Identity Management on a Shoestring

This document is aimed at Security and IT practitioners (especially architects) in end-user organisations who are responsible for implementing an enterprise-wide Identity and Access Management (IAM) system. It is neither a conceptual treatment of Identity (for which we would refer the reader to Kim Cameron's excellent work on the Laws of Identity) nor a detailed technical manual on a particular product. It describes a pragmatic and cost-effective architectural approach to implementing IAM within an organisation, based on the experience of the authors.

Starting in early 2009, we built an IAM system for a large and established Australian financial services company, using a rather unconventional approach. While the system has not yet reached its envisioned target state, we have had significant success so far, and we believe our experience carries valuable lessons for others considering a similar journey. Identity Management as an applied practice does not enjoy a rich knowledge base in the public domain, so we are pleased to contribute our experience herewith. Most of what we describe here is from what we have already implemented and proven. Some of it refers to planned designs to meet forthcoming requirements, and some of it reflects (with the benefit of hindsight) the way we wish our solution had been designed! We have distilled these learnings into an architectural approach we call LIMA.

Our background and experience are largely with Java-based technologies, so Java shops would probably be best positioned to benefit from our suggestions, but we are sure these general principles can be suitably adapted to other technology platforms. As with any piece of unsolicited advice, the usual caveats apply. No guarantees or warranties are provided or implied. The reader is expected to apply common sense and sound design judgement when developing a solution based on this approach.

Free download

Buy the print version for $9.95

If you enjoyed reading the free download version, please support the author and InfoQ's book series by purchasing the print version.

Table of Contents

  • ACKNOWLEDGEMENTS
  • INTENDED AUDIENCE
  • COVER ILLUSTRATION

OVERVIEW – CHARACTERISTICS OF LIMA AT A GLANCE

  • INTRODUCTION

THE MODERN ENTERPRISE – A REALITY CHECK

  • SO YOU THINK YOU'RE GOING TO CHANGE THE WORLD
  • WHO'S YOUR SUGAR DADDY? FUNDING MODELS THAT WORK
  • FIRST THINGS FIRST – OBJECTIVES OF IDENTITY AND ACCESS MANAGEMENT
  • THE TROUBLE WITH BRAND-NAME PRODUCTS
  • MISCONCEPTIONS ABOUT SECURITY
  • AUDITORS, SECURITY AND WORDS OF WISDOM

INTRODUCING LIMA – A DIFFERENT ARCHITECTURE FOR IAM

  • LOOSE COUPLING – A FIRM FOUNDATION FOR IAM
  • SNEAK PREVIEW – WHAT A LIMA IMPLEMENTATION LOOKS LIKE

ACCESS MANAGEMENT, LIMA-STYLE

  • ACCESS MANAGEMENT CONCEPTS
  • HOW SINGLE SIGN-ON WORKS
  • THE BEST THINGS IN LIFE (AND IN IAM) ARE FREE
  • CENTRAL AUTHENTICATION SERVICE AND THE CAS PROTOCOL
  • SHIBBOLETH'S FEDERATED IDENTITY MODEL
  • CAS SERVER CONFIGURATION AND THE “TWO-LAYER PROTOCOL ARCHITECTURE”
  • ENHANCING ACCESS MANAGEMENT FUNCTIONALITY INCREMENTALLY
  • EXTENSION CASE STUDY 1: LAN SSO INTEGRATION WITH SPNEGO
  • EXTENSION CASE STUDY 2: TWO-FACTOR AUTHENTICATION WITH SMS ONE-TIME TOKENS
  • EXTENSION CASE STUDY 3: FEDERATED IDENTITY WITH SAML TOKENS
  • LIMITS TO THE TWO-LAYER PROTOCOL ARCHITECTURE
  • MISCELLANEOUS TOPICS IN ACCESS MANAGEMENT
  • PROTECTING NON-WEB APPLICATIONS
  • IMPLEMENTING “SINGLE SIGN-OUT”
  • IAM AND CLOUD COMPUTING
  • WHAT DO WE DO WITH ACTIVE DIRECTORY?
  • TAILORING COARSE-GRAINED ACCESS CONTROL
  • USING CAS TO CENTRALISE ENFORCEMENT OF AUTHORISATION RULES
  • USING A REVERSE-PROXY DEVICE AS A COMMON INTERCEPTOR
  • ACCESS MANAGEMENT FOR “PORTAL” APPLICATIONS

IDENTITY MANAGEMENT, LIMA-STYLE

  • IDENTITY MANAGEMENT CONCEPTS
  • SEPARATING CHURCH AND STATE – THE ROLES OF DIRECTORY AND DATABASE
  • DESIGNING THE IAM DIRECTORY
  • USER UUID – THE ONE RING TO RULE THEM ALL
  • DECOUPLING AUTHENTICATION, COARSE-GRAINED AND FINE-GRAINED AUTHORISATION REALMS
  • PERSON UUID – THE ULTIMATE IDENTITY REFERENCE
  • DATA REPLICATION AND MASTER DATA MANAGEMENT
  • DESIGNING THE IAM DATABASE
  • REST EASY WITH REST SERVICES
  • IAM REST SERVICE INTERFACE AT A GLANCE
  • AUTOMATED USER PROVISIONING – INVOCATION OF REST SERVICES
  • USER ADMINISTRATION
  • IAM, PROTECT THYSELF
  • PROVISIONING USERS TO DOWNSTREAM SYSTEMS
  • DESIGNING USER PROVISIONING MESSAGES

IMPLEMENTING LIMA

  • TRANSITIONING TO THE TARGET STATE
  • HARMONISING DATA
  • MANAGING SSO REALMS
  • MANUAL PROVISIONING
  • THE BAU OF IAM – A “COOKIE-CUTTER” IMPLEMENTATION
  • DEVELOPMENT TASKS
  • PROVISIONING TASKS

CONCLUSION

  • APPENDIX A – TYPICAL SECURITY REQUIREMENTS FROM AN IAM SYSTEM
  • APPENDIX B – MAPPING THE LIMA DESIGN TO THE OASIS MODEL OF IAM
  • APPENDIX C – SPECIAL CASE EXAMPLE 1 (MULTIPLEXING USER IDS)
  • APPENDIX D – SPECIAL CASE EXAMPLE 2 (RESETTING LAN PASSWORDS)
  • APPENDIX E – A SAMPLE PHASED ROLL-OUT PLAN