But coming up with a global view of users from across a diverse, distributed architecture is not a quick or simple task for most large organizations. What you need is an integration layer that can also federate your identity sources, in the same way that SAML and the other federation protocols federate access itself. All of these sources have to be federated because each one contains attributes or pieces of identity information that need to be reconciled from existing data. After all, no Fortune 1000 company began its business yesterday.
Integrate and orchestrate identity with a federated layer.
While federation funnels access to an identity provider, identity integration is often required to feed your identity provider with cohesive views of identity that match the needs of consuming applications.
Instead of imposing one unique centralized system on top of all of this complexity, a federated integration of your identity sources should offer a rationalized view of the entire system, with all of the flexibility needed to respond to new demands and opportunities. By integrating identity and attributes from across data silos, this federated identity layer builds and maintains a global list of users that is curated dynamically across all enterprise systems, then maps that data to meet the unique expectations of each consuming application.
With a federated identity layer, your identity provider can authenticate against a rational, common view of identity, while each user store maintains autonomy over its own data. Of course, any changes would need to be synchronized automatically, in as close to real time as possible. By keeping track of all users and their associated identity information, including multiple or overlapping usernames, this layer should enable fast, accurate authentication and authorization for all your applications.
These are the essential steps to keep in mind when building a federated identity layer.
1. Inventory your current data sources, and extract and unify the metadata
The first step in building an identity integration layer is gaining an understanding of all of your endpoints. You need to inventory all of the user stores to which you're extending access, and understand how each application interacts with these underlying stores: how it authenticates and gathers authorization information, what queries it sends, and what kind of hierarchy it expects. Once this is complete, your integration layer can begin to understand the relationships in the data (such as whether the same users appear in several stores, and how these duplicate accounts can be reconciled), enabling it to provide complete identity information from across the enterprise to every application in the manner it requires.
Larger organizations often store identity and attributes across an array of repositories, each using different protocols and data models. A smart federated identity system should be able to bridge these diverse systems to create a common object model. Such a system must be able to discover and extract the metadata, or identity representations, from each source and map this information to a common naming scheme. This is critical for correlating identities and representing each unique identity in a format that's consumable by applications.
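As an added illustration (not code from the article), the following Python sketch shows the two activities step 1 describes: mapping each store's native attribute names onto a common naming scheme, and correlating records that describe the same person so duplicate or differing usernames can be flagged for reconciliation. The store names, attribute names and records are constructed for the example.

```python
"""Constructed example: map two heterogeneous user stores onto a common object
model and correlate identities across them. Store names, attribute names and
records are assumptions for illustration, not real data."""

# Constructed sample records: an LDAP-style directory and an HR database export,
# each using its own attribute names for the same underlying facts.
LDAP_USERS = [
    {"uid": "jdoe", "mail": "John.Doe@Example.com", "cn": "John Doe", "memberOf": ["cn=vpn,ou=groups"]},
    {"uid": "asmith", "mail": "asmith@example.com", "cn": "Alice Smith", "memberOf": []},
]
HR_USERS = [
    {"employee_id": "E100", "email": "john.doe@example.com", "login": "doej", "dept": "Finance"},
    {"employee_id": "E200", "email": "bob@example.com", "login": "bob", "dept": "IT"},
]

# Per-source mapping of native attribute names onto the common naming scheme.
SCHEMA_MAP = {
    "ldap": {"uid": "username", "mail": "email", "cn": "display_name", "memberOf": "groups"},
    "hr": {"employee_id": "employee_id", "email": "email", "login": "username", "dept": "department"},
}

def normalize(source, record):
    """Translate one native record into the common object model."""
    common = {SCHEMA_MAP[source][k]: v for k, v in record.items() if k in SCHEMA_MAP[source]}
    common["email"] = common["email"].strip().lower()  # correlation key must be canonical
    common["sources"] = {source}
    common["usernames"] = {source: common.pop("username")}  # remember each store's login name
    return common

def correlate(stores):
    """Merge records from all stores that share the correlation key (email)."""
    merged = {}
    for source, records in stores.items():
        for rec in records:
            entry = normalize(source, rec)
            existing = merged.get(entry["email"])
            if existing is None:
                merged[entry["email"]] = entry
                continue
            existing["sources"] |= entry["sources"]
            existing["usernames"].update(entry["usernames"])
            for attr, value in entry.items():
                existing.setdefault(attr, value)  # fill gaps, keep first-seen values
    return merged

def overlapping_usernames(merged):
    """Identities whose username differs between stores: candidates for reconciliation."""
    return {k: v["usernames"] for k, v in merged.items() if len(set(v["usernames"].values())) > 1}
```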