Digital identities – the duties of an enterprise
As mentioned in the Digital transformation – the impact on the market section, before the cloud era, tech giants dealt with technology within their own data centers. Identity management is not new for enterprises: historically, IdPs such as Active Directory or SiteMinder worked inside the enterprise network perimeter with protocols such as Kerberos and NTLM.
Having an identity directory in the enterprise is paramount for managing the users, computers, and other assets that belong to the organization and for configuring access to the company’s assets. The evolution of identity in both the consumer and the enterprise space led most IdPs to support OAuth, and they typically run as SaaS outside the enterprise network perimeter (that is, they are exposed to the internet, not the intranet). This has several benefits, because users can now log in to the enterprise’s services even outside the intranet and the VPN, which improves the company’s productivity. It also brings security implications into play, which will be covered in detail in Chapter 5, Exploring Identity Patterns.
What companies tend to underestimate is that cloud IdPs nowadays rely on the OAuth protocol, which is very different from the previous protocols: it introduces new concepts such as delegation across different services, app registration within the enterprise, and new authentication flows, which in turn can change the way enterprises develop services and APIs.
In an enterprise, user information, identity, and access are managed by the company, which handles the life cycle of the digital identities of its employees (at a minimum; some companies also host external identities, such as vendors and contractors, in their IdP). Companies typically have a process to onboard an employee’s digital identity when the person is hired (provisioning). The identity is then used to give the user access to the company’s tools, services, and websites, and finally, when the user leaves the company, there is a process to delete or disable (deprovision) the user’s digital identity to prevent unwanted access to company resources.
From our experience in enterprises, we can certainly state that the user-centric approach is not yet widely adopted. IT departments and project teams are not able to collaborate efficiently with each other while working on projects and apps because they are not organized properly. Sometimes, different teams inside the organization use different IdPs, which makes the user-centric approach complicated. The result is very often the bad practice of managing user identity inconsistently. This highlights the importance of an organization having a clear strategy in this domain. As we are going to see in the rest of this book, it’s important to develop a strategy not only to ease the life of the users but also to handle everything that requires authentication, including service-to-service authentication.
If a bad strategy or no strategy is in place, some applications are even developed without any IdP. When an application uses no IdP, the user management feature is usually developed within the application itself, with extra effort and independent, custom-developed logic. This is the model that was followed in the past (before 2000), when IdPs didn’t exist at all. When this happens, users need a different set of credentials for each application they log in to. This scenario is also known as the distributed identity problem and was common in the early 2000s. The following diagram shows the distributed identity problem:
Figure 1.5 – Distributed identity problem example
The consequence of such a model is having less productivity for the following reasons:
- Users need to remember different sets of credentials
- More lines of code have to be written for each application to handle the authentication logic that is typically offloaded to an IdP, which results in increased maintenance and a longer time to market for a single application
- User information is not centralized, which might result in users wasting time filling in their profile information for each application
- Identity needs to be managed by custom implementations, which may lead to security issues
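The last two points are where the distributed identity problem turns into a security issue: when each application keeps its own user store, the central deprovisioning process described earlier does not reach them, and accounts of people who have left stay enabled. The audit below is an added example (not code from the book) that reconciles the app-local stores against the central directory; it assumes constructed sample data and that local usernames match the central identifier, which in a real enterprise requires an explicit mapping.

```python
# Constructed sample data: the central directory (the enterprise IdP, the source
# of truth for the identity life cycle) and the user stores of three apps that
# each manage identity on their own, as in the distributed identity problem.
CENTRAL_DIRECTORY = {
    "alice": {"status": "active"},
    "bob": {"status": "active"},
    "carol": {"status": "disabled"},  # left the company, deprovisioned centrally
}

# Each app keyed by its local username (assumed here to equal the central id).
APP_STORES = {
    "timesheet": {"alice": {"enabled": True}, "carol": {"enabled": True}},
    "wiki": {"alice": {"enabled": True}, "bob": {"enabled": True},
             "dave": {"enabled": True}},
    "crm": {"bob": {"enabled": True}, "carol": {"enabled": False}},
}


def audit_app_stores(central, app_stores):
    """Return, per app, enabled local accounts that the central directory does
    not vouch for.

    orphaned: owner exists centrally but is not active (deprovisioning never
              propagated to this app)
    unknown:  no central identity at all (a local-only account nobody governs)
    Accounts already disabled in the app are ignored: the app did its part.
    """
    findings = {}
    for app, accounts in app_stores.items():
        orphaned, unknown = [], []
        for username, record in accounts.items():
            if not record.get("enabled", False):
                continue
            owner = central.get(username)
            if owner is None:
                unknown.append(username)
            elif owner.get("status") != "active":
                orphaned.append(username)
        findings[app] = {"orphaned": sorted(orphaned), "unknown": sorted(unknown)}
    return findings


def count_findings(findings):
    """Total number of enabled accounts that need follow-up across all apps."""
    return sum(len(f["orphaned"]) + len(f["unknown"]) for f in findings.values())


if __name__ == "__main__":
    report = audit_app_stores(CENTRAL_DIRECTORY, APP_STORES)
    for app, result in report.items():
        print(f"{app}: orphaned={result['orphaned']} unknown={result['unknown']}")
    print(f"{count_findings(report)} account(s) to review")
```

Running the audit on a schedule, or on every deprovisioning event, is the compensating control until the applications are moved behind a single IdP.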
These are the typical scenarios and the duties an enterprise needs to handle to manage its digital identities. If we look deeper, there are important implications for an architect to consider, as we will discuss in the upcoming section.