4. Rationalize groups
Instead of having to search across multiple sources to find groups and members, the identity provider should need only to search against the integration layer to check for group membership, speeding logins and access. If your existing groups are sufficient for enforcing your policies today, you shouldn't have to redo any work when you deploy a federated identity layer. That layer should virtualize your existing groups, with the translation and DN (Distinguished Name) remapping happening automatically.
When basing authorization on group membership, the federated identity layer should be able to rationalize and aggregate existing groups, flatten nested groups if needed, and even compute dynamic groups with members across multiple sources. It should also allow you to compute "member of" values that define the relationship between the group and the user entry itself.
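As an added illustration (not code from the article or any vendor product), the following Python sketches what the integration layer does with groups: it remaps DNs from two hypothetical back ends into one assumed virtual namespace, aggregates same-named groups across sources, flattens nested groups while tolerating the cycles that real directories contain, and derives "member of" values per user. All directory data is constructed sample input.

```python
from collections import defaultdict
VIRTUAL_SUFFIX = "dc=virtual,dc=example"   # assumed virtual namespace (hypothetical)
# Constructed sample: two back ends with their own DN suffixes. "eng" exists in both,
# and corp's eng/platform groups nest each other (a cycle) to show flattening terminates.
SOURCES = {
    "corp-ad": {"suffix": "dc=corp,dc=example", "groups": {
        "cn=eng,ou=groups,dc=corp,dc=example": [
            "cn=alice,ou=people,dc=corp,dc=example",
            "cn=platform,ou=groups,dc=corp,dc=example"],
        "cn=platform,ou=groups,dc=corp,dc=example": [
            "cn=bob,ou=people,dc=corp,dc=example",
            "cn=eng,ou=groups,dc=corp,dc=example"]}},   # nested back into eng
    "ldap-partner": {"suffix": "o=partner", "groups": {
        "cn=eng,ou=groups,o=partner": ["uid=carol,ou=users,o=partner"]}},
}

def remap_dn(dn, source):
    """Rewrite a back-end DN into the virtual namespace, keeping its RDN path."""
    suffix = SOURCES[source]["suffix"]
    if not dn.endswith("," + suffix):
        raise ValueError(f"{dn} is not under {suffix}")
    return dn[: -len(suffix)] + VIRTUAL_SUFFIX

def flatten(groups):
    """Resolve nested groups down to user DNs; the seen-set makes cycles safe."""
    def expand(group, seen):
        users = set()
        for m in groups.get(group, ()):
            if m in groups:                  # member is itself a group
                if m not in seen:
                    seen.add(m)
                    users |= expand(m, seen)
            else:
                users.add(m)
        return users
    return {g: expand(g, {g}) for g in groups}

def build_virtual_view():
    """Aggregate same-named groups across sources, flatten, and derive memberOf."""
    merged = defaultdict(list)
    for src, cfg in SOURCES.items():
        for gdn, members in cfg["groups"].items():
            merged[remap_dn(gdn, src)].extend(remap_dn(m, src) for m in members)
    flat = flatten(merged)
    member_of = defaultdict(set)
    for gdn, users in flat.items():
        for u in users:
            member_of[u].add(gdn)
    return ({g: sorted(u) for g, u in flat.items()},
            {u: sorted(g) for u, g in member_of.items()})
```

The identity provider would then query only the virtual view for membership, so a user's memberOf reflects groups from every source without a cross-directory search at login.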
5. Cache resulting views for speed and scalability
An advanced identity integration layer sits between your current directory infrastructure and the applications that access it, isolating them from changes on the back end. This layer needs to be highly available, scalable, and fast, sometimes even faster than the underlying back ends, in order to provide quick and reliable access to applications for all users no matter where or how their identities are stored.
Such a layer should also offer a choice of persistent caching options based on your deployment requirements and environment, so entries, queries, or modeled views can be cached for higher performance and availability, in real time or on a scheduled basis. The persistence of materialized hierarchical views means query performance would no longer be constrained by complex joins and searches across multiple data sources.
Figure: A proposed architecture for how a federated identity layer fits within the federation landscape.
With a federated identity layer, large enterprises can streamline their identity infrastructure while respecting existing investments, making it far easier to feed their identity provider and securely deliver on the promise of federation. But such a layer also provides a flexible infrastructure and architecture pattern that goes beyond the immediate challenge of federation, enabling many other use cases, such as authentication for Web access management, finer-grained authorization for highly secure data or apps, complete customer profiles, faster application deployment, and even easier M&A integrations. Building an identity integration layer can solve federation challenges today, while enabling companies to tackle any new challenges that arise tomorrow.