Identity Management: Centralized User and Access Control

Identity Management (IdM) is the framework of policies, processes, and technologies for managing digital identities, authentication, and authorization across systems. It includes user provisioning, single sign-on (SSO), directory services, and identity federation.

Identity Management (IdM) is the comprehensive framework of policies, processes, and technologies used to manage digital identities, control authentication, and enforce authorization across an organization's systems and applications. It provides a centralized approach to creating, maintaining, and revoking user identities, ensuring that the right individuals have appropriate access to the right resources at the right time.

To understand identity management properly, it helps to be familiar with authentication mechanisms, authorization concepts, and directory services.

Identity management architecture:
┌──────────────────────────────────────────────────────────────────────────┐
│                     Identity Management Architecture                     │
├──────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│  Users ──→ ┌──────────────────────────────────────────────────────────┐  │
│  (Human    │                    Identity Provider                     │  │
│   & Non-   │    ┌─────────────┐  ┌─────────────┐  ┌─────────────┐     │  │
│   Human)   │    │ Directory   │  │  AuthN      │  │  AuthZ      │     │  │
│            │    │ (LDAP/DB)   │  │ Service     │  │ Engine      │     │  │
│            │    └──────┬──────┘  └──────┬──────┘  └──────┬──────┘     │  │
│            │           │                │                │            │  │
│            │           └────────────────┼────────────────┘            │  │
│            │                            │                             │  │
│            └────────────────────────────┼─────────────────────────────┘  │
│                                         │                                │
│                                ┌────────▼────────┐                       │
│                                │   SSO / Proxy   │                       │
│                                └────────┬────────┘                       │
│                                         │                                │
│                ┌────────────────────────┼────────────────────────┐       │
│                │                        │                        │       │
│           ┌────▼────┐              ┌────▼────┐              ┌────▼────┐  │
│           │  App 1  │              │  App 2  │              │  App 3  │  │
│           │ (SAML)  │              │ (OIDC)  │              │ (LDAP)  │  │
│           └─────────┘              └─────────┘              └─────────┘  │
│                                                                          │
│  Lifecycle Management ──→ HR Sync → Auto Provision → SCIM → Deprovision  │
│  Governance ──→ Access Reviews → SOD Controls → Audit Logs → Compliance  │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

What Is Identity Management?

Identity Management is the discipline of managing digital identities throughout their lifecycle. It encompasses the creation, maintenance, and deletion of user accounts, the management of authentication methods, the enforcement of authorization policies, and the governance of access rights. Modern identity management solutions provide centralized control over who can access what across an organization's entire technology ecosystem.

  • Digital Identity: The set of attributes that uniquely describe a user or system in a digital context, including username, email, roles, and permissions.
  • Identity Provider (IdP): Service that creates, maintains, and authenticates digital identities, such as Azure AD, Okta, Auth0, or Google Identity.
  • Service Provider (SP): Application or service that relies on an identity provider for authentication and authorization.
  • Identity Lifecycle: The stages of identity from creation (joiner), through changes (mover), to removal (leaver).
  • Identity Governance: Policies and processes for access reviews, compliance auditing, and risk management.

Why Identity Management Matters

Without centralized identity management, organizations struggle with password fatigue, inconsistent access controls, security gaps from orphaned accounts, and poor user experience.

  • Improved Security: Centralized identity management enables consistent security policies, stronger authentication methods (MFA), and rapid revocation when employees leave. It eliminates the orphaned accounts that attackers exploit.
  • Better User Experience: Single Sign-On (SSO) allows users to access many applications with one credential, eliminating password fatigue and reducing help desk password reset requests.
  • Operational Efficiency: Automated provisioning and deprovisioning save IT time. Users get access quickly when hired and lose access immediately when terminated, with no manual account creation across dozens of systems.
  • Regulatory Compliance: Identity management provides audit trails of access, automated access recertification, and segregation of duties controls required by SOX, HIPAA, GDPR, and PCI DSS.
  • Scalability: As organizations grow and adopt more applications, centralized identity management scales without proportional administrative overhead.
  • Merger and Acquisition Integration: Identity federation enables trusted access between organizations during M&A integration, allowing users access to acquired company applications without new accounts.

Core Identity Management Components

Identity Repository (Directory)

The identity repository stores user identities, attributes, credentials, and group memberships. LDAP directories like Microsoft Active Directory and OpenLDAP have been traditional solutions. Modern cloud identity providers store identities in highly available, globally distributed databases.

Authentication Service

The authentication service verifies user identity through passwords, biometrics, or security keys. It supports standard protocols including OAuth 2.0, OIDC (OpenID Connect), SAML 2.0, and LDAP, and it enforces authentication policies such as password complexity, MFA requirements, and risk-based step-up authentication.

Authorization Engine

The authorization engine determines what authenticated users can do. It evaluates policies based on user attributes, resource attributes, and environmental conditions, then grants or denies each access request accordingly.

Provisioning System

Provisioning automates user account creation, updates, and deletion across connected systems. Just-in-Time (JIT) provisioning creates accounts on first login. SCIM (System for Cross-domain Identity Management) is the standard for automated provisioning.

Identity Management Protocols and Standards

Protocol              | Purpose                                                    | Common Use Case
----------------------+------------------------------------------------------------+----------------------------------------------------------
SAML 2.0              | Security Assertion Markup Language for identity federation | Enterprise SSO, especially for legacy applications
OAuth 2.0             | Authorization framework for delegated access               | API access, grant permissions without sharing password
OIDC (OpenID Connect) | Identity layer on top of OAuth 2.0                         | Modern SSO, social login (Sign in with Google)
LDAP / LDAPS          | Directory access protocol                                  | On-premise directory services like Active Directory
SCIM 2.0              | User provisioning automation                               | Sync identities between IdP and applications

Single Sign-On (SSO)

Single Sign-On allows users to authenticate once and gain access to multiple applications without re-entering credentials. SSO dramatically improves user experience and security by reducing password fatigue and enabling centralized MFA enforcement across all applications.

SSO authentication flow:
┌─────────┐      ┌─────────────┐      ┌─────────────┐
│  User   │      │   Service   │      │  Identity   │
│         │      │  Provider   │      │  Provider   │
│         │      │     (SP)    │      │    (IdP)    │
└────┬────┘      └──────┬──────┘      └──────┬──────┘
     │                  │                    │
     │  1. Access SP    │                    │
     │─────────────────→│                    │
     │                  │                    │
     │  2. Redirect to IdP                   │
     │←─────────────────│                    │
     │                  │                    │
     │  3. Authenticate │                    │
     │──────────────────────────────────────→│
     │                  │                    │
     │  4. AuthN (MFA/Password)              │
     │←──────────────────────────────────────│
     │                  │                    │
     │  5. AuthN Response                    │
     │──────────────────────────────────────→│
     │                  │                    │
     │  6. Redirect to SP with assertion     │
     │←──────────────────────────────────────│
     │                  │                    │
     │  7. Access SP with assertion          │
     │─────────────────→│                    │
     │                  │                    │
     │  8. Validate assertion                │
     │                  │                    │
     │  9. Access Granted                    │
     │←─────────────────│                    │
     │                  │                    │
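Step 8 of the flow is where service-provider mistakes turn into account takeover. The following Python is an added example, not code from the original page: it shows the checks an SP should apply to an OIDC ID token before creating a session (pinned algorithm, signature, issuer, audience, expiry with clock skew, nonce binding, and single-use replay protection). It assumes a constructed HS256 shared secret and constructed issuer and client identifiers for brevity; production IdPs normally sign with RS256 and publish their keys via JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed values: this SP and its IdP share an HS256 secret for brevity.
# Real IdPs usually sign with RS256 and publish public keys through JWKS.
IDP_ISSUER = "https://idp.example.com"
SP_CLIENT_ID = "sp-app-2"
SHARED_SECRET = b"constructed-demo-secret"
CLOCK_SKEW = 60  # seconds of tolerated clock drift between IdP and SP

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(subject: str, nonce: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """IdP side (step 6): mint an ID token bound to this SP and to the login's nonce."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": SP_CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": nonce, "jti": f"{subject}-{now}"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)

class AssertionValidator:
    """SP side (step 8): every check must pass before a local session is created."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.seen_jti = set()  # replay cache; production needs a shared store with TTL >= token lifetime

    def validate(self, token: str, expected_nonce: str, now: int) -> dict:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("iss") != IDP_ISSUER:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != SP_CLIENT_ID:  # a genuine token minted for another SP is still invalid here
            raise ValueError("audience mismatch")
        if now > claims["exp"] + CLOCK_SKEW or claims["iat"] > now + CLOCK_SKEW:
            raise ValueError("expired or not yet valid")
        if claims.get("nonce") != expected_nonce:  # ties the token to the browser session that began login
            raise ValueError("nonce mismatch")
        if claims["jti"] in self.seen_jti:  # the same assertion presented a second time
            raise ValueError("replayed assertion")
        self.seen_jti.add(claims["jti"])
        return claims
```

The same checklist applies to a SAML assertion (signature, Issuer, Audience, NotOnOrAfter, InResponseTo, assertion ID); only the encoding differs.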

SSO Benefits

  • User Experience: One login for all applications, no multiple passwords to remember.
  • Security: Centralized MFA enforcement, strong password policies applied once to all apps, fewer passwords to steal.
  • IT Efficiency: No password resets for individual applications, centralized user management.
  • Faster Onboarding: New users access all needed applications immediately after IdP account creation.

Identity Federation

Identity federation extends SSO across organizational boundaries, establishing trust between independent identity domains. Users from one organization can access applications in another organization using their home credentials.

Identity federation architecture:
┌──────────────────────┐                  ┌──────────────────────┐
│    Organization A    │                  │    Organization B    │
│                      │                  │                      │
│   ┌──────────────┐   │                  │   ┌──────────────┐   │
│   │    Users     │   │                  │   │    Users     │   │
│   └──────┬───────┘   │                  │   └──────┬───────┘   │
│          │           │                  │          │           │
│   ┌──────▼───────┐   │      Trust       │   ┌──────▼───────┐   │
│   │   IdP (A)    │◄──┼──────────────────┼──►│   IdP (B)    │   │
│   │  SAML/OIDC   │   │                  │   │  SAML/OIDC   │   │
│   └──────┬───────┘   │                  │   └──────┬───────┘   │
│          │           │                  │          │           │
│   ┌──────▼───────┐   │                  │   ┌──────▼───────┐   │
│   │   App (A)    │   │                  │   │   App (B)    │   │
│   │    (SP)      │   │                  │   │    (SP)      │   │
│   └──────────────┘   │                  │   └──────────────┘   │
└──────────────────────┘                  └──────────────────────┘

Users from Org A can access App B using Org A credentials
Users from Org B can access App A using Org B credentials

Identity Lifecycle Management

Identity lifecycle stages:
┌──────────────────────────────────────────────────────────────────┐
│                        Identity Lifecycle                        │
├──────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Joiner (Onboarding)         Mover (Changes)                     │
│  ┌─────────────────────┐     ┌─────────────────────────────┐     │
│  │ • Create identity   │     │ • Role change               │     │
│  │ • Assign roles      │     │ • Permission updates        │     │
│  │ • Provision accounts│────→│ • Transfer access           │     │
│  │ • Issue credentials │     │ • Re-certify access         │     │
│  └──────────┬──────────┘     └──────────────┬──────────────┘     │
│             │                               │                    │
│             ▼                               ▼                    │
│  ┌─────────────────────┐     ┌─────────────────────────────┐     │
│  │ Leaver (Offboarding)│     │ Governance                  │     │
│  │ • Disable account   │     │ • Periodic access reviews   │     │
│  │ • Deprovision access│     │ • Compliance reporting      │     │
│  │ • Archive/delete    │     │ • Audit log review          │     │
│  │ • Certificate revoke│     │ • SOD violation detection   │     │
│  └─────────────────────┘     └─────────────────────────────┘     │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘
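The joiner, mover and leaver stages above map directly onto SCIM 2.0 requests. The following Python is an added example, not code from the original page: it diffs a constructed HR feed (the source of truth) against constructed IdP accounts and emits the SCIM create, update and deactivate requests a provisioning job would send, and it also flags orphaned accounts that HR has never heard of. The record shapes, endpoint paths and sample data are constructed; the two schema URNs are the real SCIM 2.0 identifiers.

```python
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

@dataclass(frozen=True)
class HrRecord:  # one row of the authoritative HR feed (constructed shape)
    employee_id: str
    email: str
    title: str
    employed: bool  # False once HR has processed the termination

@dataclass(frozen=True)
class IdpAccount:  # what the identity provider currently holds (constructed shape)
    scim_id: str
    employee_id: str
    email: str
    title: str
    active: bool

def patch(attrs: dict) -> dict:
    """Build a SCIM 2.0 PatchOp that replaces the given attributes."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": k, "value": v} for k, v in attrs.items()]}

def reconcile(hr_feed, accounts):
    """Joiner/mover/leaver diff between HR and the IdP.

    Returns (requests, orphans): the SCIM requests to send, as (method, path, body) tuples,
    and the scim_ids of active accounts with no HR record at all, which need human review."""
    hr = {r.employee_id: r for r in hr_feed}
    idp = {a.employee_id: a for a in accounts}
    requests, orphans = [], []
    for eid, rec in hr.items():
        acct = idp.get(eid)
        if acct is None and rec.employed:  # joiner: HR knows them, the IdP does not
            requests.append(("POST", "/Users", {
                "schemas": [SCIM_USER], "externalId": eid, "userName": rec.email,
                "emails": [{"value": rec.email, "primary": True}],
                "title": rec.title, "active": True}))
        elif acct is not None and not rec.employed and acct.active:  # leaver: disable first, delete later
            requests.append(("PATCH", f"/Users/{acct.scim_id}", patch({"active": False})))
        elif acct is not None and rec.employed and acct.title != rec.title:  # mover: attribute drift
            requests.append(("PATCH", f"/Users/{acct.scim_id}", patch({"title": rec.title})))
    for eid, acct in idp.items():
        if eid not in hr and acct.active:  # orphan: nobody in HR owns it, so treat it as a leaver and flag it
            requests.append(("PATCH", f"/Users/{acct.scim_id}", patch({"active": False})))
            orphans.append(acct.scim_id)
    return requests, orphans

# Constructed sample data: alice was hired, bob was promoted, carol left,
# and "u-9" is an account that no HR record can account for.
HR_FEED = [HrRecord("e1", "alice@example.com", "Engineer", True),
           HrRecord("e2", "bob@example.com", "Senior Engineer", True),
           HrRecord("e3", "carol@example.com", "Analyst", False)]
IDP_ACCOUNTS = [IdpAccount("u-2", "e2", "bob@example.com", "Engineer", True),
                IdpAccount("u-3", "e3", "carol@example.com", "Analyst", True),
                IdpAccount("u-9", "e9", "mallory@example.com", "Contractor", True)]
```

Running the diff a second time after the requests have been applied produces no further requests, which is the property a scheduled provisioning job relies on.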

Privileged Identity Management (PIM)

Privileged Identity Management focuses on securing administrative and high-privilege accounts, the most attractive targets for attackers. PIM provides just-in-time access, approval workflows, and extensive auditing.

  • Just-in-Time Access: Admins request elevation only when needed rather than holding privileged access permanently. Requests require a justification and may need approval.
  • Time-Bound Access: Privileged access automatically expires after a configured duration (hours or days), reducing the window of exposure.
  • Approval Workflows: Sensitive role activation requires manager or security team approval. Supports multi-stage approval for critical roles.
  • Privileged Access Workstations (PAW): Dedicated hardened workstations for administrative tasks, separate from daily productivity systems.
  • Session Recording: Administrative sessions are recorded for audit and incident investigation, with keystroke logging and screen capture for sensitive operations.
  • Emergency Break-Glass Accounts: A small number of audited emergency accounts for when normal PIM is unavailable. Any use triggers an immediate alert.

Identity Management Anti-Patterns

  • Siloed Identity Stores: Each application has its own user database with no integration. Users have separate passwords for each system. Security and user experience suffer dramatically.
  • Manual Provisioning: IT creates accounts manually in each system when employees join. Delays access, error-prone, leaves orphan accounts on departure.
  • Orphaned Accounts: Accounts remain active after an employee's departure because offboarding is not automated. These are attractive targets for attackers.
  • Overly Permissive Default Access: New employees receive excessive permissions by default, violating the least privilege principle.
  • No Access Recertification: Permissions accumulate over years without review. Former employees and contractors retain access long after departure.
  • Shared Admin Accounts: Multiple administrators share the same privileged account without individual accountability, making it impossible to audit who performed which action.
  • Federation Without Governance: Trusting external IdP without appropriate controls and monitoring. External compromise becomes internal compromise.

Identity Management Best Practices

  • Centralize Identity Management: Use single identity provider for all applications. Eliminate siloed identity stores. Connect existing on-premise directories via synchronization or federation.
  • Enforce Strong Authentication: Require MFA for all users, especially administrators. Implement risk-based authentication for sensitive access (unusual location, new device).
  • Automate Lifecycle Management: Integrate IdP with HR system. Automate joiner, mover, leaver processes with SCIM provisioning. Eliminate manual account management.
  • Implement Least Privilege: Begin with minimal access. Add permissions based on business need with justification. Regularly review and remove unnecessary access.
  • Use Privileged Access Management: Just-in-time elevation for administrative access. Require approval and justification. Record privileged sessions for audit.
  • Regular Access Reviews: Quarterly or semi-annual recertification of access rights. Manager confirms business need for each subordinate's access. Enforce remediation of stale access.
  • Enable SSO Where Possible: Maximize SSO coverage across all applications. Reduce password usage to minimum. Prioritize SAML or OIDC capable applications.
  • Monitor Identity Events: Log all authentication attempts, privilege changes, role assignments, and access reviews. Alert on suspicious patterns (MFA fatigue, impossible travel, excessive failed logins).
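The last practice names the patterns worth alerting on. The following Python is an added example, not code from the original page: it runs three such rules over a constructed batch of IdP sign-in events, treating excessive failed logins and MFA push fatigue as sliding-window bursts per user and impossible travel as two successes from different countries closer together than a plausible flight. The event field names, thresholds and sample data are constructed and should be tuned to your own IdP's log format and volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in events in the shape most IdP audit logs export:
# alice is being password-sprayed, bob is receiving an MFA push storm,
# carol logs in from two countries twenty minutes apart, dave is normal.
EVENTS = (
    [{"ts": f"2024-05-01T09:0{i}:00Z", "user": "alice", "type": "login_failed", "country": "DE"} for i in range(5)]
    + [{"ts": f"2024-05-01T09:3{i}:00Z", "user": "bob", "type": "mfa_push_denied", "country": "DE"} for i in range(3)]
    + [{"ts": "2024-05-01T10:00:00Z", "user": "carol", "type": "login_success", "country": "US"},
       {"ts": "2024-05-01T10:20:00Z", "user": "carol", "type": "login_success", "country": "JP"},
       {"ts": "2024-05-01T08:00:00Z", "user": "dave", "type": "login_success", "country": "DE"},
       {"ts": "2024-05-01T17:00:00Z", "user": "dave", "type": "login_success", "country": "FR"}]
)

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def burst_alerts(events, event_type: str, threshold: int, window: timedelta) -> set:
    """Users who produced at least `threshold` events of `event_type` inside one sliding window."""
    alerts, recent = set(), defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != event_type:
            continue
        q = recent[e["user"]]
        q.append(parse_ts(e["ts"]))
        while q[-1] - q[0] > window:  # drop events that have fallen out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(e["user"])
    return alerts

def impossible_travel(events, min_gap: timedelta = timedelta(hours=2)) -> set:
    """Users with two successful logins from different countries less than `min_gap` apart."""
    alerts, last_seen = set(), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "login_success":
            continue
        t, prev = parse_ts(e["ts"]), last_seen.get(e["user"])
        if prev and prev[1] != e["country"] and t - prev[0] < min_gap:
            alerts.add(e["user"])
        last_seen[e["user"]] = (t, e["country"])
    return alerts

def detect(events) -> dict:
    """Apply the three rules named in the best practices to one batch of events."""
    return {
        "excessive_failed_logins": burst_alerts(events, "login_failed", 5, timedelta(minutes=10)),
        "mfa_fatigue": burst_alerts(events, "mfa_push_denied", 3, timedelta(minutes=10)),
        "impossible_travel": impossible_travel(events),
    }
```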

Identity management maturity model:
Level 1: Basic
• Siloed application identities
• Manual account provisioning
• No SSO (separate passwords per app)
• Basic password policies

Level 2: Centralized Identity
• Central identity provider (IdP)
• SSO for some applications
• Basic automated provisioning
• MFA for privileged accounts only

Level 3: Integrated Identity
• SSO for all modern applications
• Automated lifecycle management (HR integration)
• MFA required for all users
• Basic access recertification

Level 4: Advanced Governance
• Privileged access management (PIM/PAM)
• Automated access recertification
• Segregation of duties controls
• Risk-based authentication

Level 5: Zero Trust Identity
• Continuous access evaluation
• Just-in-time privileged access
• Identity threat detection and response
• Passwordless authentication (passkeys)

Identity Management Providers and Solutions

Provider                      | Type                     | Best For
------------------------------+--------------------------+----------------------------------------------------------------
Microsoft Entra ID (Azure AD) | Cloud identity provider  | Microsoft shops, Office 365 integration, Windows environments
Okta                          | Cloud identity provider  | Multi-cloud, large application ecosystems, developer-friendly
Auth0 (Okta)                  | CIAM (Customer Identity) | Customer-facing applications, B2C, developer experience
Ping Identity                 | Enterprise federation    | Complex federation requirements, on-premise integration
SailPoint                     | Identity governance      | Large enterprise governance, compliance, access certifications
CyberArk                      | PAM (Privileged Access)  | Privileged account management, session recording

Frequently Asked Questions

  1. What is the difference between identity management and access management?
    Identity management focuses on managing user identities, attributes, credentials, and lifecycle (who users are). Access management focuses on controlling what authenticated users can do (authorization). Together they form Identity and Access Management (IAM). Identity management establishes the identity; access management uses it for decisions.
  2. What is the difference between SSO and identity federation?
    SSO enables users to access multiple applications within the same organization after a single authentication. Identity federation extends SSO across organizational boundaries, allowing users from partner organizations to access applications using their home credentials. Federation establishes trust between independent identity domains.
  3. Should I use SAML or OIDC for SSO?
    Use OIDC for modern applications, mobile apps, APIs, and consumer identity: it is simpler, uses JSON, and works well with modern web and mobile stacks. Use SAML for enterprise applications, especially legacy systems that only support SAML. SAML is more mature in the enterprise but more complex. New applications should implement OIDC.
  4. What is SCIM and why is it important?
    SCIM (System for Cross-domain Identity Management) is the standard API for automating user provisioning between an identity provider and applications. It creates, updates, and deletes user accounts automatically without manual IT work, and it is critical for automated joiner and leaver processes, ensuring timely access grants and removals.
  5. How does identity management improve security?
    Centralized identity management enables consistent security policies, MFA enforcement, rapid account revocation for departures, no orphaned accounts, privileged access controls, and comprehensive auditing. Also reduces password reuse and phishing risk through SSO. Without IdM, each application has separate security posture.
  6. What should I learn next after identity management?
    After mastering identity management, explore SSO implementation patterns, OIDC and OAuth 2.0 deep dive, SAML protocol, SCIM provisioning, zero trust identity, and IAM architecture patterns.