This article explains a new concept in Identity Management called the Identity Bridge. Identity Management is now also provided as a cloud service, known as Identity as a Service (IDaaS), and the Identity Bridge is a technology used in IDaaS solutions.
Need of Identity Bridge -
Enterprise organizations already have existing user stores holding their identities. A new architectural component is needed to manage the flow of identity information between cooperating organizations.
Enterprise identity stores and cloud identity stores are two mutually exclusive services that do not communicate, forcing organizations to spend double the time managing and aligning two disparate data sources.
Challenges -
Most companies have on-premises IAM solutions, which makes it difficult for software-as-a-service (SaaS) providers to offer them hosted services. Organizations want to use their on-premises Active Directory asset to manage cloud applications. There are two challenges in integrating with the organization's Active Directory to make identity management simple and secure. First, employees must be provisioned into the SaaS application at administration time. Second, the business must authenticate employees and securely transition users from their enterprise login into the SaaS session at runtime.
Moving identity management to the cloud involves risks around auditing, ensuring regulatory compliance, and what happens if disclosures occur. There is no insight into how identity is managed in the cloud. Identity management processes that were previously behind a firewall, and most likely always inside the network, become exposed to the Internet via IDaaS.
What is an Identity Bridge?
An Identity Bridge is a communication medium between the enterprise identity store and the cloud identity store. It is introduced to securely extend corporate identity beyond the company firewall so users can seamlessly log on to cloud services, while the enterprise keeps control over their access. It allows identities to be managed for the adoption of and transition to cloud services while leveraging current investment in identity and access management technologies.
The Identity Bridge accelerates cloud service adoption by automating the addition of new users and streamlining the onboarding process.
The Identity Bridge is a new, emerging technology in IDaaS, where identity is managed by third-party resources. Outsourcing the most critical function of the business to a third party is not secure. Instead, the Identity Bridge is an on-premises appliance that can be hosted in the cloud, on the enterprise premises, or at the service provider. It is a new customizable on-premises appliance offered to cloud service providers to seamlessly integrate the user identities of their enterprise customers with the cloud services.
Identity Bridge Services -
Federation -
Identity federation provides secure authentication for cloud services. The Identity Bridge offers both IdP and SP federation. It transforms security tokens from a standard accepted in one realm (e.g., Kerberos tickets in an AD environment) to a standard accepted in another realm (e.g., SAML tokens in a web service environment or OAuth tokens in a mobile environment). It provides federated single sign-on to recognize users across company systems, and real-time synchronization of user identities, making end-to-end user management across enterprise, cloud, and mobile environments instantaneous.
Directory synchronization -
It provides various features for user synchronization between two disparate entities. Identity synchronization is done from the identity provider (e.g., the company's AD implementation) to the service provider (the target cloud service) to ensure that changes made at the identity provider, such as disabling an account, are immediately replicated to the service provider.
Just-in-Time (JIT) provisioning -
JIT provisioning ensures an account is created at the service provider only when a user first attempts to access the service. Note, however, that JIT provisioning covers only the creation of the account.
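As an added illustration (not code from the article or from any of the products it names), this Python sketch models the directory synchronization and JIT provisioning services described above. The users are constructed sample data and a plain dict stands in for the service provider's user store; it shows why JIT alone leaves a disabled user's cloud account in place until synchronization runs.

```python
class EnterpriseDirectory:
    """Stand-in for the on-premises identity store (e.g. AD); holds constructed sample users."""
    def __init__(self, users):
        self.users = {name: {"email": email, "enabled": True} for name, email in users}

    def disable(self, username):
        self.users[username]["enabled"] = False


class IdentityBridge:
    """Bridge between the directory and a SaaS user store (a plain dict standing in for the SP)."""
    def __init__(self, directory):
        self.directory = directory
        self.sp_accounts = {}   # the service provider only knows accounts the bridge created

    def login(self, username):
        """Runtime path: authenticate against the directory and JIT-create the SP account on first access."""
        src = self.directory.users.get(username)
        if src is None or not src["enabled"]:
            return "denied"
        if username not in self.sp_accounts:
            self.sp_accounts[username] = {"email": src["email"], "enabled": True}
            return "provisioned"
        return "allowed"

    def sync(self):
        """Directory synchronization: replicate enable/disable state to accounts the SP already holds.
        A user deleted from the directory is treated as disabled. Returns the usernames changed."""
        changed = []
        for name, acct in self.sp_accounts.items():
            src = self.directory.users.get(name)
            desired = src is not None and src["enabled"]
            if acct["enabled"] != desired:
                acct["enabled"] = desired
                changed.append(name)
        return changed


def run_demo():
    """First access, an upstream disable, then a sync; returns what was observed at each step."""
    directory = EnterpriseDirectory([("alice", "alice@example.com"), ("bob", "bob@example.com")])
    bridge = IdentityBridge(directory)
    first = bridge.login("alice")                 # no SP account yet -> JIT creates it
    second = bridge.login("alice")                # account exists -> plain access
    bridge.login("bob")
    directory.disable("bob")                      # account disabled in AD ...
    stale = bridge.sp_accounts["bob"]["enabled"]  # ... but JIT never revisits an existing SP account
    changed = bridge.sync()                       # directory sync replicates the disable
    return {"first": first, "second": second, "stale": stale, "changed": changed,
            "after": bridge.sp_accounts["bob"]["enabled"], "bob_login": bridge.login("bob")}
```

The `stale` value is the practical reason the article pairs JIT provisioning with directory synchronization: only the sync step deactivates accounts at the service provider.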
Authorization (AuthZ) services -
These determine who can access which services.
Password vaulting -
Software as a Service (SaaS) providers are not set up to support federation. Instead, they rely on a user ID and password being entered to authenticate users to their service. Password vaulting stores a user's credentials in the identity service and replays them to the SaaS website as if the user were logging on directly.
Provisioning -
User provisioning refers to the creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes.
Auditing and Reporting -
Provides an audit trail of user activity, such as user and group authentication data and federation events across enterprise, cloud and mobile environments, to meet compliance reporting requirements.
In addition, the bridge leverages caching, automation and transformation to ensure efficient use of information and resources.
Identity Bridge Use Cases
To the Cloud -
Organizations that want to extend their existing identity management processes to manage users in SaaS or partner applications. E.g., larger established companies which have significant on-premises IT infrastructure.
In the Cloud -
Organizations that want off-premises identity management solutions for users and applications in the cloud. E.g., smaller organizations whose core IT functions are delivered via SaaS applications, or larger organizations for a specific user population.
From the Cloud -
Organizations that want to leverage off-premises IDaaS for on-premises identities and applications. Many organizations aren't comfortable yet with storing user information in an IDaaS application, so a hybrid solution stores user information on-premises.
Examples -
McAfee CloudSSO Identity Bridge
ForgeRock Bridge
Ping IdentityBridge