Identity Management for the Cloud


I spent 2 years of my life working as an () consultant a long time ago, when clouds were related to weather and SaaS sounded like Scandinavian Airlines. The environment has changed and now more and more companies are moving to the cloud, relying on applications living outside their firewalls, but there is something that did not change: the need to provision user accounts. This is the main reason why I would like to spend some of my free time over the next months trying to build an IdM solution for the cloud, on the cloud.

The origin of the problem

Let me give you an easy example. I can bet that you have accounts in one or more of the following applications: email (Google, Yahoo, Hotmail), Facebook, Twitter, Amazon, eBay, etc. In all of those applications you provided at least your email address, username, first name, last name and password. What happens if you want to change your name? You need to go to each application and change it there. This is not a real-world IdM example, as it doesn't cover even 10% of what IdM is meant for (using IdM for personal accounts doesn't make much sense), but the fact is that people use different applications and have a different account in each of them.

The real problem

Companies have employees, customers and providers, and in many cases each of them needs access to different applications in order to do their work. The challenges the company then faces are:

  • How to manage the lifecycle of these accounts (create, update, delete) together with approvals and notifications
  • How to give each user the correct profile (permissions, groups) on each application
  • How to keep track of when, what and why a user was given a specific access (audit)

Image 1. With IdM, the user accounts management is centralized

These are only some of the problems IdM applications address, and in order to make things more clear, let me provide some examples of things you can do with them:

  • Onboarding of new employees
    • Provide an interface to create new employees
    • Poll for updates in the Human Resources database and, if a new employee is found, have all of his/her user accounts created on every application (email, sales app, corporate directory, etc.). Also, based on the job title, determine the role the user will have in each application.
  • Updating employees information
    • Have the user password reset on every application at the same time
    • Modify personal information or role in the company
  • Off-boarding of employees
    • If an employee is no longer working for the company, then all of his/her user accounts can be deleted or disabled (disabling rather than deleting keeps the audit trail and any data owned by the account intact). This can be done automatically, by polling for updates from the Human Resources application, or manually from an administration console.
  • Audit all the changes to user accounts (who created them and when, who changed them, why they now have access to a certain application, who approved that)
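As an added example (hypothetical Python written for this page, not code from the post, from Mule iON or from MongoHQ), here is the onboarding / update / off-boarding procedure above as one reconciliation pass over a polled HR feed: roles derived from job title, accounts created, updated or disabled through per-application connectors, and every decision written to an audit trail with who, when, what and why. The HR records, the title-to-role table and the in-memory connectors are all constructed for the example; a real deployment would replace `AppConnector` with the cloud connector of each target application.

```python
"""Joiner / mover / leaver reconciliation driven by an HR feed (added example,
hypothetical code: not the post's, Mule's or MongoHQ's; all data constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed HR records: yesterday's poll, then today's. Ben moved from Sales to
# Engineering and changed his surname; Cy was terminated; Ana is a new hire.
PREVIOUS_FEED = [
    {"id": "E101", "first": "Ben", "last": "Ng", "title": "Sales Rep", "status": "active"},
    {"id": "E102", "first": "Cy", "last": "Park", "title": "Engineer", "status": "active"},
]
HR_FEED = [
    {"id": "E100", "first": "Ana", "last": "Lopez", "title": "Sales Rep", "status": "active"},
    {"id": "E101", "first": "Ben", "last": "Ng-Lee", "title": "Engineer", "status": "active"},
    {"id": "E102", "first": "Cy", "last": "Park", "title": "Engineer", "status": "terminated"},
]
# Constructed policy: the role each job title gets in each target application.
ROLES_BY_TITLE = {
    "Sales Rep": {"email": "user", "crm": "sales", "directory": "employee"},
    "Engineer": {"email": "user", "scm": "developer", "directory": "employee"},
}


class AppConnector:
    """In-memory stand-in for a cloud connector's account provisioning API."""
    def __init__(self):
        self.accounts = {}  # uid -> {"profile": dict, "role": str, "enabled": bool}

    def create(self, uid, profile, role):
        self.accounts[uid] = {"profile": dict(profile), "role": role, "enabled": True}

    def update(self, uid, profile, role):
        self.accounts[uid].update(profile=dict(profile), role=role)

    def disable(self, uid):
        self.accounts[uid]["enabled"] = False


@dataclass
class IdentityStore:
    """Central record of who holds which account in which app, plus the audit trail."""
    people: dict = field(default_factory=dict)  # uid -> last HR record applied
    grants: dict = field(default_factory=dict)  # uid -> {app: role}
    audit: list = field(default_factory=list)

    def log(self, actor, uid, app, action, reason):
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(), "who": actor,
                           "user": uid, "app": app, "action": action, "why": reason})


def reconcile(hr_feed, store, connectors, actor="hr-poller"):
    """Apply one HR poll to every application; returns the (uid, app, action) decisions."""
    decisions = []
    for rec in hr_feed:
        uid = rec["id"]
        profile = {"first": rec["first"], "last": rec["last"]}
        current = store.grants.get(uid, {})
        old = store.people.get(uid, {})
        if rec["status"] != "active":
            # Leaver: disable every account, never delete, so the audit trail keeps its subject.
            for app in current:
                connectors[app].disable(uid)
                store.log(actor, uid, app, "disable", "HR status=%s" % rec["status"])
                decisions.append((uid, app, "disable"))
            store.grants[uid], store.people[uid] = {}, rec
            continue
        desired = ROLES_BY_TITLE.get(rec["title"])
        if desired is None:  # unknown title: fail closed, grant nothing, but record it
            store.log(actor, uid, "*", "skip", "no role mapping for title %r" % rec["title"])
            decisions.append((uid, "*", "skip"))
            continue
        name_changed = (old.get("first"), old.get("last")) != (rec["first"], rec["last"])
        for app, role in desired.items():
            if app not in current:  # joiner, or mover gaining an application
                connectors[app].create(uid, profile, role)
                store.log(actor, uid, app, "create", "title=%s -> role=%s" % (rec["title"], role))
                decisions.append((uid, app, "create"))
            elif current[app] != role or name_changed:
                connectors[app].update(uid, profile, role)
                store.log(actor, uid, app, "update", "title=%s -> role=%s" % (rec["title"], role))
                decisions.append((uid, app, "update"))
        # Mover losing an application: revoke what the new title no longer grants.
        for app in [a for a in current if a not in desired]:
            connectors[app].disable(uid)
            store.log(actor, uid, app, "disable", "title=%s grants no access" % rec["title"])
            decisions.append((uid, app, "disable"))
        store.grants[uid], store.people[uid] = dict(desired), rec
    return decisions


def run_demo():
    """Two consecutive polls: seed from PREVIOUS_FEED, then apply HR_FEED."""
    connectors = {a: AppConnector() for a in ("email", "crm", "scm", "directory")}
    store = IdentityStore()
    reconcile(PREVIOUS_FEED, store, connectors)
    decisions = reconcile(HR_FEED, store, connectors)
    return store, connectors, decisions
```

Running `run_demo()` yields ten decisions for today's poll: three creates for the new hire, an update of Ben's name in email and directory, a create in scm and a disable in crm for his move, and three disables for the terminated employee. Two choices matter in practice: off-boarding disables instead of deleting, so the audit trail keeps its subject, and a job title with no role mapping grants nothing at all rather than some default, while still leaving an audit entry that says a decision was needed.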

The solution

At this point I highly recommend reading the great post William Brant wrote about “ESB and Identity Management, a perfect match”. Most of the effort in an IdM solution lies in integration (connecting to each “external” application to provision user accounts), data mapping and, in some cases, workflows (approvals, notifications). With this in mind, this is the architecture I have in mind to start working on an IdM solution on the cloud and for the cloud.



The most important components are:

  • Mule iON: Mule ESB on the cloud, almost a perfect fit: connectors to many SaaS applications (and many more on the way), integration ready (data mapping, HTTP, XML, etc.), workflow capabilities (Activiti BPM Transport or jBPM Transport), integration with e-mail and much more...
  • Mongo HQ: data store for the shared account information

It’s just a matter of getting started. There is lots of work to do (for example building the IdM application and creating more cloud connectors), but I enjoy working on this kind of project. If you like the idea or have comments to make, please contact me. Also feel free to contribute your own “Cloud Connectors” (and don’t forget to implement the APIs for user account provisioning!)



4 Responses to “Identity Management for the Cloud”

  1. Hello,
    Interesting article. At OpenIAM (www.openiam.com) we have been building and deploying an IDM solution that leverages the Mule ESB and several other components. The solution has both an open source and commercial component.

    As you mentioned there is more to this problem such as synchronization, reconciliation, role based provisioning, etc. and we are addressing these.

    Drop me a note if you would like to discuss.

  2. Hi Suneet

    Thanks for your comment and mainly for your offer. I would like to discuss this in the future, as when I was in the IdM world I was really expectant of OpenIAM.

  3. […] Identity Management for the Cloud… From the Mules Mouth blog […]

  4. At Directory Services, Inc., we have come a long way with this vision and we have developed Cloud Identity Management on MuleiON using SCIM called GreyTower Cloud Identity. This is in addition to our on premise GreyTower solution.

    We also are making Identity APIs available to license for web developers. Keep an eye out for us, we are also looking for more input from end users. http://www.directoryservicesinc.com

    MuleiON is a game changer, and GreyTower on MuleiON will in my opinion be a key part of that.
