What is identity orchestration?

Authors

Matthew Kosinski

Staff Editor

IBM Think

Amber Forrest

Staff Editor | Senior Inbound, Social & Digital Content Strategist

IBM Think

What is identity orchestration?

Identity orchestration is a software solution for coordinating disparate identity and access management (IAM) systems from multiple identity providers into frictionless workflows.

In the age of digital transformation, organizations are adopting more software-as-a-service (SaaS) solutions, shifting to hybrid multicloud environments and embracing remote work. Today's corporate IT ecosystems contain a multivendor mix of cloud-based and on-premises apps and assets serving various users, from employees and contractors to partners and customers.

According to one report, the average business department uses 87 different SaaS apps..1 These apps often have their own identity systems, which might not readily integrate with one another. As a result, many organizations deal with fragmented identity landscapes and awkward user experiences.

For example, an employee might have separate accounts for the company’s ticket management system and customer relationship management (CRM) portal. This can make a simple task, like resolving customer service tickets, difficult. The user must juggle different digital identities to get ticket details from one system and pertinent customer records to another.

Meanwhile, IT and cybersecurity teams struggle to track user activity and enforce consistent access control policies throughout the network. In the previous example, the employee can end up with more privileges than they need in the project management system, while their CRM permissions are too low to access the records of the customers they’re serving.

Identity orchestration software helps streamline identity and access management by organizing distinct identity and authentication services into cohesive, automated workflows.

All of a company's identity tools integrate with the orchestration software, which creates and manages connections between them. This capability enables the organization to build custom IAM architecture, like vendor-agnostic single sign-on (SSO) systems, without replacing or retooling existing systems.

Returning to the prior example, the organization can use an identity orchestration platform to connect the employee’s accounts in the ticket management and CRM systems to an SSO platform and tie it all to a central user directory. This way, users can log in to the SSO once to access both apps, and the central directory automatically verifies their identities and enforces the right access permissions for each service.

Think Newsletter

Would your team catch the next zero-day in time?

Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox. See the IBM Privacy Statement.

Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.

https://www.ibm.com/us-en/privacy

How does identity orchestration work?

In information technology, orchestration is the process of connecting and coordinating disparate tools to automate complex, multistep workflows. For example, in the realm of security orchestration, an organization might string together a secure email gateway, threat intelligence platform and antimalware software to create an automated phishing detection and response workflow.

Identity orchestration connects and coordinates the capabilities of disparate identity tools to create unified, streamlined identity workflows.

Identity tools are the tools that an organization uses to define, manage and secure user identities, such as identity verification systems and customer identity and access management platforms.

Identity workflows are the processes by which users move through identity tools. Example identity workflows include user logins, onboarding and account provisioning.

Identity tools don’t always integrate easily, especially when organizations are dealing with SaaS tools hosted on different clouds or trying to bridge gaps between on-premises and cloud-based systems. Identity orchestration platforms can connect these tools even when they aren’t built to integrate.

Identity orchestration platforms act as central control planes for all the identity systems in a network. Every identity tool integrates with the orchestration platform, creating a comprehensive identity architecture called the identity fabric.

Organizations don’t have to hardcode any of these integrations. Instead, orchestration platforms use a mix of prebuilt connectors, application programming interfaces (APIs) and common standards like SAML and OAuth to manage connections between tools.

Once identity systems are woven into an identity fabric, the organization can use the orchestration platform to coordinate their activities and control how users move between the tools during identity workflows. Crucially, the orchestration platform decouples authentication and authorization from individual apps, which makes complex identity workflows possible.

As mentioned earlier, different identity systems might not talk to each other in the absence of an orchestration solution. If, for example, an organization used a customer relationship management (CRM) tool and a document management system (DMS) from separate vendors, each app might have its own IAM system.

Users must maintain separate accounts in each app. To access either app, users would log directly into that service. Authentication and authorization would happen within each app’s distinct IAM system and would not transfer between apps.

With an orchestration solution, things are different. When a user accesses either app, the request goes through the orchestration solution first. The solution routes the request to the right identity proofing and access control service, which can be a central directory outside either app.

Once the user is authenticated and authorized by the central directory, the orchestration platform triggers the app to let the user in with the correct permissions.

Security Intelligence | 3 December, episode 11

Your weekly news podcast for cybersecurity pros

Whether you're a builder, defender, business leader or simply want to stay secure in a connected world, you'll find timely updates and timeless principles in a lively, accessible format. New episodes on Wednesdays at 6am EST.
Watch the latest podcast episode

Identity workflows

To implement identity orchestration in practice, organizations use identity orchestration platforms to build identity workflows. Also called “user journeys,” identity workflows are processes that dictate how a user moves through identity tools—and how those tools interact—in defined situations, such as when logging into an app.

Workflows can be straightforward or relatively complex, with conditional logic and branching paths. They can involve many different systems, including some that aren’t strictly considered identity tools, like email services and social media sites.

Identity orchestration solutions allow organizations to build user journeys without writing any new code. These solutions have visual, no-code, drag-and-drop interfaces that can define events, connect identity tools and construct user pathways.

To understand what identity workflows are, it might help to look at an example. Here is a hypothetical new hire onboarding and login workflow that an organization can construct through an orchestration platform.

