Identity Toolkit


Tuesday, February 9, 2010

Identity Administration

Identity administration models include centralized, delegated, and self-service administration; delegated administration with workflow approval; public key infrastructure (PKI)-based administration; federated IdM; and automated administration. The identity of the person who is being allowed to administer designated IdM stores, functions, and data is often the principal difference among the models:
  • Manual: Administration of identity data and functions by IT personnel or LOB representatives; identity data may be entered directly into application environments that don’t source identity information from a shared service, or into a user provisioning system that distributes identity data to multiple applications.
  • Automated: Administration based on rules derived from business, security, or regulatory policies—accounts are created or access is granted based on the value of certain attributes (e.g., “if cost center is xyz, then permit access to procurement system”); these rules are evaluated and processed without human intervention or workflow approval. Two variants of this model:
    >> Workflow approval: A subset of automated administration that additionally requires the review and approval of the system, resource, or application owner before the change takes effect.
    >> Federated: In federated models, identity attributes are sourced from partner systems in an automated fashion at runtime. This is also known as just-in-time provisioning of access.
  • Self-service: Administration of selected user-specific identity data by the users to whom the data pertains. Self-service interfaces are increasingly required to allow internal or external users, who are often the best information source, to update and manage a subset of data about their identities and therefore shoulder a portion of the administrative cost. Self-service capabilities can include self-registration, subscribing to published services, maintaining personal data, and self-help such as password resets.
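The automated model and its workflow-approval subset are easiest to see as a small rule engine, so the following Python is added here as an illustration (it is not from the original post or from any IAM product). The rule format, the attribute names, the entitlement names and the identities are all constructed for the example; the cost-center rule mirrors the one quoted above, while the finance rule shows a grant that is routed to an owner for approval instead of being applied automatically. A `reconcile` step is included because the same rules that grant access should also drive its revocation when an attribute changes.

```python
# Added illustration of rule-based (automated) identity administration with a
# workflow-approval subset. The rule format, attribute names, entitlement names
# and identities below are constructed for the example, not taken from any product.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """Grant `entitlement` when identity attribute `attr` equals `value`.

    When `needs_approval` is set, the grant is routed to `approver` for sign-off
    instead of being applied without human intervention."""
    attr: str
    value: str
    entitlement: str
    needs_approval: bool = False
    approver: str = ""


@dataclass
class Outcome:
    granted: list = field(default_factory=list)  # applied automatically
    pending: list = field(default_factory=list)  # (entitlement, approver) awaiting sign-off


def evaluate(identity: dict, rules: list) -> Outcome:
    """Evaluate every rule against one identity's attributes."""
    out = Outcome()
    for r in rules:
        if identity.get(r.attr) != r.value:
            continue
        if r.needs_approval:
            out.pending.append((r.entitlement, r.approver))
        else:
            out.granted.append(r.entitlement)
    return out


def approve(out: Outcome, entitlement: str, actor: str) -> bool:
    """Owner sign-off: move a pending grant to granted.

    Returns False when nothing matches or when `actor` is not the designated
    approver, so a request cannot be approved by the wrong party."""
    for item in out.pending:
        ent, approver = item
        if ent == entitlement and approver == actor:
            out.pending.remove(item)
            out.granted.append(ent)
            return True
    return False


def reconcile(current: set, desired: set) -> tuple:
    """Compare the access a user already holds with what the rules now yield.

    Anything held but no longer justified by a rule is flagged for revocation,
    so an attribute change (a transfer to another cost center) removes access
    as automatically as it was granted."""
    return desired - current, current - desired


# Constructed rule set: one fully automated grant, one requiring owner approval.
RULES = [
    Rule("cost_center", "xyz", "procurement-system"),
    Rule("department", "finance", "general-ledger-admin",
         needs_approval=True, approver="gl-owner"),
]

if __name__ == "__main__":
    alice = {"uid": "alice", "cost_center": "xyz", "department": "finance"}
    out = evaluate(alice, RULES)
    print("auto-granted:", out.granted, "pending:", out.pending)
    approve(out, "general-ledger-admin", "gl-owner")
    print("after approval:", out.granted)
    print("reconcile:", reconcile({"procurement-system", "legacy-app"}, set(out.granted)))
```

The approver check in `approve` is the part worth keeping in any real implementation: a workflow is only a control if the system enforces who may sign off, rather than accepting any caller's approval.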

Sunday, February 7, 2010

Federation: The Empire Strikes Back

What is Federation?
Let us first discuss the challenge of identity silos.
Enterprise IAM suites provide a tightly coupled integration with managed resources.
This is better than having independent IDs on individual systems, but it falls short of the ideal solution, in which a unified identity can be maintained outside the enterprise domain.

With the increasingly collaborative environment enabled by online communities, there is a need for a loosely coupled system that provides a way to identify users across domains that collaborate frequently.

This is what Federation addresses.
So, to summarize technically, Federation is:
1. A set of technical, legal, and operational agreements that facilitate distributed identification, authentication and authorization across boundaries (security, departmental, organizational or platform).
2. A model based upon trust, in which user identities and security are individually managed and distributed by the service providers or member organizations.
3. A model in which each individual organization is responsible for vouching for the identity of its own users, and the users are able to interact transparently with other trusted partners based on this first authentication.
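To make points 2 and 3 concrete, and to show the just-in-time provisioning mentioned in the Identity Administration post above, the following Python is added here as an illustration; it is not from the original post. Both sides of the exchange are included: a partner identity provider that vouches for its own user by signing a short-lived assertion, and a service provider that holds a trust list of partners, checks the signature, audience and expiry, and only then creates or refreshes a local account from the partner's attributes. The assertion format (an HMAC-signed JSON payload standing in for a SAML or JWT token), the partner names, the shared key and the group-to-role mapping are all constructed for the example.

```python
# Added illustration of a federated login with just-in-time provisioning.
# The assertion format (an HMAC-signed JSON payload standing in for a SAML or
# JWT token), the partner names, shared keys and attribute-to-role mapping are
# all constructed for this example; they are not from any real federation.
import base64
import hashlib
import hmac
import json
import time


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Identity provider side: vouches for its own user ----------------------
def issue_assertion(issuer, key: bytes, subject, audience, attrs, ttl=300, now=None):
    """Sign a short-lived assertion about `subject` for one service provider."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "attrs": attrs}
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


# --- Service provider side: trusts partners, provisions at runtime ---------
class ServiceProvider:
    def __init__(self, name, trusted_idps: dict, role_map: dict):
        self.name = name
        self.trusted_idps = trusted_idps   # issuer -> shared key (the trust agreement)
        self.role_map = role_map           # partner group -> local role
        self.accounts = {}                 # local accounts, created on first login

    def verify(self, token: str, now=None) -> dict:
        parts = token.split(".")
        if len(parts) != 2:
            raise ValueError("malformed token")
        body, sig = parts
        claims = json.loads(_b64u_decode(body))
        # The issuer claim is used only to select a key; nothing else in the
        # payload is trusted until the signature under that key has been checked.
        key = self.trusted_idps.get(claims.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            raise ValueError("bad signature")
        if claims.get("aud") != self.name:
            raise ValueError("wrong audience")
        now = int(time.time()) if now is None else now
        if now >= claims.get("exp", 0):
            raise ValueError("expired")
        return claims

    def login(self, token: str, now=None):
        """Accept a partner assertion and create or refresh the local account."""
        claims = self.verify(token, now)
        local_id = f"{claims['iss']}:{claims['sub']}"   # namespaced per partner
        account = self.accounts.setdefault(local_id, {"roles": set()})  # JIT create
        groups = claims.get("attrs", {}).get("groups", [])
        # Access is derived from partner attributes on every login, so a group
        # removed at the partner disappears here at the next login as well.
        account["roles"] = {self.role_map[g] for g in groups if g in self.role_map}
        return local_id, account


PARTNER_KEY = b"constructed-shared-secret-for-the-example"

if __name__ == "__main__":
    sp = ServiceProvider("procurement.example",
                         {"idp.partner.example": PARTNER_KEY},
                         {"buyers": "purchase-requester"})
    token = issue_assertion("idp.partner.example", PARTNER_KEY, "bob",
                            "procurement.example", {"groups": ["buyers"]})
    print(sp.login(token))
```

Two design points carry over to real deployments: the local identifier is namespaced by issuer, so two partners asserting the same `sub` never collide into one account, and the role set is recomputed from the assertion on every login rather than only at first provisioning, which is what keeps a just-in-time account from outliving the partner's own decision to remove access.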

The figure below depicts a typical Federated environment: