Identity and Access Management Components
What is IAM?
IAM is an abbreviation which stands for Identity and Access Management. The identity referred to here is a user’s digital identity, which is how they are represented online. This may be through a social login, personal / work email or even an application. Having the right person gain access to the right resource securely, without interference, using the devices they want is the purpose of Identity and Access Management. Aspects that an IAM provider addresses:
- Password Management
- Alleviating Identity Silos
- Securing APIs
- Regulatory Compliance
- Access Control
- Multi-factor Authentication
Before we get into the components, some important terms:
- User — A digital representation of a physical user who interacts with the system
- User Claims — Anything uniquely identified with the user — Name, date of birth, email, country, etc.
- User Store — A repository which stores information about the users and user roles.
- Permissions — Actions a user can perform based on their job profile.
Traditional IAM vs Centralized IAM
An organization may have a number of internal apps from HR, to Accounts, to Sales, etc. Traditionally, the user details would be managed on each app separately. Therefore when a new employee joins the organization, an employee account would need to be created in each application.
With Centralized Access Management, instead of each individual application managing user identities, there would be one centralized application, typically called the Identity Provider (IdP) which is responsible for this task. The user will log into the identity provider and it manages authentication and authorization for the other applications, APIs and resources.
Identity Federation
Identity federation allows users to use a single identity across different enterprises in different trust domains, based on a trust relationship between those domains. Businesses are growing and need to connect with external users, and it is not efficient to create each such user again in your own identity provider. Instead we can create a trust relationship between identity providers so that they can communicate with each other. For example, with BYOID (Bring Your Own Identity), users can use their Facebook or Google account to log in to multiple applications; this is known as identity federation with social login. This makes access easy, as users are not required to remember a different set of credentials for every application they use. However, the users still have to provide their credentials to each application separately, even though the credentials used are the same. This can be solved using single sign on.
Single Sign On (SSO)
Typical enterprise ecosystems have multiple applications which may follow a traditional identity management structure or more likely, follow a centralized access management structure as discussed above. Although the user’s identity details are maintained centrally, they would still need to login to each application separately, which not only creates a poor user experience but also increases the cost of development. The solution to this is to use an identity provider which supports SSO (Single Sign On). The user will initially login to an application through the identity provider by entering their credentials. Then whenever they attempt to login to another application which also uses that identity provider, it will send the user’s authenticated details from the currently established session. For example, when using Google applications, as long as a user is logged into their Gmail account, they can access all other Google applications without having to re-enter their credentials.
Common open standards used for SSO include SAML (Security Assertion Markup Language), OIDC (OpenID Connect) and WS-Federation.
Some key advantages of using SSO:
- Users need not remember multiple username/password pairs to access different services.
- A user only needs to be authenticated once at the identity provider, then they are automatically logged into all the services within that trust domain.
- The applications which use the identity provider (aka service providers) do not have the overhead of managing user identities.
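The SSO flow described above, as an added example that is not code from the original article: the user authenticates once at the identity provider, which then issues a short-lived, audience-bound assertion for each service provider from the existing session. SAML and OIDC sign assertions with the IdP's private key; this demo assumes a shared HMAC key per service provider and a constructed user store.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo: one identity provider and two service providers in the
# same trust domain. Assumption: each SP shares one HMAC key with the IdP.
SP_KEYS = {"hr-app": b"hr-shared-key", "sales-app": b"sales-shared-key"}

class IdentityProvider:
    def __init__(self, user_store):
        self.user_store = user_store   # username -> password (demo only)
        self.sessions = {}             # session id -> username

    def login(self, username, password):
        """Primary authentication happens exactly once, here."""
        if self.user_store.get(username) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def assertion_for(self, sid, audience, ttl=300, now=None):
        """Issue a short-lived, audience-bound assertion from an existing
        session, so the user never re-enters credentials at the SP."""
        username = self.sessions.get(sid)
        if username is None or audience not in SP_KEYS:
            return None
        now = int(time.time()) if now is None else now
        body = json.dumps({"sub": username, "aud": audience, "exp": now + ttl},
                          sort_keys=True)
        sig = hmac.new(SP_KEYS[audience], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

def sp_accept(sp_name, assertion, now=None):
    """Service provider side: verify signature, audience and expiry.
    Returns the authenticated username, or None to reject."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = assertion.rsplit(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SP_KEYS[sp_name], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims["aud"] != sp_name or claims["exp"] <= now:
        return None                    # replayed at another SP, or stale
    return claims["sub"]
```

The audience check is what stops an assertion minted for the HR app from being replayed at the sales app, even though both trust the same IdP.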
Multi-factor Authentication
Authentication is verifying that the user is who they say they are. Typically this would be done using a username and a password, but with the increase in digital crimes and internet fraud, the traditional factors are insufficient to provide strong security. Using more than one factor of authentication to distinctly identify a user is called Multi-factor authentication. For example, using a username and password followed by confirming your identity through email or an SMS OTP. This creates a layered defense, where even if one factor is broken the attacker has multiple other factors they need to get through.
These multiple factors can be:
- Something the user knows / Knowledge factor — Pin / Password / Security Question
- Something the user has / Ownership factor — Token / Phone (SMS OTP) / ATM card / ID card
- Something the user is / Inherence factor — Biometrics
Adaptive Authentication
A system has to strike a balance between security and convenience. Having to validate multiple factors of authentication every single time a user logs into their account can be a hassle. The solution is to adjust the authentication strength based on the user's risk profile and behavior, which is known as adaptive authentication. By examining the user account and the risk probability associated with the particular access request, the system may ask for more factors of authentication if the user is determined to pose a risk.
Decision Factors
- Request or environment factors
- User attributes and roles
- The required Level of Assurance (LoA)
- User behavior
- Analytics and ML
Scenarios
1. Role based adaptive authentication
If a particular role (such as admin or manager) has access to sensitive data, then add more authentication steps.
2. Device based adaptive authentication
More authentication steps when accessing from a less secure device such as a mobile phone.
3. IP-based or location based adaptive authentication
If the request is coming from a foreign country which the user hasn’t accessed from before, then add more authentication factors.
4. Level of Assurance based adaptive authentication
In a bank application, for balance inquiry the assurance needed is less than that of a fund transfer. Add more authentication factors depending on the level of assurance required.
5. Analytics based adaptive authentication
Based on event analysis. Uses a risk analysis engine to identify high risk users based on their behavior and add additional authentication factors as required.
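A risk-based decision engine that applies the five scenarios above, as an added example that is not code from the original article. It takes the request context and returns the factors to demand together with the reason each one was triggered; the role set, trusted device types, LoA scale and risk threshold are assumed values.

```python
from dataclasses import dataclass

# Constructed policy inputs (assumed values, not from the article). A real
# engine would read these from the user store, device registry and a risk
# analytics service.
PRIVILEGED_ROLES = {"admin", "manager"}
TRUSTED_DEVICE_TYPES = {"managed_laptop"}
OPERATION_LOA = {"balance_inquiry": 1, "fund_transfer": 3}  # assumed 1..3 scale
HIGH_RISK_SCORE = 0.7

@dataclass
class AccessRequest:
    user: str
    roles: set
    device_type: str
    country: str
    known_countries: set        # countries this user has logged in from before
    operation: str
    risk_score: float = 0.0     # 0..1, produced by an analytics/ML engine

def required_factors(req: AccessRequest) -> dict:
    """Map each authentication factor to demand to the first reason that
    triggered it. The password is the baseline; every matching scenario
    from the article steps the requirement up."""
    factors = {"password": "baseline knowledge factor"}
    if req.roles & PRIVILEGED_ROLES:                        # 1. role based
        factors.setdefault("totp", "privileged role")
    if req.device_type not in TRUSTED_DEVICE_TYPES:         # 2. device based
        factors.setdefault("totp", "untrusted device type")
    if req.country not in req.known_countries:              # 3. location based
        factors.setdefault("email_otp", "first access from this country")
    if OPERATION_LOA.get(req.operation, 1) >= 3:            # 4. LoA based
        factors.setdefault("totp", "high assurance operation")
        factors.setdefault("email_otp", "high assurance operation")
    if req.risk_score >= HIGH_RISK_SCORE:                   # 5. analytics based
        factors.setdefault("totp", "flagged by risk engine")
        factors.setdefault("email_otp", "flagged by risk engine")
    return factors

def step_up_needed(req: AccessRequest) -> bool:
    """True when the request needs more than the baseline password."""
    return len(required_factors(req)) > 1
```

Recording the triggering reason alongside each factor is what makes the decision auditable later, which matters more than the exact weights chosen here.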
Access Control
Access control is a method of limiting access to resources. Access is determined by the system after the user's identity is authenticated. The system will have different types of resources with different levels of users. Some users are prevented from accessing sensitive information/resources through access control. There are different types of access control, with the 4 main types being:
1. MAC — Mandatory Access Control
A central authority like a system administrator defines different access levels and each user is linked with a particular access level. So even if a user is the owner of a resource, they might not have access to it.
2. DAC — Discretionary Access Control
The system administrator has a list of users who can access a particular resource. DAC provides access based on the user’s identity and not based on the permission level.
3. RBAC — Role Based Access Control
Authorization decisions are made based on the user role.
4. ABAC — Attribute Based Access Control
Also known as fine grained access control. Considers attributes related to the application and the environmental conditions when making authorization decisions.
Example: SEs from team A can read and write to codebase x during office hours on the office network. If any of those conditions are not met, then access will not be granted.
- Attributes: SEs, team A, office hours, office network
- Subject: codebase x
- Permissions: read and write
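The ABAC policy from the example above as an evaluator, added here and not code from the original article: every attribute condition (subject attributes, action, resource, office hours, office network) must hold, and the decision defaults to deny. The office network range, the office-hours window and the `codebase-x` resource name are assumed values.

```python
import ipaddress
from datetime import datetime

# Constructed environment definitions (assumed values, not from the article).
OFFICE_NETWORK = ipaddress.ip_network("10.20.0.0/16")
OFFICE_HOURS = range(9, 18)          # 09:00-17:59, Monday to Friday

# The article's policy: SEs from team A may read and write codebase x
# during office hours on the office network.
POLICY = {
    "subject": {"job_title": "SE", "team": "A"},
    "resource": "codebase-x",
    "actions": {"read", "write"},
}

def in_office_hours(iso_time: str) -> bool:
    try:
        ts = datetime.fromisoformat(iso_time)
    except (TypeError, ValueError):  # unparseable timestamp never matches
        return False
    return ts.weekday() < 5 and ts.hour in OFFICE_HOURS

def on_office_network(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in OFFICE_NETWORK
    except ValueError:               # malformed address never matches
        return False

def failed_conditions(user: dict, action: str, resource: str, env: dict,
                      policy: dict = POLICY) -> list:
    """Evaluate every attribute condition and return the ones that fail.
    An empty list means permit; anything else is deny, and auditable."""
    failed = []
    if resource != policy["resource"]:
        failed.append("resource")
    if action not in policy["actions"]:
        failed.append("action")
    if any(user.get(k) != v for k, v in policy["subject"].items()):
        failed.append("subject")
    if not in_office_hours(env.get("time")):
        failed.append("office_hours")
    if not on_office_network(env.get("source_ip", "")):
        failed.append("network")
    return failed

def is_permitted(user: dict, action: str, resource: str, env: dict,
                 policy: dict = POLICY) -> bool:
    return not failed_conditions(user, action, resource, env, policy)
```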
User Provisioning
User provisioning is the process of creating, maintaining and deleting digital IDs / user accounts in a system and assigning the right privileges to them in the form of roles and rules. Identity provisioning is the key to identity federation. When using a centralized user management system, there is no need to create user accounts for separate apps; users are created in the identity provider.
User provisioning features include:
- Audit trails and reports — To track who changed what, when and why. To create reports on user privileges used for security audits
- Workflow management
- Notifications — Notify users about changes to their accounts and privileges.
- Self service operations — User can reset passwords, view access, change personal details, update preferences, etc.
- Creating groups
- Replicating organizational structure
- Provisioning and de-provisioning services
User Provisioning Methods
1. Inbound User Provisioning
Provisioning users/groups to your Identity Provider from external applications which are also called service providers.
2. Outbound User Provisioning
Provisioning users/groups from your Identity Provider to a trusted external Identity Provider, which is basically another Identity Provider that supports inbound provisioning.
3. JIT (Just In Time) User Provisioning
Provisioning users to the internal system at the time of federated authentication.
Access Delegation
Access delegation is allowing a third party application to access your resources and perform limited actions on your behalf. For example, think of an Airbnb apartment: the landlord has the keys to all the premises, but you as a tenant may only receive the key to the front door, not the tool shed, basement or attic. Here the landlord is the resource owner and you are the delegated party. Similarly, a user can delegate access to some files in their Google Drive account to a third party application such as a photo editor. That application will only be able to access the files allowed and perform the actions allowed.
An industry standard lightweight protocol used for secure access delegation is OAuth 2.0. It issues tokens with limited access so that third parties can access your resources securely. OAuth 2.0 is actually a framework on which new access delegation use cases can be built.
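The Google Drive / photo editor delegation above, as an added example that is not code from the original article: an authorization server issues an opaque token bound to the scopes and files the owner consented to, and the resource server enforces those limits on every call and honours revocation. The drive contents, scope names (`files:read`, `files:write`) and client id are constructed for the demo; this is not a full OAuth 2.0 flow.

```python
import secrets

# Constructed demo: Alice's drive, a photo-editor client, and an authorization
# server that issues opaque tokens limited to exactly what Alice consented to.
DRIVE = {"alice": {"holiday.jpg": b"JPEG...", "taxes.pdf": b"PDF..."}}

class AuthorizationServer:
    def __init__(self):
        self.grants = {}                 # opaque token -> grant record

    def issue_token(self, owner, client_id, scopes, files):
        """Called after the resource owner consents to this grant. The token
        carries no more than the consented scopes and files."""
        token = secrets.token_urlsafe(32)
        self.grants[token] = {"owner": owner, "client": client_id,
                              "scopes": frozenset(scopes),
                              "files": frozenset(files)}
        return token

    def introspect(self, token):
        return self.grants.get(token)    # None for unknown or revoked tokens

    def revoke(self, token):
        """Resource owner withdraws the delegation; the token stops working."""
        self.grants.pop(token, None)

class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server

    def _authorize(self, token, scope, name):
        """Default deny: the token must be live, hold `scope` and name `name`."""
        grant = self.auth.introspect(token)
        if grant is None or scope not in grant["scopes"] or name not in grant["files"]:
            return None
        return grant

    def read_file(self, token, name):
        grant = self._authorize(token, "files:read", name)
        return None if grant is None else DRIVE[grant["owner"]].get(name)

    def write_file(self, token, name, data):
        grant = self._authorize(token, "files:write", name)
        if grant is None:
            return False
        DRIVE[grant["owner"]][name] = data
        return True
```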
Regulatory Compliance
Consent management is used to ensure that systems and clients comply with regulations such as the GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act) and eIDAS (electronic Identification, Authentication and Trust Services Regulation). Consent management makes it easy to check the rights granted to users and prove to auditors that they are legitimate.
While a considerable emphasis is placed on security, IAM also aims at elevating user experience.
I hope this article has been able to give you a brief idea into various Identity and Access Management components. Thanks for reading.