
Identity And Access Management

Updated: Sep 21, 2021

Have you ever heard about Identity and Access Management?

Have you ever wondered why it is not required to type your credentials every time you access different applications in your organization?

Enterprises today use many resources to serve their business, and each of them needs to be accessed by the right people, who hold specific roles in order to accomplish their tasks.

Having a high number of users who need access to different applications, systems and services can expose an organization to severe risks.

Identity and Access Management, well known as IAM, together with single sign-on (SSO), makes all of this possible with the lowest risk.

What are these technologies and how do they work?

Let's answer these questions below.

IAM is essentially the set of organizational and technical processes for registering and authorizing access rights first, and then for identifying, authenticating and controlling the users or groups who have access to applications, systems and networks.

There are four basic functions involved:

  1. Identity - creation and management of a user identity in the domain: personal information, roles, tokens, keys, e-mail addresses.

  2. Access - where and how the user accesses: permissions, grants.

  3. Service - the applications, systems and hardware used by the identity: tools, servers, handheld devices, laptops, phones, SharePoint, meeting rooms.

  4. Federation - multiple systems that share users' access across the domain and allow users to log in by authenticating against any one of the systems in the federation.

Let's see how authentication is obtained in such a so-called 'circle of trust'.

One system acts as the Identity Provider (IdP) and the other as the Service Provider (SP).

A user who wants to access a service, a system or a network first authenticates against the IdP.

After successful authentication the IdP sends a secure assertion, and the SP then allows the user to use the service. One of the protocols that describes and exchanges secure assertions between these parties is the Security Assertion Markup Language (SAML).

SSO combines the technologies described above to let users access independent systems with a single user id and password pair.


Single-sign-on flow with SAML 2.0.

  1. The user, through an HTTP web browser (the user agent), sends a request to access a resource protected by the SP.

  2. The SP redirects the web browser to the SSO service at the IdP.

  3. The web browser sends an HTTP GET request to the SSO service at the IdP, which checks whether a security context already exists; otherwise the IdP identifies the user.

  4. The SSO service validates the request and sends a response to the web browser in the form of an XHTML document.

  5. The web browser makes an HTTP POST request to the assertion consumer service running at the SP, carrying the value taken from the response received at step 4.

  6. The assertion consumer service processes the request, creates the security context at the SP and redirects the web browser to the target resource.

  7. The web browser makes a new request to get the same resource.

  8. The SP returns the resource to the web browser.

When the same user later tries to access a different resource protected by the same SP, the SSO flow restarts from step 1, but because a security context already exists, steps 2 to 7 are skipped: as in step 8, the SP returns the resource to the web browser and the user reaches the requested resource without logging in again.
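To make the eight steps and the "security context" concrete, here is an added simulation of the flow in plain Python (example code, not from the original post and not a SAML library). The IdP signature is an HMAC over the assertion fields with a constructed shared key, standing in for the XML signature of a real SAML response; the entity IDs are hypothetical; the user is passed in as already authenticated by the IdP.

```python
import hashlib, hmac, json, secrets, time

IDP_KEY = b"constructed-idp-signing-key"        # stand-in for the IdP signing key (constructed)
SP_ENTITY_ID = "https://sp.example/metadata"    # hypothetical SP entity ID
IDP_ENTITY_ID = "https://idp.example/metadata"  # hypothetical IdP entity ID

def sign(assertion):
    # HMAC over the canonicalised assertion: a stand-in for the XML-DSig signature
    return hmac.new(IDP_KEY, json.dumps(assertion, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    def __init__(self):
        self.pending = {}   # AuthnRequest IDs issued and not yet answered
        self.sessions = {}  # security contexts, keyed by session cookie
    def access(self, cookie, resource):
        # Steps 1-2, or step 8 directly when a security context already exists
        if cookie in self.sessions:
            return ("resource", resource)
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = resource
        return ("redirect_to_idp", {"ID": req_id, "Issuer": SP_ENTITY_ID})
    def acs(self, response):
        # Steps 5-6: the assertion consumer service validates before it trusts
        a = response["Assertion"]
        if not hmac.compare_digest(sign(a), response["Signature"]):
            raise ValueError("bad signature")
        if a["InResponseTo"] not in self.pending:
            raise ValueError("unsolicited or replayed response")
        if a["Issuer"] != IDP_ENTITY_ID or a["Audience"] != SP_ENTITY_ID:
            raise ValueError("wrong issuer or audience")
        if not a["NotBefore"] <= time.time() < a["NotOnOrAfter"]:
            raise ValueError("assertion outside its validity window")
        resource = self.pending.pop(a["InResponseTo"])   # each request ID is answered once
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = a["Subject"]             # the security context
        return cookie, resource

class IdentityProvider:
    def sso(self, authn_request, user):
        # Steps 3-4: `user` stands for the identity the IdP has just authenticated
        now = time.time()
        a = {"Issuer": IDP_ENTITY_ID, "Subject": user, "Audience": authn_request["Issuer"],
             "InResponseTo": authn_request["ID"], "NotBefore": now - 60, "NotOnOrAfter": now + 300}
        return {"Assertion": a, "Signature": sign(a)}

def run_flow(sp, idp, user, resource, cookie=None):
    # One browser request; returns (cookie, resource, whether the IdP round trip happened)
    outcome = sp.access(cookie, resource)
    if outcome[0] == "resource":
        return cookie, outcome[1], False                 # steps 2-7 skipped
    cookie, target = sp.acs(idp.sso(outcome[1], user))  # browser POSTs the response to the ACS
    return cookie, sp.access(cookie, target)[1], True    # steps 7-8
```

The second call to `run_flow` with the cookie from the first returns the resource without an IdP round trip, and a response whose signature, issuer, audience, validity window or request ID does not check out is rejected at the ACS.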

All the messages described above are exchanged over the HTTP protocol.

The SAML protocol version depicted in this post is 2.0.

Top 5 Identity Management Software


If you like the post, please give it a like, and if you have doubts or questions just reach out.

