Design Questions

  • Who are your users: employees (B2E), consumers (B2C), or a business (B2B)?
  • How will users log in? Is there an existing account available to them that they would like to reuse?
  • Can your application be used anonymously or is authentication needed?
  • What kind of delivery - Web or native - does your application intend to provide?
  • Will your application need to call any APIs? If so, who owns the data that your application will retrieve?
  • How sensitive is the data that your application handles?
  • What access control requirements are needed?
  • How long should a user’s session last?
  • Is there more than one application in your system? If so, will users benefit from single sign-on? (Don’t forget a support forum!)
  • What should happen when users log out?
  • Are there any compliance requirements associated with this data?

Events in the Life of an Identity

  • Provisioning
  • Authorization
  • Authentication
  • Access Policy Enforcement
  • Sessions
  • Single Sign-On
  • Stronger Authentication
  • Logout
  • Account Management
  • Deprovisioning

Levels of Authorization and Access Policy Enforcement

  • Level 1 - Whether an entity can access an application or API at all
  • Level 2 - What functions an entity can use in an application or API
  • Level 3 - What data an entity can access or operate on

Terminology

  • Account - A construct within a software application or service that usually contains or is associated with identity information and optionally privileges, and which is used to access features within the application or service.
  • Identifier - A single identifying attribute that points to a unique individual user or entity, within a particular context.
  • Identity - A set of attributes, including one or more identifiers, associated with a specific user or entity, in a particular context.
  • Identity Repository - A collection of users stored in a computer storage system, such as a database or directory service.
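The three levels of access policy enforcement listed above, as an added example (not code from the original notes): a ticketing API that checks, in order, whether the entity is assigned to the application at all (level 1), whether its roles permit the requested function (level 2), and whether it may operate on the specific record (level 3). The application assignments, roles, tenant names and ticket records are constructed for the illustration; a real application would take levels 1 and 2 from its identity repository or IdP and level 3 from the data store. A second function shows the common mistake of stopping after level 2, which lets any user with the right role read any record by guessing its ID.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """The authenticated entity as the application sees it (constructed for the example)."""
    subject: str            # identifier within this application's context
    tenant: str             # organisation the entity belongs to
    roles: FrozenSet[str]
    authenticated: bool = True


# Level 1: is this entity allowed into the application at all?
# Normally an application assignment in the identity repository; a literal set here.
APP_ASSIGNMENTS = {"alice", "bob", "carol"}

# Level 2: which functions each role may call.
ROLE_FUNCTIONS = {
    "support": {"ticket:read", "ticket:comment"},
    "admin": {"ticket:read", "ticket:comment", "ticket:delete"},
}

# Level 3: which data the entity may operate on. Constructed sample records.
TICKETS = {
    101: {"tenant": "acme", "owner": "alice"},
    102: {"tenant": "acme", "owner": "bob"},
    103: {"tenant": "globex", "owner": "carol"},
}

# (allowed, level that denied or None, reason for the audit log)
Decision = Tuple[bool, Optional[int], str]


def check_level1(p: Principal) -> Optional[str]:
    """Return a denial reason, or None if the entity may reach the application."""
    if not p.authenticated:
        return "not authenticated"
    if p.subject not in APP_ASSIGNMENTS:
        return "not assigned to this application"
    return None


def check_level2(p: Principal, function: str) -> Optional[str]:
    """Return a denial reason, or None if some role of the entity permits the function."""
    permitted = set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in p.roles))
    if function not in permitted:
        return f"roles {sorted(p.roles)} may not call {function}"
    return None


def check_level3(p: Principal, ticket_id: int) -> Optional[str]:
    """Return a denial reason, or None if the entity may operate on this record.

    The reason strings are for the audit log only; the HTTP response to the
    client should be the same for 'no such record' and 'not yours' so that
    record IDs cannot be enumerated.
    """
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return "no such ticket"
    if ticket["tenant"] != p.tenant:
        return "ticket belongs to another tenant"
    if ticket["owner"] != p.subject and "admin" not in p.roles:
        return "not the ticket owner"
    return None


def authorize(p: Principal, function: str, ticket_id: int) -> Decision:
    """Enforce all three levels in order; the first failing level denies."""
    reason = check_level1(p)
    if reason:
        return (False, 1, reason)
    reason = check_level2(p, function)
    if reason:
        return (False, 2, reason)
    reason = check_level3(p, ticket_id)
    if reason:
        return (False, 3, reason)
    return (True, None, "ok")


def authorize_without_level3(p: Principal, function: str, ticket_id: int) -> Decision:
    """The common bug: role-level checks only, no object-level check.

    Any assigned support user can read any ticket, including other tenants'.
    """
    reason = check_level1(p)
    if reason:
        return (False, 1, reason)
    reason = check_level2(p, function)
    if reason:
        return (False, 2, reason)
    return (True, None, "ok")


if __name__ == "__main__":
    alice = Principal("alice", "acme", frozenset({"support"}))
    print(authorize(alice, "ticket:read", 101))              # allowed
    print(authorize(alice, "ticket:read", 103))              # denied at level 3
    print(authorize_without_level3(alice, "ticket:read", 103))  # wrongly allowed
```

The ordering matters for the design questions above: level 1 answers "can this application be used anonymously", level 2 answers "what access control requirements are needed" for functions, and level 3 is where "who owns the data" is enforced. Level 3 cannot be expressed as a role, since the decision depends on the record being requested.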