By Rajat Bhargava Posted August 11, 2016
The IT landscape has adopted a fancy new phrase: federated identity management.
It essentially means an identity that can be used by multiple organizations. However, in many cases, the phrase is used to refer to taking an identity and exporting it to many different types of third-party, external solutions.
While the first use case made a great deal of sense in an earlier time, when each organization’s infrastructure was a silo, now, with modern cloud infrastructure and web applications becoming the norm, it is easier than ever to provide access to individuals from various firms. Even more importantly, many organizations, for obvious security reasons, are seeking to limit access by third parties into their network.
The other use case of federating identities to third party solutions is much more common and is happening every day. For both of these federated identity management definitions, a cloud-based directory platform can serve as the best solution.
Making Sense of Federated Identity Management
Federated identities are, basically, those that are portable and exported to a variety of different systems and applications. This can include IT resources within your organization and those external to it. Additionally, they may be at a third party IT provider.
In any of these scenarios, the process starts with a user’s identity stored within a directory service. That directory service will then export, authenticate, or assert that the user’s identity is valid when requested by a third party.
The key problem this scenario creates is that IT resources leverage different protocols and approaches to federated identities. Some leverage the LDAP protocol, others SAML, and still others security tokens. The challenge for IT organizations is how to manage a person’s identity across all of the IT resources they require on a day-to-day basis.
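The exchange described above, a directory asserting a user’s identity to a third-party service that then checks the assertion before granting access, as an added example that is not code from the original post or from any product it describes. It uses a constructed, HMAC-signed assertion as a simplified stand-in for a SAML assertion or security token; the key, issuer name and audience names are all constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed shared key between the directory (identity provider) and one
# third-party application (service provider). In practice each relying party
# gets its own key or a public-key trust relationship.
IDP_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "directory.example"  # constructed name of the directory service


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key: bytes, subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Directory side: assert that `subject` is valid, for one audience, for a short time."""
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def verify_assertion(key: bytes, token: str, expected_aud: str, now: int):
    """Third-party side: return the asserted subject, or None if anything fails.

    The checks that matter for a relying party: the signature is genuine, the
    assertion was issued by the trusted directory, it was issued *for us*
    (audience), and it has not expired.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected_sig = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims.get("sub")
```

A real SAML or token-based integration adds the same checks on top of XML or JWT parsing; the audience and expiry checks are the ones most often skipped in home-grown integrations.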
How it Used to Work
Legacy identity management solutions solved this problem in the past using a collection of solutions and translation services. The core on-premises user directory – often the commercial Microsoft Active Directory or the open source OpenLDAP – would house the authoritative user credentials. Multiple solutions would interface with the legacy identity provider, including web application single sign-on solutions, directory extensions (in order to manage Macs and Linux machines), LDAP integrations, and more. All of these solutions would work together, albeit not without difficulty, to federate an identity. This in turn allowed access to all of the applications and/or resources users needed. This approach was cumbersome and expensive, not to mention fraught with security risks.
The Future of Federated Identity Management
An identity can be federated to a wide variety of IT services including systems, applications, and networks. Third-party users can be easily granted permanent or temporary access to any of the resources through a central management console. IT resources can operate on any Windows, Mac, or Linux device, as on-premises hosted applications, or as cloud applications. The core cloud-based directory service can also act as a virtual RADIUS or LDAP server for authentication into the WiFi network.
The Directory-as-a-Service platform serves as a central user data store, but also provides the right amount of integration and portability for a wide variety of IT resources. If you would like to learn more about how Directory-as-a-Service can be your federated identity management platform, drop us a note. We’d be happy to help you understand the solution’s capabilities.