Wikipedia says, In computer security, identity and access management (IAM) is the security and business discipline that “enables the right individuals to access the right resources at the right times and for the right reasons“.
The above statement is self explanatory, all our data and information in the cloud and web hosting environments are at stake always, from hackers and the frauds. With Internet of Things (IOT) is expected to bloom, our data are at risk, it will be all over the internet including our personal info. Finding a way or an approach to save or protect our data through set of principles/policies with the help of identity and access management so that they can be accessed by the right users.
Many firms provide their own tools and frameworks to provide security to the data and information that are online, among them, WSO2 Identity Server is one, this post is to give a brief overview of Identity Server and its uses/features.
What does it IAM do?
- Provisions you into the system if you opt for one
- Authenticates you, (Verifies who you are and if you are a part of the system)
- Authorizes you, if you are requesting access to the resource to which you have access to
- Provides secured access to the resources
- Controls efficiently and responds fast in terms of managing and setting permissions
- Protects data from unauthorized access
- Revokes permissions, access and identity once the user is no longer valid in the system
The WSO2 Identity Server decreases the identity management and entitlement management administration burden by including the role-based access control (RBAC) convention, fine-grained policy-based access control, and Single-Sign-On (SSO) bridging.
Service Providers are the ones who provide an entity to the users, through which users enter their credentials to access the system and the request will be sent to the Identity server.
Inbound Authentication components in the identity server receives the request in the form of servlets and is met by the request processor, which are SAML SSO, OAuth, Open ID Connect, WS Federation or Open ID. The inbound authentication component then sends the request to the IN channel of the authentication framework. Then the authentication provider maps the claim in the service provider to the claims in the identity server. The authentication framework sends a request to the local auntenticators to check whether we have opted for username/password or Integrated Windows Authentication (IWA).
It also maps the claims in the identity server with the claims in the external applications like Facebook, google, yahoo, Open Id and etc,. when the authentication selected is federated authentication providers. The federated authenticators then sends the authentication requests to the external applications.
When the authentication is done, the response will be sent to the OUT channel of the authentication framework where the claim mappings happen again. This sense the information from the identity providers to the Provisioning framework.
The provisioning framework ensures that the users in the identity providers are provisioned in the user store of the identity server. The user store can be of LDAP, Active Directory or JDBC.
The response of the authentication framework is then sent to the Response Generator to process the response. The authentication life cycle ends when the response is sent back to the service providers.
Identity provisioning lets us to create, manage and delete the user accounts and their related identities in the system. It helps to provision the users in the identity server or the third party identity providers. The inbound provisioning component connects to the user store manager which has a provisioning listener, which adds the user in the user store of the identity server.
PS : This article is a collection of data from various references and framed as per my understandings.
How to set up Identity server to provision a user will be followed in the next article.