Identity Management

A person in an organization goes through a life-cycle, from initial hire and assignment to projects or departments, through to termination or leaving the organization. During each of these stages their digital identity will be created, updated or deleted. Managing this life-cycle and digital identity has always been problematic. Some of these problems include lack of automation, difficulty in reconciling information across disparate systems and multiple passwords across different systems.

Systems exist that attempt to solve these problems. They are commonly called 'Identity Management Systems'. These systems have traditionally been targeted at very large organizations with many disparate systems. Most of these Identity Management systems cost hundreds of thousands of dollars to purchase and implement. They also cost a significant amount of time and effort to maintain.

These systems have tended to focus on mapping disparate attributes (such as firstName and lastName) in different directories into a common schema and flowing the changes out to the connected systems. This is a non-trivial exercise when 2-way synchronization is required.

The issue with these systems is that they tend to be poor in the following areas.
  • Poor Workflow and Approvals
  • Little or no Self-Service or Delegated tasks
  • Complex or Limited Provisioning
  • Complex and error-prone methods for storing script parameters and data (e.g. in a text file).

Identity Management has many different aspects, including:
  • Identity Aggregation and Synchronization
  • Automated Provisioning
  • Password Management
  • Self Service and Delegation
These areas are covered in the following sections.

Identity Aggregation and Synchronization

Identity Aggregation and Synchronization is the process of mapping user identities between systems and mapping attributes in those systems. For example, determining that 'FJones' in Active Directory (AD) is actually 'Fred Jones' in the HR system is a mapping of user identities. The fact that the AD 'displayName' is the same as the HR system's 'Full Name' field is an example of mapping attributes between different systems. This is where full Identity Management systems work well.

Activate recommends that, where possible, external accounts and systems are not created or maintained. This entirely avoids the problem of creating, synchronizing and maintaining external user accounts and of linking or mapping them.

Vendors are slowly enabling applications to integrate directly with AD. For example, most Intranet products and the large ERP systems such as Peoplesoft and SAP have modules that allow direct authentication and integration with AD. This mechanism should be the preferred option where possible.
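
The identity and attribute mapping described in this section can be checked with a small reconciliation pass. This is an added example, not Activate's code or part of the original page. It assumes both systems share an employee number as the join key, and the field names other than 'Full Name', 'displayName' and 'FJones' are hypothetical.

```python
# Added example: all records below are constructed sample data.
# Assumption: both systems carry a shared employee number (the join key).

# HR field -> AD attribute. "Full Name" -> displayName is the page's example;
# the Department mapping is an assumed extra.
ATTRIBUTE_MAP = {"Full Name": "displayName", "Department": "department"}

HR_RECORDS = [
    {"Employee No": "1001", "Full Name": "Fred Jones", "Department": "Finance", "Status": "Active"},
    {"Employee No": "1002", "Full Name": "Mary Smith", "Department": "Sales", "Status": "Terminated"},
    {"Employee No": "1003", "Full Name": "Ann Lee", "Department": "IT", "Status": "Active"},
]

AD_ACCOUNTS = [
    {"sAMAccountName": "FJones", "employeeID": "1001", "displayName": "Fred Jones",
     "department": "Accounts", "enabled": True},
    {"sAMAccountName": "MSmith", "employeeID": "1002", "displayName": "Mary Smith",
     "department": "Sales", "enabled": True},
    {"sAMAccountName": "svc_old", "employeeID": None, "displayName": "Old Service",
     "department": None, "enabled": True},
]


def reconcile(hr_records, ad_accounts):
    """Link AD accounts to HR identities and report what needs attention."""
    hr_by_id = {r["Employee No"]: r for r in hr_records}
    report = {"linked": {}, "drift": [], "orphaned": [], "leavers_enabled": [], "unprovisioned": []}
    for acct in ad_accounts:
        person = hr_by_id.get(acct["employeeID"])
        name = acct["sAMAccountName"]
        if person is None:
            report["orphaned"].append(name)  # no owner in HR
            continue
        report["linked"][name] = person["Full Name"]  # identity mapping
        if person["Status"] != "Active" and acct["enabled"]:
            report["leavers_enabled"].append(name)  # leaver can still log on
        for hr_field, ad_attr in ATTRIBUTE_MAP.items():  # attribute mapping
            if person[hr_field] != acct[ad_attr]:
                report["drift"].append((name, ad_attr, acct[ad_attr], person[hr_field]))
    linked_ids = {a["employeeID"] for a in ad_accounts}
    report["unprovisioned"] = [r["Full Name"] for r in hr_records
                               if r["Status"] == "Active" and r["Employee No"] not in linked_ids]
    return report


if __name__ == "__main__":
    for key, value in reconcile(HR_RECORDS, AD_ACCOUNTS).items():
        print(f"{key}: {value}")
```

The 'orphaned' and 'leavers_enabled' lists are the security-relevant output: accounts with no owner in HR, and accounts that remain enabled after the person has left.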

Automated Provisioning

Provisioning is the process of providing users with access to data and technology.

Please click here for more information on how Activate handles Provisioning either stand-alone or in conjunction with a full Identity Management System.

Self Service and Delegation

Self Service and Delegation refers to delegating processes to the business. This has many benefits including improving security and consistency while reducing costs. Traditional Identity Management Systems can have some limited functionality in this area.

Please click here for more information on how Activate handles this.

Password Management

Password management is the process of creating, resetting and maintaining user identity passwords in the organisation.

Please click here for more information on how Activate handles Passwords and Password Resets.

How Activate handles Identity Management

Activate is designed to handle Identity Management for medium to large sized companies with moderate requirements, or to operate in conjunction with a full Identity Management System when automated 2-way synchronization across many disparate systems is required. Activate integrates closely with Microsoft MIIS (or other Identity Management Systems) to achieve a superior level of functionality.

Activate uses Microsoft Active Directory (AD) as its primary identity store and authorization mechanism. Therefore, where most systems can be integrated with AD, or user accounts can simply be provisioned on external systems, external Identity Management software is not required.

However, if you have many external systems and require 2-way synchronization then implementing an external Identity Management System is recommended. This combines all the benefits of Activate Workflow and Provisioning with the benefits of a full Identity Management System.

Our Identity Management Philosophy
  • Automate and implement the processes that are costing 80% of your time.
  • Simplicity - Design business processes and rules that are easy to understand and implement.
  • Empower Users - Enable the users to perform tasks quickly and easily.
