Identity and Access Managment Basics

Mastering the terminology, starting with "IAM":

Identity and Access Management (IAM) refers to the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM involves the management of digital identities and the control of access to systems, applications, and resources through authentication and authorization processes.

IAM is a critical component of any organization's security strategy, as it helps protect sensitive information and resources from unauthorized access and can help mitigate the risk of security breaches. IAM solutions typically include a centralized repository for storing and managing identities, a set of processes for enrolling and verifying identities, and a range of tools for controlling access to resources and managing permissions.

IAM solutions often include features such as single sign-on (SSO), multi-factor authentication (MFA), role-based access control (RBAC), and directory services. These features help organizations manage identities and access to resources in a secure and efficient manner, while also improving the user experience by reducing the number of usernames and passwords that users need to remember.

Let's take a look at some additional terminology and examples that are used when talking about Identity and Access Management, starting with SSO:

Single Sign On

Single Sign-On (SSO) is a technology that allows a user to log in to multiple systems or applications with a single set of credentials, eliminating the need to remember multiple usernames and passwords. The goal of SSO is to simplify the authentication process for users and to improve the overall user experience when accessing multiple services and applications.

In a SSO system, a user logs in to an identity provider (IdP), which acts as a centralized system for authenticating and managing user identities. The identity provider verifies the user's credentials and, if the user is authenticated, issues a digital identity token that can be used to access multiple services and applications without requiring additional authentication.

SSO can improve security by reducing the risk of weak passwords and reducing the number of authentication points, as well as improving the user experience by reducing the burden of remembering multiple usernames and passwords. It can also help organizations to meet regulatory and compliance requirements by providing a secure and centralized authentication solution.

What is an Identity Provider?

An identity provider (IdP) is a system or service that is responsible for verifying a user's identity and issuing a digital identity token that can be used to access other systems or applications. In the context of federated identity management, the identity provider acts as a central point of control for managing user identities and authentication across multiple systems and applications.

The identity provider verifies a user's credentials, such as a username and password, and if the user is authenticated, the identity provider issues a digital identity token that can be used to access other systems or applications without requiring additional authentication. This digital identity token is typically based on a technical standard such as SAML, OAuth, or OpenID Connect.

The identity provider is typically a trusted third-party service, and its role is to securely manage user identities and authentication information. By using an identity provider, organizations can simplify the authentication process for users, improve the security and privacy of personal information, and enhance the efficiency of managing user identities across multiple systems and applications.

Some popular Identity Providers include: Okta, Microsoft Active Directory, Auth0, or Google's Social Sign-on, to name a few.

What does Role-Based Access Control mean?

RBAC (Role-Based Access Control) is a security model that is used to control access to resources based on the roles assigned to users. In RBAC, roles are used to define the privileges or permissions that are required to perform specific tasks, and users are assigned to one or more roles based on their job responsibilities or functions.

For example, a system administrator of a school might define a role called "Professor" and assign the permission to access and modify certain resources, such as learning materials available to a university course. Another role, called "Student," might have fewer permissions, such as the ability to view but not modify the course material.

The goal of RBAC is to simplify the management of user permissions and to provide a flexible and scalable mechanism for controlling access to resources. RBAC is widely used in enterprise systems, cloud computing, and other applications where access control is important.

What is Security Assertion Markup Language?

SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization information between parties, such as between an identity provider and a service provider (SP). SAML is used in single sign-on solutions, where a user logs in to a central identity provider and then gains access to multiple systems and applications without being prompted to log in again.

SAML provides a secure and standardized way for an identity provider to assert a user's identity to a service provider. When a user attempts to access a service or application, the service provider sends a request to the identity provider for authentication. If the user is authenticated, the identity provider returns a SAML assertion that includes information about the user's identity, such as the user's name, attributes, and any authorizations or roles assigned to the user.

What is OAuth?

OAuth is an open-standard authorization protocol that provides a secure and simplified way for users to grant access to their resources, such as their data stored on a third-party service, without having to share their passwords. OAuth is widely used in web and mobile applications to allow users to authenticate and authorize applications to access their data on other systems, such as social media platforms, cloud storage, and online productivity tools.

OAuth works by allowing users to grant access to their resources to an application (known as a client) without sharing their credentials, such as their username and password. Instead, the user is redirected to the service that holds their resources (known as the resource owner) and asked to grant permission to the client to access their data. If the user grants permission, the resource owner returns an access token to the client, which the client can use to access the user's resources on the resource owner's behalf.

We wrote a complete guide describing the distinction between SAML and OAuth, which you can find here.

What is Authentication?

Authentication is the process of verifying the identity of a user, system, or device before granting access to resources or information. Authentication is a critical component of security for many systems and applications, as it ensures that only authorized individuals or entities can access sensitive information or resources.

There are several methods for performing authentication, including the use of passwords, security tokens, biometrics, smart cards, and digital certificates. In most cases, authentication is performed by providing a username and password, which the system uses to verify the identity of the user. If the username and password are valid, the user is granted access to the requested resources or information.

What is Authorization?

Authorization is the process of determining whether an authenticated user, system, or device has the appropriate permissions or rights to access a specific resource or perform a specific action. Authorization is a critical component of security for many systems and applications, as it helps ensure that users only have access to the resources and information that they need to perform their job or task.

In general, authorization is performed by comparing the permissions or rights of the authenticated user against a set of rules or policies that define who is allowed to access a specific resource or perform a specific action. If the user's permissions match the rules or policies, the user is granted access to the resource or allowed to perform the action. If the user's permissions do not match the rules or policies, the user is denied access to the resource or prevented from performing the action.

You can find a more in depth discussion with examples of the differences between Authentication and Authorization here.