I spent 2 years of my life working as an Identity Management (IdM) consultant a long time ago, when clouds were related to weather and SaaS sounded like the Scandinavian Airlines. The environment has changed, and now more and more companies are moving to the cloud, relying on applications that live outside their firewalls. But one thing didn't change: the need to provision user accounts. This is the main reason why I would like to spend some of my free time over the next months trying to build an IdM solution for the cloud, on the cloud.
The origin of the problem
Let me give you an easy example. I can bet that you have accounts in one or more of the following applications: email (Google, Yahoo, Hotmail), Facebook, Twitter, Amazon, eBay, etc. In all of those applications you provided at least your email address, username, first name, last name, password, etc. What happens if you want to change your name? You need to go to each application and change it there. This is not a real-world IdM example, as it doesn't cover even 10% of what IdM is meant for (it doesn't make much sense to use IdM for personal use), but the fact is that people use different applications and have a different account in each of them.
The real problem
Companies have employees, customers and providers, and in many cases each of them needs access to different applications in order to do their work. The challenges the company then faces are:
- How to manage the lifecycle of these accounts (create, update, delete) together with approvals and notifications
- How to give each user the correct profile (permissions, groups) on each application
- How to keep track when, what and why a user was given a specific access (audit)
These are only some of the problems IdM applications address. To make things clearer, let me provide some examples of things you can do with them:
- Onboarding of new employees
  - Provide an interface to create new employees
  - Poll the Human Resources database for updates and, if a new employee is found, have all of his/her user accounts created on every application (email, sales app, corporate directory, etc.). Also, based on his/her job title, determine the role the user will have in each application.
- Updating employee information
  - Have the user's password reset on every application at the same time
  - Modify personal information or the role in the company
- Off-boarding of employees
  - If an employee is no longer working for the company, all of his/her user accounts can be deleted or disabled. This can be done automatically, by polling updates from the Human Resources application, or manually from an administration console.
- Audit all the changes to user accounts (who created them, when, who changed them, why they now have access to a certain application, who approved that)
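As an added example (not code from this post, from Mule iON or from any IdM product), here is the reconciliation core that the onboarding, update and off-boarding items above describe: it compares a polled HR snapshot against the accounts that exist on one target application, derives each role from the job title, and emits the connector actions together with an audit record for every change. The HR feed, the application accounts and the title-to-role table are constructed sample data and hypothetical names.

```python
from datetime import datetime, timezone

# Constructed sample data. In the architecture described in the post the HR
# feed would be polled through an ESB connector; here it is in memory so the
# logic runs offline.
HR_FEED = [
    {"id": "e1", "first": "Ana", "last": "Diaz", "title": "Sales Rep", "active": True},
    {"id": "e2", "first": "Bo", "last": "Lee", "title": "Engineer", "active": True},
    {"id": "e3", "first": "Cy", "last": "Ng", "title": "Sales Manager", "active": False},
]
APP_ACCOUNTS = {
    "e2": {"first": "Bo", "last": "Li", "role": "dev", "enabled": True},
    "e3": {"first": "Cy", "last": "Ng", "role": "sales-admin", "enabled": True},
    "e9": {"first": "Old", "last": "Contractor", "role": "dev", "enabled": True},  # no HR owner
}
# Hypothetical job-title-to-role table for this application. Unknown titles get
# no role instead of a broad default, so nobody is over-provisioned by accident.
TITLE_TO_ROLE = {"Sales Rep": "sales", "Sales Manager": "sales-admin", "Engineer": "dev"}


def reconcile(hr_feed, app_accounts, title_to_role, actor="hr-sync"):
    """Return (actions, audit). actions are (op, user_id, payload) tuples for the
    application connector; audit records who did what, when and why."""
    actions, audit = [], []

    def log(op, uid, why):
        audit.append({"who": actor, "when": datetime.now(timezone.utc).isoformat(),
                      "op": op, "user": uid, "why": why})

    seen = set()
    for emp in hr_feed:
        uid = emp["id"]
        seen.add(uid)
        desired = {"first": emp["first"], "last": emp["last"],
                   "role": title_to_role.get(emp["title"]), "enabled": emp["active"]}
        current = app_accounts.get(uid)
        if not emp["active"]:            # off-boarding: disable, never create
            if current and current["enabled"]:
                actions.append(("disable", uid, {}))
                log("disable", uid, "HR status inactive")
            continue
        if current is None:              # onboarding: create with role from title
            actions.append(("create", uid, desired))
            log("create", uid, f"new hire, title={emp['title']}")
        else:                            # update: push only the fields that differ
            diff = {k: v for k, v in desired.items() if current.get(k) != v}
            if diff:
                actions.append(("update", uid, diff))
                log("update", uid, f"HR fields changed: {sorted(diff)}")
    # Accounts with no HR record are disabled, not deleted, so the audit trail survives.
    for uid, acct in app_accounts.items():
        if uid not in seen and acct["enabled"]:
            actions.append(("disable", uid, {}))
            log("disable", uid, "no matching HR record")
    return actions, audit
```

Running `reconcile` against several applications, each with its own account store and role table, is what an ESB flow would do once per connector.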
The solution
At this point I highly recommend reading the great post William Brant wrote about "ESB and Identity Management, a perfect match". Most of the effort in an IdM solution goes into integration (connecting to each "external" application to provision user accounts), data mapping and, in some cases, workflows (approvals, notifications). With this in mind, here is the architecture I propose to start working on an IdM solution on the cloud and for the cloud.
The most important components are:
- Mule iON: Mule ESB on the cloud, almost a perfect fit: Connectors to many SaaS applications (and many more on the way), integration ready (data mapping, HTTP, XML, etc), workflow capabilities (Activiti BPM Transport or jBPM Transport), integration with e-mail and much more…
- Mongo HQ: Data store for the accounts shared information
It's just a matter of getting started. There is lots of work to do (for example building the IdM application and creating more cloud connectors), but I enjoy working on this kind of project. If you like the idea or have comments to make, please contact me. Also feel free to contribute your own "Cloud Connectors" (and don't forget to implement the APIs for user account provisioning!)