Identity Agent

An Identity Agent is a software application for user-centric identity management. It

• Manages a consistent user experience for authentication (and in some cases other kinds of interactions) with a Service Provider (also known as a Relying Party)
• Provides a user interface called an "i-card selector" which displays a set of alternative i-card icons from which the users selects their preferred i-card when authentication is required by a local application or Service Provider (e.g. a web site's sign-in page)
• Provides a user interface to create new personal i-cards and/or manage them. This interface is sometimes called an "i-card manager"
• Provides a local Security Token Service that is used to provide the security tokens for personal (self-issued) i-cards
• Provides a user interface to import and export personal or managed i-card files in standard file formats
• Is invoked by a browser extension or by a local rich client application

An Identity Agent may also allow the user to manage (e.g. create, review, update and delete cards within) their portfolio of i-cards.

IDM Solutions

Solutions which fall under the category of Identity Management:

• Management of Identities
  
  Provisioning/De-provisioning of accounts
  Workflow automation
  Delegated administration
  Password synchronization
  Self Service Password Reset
  


• Access Control
  
  Policy based access control
  Enterprise/Legacy Single Sign On (SSO) and Single Signout
  Web Single Sign On (SeoS)
  Reduced Sign On



• Directory Services
  
  Identity Repository (directory services for administration of user account attributes)
  Metadata Replication/Synchronization
  Directory Virtualization (virtual directory)
  e-business scale directory systems
  Next generation systems - CADS and CADS SDP



• Other categories
  
  Role-based access control (RBAC)
  Federation of user access rights on web applications across otherwise untrusted networks
  Directory enabled networking and 802.1X EAP



• Standards Initiatives
  
  SAML - An industry consortium
  Project Liberty - An industry consortium
  Shibboleth - Identity standards targeted towards educational environments.

Definition of Identity Management

Identity management (ID management) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity. The driver licensing system is a simple example of identity management: drivers are identified by their license numbers and user specifications (such as "can not drive after dark") are linked to the identifying number.

In an IT network, identity management software is used to automate administrative tasks, such as resetting user passwords. Enabling users to reset their own passwords can save significant money and resources, since a large percentage of help desk calls are password-related. Password synchronization (p-synch) enables a user to access resources across systems with a single password; a more advanced version called single signon enables synchronization across applications as well as systems.

In an enterprise setting, identity management is used to increase security and productivity, while decreasing cost and redundant effort. Standards such as Extensible Name Service (XNS) are being developed to enable identity management both within the enterprise and beyond.

In a wider context, industry groups such as the World Wide Web Consortium (W3C) and The Open Group are developing standards that would enable global identity management, in which each individual would be uniquely identified, and all applicable data would be linked to that identity. A position paper on the W3C Web site, Requirements for a Global Identity Management Service, maintains that establishing global identity management is crucial for the development of the Web and Web services. The W3C position paper stipulates, among other things, that such a system that must be universally portable and interoperable; that it must support unlimited identity-related attributes; that it must provide adequate mechanisms for privacy and accountability; and that it must be overseen by an independent governing authority.

Emerging Fundamental Points of IDM

IdM provides a significantly greater opportunity to an online business beyond the process of authenticating and authorizing users via cards, tokens and web access control systems.

User-based IdM is evolving from username/password and web access control systems to those that embrace preferences, parental controls, entitlements, policy-based routing, presence and loyalty schemes.

IdM provides the focus to deal with system-wide data quality and integrity issues often encountered by fragmented databases and workflow processes.

IdM embraces what the user actually gets in terms of products and services and how and when they do that. Therefore IdM applies to the products and services of an organization such as health, media, insurance, travel or government services, as well as how these products are provisioned and assigned to (or removed from) "entitled" users.

IdM can deliver a single customer view that includes their presence and location, single product and services and single IT infrastructure and network views to the respective parties and therefore IdM is related intrinsically to information engineering and information security and privacy.

IdM covers the machinery (system infrastructure components) that delivers such services because a user's service could be assigned to: a particular network technology; content title; usage rights; media server; mail server; soft switch; voice mail box; product catalogue set; security domain; billing system; CRM or help desk and so on.

Critical to IdM projects are considerations of the online services of an organization (what are the users logging on to) and how are they managed from an internal perspective and the customer self care perspective.

IDM - Three Perspectives

In the real world context of engineering online systems, identity management can be given three perspectives:

• The pure identity paradigm - creation, management and deletion of identities without regard to access or entitlements;
  


• The user access (log-on) paradigm - a smart card and its associated data that a customer uses to log on to a service or services (a traditional view);
  


• The service paradigm - a system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.

-The User Access Paradigm-

Identity Management in the user "log on" perspective would be an integrated system of business processes, policies and technologies that enable organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized access. It represents a category of interrelated solutions that are employed to administer user authentication, access rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/ profiles on one or more applications or systems.

-The Service Paradigm-

In the service paradigm perspective, where organizations are evolving their systems to the converged services world, the scope of identity management becomes much larger and its application more critical. The scope of identity management includes all the resources of the company that are used to deliver online services. This includes devices, network equipment, servers, portals, content, applications and products as well as a user's credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.

Today many organizations are facing a major clean-up in their systems to bring identity coherence to their world. This coherence is required in order to deliver unified services to very large numbers of users on demand - cheaply and with security and single customer view facilities.

Identity management

In information systems, identity management, sometimes referred to as identity management systems, is the management of the identity life cycle of entities (subjects or objects) during which:

1. the identity is established:

• a name (or number) is connected to the subject or object;



• the identity is re-established: a new or additional name (or number) is connected to the subject or object;

2. the identity is described:

• one or more attributes which are applicable to this particular subject or object may be assigned to the identity;



• the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;

3. the identity is destroyed.