What is Identity and Access Management?
An organization can have multiple systems like Active Directory, SharePoint, Oracle, Outlook, Teams or simply web applications, and hundreds or thousands of employees or users from outside organizations who need access to them. Managing every user's account and granting each user the appropriate access to each system is called Identity and Access Management (IAM).
Now imagine maintaining user details, login credentials, and access information for every single user on every system the organization uses. This is tedious for the organization, because credentials and access information have to be maintained separately in each system. This is the traditional approach, and some organizations still use it.
As the number of users grows, managing them this way becomes a hard problem that cannot be ignored. The main drawbacks of the traditional approach are the large up-front investment and the time it takes to set up initially and, later, to scale.
How Identity Management Solves this Problem
Now imagine all the user credentials and access information kept in one central place for every application the organization's users work with. Users are managed centrally in one directory, which the identity management system consults for the information about each user.
Users then authenticate once to the identity system, which tells each application who they are; after that single login they can use all the applications they are entitled to. A big advantage of this approach is that the individual applications no longer have to implement user authentication themselves, and can base their authorization decisions on the identity and attributes the identity management system provides. Some of the commonly used identity management systems include Microsoft Azure Active Directory, Microsoft Identity Manager, and Oracle Identity Management.
What are the Key Benefits for Organizations to use Identity and Access Management (IAM) Systems?
- Improved security. IAM solutions help identify and mitigate access-related risks. Giving employees or customers secure access to an organization's systems is a daunting task. Centralizing identities makes it easier to enforce strong authentication and to remove access promptly when someone leaves or changes role, which reduces the organization's exposure to account takeover and the identity fraud that can follow from it.
- Ease of use. IAM core features can come in the form of single sign-on, multi-factor authentication, and access management, or as a directory for identity and profile data storage. IAM simplifies signup, sign-in and user management processes for application owners, end-users and system administrators.
- Productivity. IAM centralizes and automates the identity and access management lifecycle, creating automated workflows for scenarios like a new hire or a role transition. This improves processing time for access and identity changes and reduces errors.
- Reduced IT costs. IAM services can lower operating costs. Using federated identity services means you no longer need local identities for external users, which makes application administration easier. Cloud-based IAM services can reduce the need to buy and maintain on-premises infrastructure.
One of the fastest-growing identity management systems today is Microsoft Azure Active Directory. Azure Active Directory provides secure and seamless access to cloud and on-premises applications, and organizations no longer have to manage a separate password for each application: end users sign in once to access Office 365 and thousands of other applications. Let's have a look at how identity management works.
Commonly Used Protocols by Identity Management Systems
Often discussed under the heading of Authentication, Authorization, and Accounting (AAA), these identity management protocols provide security standards that simplify access management, aid in compliance, and create a uniform way of handling interactions between users and systems. The protocols below cover the authentication and authorization parts; accounting, that is, recording who accessed what, is not defined by them and is left to the identity provider's and the applications' logging.
SAML. The Security Assertion Markup Language (SAML) protocol is most often used in systems employing the Single Sign-On (SSO) method of access control. In SSO, one set of credentials allows users to access multiple applications. This method is most beneficial when users must move between applications during a session. Instead of requiring an individual login for each application, SSO reuses the authentication already performed for the session to streamline the switch between applications. The resulting increase in efficiency helps prevent bottlenecks in the authorization process. The Dotcom-Monitor platform supports SSO using SAML 2.0.
OpenID. Like SAML, OpenID is used for web applications and can be seen in practice when signing in with a Google or Yahoo! account (today in its OpenID Connect form, which is an identity layer built on OAuth 2.0). Implementing it is less complicated than implementing SAML, making it accessible for a wider variety of applications.
OAuth. Large customer-facing platforms like Facebook, Google, and Twitter rely on OAuth to connect third-party applications with the permission of users. Rather than handing the user's password to the third party, OAuth has the user approve a specific, limited grant at the platform, and the third-party application receives an access token that lets it call the platform's APIs on the user's behalf without a separate login. The user may revoke that authorization at any time.
Let's see how some of these protocols work in Microsoft Azure Active Directory, one of the most commonly used identity management systems today.
Identity Management with Azure Active Directory
Azure Active Directory (Azure AD) simplifies the way you manage your applications by providing a single identity system for your cloud and on-premises applications. You can add your software as a service (SaaS) applications, on-premises applications, and line of business (LOB) apps to Azure AD. Then users sign in once to securely and seamlessly access these applications, along with Office 365 and other business applications. The Dotcom-Monitor platform supports integration with Azure ADFS to set up user authentication and access.
SAML 2.0 Protocol
Azure Active Directory (Azure AD) supports the SAML 2.0 protocol, enabling applications to provide a single sign-on experience to their users. SAML requires the identity provider (Azure AD) and the application (the service provider) to exchange information about themselves in advance: the application's entity ID and Assertion Consumer Service (ACS) URL, and the identity provider's sign-on URL and signing certificate.
The application uses the HTTP Redirect binding to pass an AuthnRequest element to Azure AD (the identity provider). Azure AD then uses the HTTP POST binding to send a Response element back to the application.
Authentication flow in SAML authentication:
- The user tries to access the application by entering the application URL in the browser.
- The application looks up the identity provider configured for it, in this case Azure AD, and the protocol to use, SAML.
- The application generates a SAML authentication request (AuthnRequest), and the user's browser is redirected to the Azure AD SAML single sign-on URL, where the user logs in with their credentials.
- Azure AD validates the credentials, authenticates the user, and generates a SAML assertion (the token).
- Azure AD digitally signs the SAML response containing the assertion and sends it back to the application through the user's browser.
- The application verifies the signature using the certificate Azure AD provided to it, confirming the response came from Azure AD, and checks that the assertion is addressed to it (Audience), is still within its validity window (NotBefore and NotOnOrAfter), and answers the request it actually sent (InResponseTo).
- The application now knows the user is valid, completes the authentication, and lets the user into the application.
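The SP-initiated flow above, as an added example that is not Dotcom-Monitor's or Microsoft's code: it builds the AuthnRequest for the HTTP Redirect binding and runs the checks the application must apply to the POSTed Response. XML signature verification needs an XML-DSig implementation (python3-saml or xmlsec, for instance) and is passed in as a callback; everything else is the Python standard library. All URLs, entity IDs and the sample response are constructed placeholders.

```python
"""SAML 2.0 SP-initiated SSO, from the application's (service provider's) side.

Added illustration, not Dotcom-Monitor or Microsoft code. signature_ok() stands in for
XML-DSig verification against the IdP's signing certificate; the other checks are the ones
an SP must run after the signature has been verified. All identifiers are placeholders.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ENTITY_ID = "https://app.example.com/saml/metadata"             # our (hypothetical) entity ID
ACS_URL = "https://app.example.com/saml/acs"                       # our Assertion Consumer Service
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT-ID/saml2"  # TENANT-ID is a placeholder
IDP_ENTITY_ID = "https://sts.windows.net/TENANT-ID/"               # issuer we expect in assertions


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """AuthnRequest XML the application generates (flow step 3); keep request_id in the session."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_binding_url(authn_request: str, relay_state: str = "/") -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)            # wbits=-15: raw deflate, no zlib header
    deflated = c.compress(authn_request.encode()) + c.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                          "RelayState": relay_state})


def decode_saml_request(url: str) -> str:
    """Inverse of redirect_binding_url, i.e. what the IdP does when the redirect arrives."""
    q = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(response_b64, expected_request_id, now, signature_ok) -> dict:
    """Checks for the POSTed SAMLResponse (flow steps 6-7). signature_ok(xml_bytes) -> bool must
    pass before anything in the document is trusted. Raises ValueError on any failure."""
    xml_bytes = base64.b64decode(response_b64)
    if not signature_ok(xml_bytes):
        raise ValueError("signature missing or invalid")
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or code is None or code.get("Value") != SUCCESS:
        raise ValueError("not a successful samlp:Response")
    if root.get("InResponseTo") != expected_request_id:    # unsolicited or replayed response
        raise ValueError("InResponseTo does not match our AuthnRequest")
    if root.get("Destination") not in (None, ACS_URL):
        raise ValueError("Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                                # exactly one, or do not trust any of it
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if cond is None or (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        raise ValueError("missing Conditions or assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Audience does not include this SP")  # assertion minted for another app
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


# Constructed sample response (unsigned; the demo stubs signature_ok to True for that reason only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Validate the sample at 12:01 (accepted), then with a request ID we never sent (rejected)."""
    b64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    ok = validate_response(b64, "_req1", _ts("2024-01-01T12:01:00Z"), lambda _: True)
    try:
        validate_response(b64, "_req2", _ts("2024-01-01T12:01:00Z"), lambda _: True)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return ok, replay_rejected
```

The order of the checks matters: nothing in the document is inspected until the signature callback has passed, and the InResponseTo, Audience and validity-window checks are what stop a signed assertion issued to a different application, or captured earlier, from being replayed against this one.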
OAuth 2.0 and OpenID Connect Protocols on the Microsoft Identity Platform
In nearly all OAuth 2.0 and OpenID Connect flows, four parties are involved in the exchange:
- Authorization Server. This is the Microsoft identity platform. It manages each user's identity, grants and revokes access to resources, and issues tokens. The authorization server is also known as the identity provider. It securely handles everything to do with the user's information, their access, and the trust relationships between the parties in a flow.
- Resource Owner. This is the end user: the party that owns the data and has the power to allow third parties to access that data or resource.
- OAuth Client. This is your application, identified by its unique application ID. The OAuth client is usually the party the end user interacts with, and it requests tokens from the authorization server. The client must be granted permission to access the resource by the resource owner.
- Resource Server. This is where the resource or data resides. It trusts the authorization server to authenticate and authorize the OAuth client, and accepts bearer access tokens issued by the authorization server as proof that access to a resource has been granted.
Authentication flow in OpenID Connect:
- The user enters the application URL in the browser.
- The application is registered with Azure AD and has a unique application ID. The application redirects the user to Azure AD with that application ID, so Azure AD can identify the application and present the user with a login screen.
- The user enters their credentials to authenticate and consents to the requested permissions. Azure AD validates the credentials and returns an authorization code (or, in the implicit flow, the token itself) to the user's browser.
- The user's browser delivers the code or token to the redirect URI registered in Azure AD for that application.
- The application exchanges the code for tokens, validates the ID token (signature, issuer, audience, expiry, and the nonce it sent), and sets the session, completing the authentication for the user.
- The user is securely signed in and allowed to access the application.
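The same flow from the application's side, as an added example that is not Microsoft's or Dotcom-Monitor's code: it builds the redirect with state, nonce and a PKCE challenge, checks the callback, and validates the ID token before a session is created. Azure AD signs ID tokens with RS256 using keys published at the tenant's jwks_uri; to run offline this example signs with HS256 and a shared secret, which is the only substitution from the real flow. The client ID, tenant, redirect URI and the simulated authorization server are constructed placeholders.

```python
"""OpenID Connect authorization code flow with PKCE, relying-party side.

Added illustration, not Microsoft or Dotcom-Monitor code. The authorization server is simulated
inline (mint_id_token, and the PKCE check in demo); HS256 replaces Azure AD's RS256 so the example
runs offline. Every identifier below is a placeholder.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "11111111-2222-3333-4444-555555555555"            # hypothetical application (client) ID
REDIRECT_URI = "https://app.example.com/auth/callback"        # must match the registration exactly
ISSUER = "https://login.microsoftonline.com/TENANT-ID/v2.0"   # TENANT-ID is a placeholder
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login() -> tuple:
    """Step 2: build the redirect to Azure AD. Returns (url, values to keep in the server-side session)."""
    verifier = b64url(secrets.token_bytes(32))
    session = {"state": secrets.token_urlsafe(16),   # ties the callback to this browser session (CSRF)
               "nonce": secrets.token_urlsafe(16),   # ties the ID token to this login attempt (replay)
               "code_verifier": verifier}            # PKCE secret; only its hash crosses the front channel
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256"}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def handle_callback(callback_url: str, session: dict) -> str:
    """Step 4: the browser arrives at the redirect URI. Returns the authorization code, which the
    application then POSTs together with code_verifier to the token endpoint (server to server)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError("authorization server error: " + q["error"][0])
    if q.get("state", [None])[0] != session["state"]:   # forged or cross-session callback
        raise ValueError("state mismatch")
    return q["code"][0]


def mint_id_token(key: bytes, claims: dict) -> str:
    """Stand-in for the authorization server's token endpoint (HS256 for the offline demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(id_token: str, session: dict, key: bytes, now: int) -> dict:
    """Step 5: verify the ID token before trusting any claim in it."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":  # never accept "none" or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:                   # validly signed, but minted for another app
        raise ValueError("wrong audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch (replayed token)")
    return claims


def demo(now: int = 1_700_000_000, bad: dict = None) -> dict:
    """Run the whole exchange against a simulated authorization server; `bad` overrides token claims."""
    key = b"constructed-demo-signing-key"
    url, session = start_login()
    sent = parse_qs(urlparse(url).query)
    # Simulated Azure AD: user signs in and consents; it stores the challenge and redirects back with a code.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-auth-code", "state": sent["state"][0]})
    code = handle_callback(callback, session)
    # Simulated token endpoint: the PKCE check ties redemption of `code` to whoever started the login.
    if b64url(hashlib.sha256(session["code_verifier"].encode()).digest()) != sent["code_challenge"][0]:
        raise ValueError("code_verifier does not match code_challenge for " + code)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-object-id", "nonce": sent["nonce"][0],
              "nbf": now - 60, "exp": now + 3600, "preferred_username": "alice@contoso.example"}
    claims.update(bad or {})
    return validate_id_token(mint_id_token(key, claims), session, key, now)


def is_rejected(bad: dict) -> bool:
    """True if validate_id_token refuses a token whose claims were altered as in `bad`."""
    try:
        demo(bad=bad)
        return False
    except ValueError:
        return True
```

Against a real tenant, replace mint_id_token and the inline PKCE check with an HTTPS POST of the code and code_verifier to the tenant's token endpoint, and verify the RS256 signature with the key from the jwks_uri whose `kid` matches the token header; the issuer, audience, expiry and nonce checks stay exactly as written.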
In Summary: Identity and Access Management
The objective of IAM is to ensure that authorized users have secure access to the resources they need, like databases, applications, and systems. IAM simplifies processes for application owners, end users, and system administrators, ensuring they can carry out their essential duties quickly and effectively. Learn more about how Dotcom-Monitor supports IAM with third-party service integrations and SSO setup within the Dotcom-Monitor platform.