Introduction to IAM Fundamentals with the WSO2 Identity Server
Introduction to Identity and Access Management (IAM)
In this section we discuss how traditional access management operates and where it falls short, give an overview of IAM concepts and their benefits, and introduce the WSO2 Identity Server and its features.
IAM is a security discipline that manages user identities and privileges securely and enables the right individuals to access the right resources at the right time. It also provides a better user experience, increases productivity and reduces IT costs.
Issues with Traditional Access Management
Before diving into IAM, let’s look at how a traditional organization’s infrastructure manages identities and access privileges. In the traditional access management approach, identities and privileges are managed inside each application, and users need to create a separate user account for every application they want to access. For example, if person X needs to access 5 different applications, he has to create 5 separate accounts and maintain the corresponding credentials separately. This approach cannot keep up with modern security challenges, and it has the following drawbacks:
· Higher chance of data breaches
· Poor user experience
· Difficulty in governance
· High IT cost
Identity and Access Management Concepts
Let’s discuss the basic IAM concepts and how they help to overcome the challenges discussed so far.
Centralized Access Management — Handling user authentication and account management at a central system.
This is one aspect of an IAM system. Users are managed centrally in a component called the identity provider. All applications trust this identity provider, and users log in through it. This eliminates the need to maintain multiple passwords and removes identity mismanagement issues from the application layer. When you introduce a new application there is no need to create user accounts inside it, and the developer does not need to worry about user management; the application simply integrates with the central identity provider. The process of managing user accounts and identity information within the system is called user provisioning.
With Single Sign-On (SSO), users do not need to enter their credentials every time they log in to an application. When a user tries to log in to an application, the application redirects the user to the identity provider. The user provides credentials to the identity provider and is authenticated there. After successful authentication, the identity provider sends the authenticated user’s information back to the application. Standards such as SAML, OIDC and WS-Federation define these requests and responses in advance.
Multi-Factor Authentication (MFA)
Password-based authentication is no longer secure enough to protect user accounts; attackers can break it easily. MFA is the answer to this problem. Authentication in MFA relies on two or more independent credentials from the categories below:
· Knowledge factors (something the user knows, such as a password)
· Possession factors (something the user has, such as a mobile phone)
· Inherence factors (something the user is, such as a fingerprint)
The user is authenticated with a combination of two or more of these factors. For example, the user is first authenticated with user credentials, which is a knowledge factor, followed by SMS-based authentication, which is a possession factor.
Even though MFA provides better security, it is not perfect and has some practical problems. Users don’t like to use MFA all the time, and, like password-based authentication, MFA is also open to attack. In Adaptive Authentication, authentication steps can be configured and deployed so that the system decides which steps to prompt during the authentication process depending on the user’s risk profile and behavior.
Identity Federation enables access to multiple systems across different organizations. In some cases you have to grant users from other organizations access to your applications. It is not practical to create accounts for all of those users. Instead, a trust relationship is created between the identity providers. When a user from one organization wants to access an application in another organization, the request first goes to the identity provider of the user’s own organization and is then forwarded to the identity provider of the other organization. The user can then access the application. This is called identity federation.
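An added example (not from the original post or from WSO2 Identity Server) of the decision an adaptive authentication policy makes. WSO2 Identity Server writes such policies as JavaScript scripts whose onLoginRequest function calls executeStep for each step it wants; this stand-alone stand-in models only the decision logic (password always, a second factor for privileged accounts or risky logins) with a constructed corporate network range and constructed risk signals.

```javascript
// Constructed policy inputs for the example.
const CORPORATE_NETWORK = "10.20.0.0/16";
const MFA_THRESHOLD = 2; // number of risk signals that triggers step 2

// IPv4 helpers so a source address can be tested against a CIDR range.
function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => (n << 8) + Number(octet), 0) >>> 0;
}
function inCidr(ip, cidr) {
  const [network, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

// Collect the signals that raise the risk of this login attempt.
function assessRisk(ctx) {
  const reasons = [];
  if (!inCidr(ctx.sourceIp, CORPORATE_NETWORK)) reasons.push("outside corporate network");
  if (!ctx.knownDevice) reasons.push("unrecognised device");
  if (ctx.recentFailedLogins >= 3) reasons.push("recent failed logins");
  return { score: reasons.length, reasons };
}

// Decide the steps: password (step 1) always; a second factor (step 2) for
// privileged accounts or when enough risk signals are present.
function planAuthenticationSteps(ctx) {
  const risk = assessRisk(ctx);
  const steps = [{ step: 1, authenticator: "basic" }];
  if (ctx.roles.includes("admin") || risk.score >= MFA_THRESHOLD) {
    steps.push({ step: 2, authenticator: "totp" });
  }
  return { steps, risk };
}
```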
Identity Federation with Social Logins
In modern society most users already have accounts with well-known identity providers such as Facebook, Google and GitHub.
WSO2 Identity Server
WSO2 Identity Server is a 100% open source IAM solution released under the Apache 2.0 license. It is a globally operating platform with 24*7 support for production customers. Its features include:
· Web Single Sign-On (SSO) and Identity Federation
· Identity Bridging
· Adaptive and Strong — Multi-Factor Authentication (MFA)
· Account Management and Identity Provisioning
· API Security
In my next article, let’s discuss how to manage users and credentials using WSO2 Identity Server.