Identity management systems are information systems that support the management of identities. In particular, an identity management system establishes the identity of a subject or an object by linking a name (or number) with the subject or object. The identity management system may also describe the identity, for example, by assigning one or more attributes applicable to the particular subject or object to the identity. The identity management system may also modify the identity, such as by linking a new or additional name, or number, with the subject or object and/or change one or more attributes applicable to the particular subject or object. The identity management system can record and/or provide access to logs of activity by the identity.
One of the cornerstones of establishing a secure network environment is making sure that access is restricted to people who have the right to access the network. This access is allowed when the user can authenticate to the identity management system, meaning the user can verify his identity. Typically, the identity management system provides a single point of management, a single source for identities, single sign-on or single password, and a single data store. Single sign-on is a configuration which allows administrators to create a single password store so that users can log in once, using a single password, and be authenticated against all network resources. Single sign-on is both a convenience to users and another layer of security for the server and the network. Single sign-on hinges on secure and effective authentication.
The authentication of the identity management system may be managed by a public key infrastructure (PKI), such as implemented by a certificate system. For PKI, users and machines may present digital certificates to verify their identity. A digital signature is a mathematical representation of a message, using public key cryptography, which identifies the originator of the message, in a non-forgeable manner. Public key cryptography requires the use of two mathematically related keys—a public key and a private key (collectively referred to as a key pair). The private key is kept private by a single owner, and is not distributed to anyone else. The owner uses his or her private key, in conjunction with cryptographic algorithms, to digitally sign a message. The public key is made public, and can be used by anyone to verify the digital signature on a message. The fact that these two keys are mathematically related ensures that only a single private key can generate a digital signature that is verifiable by the corresponding public key, making the digital signature unforgeable. A digital certificate, commonly referred to as a certificate, is an electronic document used to identify an individual, a server, a company, or another type of entity and to associate that identity with a public key. The digital certificate binds a person's identity to his or her public key, and consequently, to his or her private key, and may be used to verify digital signatures. Digital certificates and digital signatures then provide the foundation for secure transactions over a network, such as the Internet.
Certificate authorities (CAs) validate identities and issue certificates. CAs can be either independent third parties or organizations running their own certificate-issuing server software, such as a certificate system. Before issuing a certificate, a CA must confirm the user's identity with its standard verification procedures. The certificate issued by the CA binds a particular public key to the name of the entity identified by the certificate. In addition to the public key, the certificates include the name of the entity it identifies, an expiration date, and the name of the CA that issued the certificate.
The authentication identity management system may also be managed by Kerberos authentication. Kerberos authentication is an authentication system that uses a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos authentication builds on symmetric key cryptography and requires a trusted third party.