The document discusses the role of an identity broker and its key functions. An identity broker acts as a centralized hub that can connect to multiple identity providers and service providers in a protocol-agnostic manner. It allows for identity federation across different protocols and systems. The broker supports important identity management capabilities like claim transformation, home realm discovery, multi-factor authentication, adaptive authentication, identity mapping, attribute aggregation, and just-in-time provisioning in a centralized manner. Fifteen fundamentals of the identity broker pattern are described. The document also discusses the concept of an identity mediation language and seven fundamentals of future identity and access management.
Identity Broker Pattern: Fifteen Fundamentals

Fundamental #1: Federation protocol agnostic
• Should not couple to a specific federation protocol such as SAML or OpenID Connect.
• Ability to connect multiple identity providers over heterogeneous identity federation protocols.
• Should have the ability to transform ID tokens between heterogeneous federation protocols.

Fundamental #2: Transport protocol agnostic
• Should not couple to a specific transport protocol (HTTP, MQTT).

Fundamental #3: Authentication protocol agnostic
• Should not couple to a specific authentication protocol (username/password, FIDO, OTP).
• Pluggable authenticators.

Fundamental #4: Claim Transformation
• Should have the ability to transform identity provider specific claims into service provider specific claims.
• Both simple claim transformations and complex transformations.

Fundamental #5: Home Realm Discovery
• Should have the ability to find the home identity provider corresponding to the incoming federation request by looking at certain attributes in the request.
• Filter-based routing.

Fundamental #6: Multi-option Authentication
• Should have the ability to present multiple login options to the user, configured per service provider.

Fundamental #7: Multi-step Authentication
• Should have the ability to present multi-step authentication (MFA) to the user, configured per service provider.

Fundamental #8: Adaptive Authentication
• Should have the ability to change the authentication options based on the context.

Fundamental #9: Identity Mapping
• Should have the ability to map identities between different identity providers.
• A user should be able to maintain multiple identities with multiple identity providers.

Fundamental #10: Multiple Attribute Stores
• Should have the ability to connect to multiple attribute stores and build an aggregated view of the end user identity.

Fundamental #11: Just-in-time Provisioning
• Should have the ability to provision users to connected user stores in a protocol agnostic manner.

Fundamental #12: Manage Identity Relationships
• Should have the ability to manage identity relationships between different entities and take authentication and authorization decisions based on them.

Fundamental #13: Trust Brokering
• Each service provider should identify which identity providers it trusts.

Fundamental #14: Centralized Access Control
• Who gets access to which user attribute? Which resources can the user access at the service provider?

Fundamental #15: Centralized Monitoring
• Should have the ability to monitor and generate statistics on each identity transaction that flows through the broker.
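To make fundamentals #4, #5 and #13 concrete, here is a small identity broker in Python, added as an illustration; it is not code from the slides or from any product. The service provider and identity provider names, the routing rules and the claim names are all constructed for the example.

```python
# Added example, not from the slides: a toy identity broker that implements
# home realm discovery (#5), trust brokering (#13) and claim transformation (#4).
# SP names, IdP names, routing rules and claim names are all constructed.

class BrokerError(Exception):
    """Raised when the broker refuses to route or cannot find a home realm."""

# #13 Trust brokering: each service provider declares the IdPs it trusts.
SP_TRUSTED_IDPS = {
    "crm-app": {"corp-saml", "partner-oidc"},
    "support-portal": {"partner-oidc"},
}

# #5 Home realm discovery: filter-based routing on attributes of the
# incoming request. Rules are evaluated in order; the first match wins.
HRD_RULES = [
    (lambda req: req.get("email", "").endswith("@corp.example"), "corp-saml"),
    (lambda req: req.get("email", "").endswith("@partner.example"), "partner-oidc"),
]

# #4 Claim transformation: IdP-specific claim names -> SP-specific claim names.
# Anything not in the map is deliberately dropped, so IdP-only attributes
# (group memberships, internal ids) never reach the service provider.
CLAIM_MAPS = {
    "corp-saml": {"mail": "email", "displayName": "name"},
    "partner-oidc": {"email": "email", "preferred_username": "name"},
}

def discover_home_realm(request: dict) -> str:
    for predicate, idp in HRD_RULES:
        if predicate(request):
            return idp
    raise BrokerError("no home realm matches the request")

def is_trusted(sp: str, idp: str) -> bool:
    return idp in SP_TRUSTED_IDPS.get(sp, set())

def route(sp: str, request: dict) -> str:
    """Pick the IdP for this request, but only if the SP trusts it."""
    idp = discover_home_realm(request)
    if not is_trusted(sp, idp):
        raise BrokerError(f"{sp} does not trust {idp}")
    return idp

def transform_claims(idp: str, idp_claims: dict) -> dict:
    mapping = CLAIM_MAPS[idp]
    return {sp_name: idp_claims[idp_name]
            for idp_name, sp_name in mapping.items() if idp_name in idp_claims}
```

The trust check runs before any redirect to the identity provider, so a request whose home realm is not trusted by the service provider is rejected at the broker rather than after the user has authenticated.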
Seven Fundamentals of Future IAM
By Martin Kuppinger

Fundamental #1: More than humans. It’s also about identities of things, devices, services, and apps.

Fundamental #2: Multiple identity providers. We will not manage all identities internally anymore, and trust will vary.

Fundamental #3: Multiple attribute providers. There will no longer be a single source of truth and information on identities.

Fundamental #4: Multiple identities. Many users will use different identities (or personas) and flexibly switch between them.
Looking at history, most enterprises today grow through acquisitions, mergers and partnerships. In the U.S. alone, mergers and acquisitions volume totaled $865.1 billion in the first nine months of 2013, according to Dealogic. That’s a 39% increase over the same period a year earlier, and the highest nine-month total since 2008.
Research by the analyst firm Quocirca confirms that many businesses now have more external users than internal ones: in Europe 58 percent transact directly with users from other businesses and/or consumers; for the UK alone the figure is 65 percent.
Another analyst firm predicts that by 2020, 60% of all digital identities interacting with enterprises will come from external IdPs.
In today’s context, connected business is a very dynamic and complex environment. The aim is to reach out to your customers, partners, distributors and suppliers and create more and more business interactions and activities, which will generate more revenue. The goal is not just to integrate technological silos within your enterprise, but also to make your business more accessible and responsive.
Friction in building connections between your business entities cannot be tolerated. The cost of provisioning a service provider or an identity provider into the system can be high because of protocol incompatibilities. Also, building point-to-point trust relationships between service providers and identity providers does not scale well.