Identity Management in Quercus

Identity Management System components

An identity management system is constructed from a number of components which can be deployed in various ways. The most commonly used components are described below.

Component / Description

Service provider

A service provider is a system which provides a service to the end-user. Quercus is a service provider in this sense.

Identity provider

An identity provider is a system which can confirm the credentials of an authenticated user in response to a request from a service provider.

LDAP server

Identity providers often take the form of LDAP servers.

LDAP (Lightweight Directory Access Protocol) provides a standard set of methods for referencing, storing and retrieving user profile information. LDAP databases can be thought of as large-scale dictionaries optimised for fast lookup of user profiles. What constitutes profile information can vary from organisation to organisation, but it generally includes name, contact details, organisation and role, plus membership of specific user groups known as LDAP groups.

SSO (Single sign on)

SSO allows a user to log in once in order to gain access to all enterprise systems. Users enter their user ID and password for one system and are then authenticated and signed in to all other systems which they are authorised to access.

From the end-user's perspective SSO provides the main visible benefit of a centralised IDM: just one login gives you access to all the enterprise systems you need.

Shibboleth

Shibboleth is a widely used open source platform which can be used to enable single sign on and allow the sharing of user information between systems. Shibboleth is essentially a set of server-side components which orchestrate the communication between an IDM LDAP server and the various systems which are in use.

Once you sign in to a participating Shibboleth system you are authenticated to all other participating systems, allowing you to navigate seamlessly from one system to another.

SAML

The messages which Shibboleth passes between systems are encoded using SAML (Security Assertion Markup Language).

SAML provides a standard way of representing the authentication and authorisation messages which are passed between the identity provider (the LDAP server) and the service providers (of which Quercus is an example).
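As an added illustration of what a service provider such as Quercus receives from Shibboleth, and of the SSO flow described above, the following Python example (not Quercus or Shibboleth code) parses a constructed SAML 2.0 Response, extracts the authenticated user's identifier and profile attributes, and applies the checks a service provider must make before trusting an assertion: the issuer is the expected identity provider, the assertion names this service provider as its audience, and the current time falls inside the assertion's validity window. The entity IDs, attribute names and values are placeholders; XML signature verification is a separate, required step that this example does not implement.

```python
"""Consumer-side checks on a SAML 2.0 assertion (added example).

Parses a constructed SAML Response of the kind a Shibboleth identity
provider sends to a service provider, pulls out the user's NameID and
attributes, and validates the Conditions element.  Signature (XML-DSig)
verification is deliberately out of scope here.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample; entity IDs and attribute values are placeholders.
# Real Shibboleth deployments usually name attributes by OID rather than
# by friendly name.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.edu/acs">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.edu/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse the UTC xs:dateTime form SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_profile(response_xml):
    """Return the NameID, issuer and attribute map carried by the assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "attributes": attributes,
    }


def check_conditions(response_xml, expected_audience, expected_issuer, now):
    """Return the list of failed checks; an empty list means the assertion is acceptable.

    `now` is a timezone-aware datetime so the validity window is compared in UTC.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in response"]
    problems = []
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer mismatch")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["missing Conditions"]
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        problems.append("assertion expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    profile = extract_profile(SAMPLE_RESPONSE)
    print("user:", profile["name_id"], "attributes:", profile["attributes"])
    failures = check_conditions(
        SAMPLE_RESPONSE,
        expected_audience="https://sp.example.edu/shibboleth",
        expected_issuer="https://idp.example.edu/idp/shibboleth",
        now=_parse_time("2024-01-01T12:01:00Z"),
    )
    print("accept" if not failures else "reject: " + ", ".join(failures))
```

In a Shibboleth deployment the Shibboleth SP software performs these checks (and the signature check) before handing the attributes to the application, so Quercus only ever sees an already validated profile; the example makes visible what that validation consists of and why an assertion issued for another service provider, or replayed after its validity window, must be rejected.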