDY 1: LAN SSO INTEGRATION WITH SPNEGO
  • EXTENSION CASE STUDY 2: TWO-FACTOR AUTHENTICATION WITH SMS ONE-TIME TOKENS
  • EXTENSION CASE STUDY 3: FEDERATED IDENTITY WITH SAML TOKENS
  • LIMITS TO THE TWO-LAYER PROTOCOL ARCHITECTURE
  • MISCELLANEOUS TOPICS IN ACCESS MANAGEMENT
  • PROTECTING NON-WEB APPLICATIONS
  • IMPLEMENTING “SINGLE SIGN-OUT”
  • IAM AND CLOUD COMPUTING
  • WHAT DO WE DO WITH ACTIVE DIRECTORY?
  • TAILORING COARSE-GRAINED ACCESS CONTROL
  • USING CAS TO CENTRALISE ENFORCEMENT OF AUTHORISATION RULES
  • USING A REVERSE-PROXY DEVICE AS A COMMON INTERCEPTOR
  • ACCESS MANAGEMENT FOR “PORTAL” APPLICATIONS

IDENTITY MANAGEMENT, LIMA-STYLE

  • IDENTITY MANAGEMENT CONCEPTS
  • SEPARATING CHURCH AND STATE – THE ROLES OF DIRECTORY AND DATABASE
  • DESIGNING THE IAM DIRECTORY
  • USER UUID – THE ONE RING TO RULE THEM ALL
  • DECOUPLING AUTHENTICATION, COARSE-GRAINED AND FINE-GRAINED AUTHORISATION REALMS
  • PERSON UUID – THE ULTIMATE IDENTITY REFERENCE
  • DATA REPLICATION AND MASTER DATA MANAGEMENT
  • DESIGNING THE IAM DATABASE
  • REST EASY WITH REST SERVICES
  • IAM REST SERVICE INTERFACE AT A GLANCE
  • AUTOMATED USER PROVISIONING – INVOCATION OF REST SERVICES
  • USER ADMINISTRATION
  • IAM, PROTECT THYSELF
  • PROVISIONING USERS TO DOWNSTREAM SYSTEMS
  • DESIGNING USER PROVISIONING MESSAGES

IMPLEMENTING LIMA

  • TRANSITIONING TO THE TARGET STATE
  • HARMONISING DATA
  • MANAGING SSO REALMS
  • MANUAL PROVISIONING
  • THE BAU OF IAM – A “COOKIE-CUTTER” IMPLEMENTATION
  • DEVELOPMENT TASKS
  • PROVISIONING TASKS

CONCLUSION

  • APPENDIX A – TYPICAL SECURITY REQUIREMENTS FROM AN IAM SYSTEM
  • APPENDIX B – MAPPING THE LIMA DESIGN TO THE OASIS MODEL OF IAM
  • APPENDIX C – SPECIAL CASE EXAMPLE 1 (MULTIPLEXING USER IDS)
  • APPENDIX D – SPECIAL CASE EXAMPLE 2 (RESETTING LAN PASSWORDS)
  • APPENDIX E – A SAMPLE PHASED ROLL-OUT PLAN