This article will take you to understand IAM (Identity and Access Management)


When I joined a new company, my lead asked us to use IAM for resource management in the redesigned product. What? What is IAM? Excuse my ignorance; I only understood after looking up the relevant material.

  • IAM is not only a product, but also a common basic function in most products (especially B-side products and cloud products).
  • After understanding IAM, you will be more comfortable designing the account system and permission system.

1 Scenarios

Before introducing what IAM is, please think back to whether you have encountered these scenarios.

1.1 As an employee/user: multiple sets of account passwords, repeated registration and login

  • Multiple sets of account passwords: in CRM it is Lao Yang/password 1234, in OA it is Xiao Yang/password 9527. Due to too many accounts, I often forget my account number and password, or simply set the same or simple password.
  • Repeated registration and login: You need to repeatedly enter your account and password to log in to different systems/APPs, or register and apply for approval repeatedly.

1.2 As an enterprise administrator: employee permissions cannot be managed well and employee behavior cannot be tracked

  • Managing employee accounts/permissions is time-consuming and laborious: accounts and permissions in the company's different systems cannot be managed uniformly, so employees end up lacking accounts or holding too many accounts/permissions, and accounts must be opened or withdrawn manually whenever an employee joins, transfers or resigns.
  • Employee behavior cannot be tracked: employee activity is scattered across the various systems in the enterprise, so behavior trails cannot be detected and counted in time, and risky behavior cannot be prevented.

1.3 As a developer: user data is difficult to connect and the wheel is reinvented repeatedly

  • Repeatedly reinventing the wheel: routine, basic functions such as the account system, registration and login, third-party login and user self-service have to be developed again and again.
  • User data is hard to connect: even within one company, the design and definitions of the account system tend to differ between systems, making it hard to link user data across them.

1.4 IAM solution

IAM can solve the above problems very well. For example:

  1. Lao Wang joined a new company, scanned the QR code on corporate WeChat to join the company, filled in relevant information, and joined the back-end group.
  2. Lao Wang turns on his computer, enters the address of the application portal, logs in using his account and password or scans the QR code. In the workbench, he can see Alibaba Cloud, Enterprise WeChat, Gitlab, ZenTao, OA and other applications that he needs to use daily.
  3. Click the application icon to automatically log in to the application and use the automatically authorized functions.
  4. Managers can count employees' login status and usage in the management background.

2 IAM definition: Identity and Access Management

IAM is the abbreviation of Identity and Access Management, which is identity and access management, or identity management and access control.

2.1 Goal: Let the right people and things have the right permissions to access the right resources

IAM mainly aims to achieve one purpose: to allow the right people or things to have the right permissions and access the right resources. Among them, "people or things" are called subjects, and "resources" are called objects.

2.2 Composition: 4A or 5A

2.2.1 Account (Account)

The account is the digital carrier of the user in the system, used to identify the user and access protected resources. Generally, each system will have an account, and the account data structures of different systems are different.

①Problems: identity source, upstream account synchronization, unified identity source, downstream account synchronization

  1. Which accounts/fields represent users? Where are these accounts scattered? (identity source)
  2. How do I (IAM) get these accounts? (upstream account synchronization)
  3. How do I (IAM) associate, map, and use these account data? (unified identity source)
  4. Which systems require these accounts? How do I give them the accounts? (downstream account synchronization)

②Includes: sub-modules & protocols

Account modules generally include the following sub-modules and protocols.

1 Sub-modules: account and user group management, account life cycle management, identity source integration and synchronization
  • Account management: adding, deleting, modifying and querying accounts, enabling and disabling them, resetting passwords, unlocking accounts, etc.
  • Organization/user group management: used to associate users with permissions, reducing the work of assigning permissions one by one.
  • Account life cycle management: manages the entire life cycle of an employee, such as joining, promotion, transfer and resignation.
  • Identity source integration and synchronization: obtain account data from upstream applications, associate, map and convert accounts and fields, and synchronize the result to downstream applications as the user's single standard record.
2 Protocols: AD/LDAP (Lightweight Directory Access Protocol), SCIM (System for Cross-domain Identity Management)
  • AD/LDAP: LDAP (Lightweight Directory Access Protocol) is a protocol for maintaining tree-structured directory information and providing access control. In practice, AD/LDAP usually refers to Windows AD and Linux OpenLDAP: tree-structured databases commonly used within enterprises to manage user data and authenticate users.
  • SCIM: SCIM (System for Cross-domain Identity Management) is a protocol that simplifies the synchronization and management of identity data and is commonly used by public cloud applications.
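As an added example (not code from the article), the reconciliation step of the "identity source integration and synchronization" sub-module described above: upstream HR records are mapped onto a unified identity record and diffed against one downstream application's accounts to produce create/update/disable actions for joiners, movers and leavers, plus orphaned downstream accounts. The field names, record shapes and sample data are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): records from the upstream identity source (HR).
# Each upstream system has its own field names, so IAM maps them onto one unified record.
UPSTREAM_HR = [
    {"emp_no": "E1001", "name": "Lao Wang", "dept": "backend", "status": "active"},
    {"emp_no": "E1002", "name": "Xiao Yang", "dept": "sales", "status": "active"},
    {"emp_no": "E1003", "name": "Lao Li", "dept": "ops", "status": "left"},
]

# Constructed sample data (assumption): accounts currently present in one downstream app,
# keyed by the unified id. E1001 has just joined and has no account yet; E1002 was
# transferred to sales but the app still has the old group; E1003 has resigned.
DOWNSTREAM_APP = {
    "E1002": {"display_name": "Xiao Yang", "group": "marketing", "enabled": True},
    "E1003": {"display_name": "Lao Li", "group": "ops", "enabled": True},
}

# Field mapping from the upstream schema to the unified identity schema.
FIELD_MAP = {"emp_no": "id", "name": "display_name", "dept": "group"}


@dataclass(frozen=True)
class Identity:
    """The unified identity: the single standard record that downstream apps consume."""
    id: str
    display_name: str
    group: str
    active: bool


def to_unified(record: dict) -> Identity:
    """Map and convert one upstream record into the unified identity."""
    mapped = {FIELD_MAP[k]: v for k, v in record.items() if k in FIELD_MAP}
    return Identity(active=(record["status"] == "active"), **mapped)


def plan_sync(upstream: list, downstream: dict) -> list:
    """Diff the identity source against a downstream app and return (action, id, payload)
    tuples. Leavers and orphans are disabled rather than deleted so audit history survives."""
    actions = []
    seen = set()
    for record in upstream:
        ident = to_unified(record)
        seen.add(ident.id)
        desired = {"display_name": ident.display_name, "group": ident.group,
                   "enabled": ident.active}
        current = downstream.get(ident.id)
        if current is None:
            if ident.active:                       # joiner: provision a new account
                actions.append(("create", ident.id, desired))
        elif current != desired:                   # mover (update) or leaver (disable)
            action = "update" if ident.active else "disable"
            actions.append((action, ident.id, desired))
    # Accounts that exist downstream but are unknown to the identity source are orphans,
    # a classic source of lingering access, so they are disabled as well.
    for acct_id, acct in downstream.items():
        if acct_id not in seen and acct["enabled"]:
            actions.append(("disable", acct_id, {**acct, "enabled": False}))
    return actions


def apply_sync(downstream: dict, actions: list) -> dict:
    """Apply the planned actions to a copy of the downstream state (stands in for API calls)."""
    state = {k: dict(v) for k, v in downstream.items()}
    for _action, acct_id, payload in actions:
        state[acct_id] = dict(payload)
    return state


if __name__ == "__main__":
    for action in plan_sync(UPSTREAM_HR, DOWNSTREAM_APP):
        print(action)
```

Running the plan a second time against the synchronized state yields no actions, which is the idempotence a scheduled sync job relies on.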
③Three-household model: customer, user, account

Personally, I think of Account as an "account number". In this article, "account" refers to the "user" in the three-household model, and "user" refers to the "customer" in the three-household model.

The definition of "three households" is as follows, for reference:

1 Customer

Refers to a natural person or legal person. Legal persons are generally called corporate customers; unless otherwise specified, "customer" refers to an individual customer. The business primary key of this object is the document number (for example, the ID card number).

2 User

Refers to the entity that enters the system through registration and uses the services the system provides. It is also called a login account, that is, the user's login credentials and personal information in the system. Correspondingly, a legal-person customer who registers in the system is called a merchant.

3 Account

This refers specifically to the payment account, which refers to the certificate of ownership rights of the funds used by the user for transactions in the payment system.

Customers reflect information in the social domain, users reflect information in the business domain, and accounts reflect information in the financial domain.

2.2.2 Authentication

Authentication in a broad sense is a form of credit guarantee: a third-party certification body recognizes the identity, ability, qualifications, etc. of an organization or individual.

Authentication in the narrow sense means proving "who the subject is". Authentication in IAM refers to the narrow sense, and is most often seen when a subject applies to access resources.

1 Authentication scenarios: SSO at login, jumping to other applications, secondary authentication when accessing sensitive resources

There are three main scenarios in IAM:

  1. Unauthenticated subjects must authenticate: login
  2. Authenticated subjects are authenticated automatically when jumping to other applications: SSO, single sign-on
  3. Authenticated subjects must authenticate a second time when accessing sensitive resources: MFA, multi-factor authentication

2 Authentication methods: password, verification code

Authentication methods are the means by which a subject proves "I am who I say I am". They fall into three main categories: "what I know, what I have, and what I am".
(1) What I know: information known to the subject, such as passwords and security questions.
(2) What I have: items owned by the subject, such as SMS verification codes, digital certificates and OTP tokens.
(3) What I am: biometric characteristics of the subject, such as face, fingerprint and signature.

Authentication methods are closely related to MFA. MFA (Multi-Factor Authentication) means using two or more authentication methods to verify identity, improving account security.

3 Authentication protocols/schemes: Cookie, JWT, SAML, etc.

The authentication protocol is mainly used to transfer user information between users, business systems, and identity authentication services, telling the business system "who this user is."

Mainstream authentication protocols/single sign-on solutions include Cookie, JWT, SAML, CAS, OIDC, etc. There is a lot of information on the Internet, so I won’t go into details here.

Authentication protocols are usually closely related to single sign-on. Single sign-on (SSO) means that in multiple application systems, users only need to log in once to access all mutually trusted application systems.

4 Authentication sources

The authentication source refers to the authentication service provided by a third party when the user logs in to the current system, and the system trusts the authentication results of the third party. For example, using WeChat to log in to an APP uses WeChat as the authentication source.

IAM generally provides different authentication source solutions such as AD/LDAP, Enterprise WeChat/DingTalk, and OA based on the scenario.

2.2.3 Authorization

Authorization is the transfer of power to a user or organization to exercise on the grantor's behalf, giving that user or organization access to resources.

1 Authorization scope (taking the RBAC model as an example, authorization actually involves three things)
  • Operations and objects (also called resources) are packaged as permissions, that is, permissions (PRMS, Permissions) in the diagram, consisting of operations (OPS, Operations) and objects (OBS, Objects).
  • Permissions are assigned to subjects (authorization in the narrow sense), namely Permission Assignment and User Assignment in the diagram.
  • When the subject accesses a resource, a check identifies the subject and determines whether it holds the permission.
[Figure omitted: RBAC model diagram]
2 Permission classification: application, page, operation, data permissions

Permissions are really a packaging of operations and objects, and there are different solutions for different scenarios and requirements.
I habitually divide permissions into the following four types, with control strength and granularity increasing in turn:

  • Application permissions: Control whether a subject can access an application. With permissions, you can access all content of the application. It is the most coarse-grained access control.
  • Page permissions: Control whether page-level elements are visible, including pages, menus, buttons, etc. Good page permissions can generally meet most of the needs within the enterprise.
  • Operation permission: Controls whether the subject can perform a certain operation, such as adding, modifying, deleting, etc. It generally corresponds to an interface and is judged when the subject requests the interface. Page permissions and operation permissions are also collectively referred to as functional permissions.
  • Data permissions: Control the query and display of data. Different subjects see different data, including row permissions and column permissions. If functional permissions control “whether you can”, data permissions control “how much” you have.
3 Permission models: ACL, MAC, RBAC, ABAC

When it comes to authorization, the most talked about is the permission model. However, it should be noted that the permission model is only an idea and solution for allocating permissions. It solves the problem of "how to assign certain permissions to certain subjects", and is not the whole "authorization".

The specific permission model to use needs to be determined based on the scenario and needs. Do not stick to the permission model and ignore the actual business.

The following introduces several common permission models:

  • ACL (Access Control Lists) controls which resources the subject can access by directly associating the subject (user or user group) with permissions (including operations and resources) into a list.
  • DAC (Discretionary Access Control) can be implemented through an ACL or an ACM (access control matrix). Its characteristic is that a subject holding a permission can grant it to, or withdraw it from, other subjects; it is common in operating systems.
  • MAC (Mandatory Access Control), which determines whether the subject can perform relevant operations on the object by marking the subject and object with security (confidentiality levels), is common in the military industry.
  • RBAC (Role Based Access Control) decouples the relationship between subjects and permissions by introducing the concept of "role" and is a common, mature and effective permission model.
  • ABAC (Attribute Based Access Control) performs authorization judgment by dynamically calculating whether an attribute or a group of attributes meets certain conditions. It is often used in public clouds and has different forms in different scenarios.
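As an added example (not code from the article), the three steps of the RBAC authorization scope above, using the names from the diagram (PRMS = OPS x OBS, Permission Assignment, User Assignment), followed by a row-level data permission that decides "how much" after the function permission decides "whether". The roles, users and order rows are constructed assumptions.

```python
from collections import defaultdict


class Rbac:
    """Core RBAC relations: PRMS = OPS x OBS, PA (role -> permissions), UA (user -> roles)."""

    def __init__(self):
        self.prms = set()               # PRMS: every (operation, object) pair that exists
        self.pa = defaultdict(set)      # Permission Assignment: role -> set of permissions
        self.ua = defaultdict(set)      # User Assignment: user -> set of roles

    def define_permission(self, op, obj):
        """Step 1: package an operation and an object into one permission."""
        perm = (op, obj)
        self.prms.add(perm)
        return perm

    def grant(self, role, perm):
        """Step 2a: Permission Assignment. Only defined permissions can be granted."""
        if perm not in self.prms:
            raise ValueError(f"undefined permission {perm}")
        self.pa[role].add(perm)

    def assign(self, user, role):
        """Step 2b: User Assignment."""
        self.ua[user].add(role)

    def revoke_role(self, user, role):
        """Removing one role removes every permission it carried, in one operation."""
        self.ua.get(user, set()).discard(role)

    def permissions_of(self, user):
        """Effective permissions are the union over the user's roles (the decoupling RBAC adds)."""
        perms = set()
        for role in self.ua.get(user, ()):
            perms |= self.pa.get(role, set())
        return perms

    def check(self, user, op, obj):
        """Step 3: the check at request time. Default deny for unknown users or roles."""
        return (op, obj) in self.permissions_of(user)


def visible_orders(rbac, user, user_dept, orders):
    """Data (row) permission: the function permission decides whether the user may read
    orders at all; the department attribute then decides how many rows they see."""
    if rbac.check(user, "read_all", "orders"):
        return list(orders)
    if rbac.check(user, "read", "orders"):
        return [o for o in orders if o["dept"] == user_dept]
    return []


# Constructed sample rows (assumption).
ORDERS = [{"id": 1, "dept": "backend"}, {"id": 2, "dept": "sales"}, {"id": 3, "dept": "backend"}]


def build_demo():
    """Constructed roles and users (assumption) echoing the scenario in section 1.4."""
    rbac = Rbac()
    gitlab = rbac.define_permission("access", "gitlab")        # application permission
    read_orders = rbac.define_permission("read", "orders")     # operation permission
    read_all = rbac.define_permission("read_all", "orders")
    delete_orders = rbac.define_permission("delete", "orders")
    for perm in (gitlab, read_orders):
        rbac.grant("backend_dev", perm)
    for perm in (read_all, delete_orders):
        rbac.grant("finance_admin", perm)
    rbac.assign("lao_wang", "backend_dev")
    rbac.assign("xiao_yang", "finance_admin")
    return rbac
```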
4 Permission verification

The "authorization module" in IAM also includes a "permission verification" part, the counterpart of "assignment" (which is itself often called authorization).

Permission verification checks whether the subject has the authority to access the object. A complete check consists of identity authentication plus an authorization decision.

In most cases, completing identity authentication completes the check, and that part belongs to the "authentication" module (the English word Authentication is also used in this sense).

However, in more complex scenarios, such as ABAC and zero trust, when a subject accesses a resource the policy decision point (PDP) must dynamically calculate, from attributes or policy rules, whether the subject has sufficient permissions, and then release or intercept the access based on the result. This part also belongs to permission verification.
[Figure omitted]
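As an added example (not code from the article), a small policy decision point of the kind described above: it evaluates attribute-based rules over the subject, action, resource and context, and a policy enforcement point releases or intercepts the request based on the result, with no matching rule meaning deny. The attribute names, the rules and the sample subjects and resources are constructed assumptions; the step-up rule ties in the secondary MFA scenario from section 2.2.2.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """One access request as seen by the decision point. Attribute names are assumptions."""
    subject: dict                                   # who: id, department, mfa_level, ...
    action: str                                     # what: read / write / delete
    resource: dict                                  # on what: owner_dept, owner_id, sensitivity
    context: dict = field(default_factory=dict)     # when/where: in_work_hours, ...


# Constructed policy (assumption). Each rule is (name, effect, predicate). Rules are
# evaluated in order and the first match wins, so the deny rules are listed first.
POLICY = [
    ("sensitive-needs-mfa", "deny",
     lambda r: r.resource["sensitivity"] == "high" and r.subject.get("mfa_level", 0) < 2),
    ("sensitive-off-hours", "deny",
     lambda r: r.resource["sensitivity"] == "high" and not r.context.get("in_work_hours", False)),
    ("same-department-read", "permit",
     lambda r: r.action == "read" and r.subject["department"] == r.resource["owner_dept"]),
    ("owner-writes", "permit",
     lambda r: r.action in ("write", "delete") and r.subject["id"] == r.resource["owner_id"]),
]


def decide(req: Request, policy=POLICY):
    """PDP: return (effect, rule name). No matching rule means deny (default deny)."""
    for name, effect, predicate in policy:
        try:
            matched = predicate(req)
        except KeyError:
            # A missing attribute must never turn into a permit: a deny rule that cannot
            # be evaluated is treated as matched, a permit rule as not matched (fail closed).
            matched = effect == "deny"
        if matched:
            return effect, name
    return "deny", "no-matching-rule"


def enforce(req: Request, policy=POLICY) -> bool:
    """PEP: release the request only on an explicit permit, otherwise intercept it."""
    effect, _rule = decide(req, policy)
    return effect == "permit"


# Constructed sample subjects and resources (assumption).
LAO_WANG = {"id": "E1001", "department": "backend", "mfa_level": 1}
DESIGN_DOC = {"owner_dept": "backend", "owner_id": "E1001", "sensitivity": "low"}
SALARY_SHEET = {"owner_dept": "backend", "owner_id": "E1005", "sensitivity": "high"}

if __name__ == "__main__":
    print(decide(Request(LAO_WANG, "read", DESIGN_DOC)))
    print(decide(Request(LAO_WANG, "read", SALARY_SHEET)))
```

The rule name returned alongside the effect is what an audit log should record, so that a later review can tell which policy produced each release or interception.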

2.2.4 Application

  • Application in the narrow sense is just the mapping of a business system in IAM, that is, an APP ID and APP Secret.
  • Broadly speaking, applications are the interacting parties and carriers of the accounts, authentication and authorization discussed above, and generally serve as objects.
1 Pre-integrated application

Because specifications and protocols differ between applications, IAM often pre-integrates some applications, connecting their account, authentication, authorization and other modules in advance so that customers can use them out of the box.

For ordinary users, IAM generally provides a unified application portal (dashboard) that shows all the applications in the enterprise they have permission to use. Users can also add their own applications manually for daily convenience.
[Figure omitted]

2.2.5 Audit: Record user operations and divide different logs according to operations

Audit logs need to record all user operations, including subjects, operations, objects, types, times, locations, results, etc.

According to different dimensions, it can be divided into different operation logs, such as operation logs and login/logout logs, user logs and administrator logs, business system logs and IAM system logs, etc.

Audit-related functions have different requirements for different scales and industries. Generally, foreign countries are stricter and emphasize compliance more than domestic ones.

2.3 Classification

①EIAM: Employee Identity and Access Management (IAM within the enterprise)

EIAM is the abbreviation of Employee Identity and Access Management, which refers to the IAM that manages employees within the enterprise. It mainly solves problems related to the convenience of employee use and the security of enterprise management.

In terms of product form, EIAM has the following characteristics:

  • Need to integrate enterprise cloud applications and local applications
  • Need to integrate different identity sources
  • SSO and MFA are commonly used
  • Different enterprises require different levels of access control
②CIAM: Customer Identity and Access Management (IAM for external users)

CIAM is the abbreviation of Customer Identity and Access Management, which refers to the IAM that manages external customers/users of the enterprise. It mainly solves problems related to the connection of user data and development costs and standardization.

In terms of product form, CIAM has the following characteristics:

  • Commonly seen on the user side are single sign-on and authorized login.
  • Provide common components for developers to use directly
  • More emphasis on high performance and high availability
③Cloud vendor IAM (also called RAM: Resource and Access Management)

Cloud vendors' IAM, sometimes called RAM (Resource and Access Management), refers to the IAM that manages enterprise cloud resources. It is mainly used to manage access control of cloud resources.

In terms of product form, cloud vendor IAM has the following characteristics:

  • Emphasis on authorization flexibility and enterprise management security
  • Supports multiple types of accounts for authentication or being called
  • Generally, they only focus on managing their own cloud resources.

2.4 Open source IAM recommendation

2.4.1 Open Identity Platform

Open Identity Platform is a complete ecosystem of enterprise IAM solutions.

The project consists of several sub-projects:

  • OpenAM: Open Access Management
  • OpenDJ: LDAPv3-compatible directory based on Java technology
  • OpenIG: Open Identity Gateway, a proxy server designed for session management
  • OpenIDM: a libre open identity and access management solution
  • OpenICF (Open Identity Connector Framework): a connector framework that acts as a bridge between identity management and audit/security management

All projects under Open Identity Platform are released under an open source license on GitHub

2.4.2 Keycloak

Keycloak is an identity and access management (IAM) solution sponsored by Red Hat. It is a feature-rich project that is ready for enterprise-level applications.

Keycloak supports SSO "single sign-on", OpenID Connect, OAuth 2.0, SAML 2.0, social media login and other protocols, and supports LDAP and Active Directory. It also supports custom password policies.

Keycloak is designed to add new custom features with the help of experienced developers.

Keycloak is the best solution for managing identities, user permissions, and policies for multiple web and mobile applications simultaneously because it scales extremely well.

2.4.3 Apache Syncope

Apache Syncope is a cross-platform solution for managing enterprise digital identities. Developed in Java and released under the Apache 2.0 license.

Apache Syncope provides complete control over the identity management process, including provisioning, auditing, reporting, management, policy management, password management and password policy management, and also provides a rich REST API.

2.4.4 FusionAuth

FusionAuth is a complete multi-platform IAM solution that provides authentication, authorization and user management, including multiple auditing, reporting and configuration tools.

FusionAuth is an open source project that is free to download, install, and use. It has a supportive community and the number of developers and enterprise users is growing steadily.

FusionAuth supports installation on Linux, macOS, Windows or docker.

FusionAuth offers a commercial support plan for its enterprise version, which includes more enterprise features. FusionAuth Company also offers cloud hosting plans under FusionAuth Cloud, starting at $75/month.

FusionAuth is still updating features every day, such as threat detection.

2.4.5 Aerobase IAM Server

Aerobase as an IAM solution is basically forked from Keycloak and some other open source projects, but adds more features. It builds a new IAM framework to support microservices and extend access control capabilities and privacy governance.

The Aerobase Server feature list includes single sign-on (SSO), social login, two-factor authentication, LDAP and Active Directory support, customizable user interface, identity/access management, and identity brokering.

OpenID Connect, OAuth2.0 and SAML 2 are also supported.

2.4.6 midPoint Evolveum

midPoint Evolveum is a complete open source ecosystem for identity and access management and the most GDPR compliant solution on this recommended list.

In addition to similar features to most of the solutions on this list, midPoint Evolveum focuses on data processing, auditing, and provides out-of-the-box data correction and erasure options.

2.4.7 OpenIAM

OpenIAM is an open source enterprise IAM solution, available in community and enterprise editions, with professional commercial support.

OpenIAM provides powerful web access control for identity management, applications, SSO (single sign-on), desktop SSO and API integration control, as well as two-factor/multi-factor authentication and role-based access control management.

OpenIAM also provides additional features such as SSH key management, session management, password vault and privileged account security, as well as custom extensions for healthcare, finance, education and insurance.

OpenIAM can be seamlessly integrated with Microsoft Office 365, G Suite, ServiceNow and Salesforce.

Although OpenIAM is a free project, registration is required to download the community version.

2.4.8 Gluu

Gluu provides scalable self-hosted IAM solutions. Their products include:

  • Gluu Server: an IAM solution
  • Gluu Gateway: authentication and authorization solution for APIs and websites
  • Gluu Casa, Super Gluu: IAM system built for mobile applications
  • oxd: client application that uses OAuth and OpenID to secure applications

Gluu is customized for dozens of web and mobile applications because of its scalability and clustering capabilities.

oxTrust is a web application from Gluu for managing authentication, authorization and users.

Super Gluu 2FA is a mobile authentication system for mobile users with a Gluu server on the backend. It is available for Android and iOS devices.

2.4.9 ORY

ORY is a company focused on developing open source identity and authentication management systems. Products include:

  • Kratos: user and identity management solution.
  • Hydra: OAuth 2.0 and OpenID Certified OpenID Connect server for secure access to applications and APIs.
  • Oathkeeper: Identity and Access Proxy (IAP).
  • Keto: access control and rights management server.

ORY is released as an open source solution, is easy to integrate and supports multiple languages. It is written in Go, which ensures good performance and easy integration with web and mobile applications.

Ory offers an enterprise license with support (service fee).

2.4.10 Soffid

Soffid is a converged IAM platform that integrates Access Management (AM), Identity Governance (IGA), Identity Risk and Compliance (IRC), and Privileged Account Management (PAM) into one comprehensive platform.

Soffid is a complete solution that grows with your business. Enterprises can start with the simplest access management (AM) and single sign-on (SSO) capabilities and expand their IAM environment as their needs mature.

Source: blog.csdn.net/weixin_45565886/article/details/133652646