src/site/xdoc/iam-scenario.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

-->
<document xmlns="http://maven.apache.org/XDOC/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">

  <properties>
    <title>IAM Scenario</title>
    <author email="dev@syncope.apache.org">Apache Syncope Documentation Team</author>
  </properties>

  <body>    
    <section name="Identity and Access Management - Reference Scenario">
      
      <p style="text-align:center;">
        <img src="docs/images/iam-scenario.png" alt="IAM Scenario" width="700"/>
      </p>
      
      <p>
        The picture above shows the tecnologies involved in a complete IAM solution:
        <ul>
          <li>
            <strong>
              <em>Identity Store</em>
            </strong>
            <br/>
            (as RDBMS, LDAP, Active Directory, meta- and virtual-directories), the repository for account data
          </li>
          <li>
            <strong>
              <em>Provisioning Engine</em>
            </strong>
            <br/>
            synchronizes account data across identity stores and a broad range of data formats, models, meanings and 
            purposes
          </li>
          <li>
            <strong>
              <em>Access Manager</em>
            </strong>
            <br/>
            access mediator to all applications, focused on application front-end, taking care
            of <u>authentication</u>
            (<a href="https://en.wikipedia.org/wiki/Single_sign-on" target="_blank">Single Sign-On</a>),
            <u>authorization</u>
            (<a href="https://oauth.net/" target="_blank">OAuth</a>, 
            <a href="https://en.wikipedia.org/wiki/XACML">XACML</a>) and <u>federation</u>
            (<a href="https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language" target="_blank">SAML</a>, 
            <a href="https://openid.net/connect/" target="_blank">OpenID Connect</a>).
          </li>
        </ul>
      </p>

      <hr/>
      
      <subsection name="Aren't Identity Stores enough?">
        One might suppose that a single identity store can solve all the identity needs inside an organization, but few
        drawbacks are just around the corner:
        
        <ol>
          <li>Heterogeneity of systems</li>
          <li>Lack of a single source of information (HR for corporate id, Groupware for mail address, ...)</li>
          <li>Often applications require a local user database</li>
          <li>Inconsistent policies across the infrastructure</li>
          <li>Lack of workflow management</li>
          <li>Hidden infrastructure management cost, growing with organization</li>
        </ol>
      </subsection>
    </section>
  </body>
</document>