This is the fifth post in my series:
Now that we have the identity data in a central vault, we are able to connect the Identity Management platform with the end target systems. The most obvious target system is the authentication domain, but many other target systems can exist within an organisation that would benefit from integration with the Identity Management system. A target system can be defined as any application in use by the organisation that requires a user account to be created in order to access the information and capability of the system. Applications are generally industry-specific; however, many applications are used across a number of organisations, including email, Active Directory, collaboration systems such as SharePoint and finance systems, and these can all be considered target systems.
Why integrate with IdM?
Identity Management provides a number of key benefits that encourage organisations to adopt this service. These include:
- automated account provisioning
- centralised account management
- development and application of organisation policies across applications
- centralised security and access management for accounts accessing each application
Each application has specific requirements for the creation of a new user account. In some instances an account may only require a first name, last name and date of birth. The Identity Management system requires a unique identifier so that each account can be identified and matched with the corresponding identity in the vault. The specific needs of each application will typically be documented by the application vendor. The Identity Management system will automate the creation of these accounts and synchronise future changes that originate from the source of truth. It is likely that specific customisation for each target application will be required to ensure that the desired attributes flow through from the vault.
In addition, connectivity to the target application is needed, with sufficient rights to create, modify and delete accounts. Where appropriate, the rights will also need to be sufficient to assign suitable access or authorisation entitlements within the application to the identities.
Traditionally, target applications were on-premises; however, targets hosted in the cloud are becoming increasingly common. The requirements for deploying Identity Management to cloud-based applications remain the same as those for on-premises applications. Communication between the Identity Management platform and the target systems is secured using a wide range of secure protocols.
Integrating an application with Identity Management services is typically undertaken to improve the security of the system through consistent processes applied to new and existing accounts, and enable more rapid provisioning for new users to the system.
While Identity Management may create the account in the target system, it is often also required to enable the account with a temporary password for the user. In most cases this temporary password will be changed on first login. A number of methods are used to ensure that the right user is accessing the account or system for the first time. These range from using specific user details at account creation, such as date of birth combinations, to using third-party devices such as mobile phones to verify the account on first login.
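As an added example (not part of the original post), the following Python sketch shows the provisioning loop described above: a per-target attribute mapping, matching on the unique identifier, and the create, modify and delete operations a connector would issue, including a temporary password flagged for change at first login. The vault records, the target accounts and the attribute names are constructed assumptions, not any real product's schema.

```python
import secrets
import string

# Constructed sample data (assumption): vault identities (source of truth) and
# the accounts currently present in a hypothetical target application.
VAULT = {
    "E1001": {"first": "Ada", "last": "Lovelace", "status": "active"},
    "E1002": {"first": "Alan", "last": "Turing", "status": "active"},
    "E1003": {"first": "Grace", "last": "Hopper", "status": "leaver"},
}
TARGET = {
    "E1002": {"givenName": "Alan", "sn": "Turning", "mail": "alan.turing@example.org"},
    "E1003": {"givenName": "Grace", "sn": "Hopper", "mail": "grace.hopper@example.org"},
    "X9999": {"givenName": "Orphan", "sn": "Account", "mail": "orphan@example.org"},
}

def map_attributes(identity):
    """Per-target customisation: vault fields -> this application's own schema."""
    return {
        "givenName": identity["first"],
        "sn": identity["last"],
        "mail": f"{identity['first']}.{identity['last']}@example.org".lower(),
    }

def temporary_password(length=16):
    """Random initial password; the account is flagged to change it at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def reconcile(vault, target):
    """Match vault identities to target accounts on the unique identifier; return (op, id, attrs) list."""
    ops = []
    for uid, identity in vault.items():
        if identity["status"] != "active":
            if uid in target:
                ops.append(("delete", uid, None))  # leaver: deprovision the account
            continue
        wanted = map_attributes(identity)
        if uid not in target:
            wanted.update(temp_password=temporary_password(), must_change_password=True)
            ops.append(("create", uid, wanted))
        else:
            changed = {k: v for k, v in wanted.items() if target[uid].get(k) != v}
            if changed:
                ops.append(("modify", uid, changed))  # sync drift from the source of truth
    for uid in target:
        if uid not in vault:
            ops.append(("delete", uid, None))  # no matching identity in the vault: orphan
    return ops
```

Whether "delete" means removal or disablement is a per-target policy decision; the example only computes the operation list, it does not apply it.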
Single Sign On
In the case of cloud-based applications, we more commonly see the new application using federated authentication services with the organisation's on-premises authentication directory. Federation enables an application to hand off the authentication request from the user to an approved authentication store. This ensures that only one username and password is ever required to log in successfully to all applications. This is commonly referred to as Single Sign On and is accompanied by a number of other services that provide simpler management of user credentials or improved security through centralised credential management, multi-factor authentication and even contextual authentication.
Identity Management is an enabler for cloud adoption. As more and more target systems are provided to organisations as a service offering, we are required to enable identity services for the provisioning and management of identities in these cloud services. Accompanying this is a raft of Single Sign On and user self-service capabilities. These ensure greater security and more rapid adoption of the cloud services, making the organisation more agile and able to adopt new capabilities faster.