IAM Basics

Good Essays
582 Words
Grammar
Grammar
Plagiarism
Plagiarism
Writing
Writing
Score
Score
IAM Basics
What is Identity and Access Management?
IAM deals with the management of electronic identities.
IAM helps organizations with:
Identity life cycle management
Centralized user management
Role-based access control
It helps automate processes (for example, user provisioning)
It helps you stay compliant with audits through features such as certification and report generation
It helps reduce overall cost (employee self-service, eliminates errors)
Defining rules and policies
IDM should govern the access approval workflow, after which it takes care of provisioning and de-provisioning without manual intervention.

Framework
A system framework that helps with the management of electronic identities.

Access Management
Authentication: the process of confirming the identity.
Once a user is authenticated, a session is created and referred to during the interaction between the user and the application system until the user logs off or the session is terminated by other means.
Authorization: the process of determining whether the user is allowed or permitted to access a particular resource or system.

Role-based access control is a method of restricting access to a system or application based on the user's role. There are 3 approaches:
bottom up - roles are assigned based on existing entitlements
top down - roles are created to match the skill
Role life cycle: role assignment -> role entitlement provisioning -> user attestation -> remediation -> modify / delete role

Identity Life Cycle Management
Deals with a user who joins the organization: how the user is provisioned, authentication, authorization, how the user's roles change over time, requests for access, self-service, etc.

Provisioning is the process of creating and managing user accounts.
Certification
Certification is the process of periodically reviewing user, role and account entitlements, signing off the ones that seem reasonable and flagging the questionable ones. The flagged access is then revoked. Certification is scheduled based on company rules and policies.
Reconciliation
Reconciliation automatically detects and repairs access policy violations that may occur through manual creation, modification or deletion of accounts in a managed resource. Reconciliation also eliminates dormant or orphaned accounts.
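As an added example (not part of the essay), the following Python reconciliation pass runs over constructed sample data: it compares the accounts found on a managed resource with the identity store and the role policy, and flags orphaned accounts, dormant accounts belonging to leavers, and manually granted entitlements that no assigned role justifies. The identities, roles and resource accounts are all made up for the illustration.

```python
# Added example: a minimal reconciliation pass over constructed sample data.
from dataclasses import dataclass, field

# Constructed identity store: who exists, whether they are active, and their roles.
IDENTITIES = {
    "jdoe": {"status": "active", "roles": {"analyst"}},
    "asmith": {"status": "active", "roles": {"analyst", "db_admin"}},
    "bjones": {"status": "terminated", "roles": set()},
}
# Constructed role policy: the entitlements each role is allowed to carry.
ROLE_ENTITLEMENTS = {
    "analyst": {"read_reports"},
    "db_admin": {"read_reports", "db_write"},
}
# Constructed snapshot of accounts as read back from a managed resource.
RESOURCE_ACCOUNTS = {
    "jdoe": {"read_reports", "db_write"},   # db_write granted by hand, no role covers it
    "asmith": {"read_reports", "db_write"},  # consistent with assigned roles
    "bjones": {"read_reports"},              # dormant account of a terminated user
    "svc_legacy": {"db_write"},              # no matching identity: orphaned
}

@dataclass
class Finding:
    account: str
    kind: str                      # "orphan", "dormant" or "excess_entitlement"
    detail: frozenset = field(default_factory=frozenset)

def reconcile(identities, role_entitlements, resource_accounts):
    """Compare resource accounts with the identity store and role policy."""
    findings = []
    for account, granted in sorted(resource_accounts.items()):
        ident = identities.get(account)
        if ident is None:                       # account with no owning identity
            findings.append(Finding(account, "orphan", frozenset(granted)))
            continue
        if ident["status"] != "active":         # owner has left: dormant account
            findings.append(Finding(account, "dormant", frozenset(granted)))
            continue
        allowed = set().union(*(role_entitlements[r] for r in ident["roles"]))
        excess = set(granted) - allowed         # entitlements no role justifies
        if excess:
            findings.append(Finding(account, "excess_entitlement", frozenset(excess)))
    return findings

def remediation_plan(findings):
    """Map each finding to the repair a reconciliation run would apply."""
    plan = {}
    for f in findings:
        plan[f.account] = ("disable" if f.kind in ("orphan", "dormant")
                           else "revoke:" + ",".join(sorted(f.detail)))
    return plan
```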
Single Sign On:
The process that allows users to enter their user name and password once to access multiple applications.
Federation
Identity federation is like an amusement park. With Enterprise SSO (ESSO), you get into the amusement park but still need a ticket for each ride (think Santa Cruz Beach Boardwalk). With federation, you get into the amusement park but have a wristband that every ride operator recognizes and lets you on (think Disneyland).
Differences between SSO and Federation
SSO is an umbrella term for any time a user can log in to multiple applications while only authenticating once. It covers both federation and password vaulting, which is more commonly known as "Enterprise SSO". The main difference is that federation eliminates the requirement to use and remember passwords and Enterprise SSO doesn't.
Federation allows single sign-on (SSO) without passwords: the federation server knows the user name for a person in each application and presents that application with a token that says, "this person is domain\johndoe or johndoe@example.com". No password is required for the user to log in to each system. Because of the trust between the two systems, the target application accepts this token and authenticates the user.
The federation server passes that token using one of the standard identity protocols: SAML, OpenID or WS-Trust.
Active Directory
A directory service to which you add new users.
LDAP (Lightweight Directory Access Protocol) is an access protocol used for querying or modifying items in a directory such as Active Directory.
