5.2 Manage identification and authentication of people, devices, and services
- Identity management (IdM) implementation
- Single/multi-factor authentication (MFA)
- Session management
- Registration, proofing, and establishment of identity
- Federated Identity Management (FIM)
- Credential management systems
- Single Sign On (SSO)
- Just-In-Time (JIT)
IdM is a concept that refers to Identity Management. Some ideas that we will discuss further
- We should enforce multi factor authentication for all logins
- We need a way to create new user accounts and accurately link them to actual human beings. We need to verify that each user is the person he says he is.
- We need to be able to keep track of the credentials in a central system
- We need to keep track of what each user does
- We need to be able to keep track of each user “session”. We don’t want to force the user to keep entering their username/password every five minutes. Once a user is logged in, they should stay logged in.
Now that we covered user credentials, how do we validate them? What is the mechanism that compares what the user provided against what is correct? There are several ways
- Single Sign-On. Single Sign-On uses a central system to authenticate users across multiple applications.
For example, a user logs in to his computer via his Windows Active Directory password. He is then able to access the corporate intranet, procurement application, online library, payroll, and e-mail without having to re-enter a username or password.
Once logged in, the remaining applications understand that the user is already authenticated. In the background the applications receive authorization from the Active Directory server.
A user (and the organization) does not have to maintain separate usernames/passwords for each application.
If the single sign on system fails, then the user will not be able to access any of the applications.
Increasingly, social media sites such as Google and Facebook provide SSO services to other websites. For example, a user can use their Facebook account to log in to another site. Using Facebook for Single Sign On is a bad idea because Facebook will collect data about your visits to other websites and the websites will collect data from your Facebook account.
When two systems trust each other, we say that they are federated. In a large organization, where users must access many applications, federation is important. We can give each user a single profile that permits them to access any resources they require.
- A new idea is called Just In Time. When we create the user account, we do not provision access to every application. Instead, we create the user account with specific roles and privileges.
When a user needs access to a specific application, the system recognizes that he does not have access. It verifies that he has the right to access the application, and provisions the access, just in time. The user is granted access to the applications only when he needs it and only for the time that he needs it.