The fundamentals of Identity and Access Management
Have you ever heard terms like IAM, authentication, authorization or user management in software development? Are you curious to know how these terms relate to core concepts of software engineering? If so, this article gives you a brief overview of the fundamentals of IAM, with examples.
What is IAM?
IAM stands for Identity and Access Management. It adds an extra layer of security to enterprise applications, enabling administrators to control access to resources using features such as authentication, authorization, user management and many others.
IAM can control user- or role-based access to enterprise applications and enables single sign-on for seamless user authentication across the enterprise applications integrated with it. It verifies user requests and either grants or denies permission to protected resources. In this way IAM also establishes trust with external entities such as cloud solutions or third-party applications. Above, you saw terms like authentication and user/role-based access (authorization). Let’s look at what exactly they mean.
What is Authentication and Authorization?
When it comes to security, these two terms are generally used together. In simple words, authentication means validating a user’s identity when they access a protected resource, and authorization means allowing or denying that user access to the protected resource. Authorization happens only after the system has successfully authenticated the user’s identity: authentication establishes that you are allowed into the system at all, and authorization then verifies your right to the individual resources it protects, such as files and databases. Let’s take the example of a leave application portal to understand this better.
Robert, Smith and Mark work in the same organisation, where Robert is the IT administrator, Smith is a software developer and Mark is a tech lead. When Smith and Mark joined the organisation, Robert created their profiles in the employee database using the IAM system. Robert also assigned the lead role to Mark and the user role to Smith. When Smith wants to apply for leave, he goes to the portal (that is, Smith is trying to access a protected resource on the portal) and logs in using the credentials given to him. If the credentials are correct and the login succeeds, that is an example of successful authentication. Now he applies for leave and tries to approve it himself. But since Robert assigned the user role to Smith, he is not authorised to approve leave, so in that case authorization fails. If Mark logs in to the portal and approves Smith’s leave, that is an example of successful authentication and authorization.
Authentication factors are the different elements a system uses to verify someone’s identity before granting that individual access to anything. The factors required vary with the security level needed. Single-factor, two-factor and multi-factor authentication mechanisms are currently available, as listed below.
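The leave-portal scenario above, as an added example that is not part of the original article: a minimal IAM module that provisions Smith and Mark with their roles, authenticates a login against a salted password hash, authorizes an action by role, and finally de-provisions Smith. The action names and the role-to-permission map are assumptions made for this example.

```python
import hashlib, hmac, os

# Constructed role-to-permission map for the leave portal; the action
# names are assumptions made for this example, not from the article.
ROLE_PERMISSIONS = {"user": {"apply_leave"}, "lead": {"apply_leave", "approve_leave"}}
ITERATIONS = 100_000

class IAM:
    def __init__(self):
        self.users = {}  # username -> {"salt", "hash", "role", "active"}

    def provision(self, username, password, role):
        # Identity-management layer: create the profile and assign a role.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.users[username] = {"salt": salt, "hash": digest, "role": role, "active": True}

    def deprovision(self, username):
        # Revoke access but keep the record for auditing.
        self.users[username]["active"] = False

    def authenticate(self, username, password):
        # Authentication layer: is the caller who they claim to be?
        rec = self.users.get(username)
        if rec is None or not rec["active"]:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
        return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare

    def authorize(self, username, action):
        # Authorization layer: run only for an already-authenticated user.
        rec = self.users.get(username)
        return bool(rec and rec["active"] and action in ROLE_PERMISSIONS.get(rec["role"], ()))

def leave_portal_demo():
    # Robert (the IT administrator) provisions Smith as a user and Mark as a lead.
    iam = IAM()
    iam.provision("smith", "smith-pw", "user")
    iam.provision("mark", "mark-pw", "lead")
    results = {
        "smith_login_ok": iam.authenticate("smith", "smith-pw"),     # authentication succeeds
        "smith_login_bad": iam.authenticate("smith", "wrong"),       # authentication fails
        "smith_apply": iam.authorize("smith", "apply_leave"),        # authorized
        "smith_approve": iam.authorize("smith", "approve_leave"),    # user role: denied
        "mark_approve": iam.authorize("mark", "approve_leave"),      # lead role: allowed
    }
    iam.deprovision("smith")  # offboarding: credentials no longer work
    results["smith_after_deprovision"] = iam.authenticate("smith", "smith-pw")
    return results
```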
Now that we understand what authentication and authorization are, let’s look at the logical view of IAM using the diagram below.
The Identity Management layer covers user provisioning and de-provisioning. User provisioning means creating user profiles and IDs, defining user roles and defining which systems that user may access. User de-provisioning means revoking permissions and de-authorizing user identities and systems.
The Authentication layer validates user identity using services such as Okta or protocols such as OAuth2, OAuth and SAML. The Authorization layer grants or denies access to resources after successful authentication.
The Single Sign-On layer includes services from the IAM provider that enable a user’s access to multiple applications, which may be under the same domain or across multiple domains. It should also provide services to keep user attributes in sync with the other applications in the system. Service features generally include user-related APIs, role-related APIs and provisioning/de-provisioning APIs.
Apart from the layers above, there has to be a common self-service layer for tasks like resetting, recovering or changing a password and updating personal information, and a common admin layer for defining rules and guidelines, enabling password policies and so on.
Basic Architecture flow diagram for IAM also helps us to understand how system works.
As shown, IAM administrators manage the IAM services, which are built as one separate module. This module can be used as a plug-and-play module or as an independent service in a microservice architecture. Data is stored in LDAP or another directory database. That data is accessed by the enterprise applications, which in turn can only be accessed once sign-in has succeeded via the SSO services.
Where is IAM being used?
The answer is “in almost every enterprise application”. The most common applications we use in day-to-day life rely on IAM services. Switching to Google Drive or Calendar from Gmail, or logging in to any portal (including Medium) using Twitter, Facebook or Google SSO, are some examples.