Identity management system
An identity management system refers to an information system, or to a set of technologies that can be used for enterprise or cross-network identity management
Additional terms are used synonymously with "identity management system" including;
- Access governance system
- Identity and access management system
- Entitlement management system
- User provisioning system
Identity management (IdM) describes the management of individual identities, their authentication, authorization, roles and privileges[1] within or across system and enterprise boundaries[2] with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks.[3]
"Identity management" and "access and identity management" (or AIM) are terms that are used interchangeably under the title of identity management while identity management itself falls under the umbrella of IT security.[4]
Identity management systems, products, applications, and platforms are commercial Identity management solutions implemented for enterprises and organizations.
Technologies, services, and terms related to identity management include active directories, service providers, identity providers, Web services, access control, digital identities, password managers, single sign-on, security tokens, security token services (STS), workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth, and RBAC.[5]
Electronic identity management
In general, electronic IdM can be said to cover the management of any form of digital identities. The focus on identity management goes back to the development of directories, such as X.500, where a namespace serves to hold named objects that represent real-life "identified" entities, such as countries, organizations, applications, subscribers or devices. The X.509 ITU-T standard defined certificates carried identity attributes as two directory names: the certificate subject and the certificate issuer. X.509 certificates and PKI systems operate to prove the online "identity" of a subject. Therefore, in IT terms, one can consider identity management as the management of information (as held in a directory) that represents items identified in real life (e.g. users, organizations, devices, services, etc.). The design of such systems requires explicit information and identity engineering tasks.
The evolution of identity management follows the progression of Internet technology closely. In the environment of static web pages and static portals of the early 1990s, corporations investigated the delivery of informative web content such as the "white pages" of employees. Subsequently, as the information changed (due to employee turnover, provisioning and de-provisioning), the ability to perform self-service and help-desk updates more efficiently morphed into what became known as Identity Management today.
Typical identity management functionality includes the following:
- Access control
- Cloud computing
- Digital identity management
- Password manager
- Workflow automation
- Provisioning
- Single sign-on
- Security Token Service
- Role based access control
- Risk management
Identity management also addresses the age-old 'N+1' problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.
Solutions
Solutions which fall under the category of identity management may include:
Management of identities
- Provisioning/De-provisioning of accounts
- Workflow automation
- Delegated administration
- Password synchronization
- Self-service password reset
Access control
- Password manager
- Single sign-on (SSO)
- Web single sign-on (Web SSO)
- Role-based access control (RBAC)
- Attribute based access control (ABAC)
Directory services
- x.500 and LDAP
- Microsoft Active Directory
- NetIQ eDirectory
- Identity repository (directory services for the administration of user account attributes)
- Metadata replication/Synchronization
- Directory virtualization (Virtual directory)
- e-Business scale directory systems
- Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP
Other categories
- Federation of user access rights on web applications across otherwise untrusted networks
- Directory-enabled networking and 802.1X EAP
Standards initiatives
- SAML 2.0
- OAuth
- OpenID
- Liberty Alliance — A consortium promoting federated identity management
- Shibboleth (Internet2) — Identity standards targeted towards educational environments
- Global Trust Center
- Central Authentication Service
See also
- Light-Weight Identity (LID)
- Metadirectory and Virtual directory
- Network Information Service (NIS)
- Privacy enhancing technologies (PET)
- User profile
- Windows CardSpace
- XML Enabled Directory
- Yadis