Identity Broker Pattern: 15 Fundamentals

Recent research by the analyst firm Quocirca confirms that many businesses now have more external users than internal ones: in Europe, 58 percent transact directly with users from other businesses and/or consumers; for the UK alone the figure is 65 percent. Looking at history, most enterprises today grow via acquisitions, mergers and partnerships. In the U.S. alone, mergers and acquisitions volume totaled $865.1 billion in the first nine months of 2013, according to Dealogic. That is a 39% increase over the same period a year earlier, and the highest nine-month total since 2008.

Gartner predicts that by 2020, 60% of all digital identities interacting with enterprises will come from external identity providers.

I have written two blog posts in detail highlighting the need for an Identity Broker.
The objective of this blog post is to define fifteen fundamentals that an Identity Broker should ideally support in order to cater for future Identity and Access Management goals.

1st Fundamental

Federation protocol agnostic:

  • Should not be coupled to a specific federation protocol such as SAML, OpenID Connect, OpenID or WS-Federation.
  • Should have the ability to connect to multiple identity providers over heterogeneous identity federation protocols.
  • Should have the ability to connect to multiple service providers over heterogeneous identity federation protocols.
  • Should have the ability to transform ID tokens between multiple heterogeneous federation protocols.

2nd Fundamental

Transport protocol agnostic:

  • Should not be coupled to a specific transport protocol such as HTTP or MQTT.
  • Should have the ability to read from and write to multiple transport channels.

3rd Fundamental

Authentication protocol agnostic:

  • Should not be coupled to a specific authentication protocol such as username/password, FIDO or OTP.
  • Authenticators should be pluggable.

4th Fundamental

Claim Transformation:

  • Should have the ability to transform identity provider specific claims into service provider specific claims and vice versa.
  • Should support both simple and complex claim transformations. An example of a complex claim transformation would be to derive the age from the date-of-birth identity provider claim, or to concatenate the first name and last name claims from the identity provider to form the full name service provider claim.
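
The rule-driven transformation described above, as an added example that is not part of the original post: a simple rename, a concatenation and an age derivation, applied so that only the claims configured for the service provider are released. The claim names, the rule set and the sample assertion are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

# Constructed claim dialects: OIDC-style IdP claim names on the IdP side,
# LDAP-style attribute names on the SP side. Not any real broker's config.
@dataclass
class ClaimRule:
    """One SP claim, derived from one or more IdP claims."""
    sp_claim: str
    sources: tuple                                   # IdP claims this rule reads
    transform: Optional[Callable[[List[str], date], str]] = None  # None = 1:1 rename
    required: bool = True

def age_from_birthdate(birthdate: str, today: date) -> str:
    """Complex transformation: whole years between an ISO-8601 date of birth and today."""
    dob = date.fromisoformat(birthdate)
    return str(today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day)))

SP_RULES = [  # rules for one hypothetical service provider
    ClaimRule("mail", ("email",)),                                  # simple rename
    ClaimRule("cn", ("given_name", "family_name"),
              lambda v, today: f"{v[0]} {v[1]}"),                   # concatenation
    ClaimRule("age", ("birthdate",),
              lambda v, today: age_from_birthdate(v[0], today)),    # derived value
    ClaimRule("telephoneNumber", ("phone_number",), required=False),
]

IDP_CLAIMS = {  # constructed sample assertion from the identity provider
    "sub": "u-1001", "email": "alice@example.com",
    "given_name": "Alice", "family_name": "Liddell", "birthdate": "1990-06-15",
}
REFERENCE_DATE = date(2024, 6, 14)  # fixed "today" so the derived age is reproducible

def transform_claims(idp_claims: Dict[str, str], rules, today: date) -> Dict[str, str]:
    """Rewrite IdP claims into the SP's dialect. Only claims the SP is configured
    to receive are emitted; everything else (here 'sub') is dropped, so the SP never
    sees attributes it was not granted. A missing required source raises instead of
    yielding an empty value; an inverse rule set gives the SP-to-IdP direction."""
    out: Dict[str, str] = {}
    for rule in rules:
        missing = [s for s in rule.sources if s not in idp_claims]
        if missing:
            if rule.required:
                raise ValueError(f"{rule.sp_claim} needs IdP claim(s) {missing}")
            continue
        values = [idp_claims[s] for s in rule.sources]
        out[rule.sp_claim] = values[0] if rule.transform is None else rule.transform(values, today)
    return out
```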

5th Fundamental

Home Realm Discovery:

  • Should have the ability to find the home identity provider corresponding to the incoming federation request by looking at certain attributes in the request.
  • The discovery process should be pluggable.
  • Filter-based routing.
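
A pluggable, filter-based home realm discovery chain, as an added example that is not part of the original post: each handler inspects the request, the first match wins, and a candidate is only accepted if the requesting service provider trusts that identity provider. The service providers, identity provider names, domains and request parameters are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed configuration for this example; entity IDs, IdP names and domains are made up.

@dataclass
class ServiceProvider:
    entity_id: str
    trusted_idps: List[str]            # the IdPs this SP has chosen to trust
    default_idp: Optional[str] = None  # used when no request attribute decides

Request = Dict[str, str]
DiscoveryHandler = Callable[[Request, ServiceProvider], Optional[str]]

EMAIL_DOMAIN_TO_IDP = {"example.com": "idp-corp", "partner.example": "idp-partner"}

def by_idp_hint(request: Request, sp: ServiceProvider) -> Optional[str]:
    """Filter 1: the request names a provider explicitly (e.g. an idp_hint parameter)."""
    return request.get("idp_hint")

def by_email_domain(request: Request, sp: ServiceProvider) -> Optional[str]:
    """Filter 2: route on the domain part of the user identifier in the request."""
    hint = request.get("login_hint", "")
    return EMAIL_DOMAIN_TO_IDP.get(hint.rpartition("@")[2].lower()) if "@" in hint else None

def by_sp_default(request: Request, sp: ServiceProvider) -> Optional[str]:
    """Filter 3: fall back to the service provider's configured default IdP."""
    return sp.default_idp

# Pluggable, ordered chain: adding a discovery strategy means adding a handler here.
DEFAULT_CHAIN: List[DiscoveryHandler] = [by_idp_hint, by_email_domain, by_sp_default]

def discover_home_realm(request: Request, sp: ServiceProvider,
                        chain: List[DiscoveryHandler] = DEFAULT_CHAIN) -> str:
    """Run the handler chain; the first candidate the SP trusts wins.

    A candidate the SP does not trust is skipped rather than used, so a
    request-supplied hint cannot steer the user to an arbitrary provider.
    With no trusted candidate at all the broker fails closed.
    """
    for handler in chain:
        idp = handler(request, sp)
        if idp is not None and idp in sp.trusted_idps:
            return idp
    raise LookupError(f"no trusted home realm for {sp.entity_id}")

# Constructed service providers used by the checks below.
SP_HR = ServiceProvider("sp-hr", ["idp-corp", "idp-partner"], default_idp="idp-corp")
SP_KIOSK = ServiceProvider("sp-kiosk", ["idp-partner"])
```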

6th Fundamental

Multi-option Authentication:

  • Should have the ability to present multiple login options to the user, per service provider.
  • Based on the service provider that initiates the authentication request, the identity broker will present the corresponding login options to the user.

7th Fundamental

Multi-step Authentication:

  • Should have the ability to present multi-step authentication (MFA) to the user, per service provider.
  • Multi-factor Authentication (MFA) is an instance of multi-step authentication, where authenticators that support multi-factor authentication are plugged into any of the steps.

8th Fundamental

Adaptive Authentication:

  • Should have the ability to change the authentication options based on the context.
  • The identity broker should have the ability to derive the context from the authentication request itself as well as from other supporting data.
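
The 6th, 7th and 8th fundamentals together, as an added example that is not part of the original post: a per-service-provider policy declares the login options of each step (multi-option), a sequence of steps (multi-step), and a step-up rule that appends a further factor when the context derived from the request scores as risky (adaptive). The service providers, authenticator names, context fields and scoring rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed per-service-provider policies; SP and authenticator names are illustrative.

@dataclass
class AuthStep:
    options: List[str]   # authenticators the user may choose between in this step

@dataclass
class AuthPolicy:
    steps: List[AuthStep]
    step_up: List[str] = field(default_factory=list)  # extra step added when risk is high

SP_POLICIES: Dict[str, AuthPolicy] = {
    # Multi-option: a single step offering a choice of login methods.
    "sp-intranet": AuthPolicy([AuthStep(["password", "fido"])], step_up=["otp"]),
    # Multi-step: password first, then a second factor (MFA), for every login.
    "sp-payroll": AuthPolicy([AuthStep(["password"]), AuthStep(["fido", "otp"])]),
}

def risk_from_context(context: Dict[str, object]) -> int:
    """Derive a risk score from the request plus supporting data (constructed rules)."""
    score = 0
    if not context.get("known_device", False):
        score += 1
    if context.get("ip_country") != context.get("usual_country"):
        score += 1
    if int(context.get("failed_attempts", 0)) >= 3:
        score += 2
    return score

def build_auth_sequence(sp_id: str, context: Dict[str, object]) -> List[List[str]]:
    """Return the ordered authentication steps, each with its options, for this SP.

    Adaptive rule: a risk score of 2 or more appends the SP's step-up
    authenticators as a further step, omitting any the policy already
    requires. An SP with no policy fails closed (KeyError) rather than
    getting a permissive default.
    """
    policy = SP_POLICIES[sp_id]
    steps = [list(s.options) for s in policy.steps]
    already = {a for step in steps for a in step}
    extra = [a for a in policy.step_up if a not in already]
    if risk_from_context(context) >= 2 and extra:
        steps.append(extra)
    return steps
```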

9th Fundamental

Identity Mapping:

  • Should have the ability to map identities between different identity providers.
  • A user should be able to maintain multiple identities with multiple identity providers and switch between those identities when logging in to multiple service providers.

10th Fundamental

Multiple Attribute Stores:

  • Should have the ability to connect to multiple attribute stores and build an aggregated view of the end user's identity.

11th Fundamental

Just-in-time Provisioning:

  • Should have the ability to provision users to connected user stores in a protocol agnostic manner.

12th Fundamental

Manage Identity Relationships:

  • Should have the ability to manage identity relationships between different entities and make authentication and authorization decisions based on them.
  • A given user can belong to a group or a role, and be the owner of devices from multiple platforms.
  • A device could have an owner, an administrator, a user and so on.

13th Fundamental

Trust Brokering:

  • Each service provider should identify which identity providers it trusts.

14th Fundamental

Centralized Access Control:

  • Who gets access to which user attributes? Which resources can the user access at the service provider?

15th Fundamental

Centralized Monitoring:

  • Should have the ability to monitor and generate statistics on each identity transaction that flows through the broker.
  • The connected analytics engine should be able to perform batch analytics, real-time analytics and predictive analytics.