DAASI International offers comprehensive services in the field of federated Identity & Access Management (IAM). To understand federated IAM in its full complexity and to get a first impression, this page provides you with fundamental information about the three individual components: Identity Management, Access Management and Federations.
What is Identity Management?
Identity Management (IdM) are IT systems and applications that administrate information about the identities of users – if required, completely automatized.
Complexity and risk without Identity Management
You know one or more of the following problems?
- It takes very long until a new employee gets his or her own e-mail account.
- A former employee still has access to your systems.
- You have to remember several passwords for every application or service.
- There are no or only inconvenient processes for creating a user account.
- The system administration or helpdesk is overextended by the administration of the many user accounts (e.g. setting new passwords etc.)
Conventional user management stores user accounts and staff data redundantly in different databases and applications, which leads to additional administrative expense.
If a new employee (in our example Mrs. Smith) arrives in an organization without an Identity Management system, she has to contact a number of different administrative staff members or admins to be registered into various data bases and to get new accounts and access to certain resources.
If an information of Mrs. Smith changes, e.g. her position, name or address, she has to contact all admins again. When Mrs. Smith leaves the organization, all concerned staff members will have to change the respective access rights immediately to prevent security risks.
In summary, missing Identity Management leads to
- much more administration expense (and thus, more costs),
- redundant and inconsistent amount of data and
- risks in security and data privacy.
More efficiency and security with Identity Management
Identity Management uses several technologies to automatically synchronize the individual systems and databases. This often happens by a central database that is administrated in a directory service (in this case called metadirectory).
With a metadirectory, the data only have to be entered and administered in one place. The metadirectory automatically updates and synchronizes the data among all connected databases and target systems.
In this way, Mrs. Smith can conveniently have her data changed at a helpdesk or by the HR staff. When she is leaving the organization, some clicks are enough to securely delete her data and access rights.
Advantages: In short, Identity Management helps to
- reduce administration expense and costs and increase efficiency
Time is money. Due to optimized workflows the effectiveness of your staff will be increased, time will be saved, and thus costs will be reduced.
- establish consistent data and data structures, and ensure a high level of security and data privacy
Administrating data at a central place will ensure clear structures and up-to-date data. Therefore, possible (addressing) errors will be prevented, the understanding of your systems will be facilitated, and storage capacity will be deallocated.
- increase Employee satisfaction
Your administrative staff will be relieved by automatic and clear processes. Additionally, your employees will be thankful that they only have to approach a central office, if accounts are created quickly and automatically, and if they only have to login once a day to access all necessary services.
Identity Management is recommended to all organizations that work with many identity information: universities, authorities, institutions, large-scale and midsize companies etc.
Depending on the organization, identities are for example employees, members, guests, customers, students, or in the case of Internet of Things (IoT) and Industry 4.0 every ‘thing’ that communicates via the network.
DAASI International is experienced in working together with all organizational forms and in flexibly integrating Identity Management systems into various IT structures.
What is Access Management?
The term Access Management comprises IT systems that administrate access to resources of all kind. Thus, Access Management is an electronically processed access control for data, computational power, software services or applications.
Access Management from an organizational perspective
Besides a technical implementation, organizational considerations are decisive for a successful Access Management: security relevancies and regulations, responsibilities, role concepts, data privacy etc.
Therefore, following rules should be established:
- Who has,
- to what resources,
- what access
- under which circumstances.
It has to be defined, which person or identity has access and how he or she can authenticate him- or herself.
A user is assigned with certain attributes, group memberships or roles, that enable him or her the respective digital (access) rights.
Different secure methods are suitable for the authentication, e.g. passwords, X.509 certificates, hardware or SMS tokens, biometric procedures or independent values like IP addresses or IP ranges.
2. Which resources?
The possibilities of Access Management are diverse and refer to…
- … digital resources, like data, directories, software services, applications, databases etc.
- … physical resources, like electronically secured doors, computers, hard-disc drives etc.
3. What access?
The potential access method is depending on the resource. Basically, there are different
- rights, like reading or writing permissions, and
- authorizations to run different operations, e.g. creating or deleting a user, or opening an electronically secured door.
4. Under which circumstances?
These rules determine further restrictions of the access rights, for example:
- Access is only possible on working days between 8 am and 6 pm.
