This document lays out best practices for identity and access
management systems. These systems may be deployed in a variety
of contexts -- corporate, customer-facing, partner-facing, etc.
These deployment patterns are also described.
Identity and Access Management
Identity and access management is a term often used by different
industry participants -- software vendors, integrators,
customers and analysts -- to mean different things. It makes
sense, therefore, to start with some definitions:
Following are the most basic definitions relating to
identity and access management systems:
Identity -- A digital representation of a person or a
purely virtual entity which is managed similarly to a person.
Account -- The representation of an identity on a single
system or application.
Credential -- Something used by a person or virtual entity
to prove its identity to a system or application. For example,
a password, answers to security questions, a hardware token,
a soft token, etc.
Entitlement -- An access right assigned to an account,
typically within the context of a single system or application.
Most commonly entitlements are group memberships or application roles.
Account repository -- A database, either published (e.g.,
as a directory) or internal to a single system or application, which
enumerates accounts, along with related credentials and entitlements
for each account.
An identity and access management system (IAM for short) is a system
which automates the management of identities, accounts, entitlements
and credentials. These artifacts are managed where they already
exist, on one or more account repositories. Automation in the context
of IAM refers to the execution of clearly defined business processes:
each takes inputs (data feeds or user requests), applies policies,
runs workflows to interact with people, and produces outputs, namely
changes pushed to account repositories through integrations.
Identity management is a prerequisite to account management, which
in turn is a prerequisite to the management of entitlements and
credentials. In most cases, it is the management of entitlements
and credentials that is of interest and which yields value to
an organization. The management of identities and accounts is a
necessary prerequisite, but not very valuable in and of itself.
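As an added example (not code from the original document or from any product it describes), the following Python script sketches the automation model just described: an HR data feed as input, a role policy, and a reconciliation against a snapshot of one account repository that emits the provisioning actions a workflow would then carry out. All data, field names and the policy table are constructed assumptions for illustration.

```python
"""Added example, not from the original document: a minimal joiner/mover/
leaver reconciliation in the spirit of the IAM automation model above.
Every record below is constructed; the field names, the role policy and
the 'repository' are assumptions, not any product's data model or API."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# --- Input: an HR data feed (constructed sample). Each row is an identity. ---
HR_FEED = [
    {"id": "e1001", "name": "Ada",  "dept": "finance",     "status": "active"},
    {"id": "e1002", "name": "Bram", "dept": "engineering", "status": "active"},
    {"id": "e1003", "name": "Chen", "dept": "finance",     "status": "terminated"},
]

# --- Policy: entitlements each department should hold on this system (assumed). ---
ROLE_POLICY = {
    "finance":     {"erp-users", "expense-approvers"},
    "engineering": {"vcs-users", "build-admins"},
}
BASELINE = {"all-staff"}  # every active account gets this


# --- Account repository snapshot for one target system (constructed). ---
@dataclass
class Account:
    login: str
    identity_id: Optional[str]          # None => no identity behind it (orphan)
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


REPOSITORY = {
    "ada":   Account("ada",   "e1001", True, {"all-staff", "erp-users", "build-admins"}),
    "chen":  Account("chen",  "e1003", True, {"all-staff", "erp-users"}),
    "svc42": Account("svc42", None,    True, {"build-admins"}),
}


def desired_entitlements(identity: dict) -> Set[str]:
    """Apply policy: the entitlements an identity should hold on this system."""
    return BASELINE | ROLE_POLICY.get(identity["dept"], set())


def reconcile(feed: List[dict], repo: dict) -> List[Tuple[str, ...]]:
    """Compare identities (input) with accounts (repository) and return the
    provisioning actions an IAM workflow would execute (output)."""
    actions: List[Tuple[str, ...]] = []
    by_identity = {a.identity_id: a for a in repo.values() if a.identity_id}

    for ident in feed:
        acct = by_identity.get(ident["id"])
        if ident["status"] != "active":
            # Leaver: disable the account and strip its entitlements.
            if acct and acct.enabled:
                actions.append(("disable", acct.login))
                for e in sorted(acct.entitlements):
                    actions.append(("revoke", acct.login, e))
            continue
        want = desired_entitlements(ident)
        if acct is None:
            # Joiner: the account must exist before anything can be granted,
            # which is the identity -> account -> entitlement ordering.
            login = ident["name"].lower()
            actions.append(("create", login))
            for e in sorted(want):
                actions.append(("grant", login, e))
            continue
        # Mover or drift: grant what policy requires, revoke what it does not.
        for e in sorted(want - acct.entitlements):
            actions.append(("grant", acct.login, e))
        for e in sorted(acct.entitlements - want):
            actions.append(("revoke", acct.login, e))

    # Orphans: accounts with no identity behind them. Flag for review rather
    # than delete; deciding whether it is a service account belongs to a human step.
    for acct in repo.values():
        if acct.identity_id is None:
            actions.append(("review-orphan", acct.login))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_FEED, REPOSITORY):
        print(*action)
```

Running it on the constructed data yields ten actions: a grant and a revoke for Ada (her account has drifted from the finance policy), account creation followed by three grants for Bram, a disable and two revokes for Chen, and a review flag for the orphan svc42. The ordering is the point of the passage above: entitlements are only ever granted to an account that exists and is tied to an identity, and an account with no identity is escalated to a workflow rather than silently cleaned up.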
Other names for the same type of system
Just as the term identity and access management is sometimes
used to refer to other types of systems, so too are other
terms sometimes used to refer to IAM. These include:
Identity management (as though access rights are not also managed).
User provisioning (as though onboarding, rather than also change
management and deactivation, were the only objective).
Access governance (as though routine administration is excluded).
Identity and access governance.
Technically, products in this space are used for administration
and governance of identities, entitlements and credentials, but
nobody calls these systems "identity, entitlement and credential
administration and governance."
Related, but distinct types of systems
People new to IAM systems sometimes confuse them with
related, but nonetheless distinct types of systems:
Directories -- Contain lists of users and other objects,
such as groups and computers. Publish this information via a standard
interface, such as the Lightweight Directory Access Protocol (LDAP).
Directories do not embody any business process -- they simply house
and make accessible a set of data.
Authentication systems -- Used to provide either more
convenient or more secure mechanisms for users to sign into systems,
as compared to the passwords built into most account repositories.
They may include hardware tokens, biometrics, smart cards or apps
on mobile phones. Authentication systems do not manage any existing
identities, credentials or entitlements. Rather, an IAM system should
manage the directory that underpins each authentication system,
and users should be able to sign into the IAM system itself using
business-appropriate authentication methods.
Federated access -- A form of single sign-on where
a user is authenticated by one service (the identity provider or IdP)
before being able to interact with another service (the service
provider or SP). Typically based on an XML document standard for
assertions about user identities and entitlements, such as the
security assertion markup language (SAML). IAM systems should
manage the directory that underpins the IdP and users should be
able to sign into the IAM system using federated assertions.
Web single sign-on (Web-SSO) -- Older forms of single sign-on,
strictly into web applications, which either install an agent
on each web application or proxy connections between users and
web sites. Just like federated IdPs, Web SSO systems normally
rely on a directory, which should be managed by the IAM system.
Password management -- Self-service systems allowing
users to synchronize multiple passwords to a single value,
clear intruder lockouts and reset forgotten passwords. Some IAM
systems incorporate self-service password management, while
others may integrate with (e.g., to share integrations to account
repositories) or simply co-exist. Whereas an IAM system mainly
manages identities, accounts and entitlements, password management
systems mainly manage credentials.
Enterprise single sign-on (E-SSO) -- Systems which detect login
IDs and passwords typed by users, store these and replay them on
subsequent logins to the same application. Normally based on "screen
scraping" technology on the user's endpoint device. Require a secure
way to store credentials (a password wallet) and may integrate with
authentication systems prior to unlocking this storage. IAM systems
may have to inject passwords for newly created accounts into