Identity and Access Management - Reference Scenario
The picture above shows the technologies involved in a complete IAM solution:
- Identity Store (such as RDBMS, LDAP, Active Directory, meta- and virtual-directories): the repository for account data
- Provisioning Engine: synchronizes account data across identity stores and a broad range of data formats, models, meanings and purposes
- Access Manager: access mediator to all applications, focused on the application front-end, taking care of authentication (Single Sign-On), authorization (OAuth, XACML) and federation (SAML, OpenID Connect)
As you can notice, Apache Syncope is primarily a provisioning engine.
Aren't Identity Stores enough?
One might suppose that a single identity store can solve all the identity needs inside an organization, but a few drawbacks are just around the corner:
- Heterogeneity of systems
- Lack of a single source of information (HR for corporate id, Groupware for mail address, ...)
- Often applications require a local user database
- Inconsistent policies across the infrastructure
- Lack of workflow management
- Hidden infrastructure management cost, growing with organization
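As an added illustration of what a provisioning engine does in this scenario (example code written for this page, not part of Apache Syncope or of the original text): it joins two authoritative sources that each own part of the identity (HR for the corporate id, Groupware for the mail address), maps the result onto an application's local user database with its own attribute names, and computes the create/update/suspend operations needed to keep that database consistent. All records, names and addresses are constructed sample data.

```python
# Constructed sample data: HR is authoritative for the corporate identity,
# Groupware only for the mail address (the split described on the page).
HR = [
    {"employee_id": "E100", "given": "Ada", "family": "Lovelace", "dept": "R&D", "status": "active"},
    {"employee_id": "E101", "given": "Alan", "family": "Turing", "dept": "R&D", "status": "active"},
    {"employee_id": "E102", "given": "Grace", "family": "Hopper", "dept": "Ops", "status": "terminated"},
]
GROUPWARE_MAIL = {"E100": "ada@example.org", "E101": "alan@example.org", "E102": "grace@example.org"}

# Constructed target: an application's local user table, keyed by the app's own
# username and using the app's own attribute names (a different data model).
APP_USERS = {
    "alovelace": {"mail": "ada@old.example.org", "department": "R&D", "enabled": True},
    "ghopper": {"mail": "grace@example.org", "department": "Ops", "enabled": True},
    "svc_legacy": {"mail": "", "department": "IT", "enabled": True},  # no owner in HR
}

def merge_sources(hr, mail_by_id):
    """Join the two authoritative sources into one identity per employee id."""
    return {rec["employee_id"]: {**rec, "mail": mail_by_id.get(rec["employee_id"], "")}
            for rec in hr}

def map_to_app(identity):
    """Attribute mapping from the central model to the application's model."""
    username = (identity["given"][0] + identity["family"]).lower()
    return username, {"mail": identity["mail"], "department": identity["dept"], "enabled": True}

def reconcile(identities, app_users):
    """Compute the operations that bring app_users in line with the sources.
    Accounts without an active owner are suspended, not deleted, so the
    change stays reversible and the audit trail is preserved."""
    ops, owned = [], set()
    for ident in identities.values():
        username, desired = map_to_app(ident)
        owned.add(username)
        current = app_users.get(username)
        if ident["status"] != "active":
            if current is not None and current["enabled"]:
                ops.append(("suspend", username))
        elif current is None:
            ops.append(("create", username, desired))
        elif current != desired:
            changed = {k: v for k, v in desired.items() if current.get(k) != v}
            ops.append(("update", username, changed))
    # Orphans: accounts present in the application but in no identity source.
    for username, attrs in app_users.items():
        if username not in owned and attrs["enabled"]:
            ops.append(("suspend", username))
    return sorted(ops, key=lambda op: (op[0], op[1]))

if __name__ == "__main__":
    for op in reconcile(merge_sources(HR, GROUPWARE_MAIL), APP_USERS):
        print(op)
```

Running it yields one create (the new hire), one update (a stale mail address corrected from the Groupware source), and two suspensions (a terminated employee and an orphaned account no source vouches for).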