- Access on a (text) resource is only possible, if the release date was more than 70 years ago.
- Access on an application resource (saved as an object) is only possible, if the user has not both the roles application approver and application filer (separation of duty).
- Access to the server room is only possible, if the system has not noticed a fire alarm.
Access Management from a technical perspective
What are Federations?
A federation in the IT is an incorporation of organizations based on trust. Every organization keeps its own structure, while certain accounts, services and resources are shared with the partnered organization.
Characteristics of a federation
If two or more organizations decide to establish a federation, it is important to understand and consider following aspects:
- Every individual organization has its own internal structure.
- The organizations occupy a position of trust, secured by contracts.
- The participating organizations agree upon standards for the data sharing.
- A central position is monitoring the compliance of the standards and and, if applicable, the creation of positions of trusts by the administration of contracts and lists of federation members and certificates of involved servers.
The technical aspect: Authentication and Authorization Infrastructures
In technical terms, an IT federation is a cross-organizational Authentication and Authorization Infrastructure (AAI).
An AAI enables users the access to services and resources of several organizations without the need to create an account for each of these organizations. The user authenticates him- or herself at his or her home organization.
A good solution for a secure authentication of the users is the OASIS standard SAML (Security Assertion Markup Language). DAASI International implements SAML with the open source technologies Shibboleth and SimpleSAMLphp, which make it possible that a user has to login only once per day to authenticate him- or herself for all connected services (called Single Sign-On). Besides SAML, DAASI International also integrates other protocols and modern AAI technologies like OpenID Connect and OAuth2.
The user data arrive from the home organization to the resource provider via secure communication channels, i.e. encrypted and signed.
The biggest German IT federation is the AAI of the ‘Deutsches Forschungsnetz’ (German Research Network): DFN-AAI. DAASI International is experienced in connecting various customers to the DFN-AAI and will gladly help you in case of questions.
Learn more about the service spectrum DAASI International has to offer in the fields of Federated Identity & Access Management.
What is Federated Identity & Access Management?
Federated Identity & Access Management (FIAM) unites all three above mentioned disciplines.
The (automatized) administration of identities (Identity Management) is assisted by the security sensitive technologies of Access Management – and if requested, all that among the IT structures of several organizations (Federation).
Federated Identity Management is recommended, if...
- … users from Organization A should have access to resources from Organization B.
- … Organization B therefore does not want to create and administrate new accounts to prevent additional effort.
- … it is suffice for Organization B to have an assurance that the users are members of Organization A.
Smooth and productive cooperation will be made possible.
Federated Identity & Access Management is able to prevent the insecurities, frictions or contractual gaps that can appear if two or more organizations work together, and can lead to following virtues:
- Regulated structures – Uncertainty regarding the further procedures can be a major obstacle at the development of a federation. A clear (legal) structure and process definition will regulate all next steps and standards among the organizations.
- Relationship of trust – Agreed rights management facilitates that the cooperation partners can trust each other without worries, and thus can concentrate on the productive aspects of the collaboration.
- Simplification for all employees – Because the organizations keep their own IT structures, your employees do not have to be introduced to new IT systems. Additionally, they do not need to memorize further logins and passwords, because they authenticate themselves with the accounts of their home organization. So there are no reasons for your employees to disagree with the (legal and technical aspects of the) federation.
DAASI International will help you to establish a (federated) Identity & Access Management system.
DAASI International is an expert for lasting Identity & Access Management systems, and helps you to
- establish a new and strong IAM system in your organization.
- improve, extend and optimize your existing IAM system.
- solve problems or prevent them by monitoring as a reliable support partner.
- increase security and privacy protection in your organization.
- build a federation together with other organizations.
- integrate your organization into an already existing federation.
- train you and your employees in IAM.
Besides open source technologies like Shibboleth, SAML and OpenLDAP, DAASI International uses her own developed software suite didmos. Consisting of five flexible modules, didmos connects state-of-the-art open source technologies of Identity & Access Management to a strong software package, that can fully be adapted to all your needs and IT structures. Learn more about didmos here.
DAASI International works for customers from the fields of research, economy and administration, i.e. universities, research institutes, large- and medium-sized companies as well as authorities. You can find an overview of the customers of DAASI International here. If you would like to get more information about the services of DAASI International, take a look here.