Identity Management
What is Identity Management?
Identity management includes authentication, which is the process of verifying that someone is allowed to sign into a web or mobile application. This typically involves using authentication methods such as single sign-on (SSO), two-factor authentication (2FA), and multi-factor authentication (MFA). For example, someone might be required to enter a verification code in order to sign into an application, in addition to entering their username and password.
Identity management also includes creating and managing user accounts. This includes creating a user profile, managing user sessions, capturing and renewing basic terms of service, providing self-service support (e.g. a “Forgot Password” link during login), and sending notifications to users (e.g. the user’s password has been changed, the user has passed identity verification).
IDENTOS Identity Management can easily be combined with Identity Verification to create a customer onboarding flow.
How Does IDENTOS Provide Identity Management?
IDENTOS Identity Management includes both authorization features and user account management.
1. Authorization
IDENTOS enables simple and secure sign-on for your users, creating an easy login experience. IDENTOS also allows you to grant, revoke, monitor, and automate user access to your applications.
IDENTOS supports both user login and user federated login.
User login refers to allowing a person to identify themselves in order to access services. This is typically done by allowing a user to enter credentials, such as a username and password, to sign into a web or mobile application.
The User Login feature provides various sign-in options, such as login credentials, multi-factor authentication (MFA), and single sign-on (SSO). With SSO, you can allow your users to sign into multiple applications using a single set of credentials. When a user signs into one application, they are automatically signed into other connected applications. This reduces the number of times that users have to sign in to access services.
The User Login feature also includes session management. A user session refers to the period of time that a user is interacting with an application. The session begins when the user signs into the application and includes the activities performed by the user within the application. The session ends when the user signs out of the application or is automatically signed out because they have become inactive.
The User Login feature includes the following functionality:
- Create login credentials (username/email and password) based on policies
- Reset user passwords
- Verify user email addresses
- Enable multi-factor authentication (MFA)
- Require multi-factor authentication (MFA)
- Create a user session based on policies
- Validate and manage a session (SSO login, logout)
- Expire a session if the user is inactive for a specified period of time
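The session lifecycle described above (a session created at sign-in under a policy, refreshed by activity, expired on inactivity, ended at sign-out) can be written as a small server-side store. This is an added illustration, not IDENTOS code; the policy values, class names and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class SessionPolicy:
    idle_timeout: int = 15 * 60       # seconds of inactivity after which the session expires
    max_lifetime: int = 8 * 60 * 60   # absolute cap, even for a continuously active user
    require_mfa: bool = False         # refuse to create a session unless MFA was completed

@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float

class SessionStore:
    """Policy-driven session lifecycle: create at sign-in, expire on inactivity, end at sign-out."""

    def __init__(self, policy: SessionPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock            # injectable so the expiry logic can be tested deterministically
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, mfa_verified: bool) -> str:
        """Issue a session id at sign-in, but only if the policy's MFA requirement is met."""
        if self.policy.require_mfa and not mfa_verified:
            raise PermissionError("policy requires MFA before a session is issued")
        sid = secrets.token_urlsafe(32)   # 256-bit random id; unguessable, never derived from user data
        now = self.clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def validate(self, sid: str):
        """Return the Session if still valid (and refresh its idle timer), else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.policy.idle_timeout or now - s.created_at > self.policy.max_lifetime:
            del self._sessions[sid]   # expired: drop it server-side so a stale cookie is worthless
            return None
        s.last_seen = now             # activity extends the idle window, never the absolute cap
        return s

    def logout(self, sid: str) -> None:
        """Sign-out: invalidate server-side, not just by clearing the client's cookie."""
        self._sessions.pop(sid, None)
```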
User federated login refers to allowing a person to use an external account to identify themselves in order to access services. The owner of the external account (referred to as the Identity Provider or IdP) is responsible for creating and managing the user’s credentials, as well as authenticating the user.
In order to sign into the digital service provider’s web or mobile application, the user is directed to sign into another account (such as their Google account or their online banking account). This other account verifies the user’s credentials and sends a confirmation to the digital service provider’s application. The user is now allowed to access services via the digital service provider’s application.
In some ways, federated login is similar to SSO. Both (a) reduce the number of times the user has to sign in to access services and (b) reduce the number of username/password combinations the user has to remember. The key difference is that SSO enables users to access applications within a single domain or organization, while federated login enables users to access applications across multiple domains or organizations.
The User Federated Login feature includes the following functionality:
- Allow users to sign into the digital service provider application using an external Identity Provider
- Allow users to choose from a list of Identity Providers
- Allow users to provide consent for the Identity Provider to share their user attributes (name, email, etc.) with the digital service provider’s application
- Create an account for the user based on the user attributes from the Identity Provider
These functions are implemented using industry-standard technology, such as SAML, OAuth, and OIDC.
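The federated login flow above (redirect the user to the Identity Provider, receive its confirmation, create a local account from the returned attributes) looks like this on the relying-party side when done with OIDC. This is an added example, not IDENTOS code: the Identity Provider URLs, client id and redirect URI are constructed placeholders, and the ID token's signature is assumed to have been verified by a JOSE library before its claims reach `finish`.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed settings for a hypothetical external Identity Provider and this application.
IDP = {"issuer": "https://idp.example",
       "authorize_url": "https://idp.example/authorize",
       "client_id": "dsp-app"}
REDIRECT_URI = "https://app.example/callback"

class FederatedLogin:
    """Relying-party side of an OpenID Connect authorization-code login."""
    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts   # local accounts keyed by (issuer, sub)
        self.pending = {}          # state -> nonce for each login still in flight
        self.clock = clock         # injectable for deterministic tests

    def start(self) -> str:
        """Step 1: build the redirect to the IdP; remember state and nonce for this attempt."""
        state, nonce = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.pending[state] = nonce
        params = {"response_type": "code", "client_id": IDP["client_id"],
                  "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
                  "state": state, "nonce": nonce}
        return f"{IDP['authorize_url']}?{urlencode(params)}"

    def finish(self, state: str, claims: dict) -> dict:
        """Step 2: the IdP's confirmation comes back. `claims` is the ID-token payload after
        its signature was verified against the IdP's keys (assumed done by a JOSE library)."""
        nonce = self.pending.pop(state, None)   # single use, so a replayed callback fails
        if nonce is None:
            raise PermissionError("unknown or already-used state")
        if claims.get("iss") != IDP["issuer"]:
            raise PermissionError("token not from the expected Identity Provider")
        aud = claims.get("aud")
        if IDP["client_id"] not in (aud if isinstance(aud, list) else [aud]):
            raise PermissionError("token issued for a different client")
        if claims.get("nonce") != nonce:
            raise PermissionError("nonce does not match this login attempt")
        if claims.get("exp", 0) <= self.clock():
            raise PermissionError("token expired")
        # Step 3: create (or look up) the local account from the IdP's attributes.
        key = (claims["iss"], claims["sub"])    # 'sub' is unique only within one issuer
        if key not in self.accounts:
            self.accounts[key] = {"name": claims.get("name"),
                                  # only keep an address the IdP itself has verified
                                  "email": claims.get("email") if claims.get("email_verified") else None}
        return self.accounts[key]
```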
2. User Account Management
A user account is an account assigned to a person that connects the person’s authentication credentials (such as their username and password), identity attributes (such as their name and email), and consents (permissions they’ve granted to share information).
For example, a user account can be used to respond to a terms and conditions agreement, or to provide consent to share identity attributes between applications.
The User Account Management feature includes the following functionality:
- Create a user account based on local user authentication or the user’s federated identity (obtained from User Federated Login)
- Add verified user attributes through Identity Verification
- Store verified user attributes
- Set the level of assurance (LoA) based on different criteria, such as the user attributes that have been collected
- Provide verified attributes to relying parties
- View user account details
- View consents in the user’s Wallet
- Revoke consents in the user’s Wallet
- Update the user account
- Close the user account and revoke the user’s access to the web or mobile application