An IdM system is designed to be the authoritative central hub of identity information. External services may read that information through APIs or directory services, or the IdM system may provision data out to them. It is crucial that information security is maintained both while data is in transit and once it is stored in a new location. Changes in the IdM system should be propagated to external systems in a timely manner; the ease and speed with which changes can be propagated may be a factor when procuring systems that need to be integrated with the IdM system.
Generic Functional Requirements
- Information about a user should include the attributes specified by the organization
- Only the IdM system should be able to write to log/audit data stores
- The IdM system must be able to associate user account data across multiple systems, each of which may have its own scheme for local identifiers
- The IdM system needs to notify downstream systems of user-related events in a timely and secure fashion
- The IdM system must consume upstream user-related events from systems of record in a timely and secure fashion
- IdM functions may need to be invoked by remote systems through APIs for specific purposes
Standards Support and Integration Considerations
Where possible, avoid non-standard technologies which require specifically integrated vendor components to be deployed.
Key Design Considerations
- Look for designs of data integration components which are loosely coupled. Loosely coupled components bring flexibility and interoperability with products from different vendors.
- Favor designs which use commodity message queuing products. For example, use products such as Apache ActiveMQ for messaging needs.
- Integration with downstream systems ideally should be asynchronous and loosely coupled. For example, user provisioning can use event notification mechanisms with generic user account add/modify/delete event messages.
- Favor systems which expose IdM system functions as REST-based services for simplicity. REST-based services let related systems, such as user administration or resource management applications, access IdM functions with little integration effort.
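The following is an added example (not code from the original page or from any particular IdM product) of the asynchronous provisioning pattern described in the design considerations above, covering the functional requirements that events be delivered securely, that duplicates not be applied twice, and that the downstream system keep its own local identifier scheme linked to the IdM identifier. The message format, the HMAC-SHA256 envelope, the shared secret and the link table are all assumptions made for this illustration; a real deployment would put the envelope on a message queue and use a per-consumer key managed by the IdM system.

```python
"""Added example (not from the original page): a minimal event-driven
provisioning flow between an IdM system and one downstream consumer.

Assumptions (hypothetical, introduced for illustration only):
  - events are JSON objects with event_id, type, occurred_at and user fields
  - authenticity and integrity come from an HMAC-SHA256 over the canonical
    JSON body, keyed with a shared secret issued to this downstream system
  - the downstream keeps its own local ids and a link table from the IdM
    canonical id to the local id (the "different schemes" requirement)
"""
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"constructed-demo-secret"  # hypothetical per-consumer shared secret


def canonical(body: dict) -> bytes:
    # Deterministic serialization so producer and consumer MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_event(etype: str, user: dict, now: float) -> dict:
    return {"event_id": str(uuid.uuid4()), "type": etype,
            "occurred_at": now, "user": user}


def sign_event(event: dict, secret: bytes) -> dict:
    # Producer side: wrap the body in an envelope carrying its MAC.
    mac = hmac.new(secret, canonical(event), hashlib.sha256).hexdigest()
    return {"body": event, "mac": mac}


class DownstreamConsumer:
    MAX_AGE = 300  # seconds; anything older is treated as stale or replayed

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so the run is deterministic
        self.seen = set()         # event_id dedupe for at-least-once delivery
        self.link = {}            # IdM canonical id -> local id
        self.accounts = {}        # local id -> attributes held by this system
        self._next_local = 1000

    def _local_id_for(self, idm_id: str) -> str:
        # Reuse the existing link if the IdM id is already known (idempotent add).
        if idm_id not in self.link:
            self.link[idm_id] = f"u{self._next_local}"
            self._next_local += 1
        return self.link[idm_id]

    def handle(self, envelope: dict) -> str:
        body = envelope["body"]
        expected = hmac.new(self.secret, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            return "rejected: bad mac"          # tampered or wrong sender
        if abs(self.now() - body["occurred_at"]) > self.MAX_AGE:
            return "rejected: stale"            # old message, possible replay
        if body["event_id"] in self.seen:
            return "ignored: duplicate"         # redelivered by the queue
        self.seen.add(body["event_id"])

        user, etype = body["user"], body["type"]
        if etype == "add":
            local = self._local_id_for(user["idm_id"])
            self.accounts[local] = dict(user.get("attributes", {}))
        elif etype == "modify":
            local = self.link.get(user["idm_id"])
            if local is None:
                return "rejected: unknown user"
            self.accounts[local].update(user.get("attributes", {}))
        elif etype == "delete":
            local = self.link.pop(user["idm_id"], None)
            if local is None:
                return "ignored: unknown user"
            self.accounts.pop(local, None)
        else:
            return "rejected: unknown type"
        return "applied"


def run_demo():
    """Constructed sample run: add, modify, a redelivered duplicate, a
    tampered copy, a stale message and a delete. Returns the consumer and
    the per-message outcomes."""
    clock = lambda: 1_700_000_000.0
    consumer = DownstreamConsumer(SECRET, now=clock)
    add = sign_event(make_event("add", {"idm_id": "idm-42",
                     "attributes": {"mail": "a@example.org", "dept": "eng"}}, clock()), SECRET)
    mod = sign_event(make_event("modify", {"idm_id": "idm-42",
                     "attributes": {"dept": "sec"}}, clock()), SECRET)
    # Attacker edits the body but cannot recompute the MAC without the secret.
    tampered = {"body": dict(mod["body"], user={"idm_id": "idm-42",
                "attributes": {"dept": "admin"}}), "mac": mod["mac"]}
    stale = sign_event(make_event("modify", {"idm_id": "idm-42",
                       "attributes": {"dept": "ops"}}, clock() - 3600), SECRET)
    delete = sign_event(make_event("delete", {"idm_id": "idm-42"}, clock()), SECRET)
    results = [consumer.handle(m) for m in (add, mod, mod, tampered, stale, delete)]
    return consumer, results


if __name__ == "__main__":
    consumer, results = run_demo()
    for r in results:
        print(r)
```

The consumer checks authenticity before anything else, so a tampered message is rejected even though it reuses a known event id, and it only records an event id as seen after the MAC and freshness checks pass; otherwise an attacker could poison the dedupe set with forged ids and block legitimate events.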