| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| --> |
| <document xmlns="http://maven.apache.org/XDOC/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> |
| |
| <properties> |
| <title>IAM Scenario</title> |
| <author email="dev@syncope.apache.org">Apache Syncope Documentation Team</author> |
| </properties> |
| |
| <body> |
| <section name="Identity and Access Management - Reference Scenario"> |
| |
| <p style="text-align:center;"> |
| <img src="docs/images/iam-scenario.png" alt="IAM Scenario" width="700"/> |
| </p> |
| |
| <p> |
| The picture above shows the tecnologies involved in a complete IAM solution: |
| <ul> |
| <li> |
| <strong> |
| <em>Identity Store</em> |
| </strong> |
| <br/> |
| (as RDBMS, LDAP, Active Directory, meta- and virtual-directories), the repository for account data |
| </li> |
| <li> |
| <strong> |
| <em>Provisioning Engine</em> |
| </strong> |
| <br/> |
| synchronizes account data across identity stores and a broad range of data formats, models, meanings and |
| purposes |
| </li> |
| <li> |
| <strong> |
| <em>Access Manager</em> |
| </strong> |
| <br/> |
| access mediator to all applications, focused on application front-end, taking care |
| of <u>authentication</u> |
| (<a href="https://en.wikipedia.org/wiki/Single_sign-on" target="_blank">Single Sign-On</a>), |
| <u>authorization</u> |
| (<a href="https://oauth.net/" target="_blank">OAuth</a>, |
| <a href="https://en.wikipedia.org/wiki/XACML">XACML</a>) and <u>federation</u> |
| (<a href="https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language" target="_blank">SAML</a>, |
| <a href="https://openid.net/connect/" target="_blank">OpenID Connect</a>). |
| </li> |
| </ul> |
| </p> |
| |
| <hr/> |
| |
| <subsection name="Aren't Identity Stores enough?"> |
| One might suppose that a single identity store can solve all the identity needs inside an organization, but few |
| drawbacks are just around the corner: |
| |
| <ol> |
| <li>Heterogeneity of systems</li> |
| <li>Lack of a single source of information (HR for corporate id, Groupware for mail address, ...)</li> |
| <li>Often applications require a local user database</li> |
| <li>Inconsistent policies across the infrastructure</li> |
| <li>Lack of workflow management</li> |
| <li>Hidden infrastructure management cost, growing with organization</li> |
| </ol> |
| </subsection> |
| </section> |
| </body> |
| </document> |