Identity management systems
An identity management system refers to an information system, or to a set of technologies that can be used to support the management of identities.
An identity management system:
- Establishes the identity:
  - Links a name (or number) with the subject or object;
  - Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object);
- Describes the identity:
  - Optionally assigns one or more attributes applicable to the particular subject or object to the identity;
  - Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object);
- Follows identity activity:
  - Records and/or provides access to logs of identity activity;
  - Optionally auto-analyses behaviour patterns of the identity;
- Destroys the identity.
Electronic identity management
Several interpretations of identity management (IdM) have been developed in the IT industry. Computer scientists traditionally associate the phrase with the management of user credentials and the means by which users might log on to an online system. With the emergence of phishing attacks it became obvious that service provider identities also need to be managed. Phishing precisely exploits the difficulty of properly identifying and authenticating service providers on the web due to poor management of service provider identities.
With relation to online government services the term National Identity Management has been used. In general, electronic IdM can be said to cover the management of any form of digital identities.
The focus on identity management goes back to the development of directories, such as X.500, where a namespace serves to hold named objects that represent real-life "identified" entities, such as countries, organizations, applications, subscribers or devices. The X.509 ITU-T standard defined certificates that carry identity attributes as two directory names: the certificate subject and the certificate issuer. X.509 certificates and PKI systems operate to prove the online "identity" of a subject. Therefore, in IT terms, one can consider identity management as the management of information (as held in a directory) that represents items identified in real life (e.g. users, organisations, devices, services, etc.). The design of such systems requires explicit information and identity engineering tasks.
The evolution of identity management follows the progression of Internet technology closely. In the environment of static web pages and static portals of the early 1990s, corporations investigated the delivery of informative web content such as the "white pages" of employees. Subsequently, as the information changed (due to employee turnover, provisioning and de-provisioning), the ability to perform self-service and help-desk updates more efficiently morphed into what became known as Identity Management.
Typical identity management functionality includes the following:
- User information self-service
- Password resetting
- Management of lost passwords
- Workflow
- Provisioning and de-provisioning of identities from resources
Identity management also addresses the age-old 'N+1' problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.
The term identity engineering refers to putting engineering effort into managing large numbers of interrelated items that have identifiers or names.
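As an added example (not code from the original article), here is a small Python model of the lifecycle steps listed earlier (establish, link, describe, follow activity, destroy) in one central store that provisions and de-provisions accounts in several target systems, including an application added later, which is the 'N+1' case. The target systems, names and attributes are constructed for illustration, and the orphan-account audit at the end is an assumed administrator check rather than a feature the article names.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Identity:
    id: int
    names: set = field(default_factory=set)        # names/numbers linked to the subject
    attributes: dict = field(default_factory=dict)


class IdentityStore:
    def __init__(self, target_systems):
        self._ids = count(1)
        self.identities = {}             # id -> Identity (destroyed ones are removed)
        # Constructed stand-ins for each application's user store: login name -> attributes
        self.targets = {t: {} for t in target_systems}
        self.activity_log = []           # "follows identity activity"

    def _log(self, ident_id, event, **details):
        self.activity_log.append({"id": ident_id, "event": event, **details})

    def _provision(self, ident):         # push the current names/attributes to every target
        for store in self.targets.values():
            for name in ident.names:
                store[name] = dict(ident.attributes)

    def establish(self, name, **attributes):
        ident = Identity(next(self._ids))
        self.identities[ident.id] = ident
        self._log(ident.id, "establish")
        self.link(ident.id, name)
        self.describe(ident.id, **attributes)
        return ident.id

    def link(self, ident_id, name):      # (re-)establish: attach another name or number
        ident = self.identities[ident_id]            # KeyError if already destroyed
        if any(name in o.names for o in self.identities.values()):
            raise ValueError(f"name {name!r} already linked to an identity")
        ident.names.add(name)
        self._provision(ident)
        self._log(ident_id, "link", name=name)

    def describe(self, ident_id, **attributes):   # describe / re-describe
        ident = self.identities[ident_id]
        ident.attributes.update(attributes)
        self._provision(ident)
        self._log(ident_id, "describe", changed=sorted(attributes))

    def add_target(self, system):        # the N+1 case: a new application, no new user store
        self.targets[system] = {}
        for ident in self.identities.values():
            self._provision(ident)

    def destroy(self, ident_id):         # de-provision everywhere; the log entries are kept
        ident = self.identities.pop(ident_id)
        for store in self.targets.values():
            for name in ident.names:
                store.pop(name, None)
        self._log(ident_id, "destroy", names=sorted(ident.names))

    def orphan_accounts(self):           # audit: accounts in a target that no identity owns
        owned = {n for i in self.identities.values() for n in i.names}
        return sorted((s, n) for s, store in self.targets.items() for n in store if n not in owned)
```

An account that appears in a target but not in the central store (the `orphan_accounts` result) is exactly the kind of leftover that de-provisioning from one place is meant to prevent.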
Types of Identity management systems
We can distinguish three main types of IMS:
- Type 1: IMS for account management
  - Type 1 IMS are used within an organization, especially for account and access administration for computers and network services (e.g. the Windows NT domain concept by Microsoft, NIS by Sun, etc.).
- Type 2: IMS for profiling of user data by an organization
  - Type 2 IMS are used for managing and exploiting large amounts of statistical user information (for instance in marketing).
- Type 3: IMS for user-controlled context-dependent role and pseudonym management
  - Type 3 IMS are characterised by user control: they are basically decentralised and user- and client-oriented (management is done by the user). The data managed are mainly personal data. This kind of IMS can for instance be found in the user profiles of social network services.
Solutions
Solutions which fall under the category of identity management may include:
Management of identities
- Provisioning/De-provisioning of accounts
- Workflow automation
- Delegated administration
- Password synchronization
- Self-service password reset
Access control
- Policy-based access control
- Enterprise/Legacy single sign-on (SSO)
- Web single sign-on (SeoS)
- Reduced sign-on
Directory services
- Identity repository (directory services for the administration of user account attributes)
- Metadata replication/Synchronization
- Directory virtualization (Virtual directory)
- e-Business scale directory systems
- Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP
Other categories
- Role-based access control (RBAC)
- Federation of user access rights on web applications across otherwise untrusted networks
- Directory-enabled networking and 802.1X EAP
Standards initiatives
- Security Assertion Markup Language (SAML)
- Liberty Alliance — A consortium promoting federated identity management
- Shibboleth (Internet2) — Identity standards targeted towards educational environments
- Global Trust Center
List of Leading Identity management systems
- Sun Identity Manager (will be supported only up to 2014)
- Microsoft Active Directory in Windows Server
- Microsoft Identity Lifecycle Manager 2007 and Microsoft Identity Integration Server
- Microsoft Forefront IM 2010
- Oracle IM 11g
- IBM Tivoli IM
- Novell IM
- CA Technologies IM
- Courion IM
Comparison of Leading Identity management systems
System | Provisioning/De-provisioning of accounts | Workflow automation | Delegated administration | Password synchronization | Self-service password reset | Policy-based access control | Enterprise/Legacy single sign-on (SSO) | Web single sign-on (SeoS) | Identity repository (directory services for the administration of user account attributes) | Metadata replication/Synchronization |
---|---|---|---|---|---|---|---|---|---|---|
Microsoft Active Directory | between AD | |||||||||
MS FIM 2010 | ||||||||||
Oracle IM | ||||||||||
See also
- Identity management
- Lightweight Directory Access Protocol (LDAP)
- Light-Weight Identity (LID)
- Metadirectory and Virtual directory
- Network Information Service (NIS)
- OpenID
- Privacy enhancing technologies (PET)
- Single sign-on (SSO)
- User profile
- Windows CardSpace
- XML Enabled Directory (XMLED)
- Yadis
External links
- FIDIS Database on IMS: the FIDIS IMS Database gives a non-comprehensive overview and a brief description of identity management systems and tools.
- Identity Management Solutions by Tools4ever
- Access & Identity Management Suite by Avatier