
Identity Management Architecture

[Figure: IdM, the Identity Management Model diagram described below]

The following Identity Management Model, by Tom Barton, shows in general terms how identity information is extracted from source systems (the ERP and similar systems of record), transformed by metadirectory processes, and loaded into directories for use by consumer systems. The flow reads from left to right. The magic happens in the often misunderstood Enterprise Directory Services, which is not a single product or LDAP directory but a set of tools that manage the flow of information. Metadirectory processes provision information services according to the organization's own business rules, which define the elements of authentication and authorization, and they are the primary place where identity resolution takes place between disparate systems.

It is generally recommended to maintain a person registry in a relational database that is completely independent of any ERP or vendor application. This "middle database" lets the organization keep complete lifecycle control, through its own business processes, over one of its most important assets: the identities of its constituents. Most applications with their own user directories or databases are in constant flux, with accounts added and deleted according to current state. The person registry gives each identity a permanent home, with an identifier that the registry owns and never reuses, enabling seamless lifecycle management regardless of software and infrastructure changes.
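The extract, transform and load flow described above, together with the person-registry lifecycle rule, as a small added example (not code from this page, from Tom Barton's model or from any product): two constructed source feeds, a hypothetical HR/ERP export and a student-system export, are resolved into a SQLite person registry that owns its own identifiers, and the active entries are rendered as LDIF for a consumer directory. The table layout, the matching rules (known source key first, then exact e-mail), the `p000001` uid format and the `ou=People,dc=example,dc=edu` base DN are all assumptions made for the example.

```python
"""Toy metadirectory flow around a person registry. Added example, not the page's or
Tom Barton's code; the two source feeds and every name in them are constructed."""
import sqlite3

# Constructed feeds: a hypothetical HR/ERP export and a student-system export.
HR_FEED = [
    {"emp_id": "E1001", "given": "Ada", "sn": "Lovelace", "email": "ada@example.edu"},
    {"emp_id": "E1002", "given": "Alan", "sn": "Turing", "email": "alan@example.edu"},
]
SIS_FEED = [
    {"student_id": "S555", "given": "Ada", "sn": "Lovelace", "email": "ada@example.edu"},
    {"student_id": "S556", "given": "Grace", "sn": "Hopper", "email": "grace@example.edu"},
]

SCHEMA = """
CREATE TABLE person (        -- uid is registry-owned: never reused, never deleted
    uid TEXT PRIMARY KEY, given TEXT, sn TEXT, email TEXT UNIQUE,
    active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE identifier (    -- each source-system key maps to exactly one person
    source TEXT NOT NULL, source_key TEXT NOT NULL,
    uid TEXT NOT NULL REFERENCES person(uid), retired INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (source, source_key));
"""

def open_registry():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def resolve(db, source, key, rec):
    """Identity resolution: a known source key wins, then an exact e-mail match,
    otherwise a new person is minted from the registry's own sequence."""
    row = db.execute("SELECT uid FROM identifier WHERE source = ? AND source_key = ?",
                     (source, key)).fetchone()
    if row:
        return row[0]
    row = db.execute("SELECT uid FROM person WHERE email = ?", (rec["email"],)).fetchone()
    if row:
        uid = row[0]
    else:
        last = db.execute("SELECT COALESCE(MAX(CAST(SUBSTR(uid, 2) AS INTEGER)), 0) "
                          "FROM person").fetchone()[0]
        uid = f"p{last + 1:06d}"
        db.execute("INSERT INTO person (uid, given, sn, email) VALUES (?, ?, ?, ?)",
                   (uid, rec["given"], rec["sn"], rec["email"]))
    db.execute("INSERT INTO identifier (source, source_key, uid) VALUES (?, ?, ?)",
               (source, key, uid))
    return uid

def load_feed(db, source, key_field, feed):
    """Extract and transform one feed, then apply the registry's lifecycle rule: keys
    absent from this run are retired, and a person with no live key left is
    deactivated but kept, so the uid survives source-system churn."""
    seen = set()
    for rec in feed:
        key = rec[key_field]
        seen.add(key)
        uid = resolve(db, source, key, rec)
        db.execute("UPDATE identifier SET retired = 0 WHERE source = ? AND source_key = ?",
                   (source, key))
        db.execute("UPDATE person SET active = 1 WHERE uid = ?", (uid,))
    known = {r[0] for r in db.execute("SELECT source_key FROM identifier WHERE source = ?",
                                      (source,))}
    for key in known - seen:
        db.execute("UPDATE identifier SET retired = 1 WHERE source = ? AND source_key = ?",
                   (source, key))
    db.execute("UPDATE person SET active = 0 "
               "WHERE uid NOT IN (SELECT uid FROM identifier WHERE retired = 0)")
    db.commit()

def snapshot(db):
    """Registry state keyed by e-mail: {email: (uid, active)}."""
    return {email: (uid, bool(active)) for uid, email, active in
            db.execute("SELECT uid, email, active FROM person ORDER BY uid")}

def export_ldif(db, base_dn="ou=People,dc=example,dc=edu"):
    """Load step: render active people as LDIF for a consumer directory. The DN is
    built from the registry uid, so an entry keeps its DN across source changes."""
    entries = []
    for uid, given, sn, email in db.execute(
            "SELECT uid, given, sn, email FROM person WHERE active = 1 ORDER BY uid"):
        entries.append("\n".join([f"dn: uid={uid},{base_dn}", "objectClass: inetOrgPerson",
                                  f"uid: {uid}", f"cn: {given} {sn}", f"sn: {sn}",
                                  f"mail: {email}"]))
    return "\n\n".join(entries) + "\n"

if __name__ == "__main__":
    db = open_registry()
    load_feed(db, "hr", "emp_id", HR_FEED)
    load_feed(db, "sis", "student_id", SIS_FEED)
    load_feed(db, "hr", "emp_id", HR_FEED[:1])  # HR drops Alan: deactivated, not deleted
    print(snapshot(db))
    print(export_ldif(db))
```

Two points of the design carry the security weight. First, the registry mints the uid from its own sequence and never deletes a row, so an identifier is never reassigned; that is what stops group memberships and ACLs left behind in consumer systems from silently attaching to a new person who inherits a recycled ERP key. Second, matching on e-mail is a shortcut chosen to keep the example short; a production metadirectory matches on stronger, organization-controlled attributes, and routes ambiguous matches to a human rather than guessing, because a wrong merge hands one person another's access. A real export also has to base64-encode any attribute value that LDIF cannot carry verbatim.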

This architecture is explained in more detail in the Core Middleware Overview Presentation.