  1. First, the new hire creates an account in a self-service HR portal. This triggers the onboarding workflow to begin.

  2. The identity orchestration platform triggers the creation of a unique user identity for the new hire in the organization’s central directory service. The new hire is automatically assigned a set of role-based access privileges as well.

  3. The orchestration platform then provisions accounts for the new hire in all the relevant services, including apps they’ll use on the job and back-office systems like payroll software. These accounts are associated with the new hire’s main user identity in the central directory.

  4. Now that the employee is in the system, they can log in to their corporate email app. Instead of going directly through the email app, the login request goes to the orchestration platform.

  5. The orchestration platform routes the request through a fraud detection system, looking for signs of suspicious behavior. Because this new hire is logging into their email account for the very first time, they are marked as higher risk.

  6. Next, the login request is sent to the organization’s SSO platform. Because the new hire was marked as a higher risk, adaptive authentication kicks in. The new hire must use multifactor authentication (MFA) to get into their account.

  7. The new hire completes the authentication challenges, and they are authenticated and authorized by the central directory. The orchestration platform relays this information to the SSO platform, which lets the new hire into their email account—and all the other apps behind the SSO—with the right privileges.

While there are quite a few steps here, it is worth noting that all of this happens automatically in the background without the user noticing. The orchestration platform oversees the process from start to finish. Furthermore, future logins are even more streamlined. The user signs into the SSO, which now recognizes them and grants them access to everything they need.

Identity orchestration use cases

Identity orchestration platforms don’t replace existing identity systems. They create connections between these systems, allowing various apps and tools to work together even if they weren’t designed to. This functionality can help organizations address a few common problems.

Breaking down identity silos in multicloud environments

Many organizations use multiple cloud providers and on-premises tools from different vendors. When these systems don’t integrate, organizations lose visibility into user behavior across the network. IT and security teams can’t track a single user between Microsoft Azure and Amazon Web Services, for example, because they’re using separate accounts for each cloud.

This fragmented landscape can also make it challenging to enforce consistent access policies and security controls on all of a company’s apps and assets.

These gaps in visibility and security create opportunities for hackers and malicious insiders to wreak havoc undetected. The stakes are especially high when it comes to identity systems, which are prime targets for cybercriminals. According to the X-Force® Threat Intelligence Index, cyberattacks using stolen or compromised credentials are among the most common threats.

Organizations can hypothetically avoid identity silos by only using tools from one vendor or only using tools designed to integrate. However, that would mean the organization would not always be free to choose the right tools for the job.

Identity orchestration can break down identity silos and restore visibility without massive changes to existing systems. Organizations can create centralized directories to support a single digital identity for each user, allowing the company to track behavior and spot threats in real time across apps and assets. Companies can also use orchestration to apply uniform access controls throughout the network.

Additionally, identity orchestration platforms can centralize identity lifecycle management for all types of users, including employees, customers and more. Organizations can bring robust cybersecurity controls to consumer-facing assets without disrupting the customer experience.
Creating custom SSO systems

SSO lets users log in to multiple systems with one set of credentials, but each SSO platform might not be compatible with all of an enterprise’s apps and assets. This is because different SSOs can use different standards, such as SAML or OIDC, to exchange authentication information between systems. If an app or asset cannot use the same standard as a particular SSO, it cannot communicate with that SSO.

Identity orchestration platforms can connect SSOs with apps that do not natively integrate. The apps and the SSO integrate with the identity orchestration platform, rather than with each other directly. The identity orchestration platform then handles communication between the systems, allowing organizations to bring all their apps and assets under the same SSO regardless of compatibility.
Updating and securing legacy assets without rewriting code 

Organizations often want to extend new security measures like MFA or passwordless authentication to legacy apps. However, such modernization efforts can be expensive and time-consuming, often requiring custom code or a total system replacement.

Identity orchestration can simplify the process. Organizations can use orchestration platforms' visual interfaces to design identity workflows that bring the latest security tools to legacy apps. This allows an organization to unite cloud-based and on-premises assets in a single zero trust architecture.
Meeting compliance requirements 

Organizations need visibility into user behavior to comply with regulations like the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA).

These regulations require that organizations apply strict access control policies to sensitive data, like credit card numbers and healthcare information, and track what users do with this data. When users have multiple digital identities, it can be difficult to ensure that only the right people are accessing the right data for the right reasons.

Identity orchestration can help organizations meet compliance requirements by making it easier to track user behavior and enforce consistent access permissions. Some orchestration platforms also keep logs of identity workflows, which can be helpful in the event of an audit.
Related solutions
IBM Verify

Build a secure, vendor-agnostic identity framework that modernizes IAM, integrates with existing tools, and enables seamless hybrid access without added complexity.

 Explore IBM Verify
Security solutions

Safeguard your hybrid-cloud and AI environments with intelligent, automated protection across data, identity, and threats.

 Explore security solutions
Identity & Access Management Services

Protect and manage user access with automated identity controls and risk-based governance across hybrid-cloud environments.

         Explore IAM services
    Take the next step

    Enhance IAM with Verify for seamless hybrid access, and strengthen identity protection by uncovering hidden identity-based risks with AI.

         Discover IBM Verify  Explore IBM Verify identity protection