Identity management systems are the technical implementations that empower your applications with your identity data. Connecting your people and services correctly requires reconciling the different points of view and concerns of organizations, applications, and users.
Identity providers foremost have to meet the business requirements of an organization, which implies data protection, access to resources, and more. Your operations should constrain your software choice, not the opposite.
Functionally, you will require a database or directory of users that can be used both for authentication of users and retrieving attributes about users, although there is no presumed relationship between any of these data sources.
You also need an SSO system, which can be your IdP itself or something external. These come in many flavors: some were designed with the smaller enterprise in mind, some are social, and others were designed to scale globally.
The user data and SSO system must then be integrated and you will have a functional IdP. We prefer to leverage existing infrastructure when it’s serviceable.
Beyond that, there are endless policy, attribute source reconciliation, data registry and other issues that an identity system serving a major enterprise might wish to tackle.
Service providers have to work federated identity concepts and code into their applications. Identity and security are often introduced to an application late in the game, and retrofitting is hard. Choosing whether to leverage, enhance, or simply replace the application’s native authentication, session management, and access control is more art than science.
Building a quality federated identity interface is another challenge; multiple studies have demonstrated this and identified some best practices. There are many approaches you can take to get users to log in safely. We understand that new functionality must be incorporated carefully so users are not confused and are routed correctly.
Partners expect you to protect their users and data. Request and retain as little information as possible about users, limiting your own exposure as well. Respecting the scope of attributes is necessary to ensure only authorized access occurs. In general, implementing the specification in the application yourself is a poor choice, and a dedicated identity implementation should be used.
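One concrete way a relying party can honour the minimization and scope principles above is to filter what the identity provider sends down to the attributes the application was actually granted, and to fail closed when a required attribute is missing or unusable. The following is an added example written for this page, not code from Signet or from any identity product; the scope-to-attribute mapping, the sample claims and the rule that an unverified email is not accepted are assumptions chosen for illustration.

```python
"""Relying-party attribute minimization (added example, not from the original page).

Keeps only the attributes covered by the scopes the application was granted,
insists that required attributes are present, and reports what was discarded
so the application never stores more than it asked for.
"""

from dataclasses import dataclass, field

# Hypothetical mapping of granted scopes to the attributes they cover.
# This is an assumption for the example, not a standard's definition.
SCOPE_ATTRIBUTES = {
    "openid": {"sub"},
    "profile": {"name", "preferred_username"},
    "email": {"email", "email_verified"},
}


class AttributePolicyError(ValueError):
    """Raised when an assertion cannot satisfy the application's attribute policy."""


@dataclass(frozen=True)
class MinimizedIdentity:
    subject: str
    attributes: dict = field(default_factory=dict)
    dropped: tuple = ()  # attribute names received but outside the granted scopes


def allowed_attributes(granted_scopes):
    """Union of attributes covered by the granted scopes; unknown scopes grant nothing."""
    allowed = set()
    for scope in granted_scopes:
        allowed |= SCOPE_ATTRIBUTES.get(scope, set())
    return allowed


def minimize_attributes(claims, granted_scopes, required):
    """Return the in-scope subset of `claims`, or raise if policy cannot be met."""
    allowed = allowed_attributes(granted_scopes)

    # A required attribute that no granted scope covers is a configuration error,
    # not something to work around by keeping out-of-scope data.
    outside = required - allowed
    if outside:
        raise AttributePolicyError(
            f"required attributes not covered by granted scopes: {sorted(outside)}")

    if "sub" not in claims:
        raise AttributePolicyError("assertion carries no subject identifier")

    kept = {name: value for name, value in claims.items() if name in allowed}

    missing = required - kept.keys()
    if missing:
        raise AttributePolicyError(f"assertion is missing required attributes: {sorted(missing)}")

    # Policy choice (assumption): an email the IdP did not mark as verified must not
    # be used for authorization decisions, so the assertion is rejected outright.
    if "email" in kept and not kept.get("email_verified", False):
        raise AttributePolicyError("email attribute present but not verified by the IdP")

    dropped = tuple(sorted(set(claims) - allowed))
    return MinimizedIdentity(subject=kept["sub"], attributes=kept, dropped=dropped)


# Constructed sample assertion: the IdP over-shares relative to what was granted.
SAMPLE_CLAIMS = {
    "sub": "user-1234",
    "name": "Example User",
    "email": "user@example.com",
    "email_verified": True,
    "address": {"street_address": "1 Example St"},
    "phone_number": "+1-555-0100",
}

if __name__ == "__main__":
    identity = minimize_attributes(SAMPLE_CLAIMS, {"openid", "email"}, {"sub", "email"})
    print("kept:", sorted(identity.attributes))
    print("dropped:", identity.dropped)
```

Logging the `dropped` names (never their values) is a useful operational signal: a partner IdP that keeps sending attributes you did not ask for is a conversation to have with them, not data to quietly retain.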
All providers need to understand the functionality expected of the entire system to complete integration. Prevent or limit concessions in meeting the surprisingly variable requirements of counterparties by retaining Signet as independent experts. We can identify whether a compromise is reasonable and constrain its consequences or serve as your advocates in discussions with relying parties.