Monday 18 November 2013

Identity Bridge

This article explains a new concept in Identity Management called the Identity Bridge.
Identity Management is now also offered as a cloud service, known as Identity-as-a-Service (IDaaS).
The Identity Bridge is the technology used within an IDaaS solution to connect it to the enterprise.

Need for an Identity Bridge -

Enterprise organizations already have existing user stores holding their identities. A new architectural component is needed to manage the flow of identity information between cooperating organizations.
Enterprise identity stores and cloud identity stores are two mutually exclusive services that do not communicate, forcing organizations to spend double the time managing and aligning two disparate data sources.


Challenges -

Most companies have on-premises IAM solutions, which makes integration difficult for software-as-a-service (SaaS) providers offering hosted services.

Organizations want to utilize their on-premises Active Directory asset to manage cloud applications. There are two challenges when integrating with an organization's Active Directory to make identity management simple and secure:
  1. Employees must be provisioned into the SaaS application at administration time.
  2. The business must authenticate employees and securely transition users from their enterprise login into the SaaS session at runtime.

Moving identity management to the cloud brings risks around auditing, ensuring regulatory compliance, and what happens if disclosures occur. There is no insight into how identity is managed in the cloud.
Identity management processes that were previously behind a firewall, and almost always inside the network, become exposed to the Internet via IDaaS.

What is an Identity Bridge?

An Identity Bridge is a communication medium between the enterprise identity store and the cloud identity store. It is introduced to securely extend corporate identity beyond the company firewall so that users can seamlessly log on to cloud services, while the company keeps control over their access. It allows identities to be managed for the adoption of, and transition to, cloud services while leveraging the current investment in identity and access management technologies.
The Identity Bridge accelerates cloud service adoption by automating the addition of new users and streamlining the onboarding process.

The Identity Bridge is a new, emerging technology in IDaaS, where identity is managed by third-party resources. Outsourcing the most critical function of the business to a third party is not secure. The Identity Bridge is an on-premises appliance that can be hosted in the cloud, on the enterprise premises or at the service provider. It is a new customizable on-premises appliance offered to cloud service providers to seamlessly integrate the user identities of their enterprise customers with the cloud services.

Identity Bridge Services - 

Federation -

Identity federation provides secure authentication for cloud services. The Identity Bridge offers both IdP and SP federation. It transforms security tokens from a standard accepted in one realm (e.g., Kerberos tickets in an AD environment) to a standard accepted in another realm (e.g., SAML tokens in a web service environment or OAuth tokens in a mobile environment). It also provides federated single sign-on to recognize users across company systems, and real-time synchronization of user identities, making end-to-end user management across enterprise, cloud and mobile environments instantaneous.
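The token transformation described above, as an added example that is not part of the original post: a bridge-side issue_token() takes an enterprise principal that has already authenticated on-premises (the Kerberos step is assumed to have happened and is not modelled) and turns it into a signed bearer token for the cloud realm, and a service-provider-side verify_token() accepts it only if the signature, issuer, audience and validity window all check out. The shared HMAC key, issuer URL and audience URL are constructed placeholders; a real bridge would emit a SAML assertion or a JWT signed with an asymmetric key, but the checks the SP has to perform are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: a key the bridge and the cloud service are assumed
# to have exchanged out of band, plus the two realm identifiers.
BRIDGE_SIGNING_KEY = b"example-shared-secret-do-not-use"
BRIDGE_ISSUER = "https://bridge.corp.example"
SP_AUDIENCE = "https://sp.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(enterprise_principal: str, groups, now=None, ttl=300) -> str:
    """Bridge side: after on-premises authentication of e.g. jdoe@CORP.EXAMPLE,
    carry the principal and group memberships into a short-lived token that the
    cloud realm understands. Only the identity is carried forward, never the
    Kerberos ticket or any password."""
    now = int(time.time()) if now is None else now
    user, _, realm = enterprise_principal.partition("@")
    claims = {
        "iss": BRIDGE_ISSUER,      # who vouches for the identity
        "aud": SP_AUDIENCE,        # which cloud service may consume it
        "sub": user,
        "realm": realm,
        "groups": sorted(groups),
        "iat": now,
        "exp": now + ttl,          # short lifetime limits replay
    }
    body = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(BRIDGE_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Service provider side: return the claims if the token is genuine, meant
    for this service and currently valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(BRIDGE_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))
    if claims.get("iss") != BRIDGE_ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != SP_AUDIENCE:
        raise ValueError("token not intended for this service")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("token expired or not yet valid")
    return claims


if __name__ == "__main__":
    tok = issue_token("jdoe@CORP.EXAMPLE", ["sales", "vpn-users"], now=1_000_000)
    print(verify_token(tok, now=1_000_100))
```

The audience check is the one most often skipped in home-grown federation: without it a token issued for one cloud service can be replayed against another that trusts the same bridge.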

Directory synchronization – 

It provides various features for syncing users between two disparate entities. Identity synchronization is done from the identity provider (e.g., the company's AD implementation) to the service provider (the target cloud service) to ensure that changes made at the identity provider, such as disabling an account, are immediately replicated to the service provider.

Just-in-Time(JIT) provisioning -

JIT provisioning ensures an account is created at the service provider only when a user first attempts to access the service. Note, however, that JIT provisioning covers only the creation of the account.
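The directory synchronization and JIT provisioning services above, in one added example that is not part of the original post. CloudServiceProvider is a constructed in-memory stand-in for the target cloud service's user store; jit_provision() creates an account on the first federated login and reuses it afterwards, and sync_directory() replicates state from a constructed snapshot of the identity provider (the post's AD example). The walk-through in demo() shows the point the post makes about JIT covering only creation: a user disabled in the directory can still log in at the SP until a synchronization pass replicates the change.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    enabled: bool = True


@dataclass
class CloudServiceProvider:
    """Constructed stand-in for the cloud service's user store."""
    accounts: dict = field(default_factory=dict)

    def jit_provision(self, assertion: dict) -> Account:
        """Create the account the first time a federated assertion for this
        user arrives; later logins reuse it. Nothing here ever updates,
        disables or deletes an account, which is exactly the JIT limitation."""
        acct = self.accounts.get(assertion["username"])
        if acct is None:
            acct = Account(assertion["username"], assertion["email"])
            self.accounts[acct.username] = acct
        return acct

    def can_login(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.enabled


def sync_directory(idp_users: dict, sp: CloudServiceProvider) -> dict:
    """One synchronization pass from the identity provider snapshot
    (username -> {"email", "enabled"}) to the service provider. Returns a
    summary of what changed so the run can be audited."""
    summary = {"created": [], "updated": [], "disabled": [], "enabled": []}
    for username, src in idp_users.items():
        acct = sp.accounts.get(username)
        if acct is None:
            sp.accounts[username] = Account(username, src["email"], src["enabled"])
            summary["created"].append(username)
            continue
        if acct.email != src["email"]:
            acct.email = src["email"]
            summary["updated"].append(username)
        if acct.enabled != src["enabled"]:
            acct.enabled = src["enabled"]
            summary["enabled" if src["enabled"] else "disabled"].append(username)
    # Accounts that exist only at the SP (for instance JIT-created, then removed
    # from the directory) are disabled rather than deleted so that their audit
    # history survives.
    for username, acct in sp.accounts.items():
        if username not in idp_users and acct.enabled:
            acct.enabled = False
            summary["disabled"].append(username)
    return summary


def demo() -> dict:
    """Constructed walk-through: jdoe is JIT-provisioned on first login, is then
    disabled in AD, and only the sync pass closes the door at the SP."""
    sp = CloudServiceProvider()
    sp.jit_provision({"username": "jdoe", "email": "jdoe@corp.example"})
    directory = {
        "jdoe": {"email": "jdoe@corp.example", "enabled": False},
        "asmith": {"email": "asmith@corp.example", "enabled": True},
    }
    before = sp.can_login("jdoe")        # True: JIT alone never revokes
    summary = sync_directory(directory, sp)
    after = sp.can_login("jdoe")         # False once the disable is replicated
    return {"before_sync": before, "after_sync": after, "summary": summary}


if __name__ == "__main__":
    print(demo())
```

The gap between before_sync and after_sync is the window an attacker with a leaver's credentials gets when a deployment relies on JIT provisioning without directory synchronization, which is why the post pairs the two services.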

Authorization (AuthZ) services -

They determine who can access which services.

Password vaulting -  

Not every Software as a Service (SaaS) provider is set up to support federation. Instead, they rely on a user ID and password being entered to authenticate users to their service. Password vaulting stores a user's credentials in the identity service and replays them to the SaaS website as if the user were logging on directly.

Provisioning -

User provisioning refers to the creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes.

Auditing and Reporting -

Provides an audit trail of user activity, such as user and group authentication data and federation events, across enterprise, cloud and mobile environments to meet compliance reporting requirements.

In addition, the bridge leverages caching, automation and transformation to ensure an efficient use of information and resources.

Identity Bridge Use Cases -

To the Cloud -

Organizations that want to extend their existing identity management processes to manage users in SaaS or partner applications.
E.g., larger established companies that have significant on-premises IT infrastructure.

In the Cloud -

Organizations that want off-premises identity management solutions for users and applications in the cloud.
E.g., smaller organizations whose core IT functions are delivered via SaaS applications, or
larger organizations for a specific user population.

From the Cloud -

Organizations that want to leverage off-premises IDaaS for on-premises identities and applications. Many organizations aren't yet comfortable with storing user information in an IDaaS application, so they use a hybrid solution that stores user information on-premises.

Examples -

McAfee CloudSSO Identity Bridge
ForgeRock Bridge
Ping IdentityBridge 
