If there is no user overlap across the data sources, an aggregation of all identities is typically sufficient. If the same user is located in multiple sources, correlation logic is required to link these common accounts so that they are represented only once in the virtual view.
2. Aggregate and correlate identities to build a unique reference list
One of the main challenges large organizations face when attempting a move to the cloud is not only multiple user stores, but user overlap across those stores. This is a major roadblock to federating identity. The ideal foundation for authentication is a single global user list where each user is represented only once, not many different lists across which users might be scattered. You'll want all of a user's attributes located in one logical location for authorization as well.
The solution is to create that single list of user profiles containing all of their information, and the best way to do that is by integrating identity from across all identity stores. Once your inventory is complete, you can extract the schemas from your back ends, map them onto a common schema, and then correlate the accounts that belong to the same person to produce the global list.
For the most flexible system, it's essential to map all identity schemas to a common naming structure and to correlate same-user accounts across identity silos, so that there are no duplicate identities in the global list. Where a user is located in more than one source, the global entry should keep a link to the local identifier in each of those sources. This makes the credential-checking step of authentication much cheaper, which matters for speeding up login and enabling SSO: instead of a slow, sequential search of every data source, the system checks only the repositories in which that user actually has an account.
3. Join identities to create global profiles
Once the global list is created, you can enrich each user's profile with attributes from all of their local accounts through the join operation. Different applications require different aspects of a user's identity, so it's important to combine every aspect of that identity from across all sources into a rich global profile for authentication and authorization. By federating all of your identity sources, you can join these aspects into one global profile that the identity provider can read and package into security tokens for consuming applications.
For each user with overlapping identities, the integration layer should pull all attributes from the original identity sources and include them in the global profile. Credentials should stay in the original data source and be verified there; the global profile carries attributes and links, never password material. Correlation must rest on a stable, authoritative identifier rather than on a similar-looking name or login, so that two different people whose accounts resemble each other are never merged and one is not given the other's authorization.
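The steps in sections 2 and 3 (aggregate, map schemas, correlate, join, and route the credential check only to the stores the user is linked to) as one worked example. This is added illustration code, not the article's or any vendor's implementation. The three store names, their schemas, the correlation keys (employee ID first, lower-cased mail as a fallback) and the toy salted-hash credential scheme are all assumptions made for the example; the sample entries are constructed.

```python
"""Toy identity-virtualization layer: aggregate, correlate, join and route
credential checks. Added example for this article, not a product's code.
Store names, schemas, the correlation keys (employee_id, then lower-cased
mail) and the password-hashing scheme are assumptions for illustration."""
import hashlib
import hmac


def _digest(salt: str, password: str) -> str:
    # Illustrative salted SHA-256; a real store would use a slow password hash.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample back ends, each with its own schema and its own credential.
STORES = {
    "corp_ad": {"key": "sAMAccountName", "entries": [
        {"sAMAccountName": "jdoe", "employeeID": "E1001",
         "mail": "Jane.Doe@example.com", "department": "Finance",
         "salt": "a1", "pwd": _digest("a1", "ad-secret")},
        {"sAMAccountName": "jdoe2", "employeeID": "E1002",
         "mail": "john.doe@example.com", "department": "IT",
         "salt": "a2", "pwd": _digest("a2", "ad-other")},
    ]},
    "hr_ldap": {"key": "uid", "entries": [
        {"uid": "jane.doe", "employeeNumber": "E1001", "title": "Controller",
         "salt": "h1", "pwd": _digest("h1", "hr-secret")},
        {"uid": "asmith", "employeeNumber": "E2001",
         "mail": "a.smith@example.com", "title": "Engineer",
         "salt": "h2", "pwd": _digest("h2", "hr-smith")},
    ]},
    "legacy_db": {"key": "login", "entries": [
        {"login": "asmith", "email": "A.Smith@EXAMPLE.COM", "role": "admin",
         "salt": "l1", "pwd": _digest("l1", "legacy-smith")},
    ]},
}

# Local attribute name -> common name. Credential fields are deliberately unmapped.
SCHEMA_MAP = {
    "corp_ad": {"employeeID": "employee_id", "mail": "mail", "department": "department"},
    "hr_ldap": {"employeeNumber": "employee_id", "mail": "mail", "title": "title"},
    "legacy_db": {"email": "mail", "role": "role"},
}


def normalize(store: str, entry: dict) -> dict:
    """Map one local entry onto the common schema (mail lower-cased)."""
    out = {common: entry[local]
           for local, common in SCHEMA_MAP[store].items() if local in entry}
    if "mail" in out:
        out["mail"] = out["mail"].lower()
    return out


def build_global_list(stores: dict) -> list:
    """Aggregate every store, correlate same-user records on employee_id or
    mail, and join their attributes. Each profile keeps a link to the local
    identifier in every store where the user exists; credentials stay local."""
    profiles = []
    for store, cfg in stores.items():
        for entry in cfg["entries"]:
            rec = normalize(store, entry)
            match = next((p for p in profiles
                          if ("employee_id" in rec
                              and p.get("employee_id") == rec["employee_id"])
                          or ("mail" in rec and p.get("mail") == rec["mail"])),
                         None)
            if match is None:
                match = {"links": {}}
                profiles.append(match)
            for attr, value in rec.items():
                match.setdefault(attr, value)  # first source wins on conflict
            match["links"][store] = entry[cfg["key"]]
    return profiles


def authenticate(profiles: list, stores: dict, mail: str, password: str):
    """Check the password only in the stores linked from the user's profile.
    Returns (store that verified the credential or None, stores consulted)."""
    profile = next((p for p in profiles if p.get("mail") == mail.lower()), None)
    if profile is None:
        return None, 0
    consulted = 0
    for store, local_id in profile["links"].items():
        cfg = stores[store]
        entry = next(e for e in cfg["entries"] if e[cfg["key"]] == local_id)
        consulted += 1
        if hmac.compare_digest(_digest(entry["salt"], password), entry["pwd"]):
            return store, consulted
    return None, consulted


if __name__ == "__main__":
    global_list = build_global_list(STORES)
    for profile in global_list:
        print(profile)
    print(authenticate(global_list, STORES, "a.smith@example.com", "legacy-smith"))
```

Running it yields three global profiles from five local entries: the two `jdoe`/`jdoe2` accounts stay separate because their employee IDs differ, while the two `asmith` logins are merged through the mail attribute and the joined profile carries both `title` and `role`. A login for `a.smith@example.com` consults at most the two linked stores rather than all three, and no `pwd` or `salt` field ever reaches the global list. The weak point of such a design is the fallback key: correlating on an attribute a user can set themselves in one store would let that user link into someone else's profile, so the fallback should only be used where the attribute is centrally managed.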