RemNote Community

Introduction to Identity Management

Understand the core functions of identity management, the role of central directories and single sign‑on, and how MFA and federation enhance security.


Summary

Introduction to Identity Management

Identity Management (IM) is the set of practices and tools an organization uses to keep track of who its users are and what they are allowed to do. In today's digital workplace, where employees access dozens of applications and services, organizations need robust systems to manage user identities securely and efficiently. Identity Management sits at the intersection of security and usability: it ensures that only the right people can access the right resources, while making legitimate access straightforward.

Identity Management has two key phases. During the configuration phase, the system registers user identities and provisions credentials. During the operation phase, the system authenticates users and controls their access to resources. Together these phases form the identity management lifecycle.

Core Functions of an Identity Management System

A complete Identity Management system performs five essential functions that work together to protect organizational resources while enabling productivity.

Authentication: Verifying User Identity

Authentication is the process of verifying that a user is who they claim to be. Think of it as the security check at an airport: you present a credential (your passport) to prove your identity. In practice, authentication uses one or more of the following:
- Passwords: knowledge-based proof ("something you know")
- Biometrics: physical proof such as fingerprints or facial recognition ("something you are")
- One-time codes: time-sensitive codes from an authenticator app or hardware token ("something you have"). Codes sent via SMS also count as a possession factor, but they are the weakest form, since SMS can be intercepted or redirected by SIM swapping.

When a user attempts to access a system, authentication verifies the claimed identity before any further access is allowed.

Authorization: Controlling Resource Access

Authorization is the process of determining what resources an authenticated user is permitted to access.
This is distinct from authentication: authentication confirms who you are, while authorization determines what you can do. For example, after a user is authenticated, the system might check:
- Can this user read files in the HR department folder?
- Can this user edit the company budget spreadsheet?
- Can this user access the payroll database?

Authorization operates on the principle of least privilege: users should have access only to the minimum resources needed for their role, and anything not explicitly granted is denied.

Provisioning and De-provisioning: Automating the Account Lifecycle

Provisioning automatically creates and updates user accounts based on organizational changes:
- When a new employee joins, provisioning creates their user account with appropriate initial permissions
- When an employee changes roles, provisioning updates their access rights to match their new responsibilities, removing the old role's rights rather than only adding new ones, so that privileges do not accumulate over time
- When an employee receives a promotion, provisioning updates their permissions accordingly

De-provisioning is the reverse process: it automatically disables user accounts when employees leave the organization. This is critical for security, because it ensures that departing employees cannot access company resources.

Credential Management: Protecting Authentication Data

Credential Management securely stores and protects the authentication data needed to verify user identities, including:
- Passwords (stored as salted hashes produced by a deliberately slow password-hashing function, never in plain text and never with a fast general-purpose hash)
- Authentication tokens and certificates
- API keys and secrets
- Biometric templates

Credential Management also enforces password policies (minimum length, complexity requirements) and handles credential rotation to limit the damage a compromised credential can do.

Auditing and Reporting: Maintaining Accountability

Auditing creates detailed logs of who accessed what resources and when. For example, an audit log might record: "User Jane Smith accessed the customer database on March 15 at 2:47 PM." Failed logins and denied authorization requests belong in the log as well, since they are often the first sign of an attack.
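The five core functions described above, exercised together in one small in-memory identity store. This is an added example, not code from the page: the role-to-permission table, the PBKDF2 iteration policy and the sample accounts are constructed for illustration. It provisions an account with a salted PBKDF2 password hash, authenticates with a constant-time comparison, authorizes with a deny-by-default role check (least privilege), replaces rather than accumulates rights on a role change, disables the account on de-provisioning, upgrades a legacy hash to the current policy at the next successful login (credential rotation), and writes an audit entry for every decision.

```python
"""Minimal identity store: provisioning, authentication, authorization,
credential management (salted PBKDF2, rotated on login) and auditing.
Added example; role table, policy values and accounts are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical role model: each role grants an explicit, minimal permission set.
ROLE_PERMISSIONS = {
    "hr": {"hr_folder:read", "hr_folder:write"},
    "finance": {"budget:read", "budget:edit", "payroll_db:read"},
}
PBKDF2_ITERATIONS = 600_000  # current policy; older hashes are upgraded at next login


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    iterations: int
    roles: set = field(default_factory=set)
    disabled: bool = False


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Salted, deliberately slow hash; the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class IdentityStore:
    def __init__(self):
        self.accounts = {}      # username -> Account
        self.audit_log = []     # who did what, and whether it was allowed

    def provision(self, username, password, roles, iterations=PBKDF2_ITERATIONS):
        salt = os.urandom(16)
        self.accounts[username] = Account(
            username, salt, hash_password(password, salt, iterations), iterations, set(roles))
        self.audit_log.append(f"PROVISION {username} roles={sorted(roles)}")

    def change_roles(self, username, roles):
        # Replace rather than add, so rights from the old role do not linger.
        self.accounts[username].roles = set(roles)
        self.audit_log.append(f"ROLE_CHANGE {username} roles={sorted(roles)}")

    def deprovision(self, username):
        self.accounts[username].disabled = True
        self.audit_log.append(f"DEPROVISION {username}")

    def authenticate(self, username, password) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.disabled:
            self.audit_log.append(f"AUTH_FAIL {username} reason=unknown_or_disabled")
            return False
        ok = hmac.compare_digest(hash_password(password, acct.salt, acct.iterations), acct.pw_hash)
        if ok and acct.iterations != PBKDF2_ITERATIONS:
            # Credential rotation: the plaintext is only available at login,
            # so this is the moment to re-hash under the current policy.
            acct.salt = os.urandom(16)
            acct.pw_hash = hash_password(password, acct.salt, PBKDF2_ITERATIONS)
            acct.iterations = PBKDF2_ITERATIONS
            self.audit_log.append(f"REHASH {username}")
        self.audit_log.append(f"AUTH_{'OK' if ok else 'FAIL'} {username}")
        return ok

    def authorize(self, username, permission) -> bool:
        # Deny by default: unknown, disabled, or not granted by any role -> False.
        acct = self.accounts.get(username)
        allowed = (acct is not None and not acct.disabled and
                   any(permission in ROLE_PERMISSIONS.get(r, set()) for r in acct.roles))
        self.audit_log.append(f"AUTHZ_{'ALLOW' if allowed else 'DENY'} {username} {permission}")
        return allowed


def demo() -> dict:
    """Walk one account through the lifecycle and return the decisions."""
    store = IdentityStore()
    store.provision("jane", "correct horse battery staple", {"hr"})
    r = {"login_ok": store.authenticate("jane", "correct horse battery staple"),
         "login_bad": store.authenticate("jane", "wrong password"),
         "hr_read": store.authorize("jane", "hr_folder:read"),
         "payroll": store.authorize("jane", "payroll_db:read")}
    store.change_roles("jane", {"finance"})          # jane moves to finance
    r["payroll_after_move"] = store.authorize("jane", "payroll_db:read")
    r["hr_after_move"] = store.authorize("jane", "hr_folder:read")
    store.deprovision("jane")                          # jane leaves
    r["login_after_leave"] = store.authenticate("jane", "correct horse battery staple")
    store.provision("bob", "hunter2!!", {"finance"}, iterations=100_000)  # legacy hash
    store.authenticate("bob", "hunter2!!")             # triggers rotation
    r["bob_rehashed"] = store.accounts["bob"].iterations == PBKDF2_ITERATIONS
    r["audit_entries"] = len(store.audit_log)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that de-provisioning here only flips a flag; in a real deployment the sessions and tokens the user already holds must be revoked separately, which is why the audit trail records a reason for every failure rather than silently returning False.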
Reporting uses these audit logs to support:
- Security reviews and incident investigations
- Compliance with regulatory requirements (such as HIPAA or SOX)
- Detection of suspicious access patterns
- Accountability for data access

Central Directory Concept: The Hub of Identity Management

Rather than storing user information separately in each application, modern organizations use a central directory: a single, authoritative source of user information that all applications can query. Entities (people and resources) correspond to identities in the directory, and each identity consists of attributes and identifiers such as name, email, and role.

What Information Does a Central Directory Store?

A central directory maintains user attributes including:
- Name and email address
- Department and job title
- Organizational role
- Phone number and office location
- Group memberships (e.g., "Finance Team", "Marketing Department")
- Manager information
- Permissions and access rights

Directory Technologies

Two common technologies implement central directories:

Lightweight Directory Access Protocol (LDAP) is a widely used standard protocol for accessing directory information. LDAP directories are commonly used in enterprise environments for storing and retrieving user information.

Azure Active Directory (Azure AD), renamed Microsoft Entra ID in 2023, is Microsoft's cloud-based identity service. Organizations using Microsoft 365 or cloud applications typically use it as their central directory.
How Applications Use the Central Directory

When a user attempts to access an application, the application queries the central directory to:
- Confirm the user's identity during authentication (checking the supplied password against the stored credential; with LDAP this check is performed by the directory itself during a bind, so the application never handles the stored hash)
- Retrieve the user's group memberships and permissions to determine what resources the user can access
- Obtain user attributes needed by the application (such as department or manager name)

This architecture means applications don't need to manage their own user databases; they rely on the central directory as the source of truth.

Policy Enforcement Through Centralization

The key advantage of centralization is consistent policy enforcement. For example:
- An organization can require that "all finance staff must use multi-factor authentication" and apply this policy organization-wide
- When a policy changes, administrators update it once in the directory, and every application that consults the directory enforces the new policy
- When an employee is terminated, administrators disable the account once in the directory, and the user loses access to every application that authenticates against it

One caveat: a change in the directory takes effect at the next authentication or authorization check. Sessions and tokens that were issued before the change remain usable until they expire or are explicitly revoked, so short token lifetimes and session revocation are part of effective de-provisioning.

Without a central directory, organizations would need to manually update policies and access rights in every individual application, a process that is time-consuming, error-prone, and leaves forgotten accounts with stale access.

Single Sign-On (SSO): Seamless Access Across Applications

Single Sign-On (SSO) lets a user log in once and then access many applications without re-entering credentials for each one. Without SSO, a user might need to log into their email, then their customer relationship management system, then their project management tool, entering their password three separate times. With SSO, the user logs in once, and the identity system grants them access to all three applications.

Benefits of Single Sign-On

For Users: SSO improves usability by reducing the friction of repeated logins.
Users can focus on their work rather than managing multiple credentials.

For Security: While SSO makes access easier, security controls are maintained by:
- Keeping authentication mechanisms (like multi-factor authentication) in place
- Centralizing credential validation in the identity system rather than scattering it across applications
- Enabling faster response to security incidents: if credentials are compromised, an administrator can disable access through a single change in the central directory

SSO also concentrates risk: the identity provider account becomes the key to every connected application, which is why it deserves the strongest authentication available.

Multi-Factor Authentication (MFA): Defense in Depth

Multi-Factor Authentication (MFA) requires users to provide multiple independent proofs of identity. Rather than relying on a password alone, MFA typically combines:
- Something the user knows (password)
- Something the user has (phone, security key, or authenticator app)
- Something the user is (biometric, such as fingerprint or face)

For example, a user might enter their password (something they know) and then approve a login request on their phone via an authenticator app (something they have).

Why MFA Is Critical for Security

A password alone is vulnerable because it can be:
- Guessed if weak
- Compromised through phishing or data breaches
- Stolen through keyloggers or shoulder surfing

MFA dramatically reduces the risk of compromised accounts because an attacker would need to obtain multiple independent factors. If a password is breached, the attacker still cannot access the account without the second factor. The factors are not all equal, however: one-time codes and push approvals can be captured by a real-time phishing site or worn down by repeated push prompts, whereas phishing-resistant factors such as FIDO2/WebAuthn security keys bind the authentication to the legitimate site. Organizations typically require MFA for:
- Administrative accounts with high-level privileges
- Sensitive roles (finance, human resources)
- Remote access and cloud applications
- Users with access to regulated data

Identity Federation: Trusting Identities Across Organizational Boundaries

Identity Federation enables a user's identity from one domain to be trusted and used by another domain. This is essential for scenarios where organizations need to grant access to external partners, contractors, or customers.
For example, imagine two companies merging. Rather than creating duplicate user accounts in each company's directory, identity federation allows the companies to trust each other's identities. A user authenticated by Company A's directory can be granted access to Company B's applications.

Standards for Identity Federation

Two main standards enable identity federation:

Security Assertion Markup Language (SAML) is an XML-based standard that allows organizations to exchange authentication and authorization information. One organization (the identity provider) issues a digitally signed assertion that a user is authenticated, and another organization (the service provider) verifies the signature and trusts the assertion.

OpenID Connect (OIDC) is a modern standard built on top of OAuth 2.0 that provides authentication and basic identity information in the form of a signed ID token. OpenID Connect is commonly used with web and mobile applications.

Both standards follow the same principle: one trusted organization vouches for a user's identity, allowing other organizations to grant access without requiring a separate login. In both, the receiving side must verify the signature, the issuer, the intended audience, and the validity period of what it receives; accepting an unverified assertion would let anyone forge an identity.
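The federation principle above, as an added example that is not code from the page: one side (the identity provider) issues a signed identity assertion in the shape of an OpenID Connect ID token, and the other side (the service provider, or relying party) refuses to act on it until the signature, issuer, audience and expiry all check out. To stay self-contained the token is signed with HMAC-SHA256 (JWT "HS256") under a shared secret; a real OIDC provider signs with an asymmetric key published at its JWKS endpoint and the relying party verifies with the public key, but the claim checks are the same. The issuer URL, client ID, roles and the "finance staff must use MFA" policy are hypothetical, and the policy is enforced from the token's amr (authentication methods) claim.

```python
"""Identity provider issues a signed ID-token-style assertion; the service
provider verifies it and applies policy. Added example: HS256 with a shared
secret stands in for the IdP's asymmetric key; names and policy are hypothetical."""
import base64
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.company-a.example"      # hypothetical identity provider
SP_CLIENT_ID = "company-b-expense-app"            # hypothetical service provider
SHARED_SECRET = b"demo-shared-secret-not-for-production"
MFA_REQUIRED_ROLES = {"finance"}                  # hypothetical directory policy


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, roles: list, amr: list, now: int, ttl: int = 300) -> str:
    """Identity provider side: assert who the user is and sign the assertion."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": SP_CLIENT_ID,
              "iat": now, "exp": now + ttl, "roles": roles, "amr": amr}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> tuple:
    """Service provider side. Returns (True, claims) or (False, reason)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:                 # covers bad split, bad base64, bad JSON
        return False, "malformed"
    # 1. Pin the algorithm; never let the token pick it ("alg": "none").
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # 2. Signature first: no claim is trusted before this passes.
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    # 3. Only our trusted IdP, and only tokens minted for this application.
    if claims.get("iss") != IDP_ISSUER:
        return False, "untrusted issuer"
    if claims.get("aud") != SP_CLIENT_ID:
        return False, "wrong audience"
    # 4. Validity period: a de-provisioned user keeps access until this runs out.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    # 5. Policy: roles in MFA_REQUIRED_ROLES must have authenticated with MFA.
    if set(claims.get("roles", [])) & MFA_REQUIRED_ROLES and "mfa" not in claims.get("amr", []):
        return False, "mfa required for role"
    return True, claims


if __name__ == "__main__":
    now = 1_700_000_000                # constructed timestamp for the demo
    token = issue_token("jane@company-a.example", ["finance"], ["pwd", "mfa"], now)
    print(verify_token(token, now + 10))
    print(verify_token(token, now + 600))   # past exp
```

The order of the checks is deliberate: the signature is verified before any claim is read, because a forged issuer or audience is exactly what an attacker would put in an unsigned token.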
Flashcards
What is the primary purpose of Authentication?
To verify a user’s claimed identity.
What does the process of Authorization determine for a user?
What resources the authenticated user is permitted to access.
When does Provisioning automatically create a user account?
When employees join the organization.
What action does Provisioning take when an employee changes roles?
Automatically updates the user account.
What is the automated result of De‑provisioning when an employee leaves?
The user account is disabled.
What specific information is recorded during the Auditing process?
Who accessed what resources and when the access occurred.
What is the purpose of Reporting in the context of identity systems?
To support security reviews and compliance requirements.
How does a Central Directory impact the revocation of access?
It enables rapid revocation when a user leaves the organization.
What is the core functionality of Single Sign‑On?
Allowing a user to log in once to access many applications without re‑entering credentials.
How does Multi‑Factor Authentication verify a user beyond a basic password?
By requiring something the user has or something the user is.
What is the defining characteristic of Identity Federation?
It enables a user's identity from one domain to be trusted by another domain.

Quiz

What is the primary purpose of identity management in an organization?
Key Concepts
Identity and Access Management
Identity Management
Authentication
Authorization
Single Sign‑On (SSO)
Multi‑Factor Authentication (MFA)
Identity Federation
Central Directory
Azure Active Directory (Microsoft Entra ID)
Protocols and Standards
Lightweight Directory Access Protocol (LDAP)
Security Assertion Markup Language (SAML)
OpenID Connect