Book: Solving Identity Management in Modern Applications by Yvonne Wilson and Abhishek Hingnikar
Design Questions
- Who are your users: employees (B2E), consumers (B2C), or a business (B2B)?
- How will users log in? Is there an existing account available to them that they would like to reuse?
- Can your application be used anonymously or is authentication needed?
- What kind of delivery - Web or native - does your application intend to provide?
- Will your application need to call any APIs? If so, who owns the data that your application will retrieve?
- How sensitive is the data that your application handles?
- What access control requirements are needed?
- How long should a user’s session last?
- Is there more than one application in your system? If so, will users benefit from single sign-on? (Don’t forget a support forum!)
- What should happen when users log out?
- Are there any compliance requirements associated with this data?
Events in the Life of an Identity
- Provisioning
- Authorization
- Authentication
- Access Policy Enforcement
- Sessions
- Single Sign-On
- Stronger Authentication
- Logout
- Account Management
- Deprovisioning
Levels of Authorization and Access Policy Enforcement
- Level 1 - Whether an entity can access an application or API at all
- Level 2 - What functions an entity can use in an application or API
- Level 3 - What data an entity can access or operate on
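The three levels above are easiest to see as three ordered checks that a request must pass, with a denial at any level failing closed. The following is an added example written for these notes, not code from the book; the application names, function scopes, roles and invoice records are constructed, and the "support-admin" role that overrides ownership at level 3 is an assumed policy, not one the book prescribes.

```python
"""Three-level access policy enforcement (added example, not from the book).

Level 1: may the principal use this application/API at all?
Level 2: may the principal use this particular function?
Level 3: may the principal operate on this particular record?
Every name and record below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    subject: str                       # identifier of the user or service
    applications: frozenset            # applications the principal may enter (level 1)
    functions: frozenset               # functions/scopes granted (level 2)
    roles: frozenset = frozenset()     # roles consulted for data-level exceptions (level 3)


@dataclass(frozen=True)
class Record:
    record_id: str
    owner: str                         # subject identifier of the data owner


class AccessDenied(Exception):
    """Raised with the level at which the request was rejected."""

    def __init__(self, level: int, reason: str):
        super().__init__(f"level {level}: {reason}")
        self.level = level
        self.reason = reason


def check_level1(principal: Principal, application: str) -> None:
    if application not in principal.applications:
        raise AccessDenied(1, f"{principal.subject} may not access {application}")


def check_level2(principal: Principal, function: str) -> None:
    if function not in principal.functions:
        raise AccessDenied(2, f"{principal.subject} lacks function {function}")


def check_level3(principal: Principal, record: Record, admin_role: str = "support-admin") -> None:
    # Assumed policy: the owner, or a holder of the (hypothetical) support-admin role.
    if record.owner != principal.subject and admin_role not in principal.roles:
        raise AccessDenied(3, f"{principal.subject} does not own {record.record_id}")


def authorize(principal: Principal, application: str, function: str, record: Record) -> bool:
    """Evaluate the levels in order; the first failure wins.

    Ordering matters: a caller rejected at level 1 learns nothing about which
    functions or records exist, and level 3 is only reached by callers who have
    already been admitted to the application and the function.
    """
    check_level1(principal, application)
    check_level2(principal, function)
    check_level3(principal, record)
    return True


def decision(principal: Principal, application: str, function: str, record: Record):
    """Return ("allow", None) or ("deny", level) so outcomes can be logged and tested."""
    try:
        authorize(principal, application, function, record)
        return ("allow", None)
    except AccessDenied as exc:
        return ("deny", exc.level)


# Constructed sample data.
ALICE = Principal("alice", frozenset({"billing"}), frozenset({"invoice:read", "invoice:export"}))
BOB = Principal("bob", frozenset({"billing"}), frozenset({"invoice:read"}))
CAROL = Principal("carol", frozenset({"hr"}), frozenset({"payroll:read"}))
DAN = Principal("dan", frozenset({"billing"}), frozenset({"invoice:read"}), frozenset({"support-admin"}))

INV_1 = Record("inv-1", owner="alice")
INV_2 = Record("inv-2", owner="bob")


if __name__ == "__main__":
    for who, app, fn, rec in [
        (ALICE, "billing", "invoice:read", INV_1),    # allow
        (CAROL, "billing", "invoice:read", INV_1),    # deny at level 1
        (BOB, "billing", "invoice:export", INV_2),    # deny at level 2
        (BOB, "billing", "invoice:read", INV_1),      # deny at level 3 (not bob's invoice)
        (DAN, "billing", "invoice:read", INV_1),      # allow via support-admin role
    ]:
        print(who.subject, app, fn, rec.record_id, "->", decision(who, app, fn, rec))
```

The level 3 check is the one most often left out in practice: an API that verifies the caller is logged in (level 1) and holds the right scope (level 2) but then trusts a client-supplied record identifier lets any authenticated user read or modify other users' data. Keeping each level as its own function makes it visible in code review when a handler skips one.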
- Account - A construct within a software application or service that usually contains or is associated with identity information and, optionally, privileges, and which is used to access features within the application or service.
- Identifier - A single identifying attribute that points to a unique individual user or entity, within a particular context.
- Identity - A set of attributes, including one or more identifiers, associated with a specific user or entity, in a particular context.
- Identity Repository - A collection of users stored in a computer storage system, such as a database or directory service.