Identity and Access Management - Reference Scenario

(Figure: IAM Scenario)

The picture above shows the technologies involved in a complete IAM solution:

  • Identity Store
    (such as an RDBMS, LDAP, Active Directory, or meta- and virtual directories): the repository for account data
  • Provisioning Engine
    synchronizes account data across identity stores and a broad range of data formats, models, meanings and purposes
  • Access Manager
    the access mediator for all applications, focused on the application front end, taking care of authentication (Single Sign-On), authorization (OAuth, XACML) and federation (SAML, OpenID Connect).

Aren't Identity Stores enough?

One might suppose that a single identity store can solve all the identity needs inside an organization, but a few drawbacks are just around the corner:
  1. Heterogeneity of systems
  2. Lack of a single source of information (HR for corporate id, Groupware for mail address, ...)
  3. Applications often require a local user database
  4. Inconsistent policies across the infrastructure
  5. Lack of workflow management
  6. Hidden infrastructure management cost, growing with the organization
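The following is an added example (not code from the original page or any IAM product) of the core job a Provisioning Engine does in the scenario above: it merges attributes from whichever store is authoritative for each attribute (HR for corporate id and status, Groupware for mail address) and reconciles an application-local user database against that merged view, flagging accounts that are terminated in HR but still enabled locally and local accounts with no identity of record. The store names, attribute names and sample records are constructed assumptions.

```python
# Per-attribute authority: which store is the source of truth for each attribute
# (the "HR for corporate id, Groupware for mail address" situation, assumed here).
AUTHORITY = {"employee_id": "hr", "status": "hr", "mail": "groupware"}

# Constructed sample data standing in for real identity stores.
HR = {
    "alice": {"employee_id": "E100", "status": "active"},
    "bob":   {"employee_id": "E101", "status": "terminated"},
}
GROUPWARE = {
    "alice": {"mail": "alice@example.com"},
    "bob":   {"mail": "bob@example.com"},
    "carol": {"mail": "carol@example.com"},   # no HR record: not an identity of record
}
# Application-local user database (drawback 3): it drifts from the stores over time.
APP_LOCAL = {
    "alice": {"employee_id": "E100", "status": "active", "mail": "alice@old.example.com"},
    "bob":   {"employee_id": "E101", "status": "active", "mail": "bob@example.com"},
    "dave":  {"employee_id": "E999", "status": "active", "mail": "dave@example.com"},
}

def desired_state(stores):
    """Merge each attribute from its authoritative store.
    Only identities known to 'hr' (the identity of record) are provisioned at all."""
    target = {}
    for uid in stores["hr"]:
        target[uid] = {attr: stores[src].get(uid, {}).get(attr)
                       for attr, src in AUTHORITY.items()}
    return target

def reconcile(target, local):
    """Compute the provisioning actions that bring a local user DB in line with target."""
    actions = []
    for uid, attrs in target.items():
        if attrs["status"] != "active":
            if uid in local:
                # Terminated in HR but still present locally: stale access to revoke.
                actions.append(("deprovision", uid))
            continue
        if uid not in local:
            actions.append(("create", uid, attrs))
        else:
            diff = {k: v for k, v in attrs.items() if local[uid].get(k) != v}
            if diff:
                actions.append(("update", uid, diff))
    for uid in local:
        if uid not in target:
            # Local account with no identity of record: review, then remove.
            actions.append(("orphan", uid))
    return actions
```

Running `reconcile(desired_state({"hr": HR, "groupware": GROUPWARE}), APP_LOCAL)` yields an update for alice's mail, a deprovision for bob and an orphan flag for dave; carol is never provisioned because HR does not know her.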