An Overview of Identity and Access Management (IAM) and Identity Provider (IdP)
Identity and Access Management is the security discipline that enables the right individuals to access the right resources at the right time for the right reasons.
In this post, we will cover an overview of the main topics associated with Identity and Access Management.
What is Identity
When a person attempts to access a resource, we first need to know who they claim to be, and then make sure they really are that person.
An identity is the unique representation of a user (or a service) within a system: an account or user ID together with attributes such as name, e-mail address and group memberships. Identification is the act of presenting that identity to a system ("I am alice"); proving it is authentication, covered below.
Applications and systems use the identity to look up what, if anything, the user is allowed to do.
Identity management is the lifecycle of identities (creation, updates and deletion) and is handled separately from the access levels attached to them.
What is Authentication
Authentication is the process of proving an identity. To do so, the user must submit their credentials to the authentication entity to gain access.
Authentication is often referred to as AuthN.
There are several different forms of authentication:
Multi-factor Authentication (MFA)
Generally, there are three common categories of factors that can be used for authentication:
- Something you know (such as a password or PIN)
- Something you have (such as a smart card or an authenticator app)
- Something you are (such as a fingerprint or other biometric)
Multi-factor authentication requires two or more factors from different categories. A password plus a security question is not MFA: both are something you know.
The purpose of multi-factor authentication is to add another layer of protection, so that a stolen or guessed password alone is not enough to log in.
Single Sign-On (SSO)
Single Sign-On (SSO) is a property that allows a user to authenticate once and gain access to all other systems associated with that login without authenticating again.
An example of SSO is when you log in to Google and can then use Gmail, Google Docs and Google Sheets without providing your login details again.
Federation
Federation extends SSO across organizational or domain boundaries: one organization agrees to trust another's identity provider to authenticate its users. Google and Facebook are two of the biggest federation providers for consumer sign-in.
This allows our users to authenticate to our systems using the credentials they already hold with those providers; our systems never see the password, only the provider's assertion that the user authenticated.
Tokens
Tokens can be hardware- or software-based and provide an authentication mechanism based on "something you have".
Hardware tokens include smart cards, which are presented to the computer through a card reader and carry the credential that proves the user's identity.
Software tokens (authenticator apps) can be installed on a device the user already has, such as a mobile phone, and generate one-time passcodes, typically a six-digit code that changes every 30 seconds.
Authorization
Authorization is the process of determining which users may access which resources in a system, and what they may do with them.
Users are assigned or granted access to specific resources within a system. This access is usually based on the user's role rather than granted individually.
Once a user is authenticated, they may use only the resources they have been authorized for; authentication by itself grants nothing.
Why do we Need IAM
We need IAM for a number of reasons:
First, we need IAM to protect our systems. We don’t want just anyone to access our private or confidential data without having to prove their identity.
Secondly, we need to ensure that only authorized persons can access the resources that they are assigned to.
We also need IAM for accountability. If an action is performed, we need to know who performed it. Audit logs record each action against an identity, so an action can be traced back to a person. Without IAM, we have no way of knowing who performed what action.
Using an Identity Provider (IdP)
In the early days, when developers built applications that required user authentication, they had to create a user store within the application in order to identify users. On top of that, the developers had to build an authentication method and a roles-and-rights engine.
Each new application required this setup. The problem was that when the authentication method had to change, the developers had to modify every application to cater for the new requirement.
Using a local authentication mechanism is painful for users, developers and administrators:
- Users must enter a username and password to access each application, i.e. no SSO capability
- This often results in weak passwords or password reuse across applications
- Developers have to build and maintain yet another credential store
- There is no centralized place to manage users, so accounts are easily left behind when someone leaves
Using an Identity Provider (IdP) solves these problems.
Claim Based Access Model
The modern Identity and Access Management mechanism uses a claims-based access model.
In claims-based access, developers replace the authentication logic in the application with simpler logic that accepts a set of claims (statements about the user, such as their identifier, e-mail address and roles).
A trust is established between the application and a source of authentication and authorization, in this case an identity provider or IdP.
The application accepts the claims because of that trust, but only after checking that they genuinely came from the IdP and are meant for this application: the signature verifies with the IdP's key, the issuer is the expected one, the audience names this application, and the token has not expired.
Also, the application doesn't have to handle any passwords, since users never authenticate directly to the application. Instead, users authenticate to the identity provider, which generates a signed claim set or access token that is sent on to the application.
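The following script is an added example, not code from the original post, covering both the claims-based model described above and the authorization step described earlier: it plays the IdP (minting a signed claim set as a JWT after the user has authenticated) and the application (verifying that claim set and then deciding, deny-by-default, whether the roles it carries permit the requested action). The shared HS256 key, issuer URL, audience name, role table and all function names are this example's own assumptions; real IdPs normally sign with an asymmetric key whose public half the application fetches, but the checks are the same. It also includes an attacker's attempt to edit the roles claim, which the signature check defeats.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for the example: an HS256 key shared between IdP and application,
# the IdP's issuer identifier and this application's audience identifier.
IDP_SIGNING_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example.com"
AUDIENCE = "payroll-app"

# Authorization policy owned by the application: role claims -> permitted actions.
ROLE_PERMISSIONS = {
    "payroll-admin": {"view_salary", "edit_salary"},
    "employee": {"view_own_payslip"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def idp_issue_token(key: bytes, subject: str, roles: list, now: int, ttl: int = 300) -> str:
    """IdP side: after the user has authenticated, mint a signed claim set (a JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = f"{_encode_json(header)}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def app_verify_token(key: bytes, token: str, now: int) -> dict:
    """Application side: trust in the IdP is only as good as these checks.
    Returns the verified claims or raises ValueError."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:                        # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm; never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was issued for a different application")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return claims


def app_authorize(claims: dict, action: str) -> bool:
    """Authorization: deny by default; allow only if a verified role grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in claims.get("roles", []))


def handle_request(token: str, action: str, now: int) -> tuple:
    """AuthN then AuthZ: a valid token is not by itself permission to act."""
    try:
        claims = app_verify_token(IDP_SIGNING_KEY, token, now)
    except ValueError as err:
        return ("denied", f"authentication failed: {err}")
    if app_authorize(claims, action):
        return ("allowed", claims["sub"])
    return ("denied", "not authorized for " + action)


def forge_claims(token: str, **changes) -> str:
    """An attacker's attempt: rewrite the claims but keep the original signature."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(c_b64))
    claims.update(changes)
    return f"{h_b64}.{_encode_json(claims)}.{s_b64}"


if __name__ == "__main__":
    now = int(time.time())
    token = idp_issue_token(IDP_SIGNING_KEY, "bob", ["employee"], now)
    print(handle_request(token, "view_own_payslip", now))                                    # allowed
    print(handle_request(token, "edit_salary", now))                                         # denied: not authorized
    print(handle_request(forge_claims(token, roles=["payroll-admin"]), "edit_salary", now))  # denied: bad signature
    print(handle_request(token, "view_own_payslip", now + 600))                              # denied: expired
```

Note the order inside `handle_request`: the token is fully verified before any claim is read, and the roles claim only reaches the authorization policy after the signature, issuer, audience and expiry checks have passed. Revoking a user at the IdP stops new tokens being issued; tokens already in circulation remain valid until `exp`, which is why short lifetimes matter.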
Using an Identity Provider means:
- Developers don’t have to build strong authentication methods, nor do they have to store and protect users’ passwords
- If a change in authentication method is needed we only change it on the identity provider. The application remains unmodified
- Users are happy - they can be authenticated once into the identity provider and seamlessly access other granted applications, i.e. (SSO)
- Administrators are also happy - if a user leaves the company the administrator can disable the user in the identity provider and immediately revoke all access.
Summary
Identity
An identity is the unique representation of a user within a system; identification is presenting it, and authentication is proving it.
Authentication vs Authorization
AuthN
- The act of proving who you are
- Often referred to as AuthN
- Common methods of AuthN:
- Form-based authentication (username and password)
- Multi Factor Authentication (MFA)
- Tokens
AuthZ
- The act of granting someone access
- Often referred to as AuthZ
- Examples of AuthZ
- Your user object is a member of a group. The group is entitled to a folder with specific privileges. You are authorized to interact with the files within the folder.
IdP
- A centralized place to manage users, authentication and authorization
- More secure: enforces consistent, industry-standard user and password policies in one place
- Provides SSO
- Easier access management and revocation