What do you mean “an Identity Server”?

Chamath
4 min read · Jul 24, 2020


What is an Identity Server, really? What does it do? Why do you need one to run a business? Here I will try to answer this in the simplest way I can.

Imagine you are running an online business. You have a bunch of users of various kinds, who access your website for different purposes. These users can be your customers, the employees of your organization, or even partners who provide services for your core business. Then you have a bunch of applications and tools. Some of them you developed in-house for your own business use cases, and some of them you did not develop at all, but you rely on their services to deliver your core business functionality.

So, on one hand, you have the users, and on the other hand, you have the applications and tools.

For the business to run smoothly, you need to link the two properly. As you can imagine, linking them involves a lot of things: user management, role management, permission management, authentication, user provisioning and so on. Things get really complicated when people join and leave your organization, when partners change, when the applications and tools you have linked add or change their functionality, and when your employees move between departments, which in turn requires a change in their roles and permissions. Depending on the roles of the users, you also want to control their level of access to certain resources, and you probably want an extra layer of security (a second authentication factor, for instance) for users with higher privileges in the system. The list goes on.

And it doesn’t end there either. When you are running a business with many users, you need to implement the everyday account functionality users expect: resetting forgotten passwords, periodic password changes, account administration and so on. You may also want to enforce a password policy so that your users choose strong passwords, which reduces the risk of credential-guessing and credential-stuffing attacks.

Ideally, you want to manage this all centrally. That is exactly where an Identity Server comes in handy.

An Identity Server is exactly the component that lets you manage users and roles in a centralized way. It also takes over authentication: login requests are redirected to it, and it provides the user interfaces for logging in and for the related account functionality. Beyond that, most identity servers offer many other features. They can manage access control to resources, provide connectors that let you integrate applications and tools with your system, and give you tools for monitoring and reporting on what is happening in your system.

So you can expect such a component to support a number of standard protocols on the technical side. Apart from that, it needs to help you satisfy regulations on the legal side too.

On the technical front, most Identity Servers support the two major Single Sign-On protocols: SAML 2.0 and OpenID Connect (which is built on top of OAuth 2.0). In both, an application hands the login over to the identity server and receives back a signed assertion or token that says who the user is, so the application never handles the user’s password itself. Other main functionalities include multi-factor authentication, one-time passwords (one common second factor) and identity federation, where you connect external identity providers such as a partner’s directory or a social login. The more feature-rich products also include biometric authentication, adaptive (risk-based) authentication and ready-made integrations for many popular services so you can connect them to your organization easily.

On the legal front, it needs to help you comply with regulations such as the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the US Federal Trade Commission Act and the many other rules that apply in the regions where you operate; an identity server that cannot record consent, export or delete a user’s data, or produce an audit trail makes that compliance very hard.

Imagine the region you operate in has strict data protection laws. To run the business, you need to comply with local legislation. Without an identity server, it would be “tricky” to manage users’ consent and comply with all the regulations while handling their personal data. The whole thing needs to be auditable as well, in case there is a security breach or an inspection.

So, if you think of it, it is an enormous task. But there’s good news!

There are various Identity Server options in the market right now which you can choose from to suit the capacity and the needs of your business. These come in both proprietary commercial solutions as well as open-source solutions.

If you are leaning towards the open-source offerings, there are two main options you can pick up and try: Keycloak and WSO2 Identity Server. Both are widely adopted, enterprise-grade identity management solutions, and both are open source.

Next time, we will dive deep into these two open-source offerings to see how they fulfill the functionality expected out of an identity server. There, we will stack them against one another and see how they compare.

[Update] You can find the detailed comparison between WSO2 Identity Server and Keycloak here.


Written by Chamath

I write for my own amusement.
