
Identity Management Pattern

Identity management is the foundational discipline that underpins every access control decision in an organisation. Before a system can enforce what a user is permitted to do, it must first establish who that user is, how confident it is in that assertion, and how to maintain that identity throughout its lifecycle. This pattern addresses the architecture of identity management systems -- from provisioning a new identity through its active use for authentication and authorisation, to its eventual decommissioning.

The scope of identity management extends well beyond username and password databases. A modern identity architecture must handle multiple identity types: employees, contractors, business partners, customers, service accounts, machine identities, and IoT devices. Each category has different lifecycle characteristics, assurance requirements, and governance models. An employee identity is provisioned through HR integration, requires background screening, and follows a structured offboarding process. A customer identity is self-registered, requires privacy-preserving storage, and must support self-service account management. A service account may never involve a human at all but still requires credential rotation and access governance.

Identity federation is a critical architectural concern. In an era of cloud services, SaaS applications, and business-to-business integration, identities must be asserted across organisational and technical boundaries. Federation protocols (SAML, OpenID Connect, OAuth 2.0) enable an identity provider to assert a user's identity to a relying party without sharing credentials. This reduces credential proliferation but introduces trust dependencies -- the relying party must trust the identity provider's authentication strength, attribute accuracy, and revocation timeliness. Federation boundary management, including attribute mapping, trust policy enforcement, and consent mechanisms, is a significant architectural challenge.

Authentication assurance levels must match the risk of the transaction being protected. A low-risk content browsing session may require only a username and password, while a high-value financial transaction demands multi-factor authentication with hardware tokens or biometrics. Step-up authentication, adaptive authentication based on risk signals (location, device, behaviour), and continuous authentication are architectural patterns that balance security with usability.

Privacy is inseparable from identity management. Identity systems store the most sensitive data an organisation holds: personal identifiers, authentication credentials, access histories, and behavioural attributes. Data minimisation, purpose limitation, consent management, and the right to erasure are not just regulatory requirements -- they are architectural constraints that must be designed into the identity platform from the outset, not bolted on after deployment.
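To make the assurance-level matching and risk-based step-up described above concrete, here is an added worked example in Python; it is not part of the OSA pattern. The session model, the operation names, the two risk signals and the three-level assurance scale are assumptions made for the illustration.

```python
"""Adaptive, risk-based step-up authentication (added illustration, not OSA code).

Assumed model: a session records which factor types it has proven (knowledge,
possession, inherence) and whether its possession factor is hardware-bound;
each protected operation declares a baseline assurance level; risk signals
raise the level required for this particular request.
"""
from dataclasses import dataclass, field

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass
class Session:
    factors: set = field(default_factory=set)  # factor types already proven in this session
    hardware_bound: bool = False               # possession factor is a hardware token or passkey
    new_device: bool = False                   # risk signals (constructed names)
    unusual_location: bool = False


# Assurance levels used here (constructed for the example):
#   1 = any single factor, 2 = two distinct factor types,
#   3 = two factor types including a hardware-bound possession factor.
BASELINE_LEVEL = {"browse_content": 1, "view_statement": 2, "transfer_funds": 3}
MAX_LEVEL = 3


def session_level(s: Session) -> int:
    """Assurance level the session has already achieved."""
    if not s.factors:
        return 0
    if len(s.factors) < 2:
        return 1
    return 3 if (POSSESSION in s.factors and s.hardware_bound) else 2


def required_level(operation: str, s: Session) -> int:
    """Baseline for the operation, raised one level by any active risk signal."""
    level = BASELINE_LEVEL[operation]
    if s.new_device or s.unusual_location:
        level += 1
    return min(level, MAX_LEVEL)


def step_up_needed(operation: str, s: Session) -> tuple:
    """Return (needed, target_level); target_level is 0 when no step-up is needed."""
    have, need = session_level(s), required_level(operation, s)
    return (have < need, need if have < need else 0)


if __name__ == "__main__":
    s = Session(factors={KNOWLEDGE, POSSESSION}, hardware_bound=False, new_device=True)
    # A new device pushes a level-2 operation to level 3, so a hardware factor is requested.
    print(step_up_needed("view_statement", s))
```

The policy table is the artefact an architect reviews when deciding which operations need which assurance level; in a deployment the risk signals would come from device and location services and each step-up decision would be written to the audit trail.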
Release: 26.02
Authors: Aurelius, Vitruvius
Updated: 2026-02-06
Pattern diagram: 08-02-Pattern_010_31_Identity_Management.svg (OSA is licensed according to Creative Commons Share-alike. Please see: http://www.opensecurityarchitecture.org/community/license-terms)

Actors shown: Private Customer, Business Partner, Employee, Human Resources, ID Administration, Service Owner, IT Security Manager.
Components shown: Directory Server, Authentication Service, ERP (HR) System, CRM, Application Server, Server Mod, Policies.

Diagram annotations:
  • The private customer accepts an agreement that defines the purpose and boundaries of data usage.
  • Via a federation agreement, or via a contract ruling how the business partner contributes to keeping his ID information up to date in the directory.
  • Internal provisioning processes rule how identity and role assignment information from the ERP HR system is provisioned to the directory.

Controls referenced in the diagram:
  • AC-01 Access Control Policies and Proced..
  • AC-02 Account Management
  • AC-03 Access Enforcement
  • AC-13 Supervision And Review -- Access Co..
  • AT-01 Security Awareness And Training Policy..
  • AU-01 Audit And Accountability Poli..
  • AU-02 Auditable Events
  • AU-06 Audit Monitoring, Analysis, And Repor..
  • IA-01 Identification And Authentication Poli..
  • IA-02 User Identification And Authentication
  • IA-04 Identifier Management
  • IA-05 Authenticator Management
  • PS-01 Personnel Security Policy And Procedur..
  • PS-04 Personnel Termination
  • PS-05 Personnel Transfer
  • PS-07 Third-Party Personnel Security

Key Control Areas

  • Identity Lifecycle Management: The core challenge of identity management is ensuring that identities are created, maintained, and retired in a controlled and timely manner. Provisioning should be automated through integration with authoritative sources (HR systems for employees, CRM for customers, partner portals for B2B). Joiner-mover-leaver processes must be well-defined: when an employee changes role, their access entitlements must be updated to reflect new responsibilities and old access must be revoked. When an employee leaves, all access must be terminated within a defined SLA -- orphaned accounts with active credentials are a perennial audit finding and a real attack vector. Self-service capabilities (password reset, profile management, access requests) reduce operational burden while maintaining security through appropriate verification steps.
  • Authentication Architecture: Authentication is the process of verifying that a claimed identity is genuine. The architecture must support multiple authentication methods appropriate to different risk levels: knowledge factors (passwords, PINs), possession factors (hardware tokens, mobile authenticators, smart cards), and inherence factors (biometrics). Multi-factor authentication combining two or more factor types should be the baseline for any access to sensitive systems. Passwordless authentication using FIDO2/WebAuthn is emerging as the preferred approach, eliminating the credential phishing and stuffing attacks that dominate current breach statistics. The authentication architecture must also address session management, token issuance and validation, and single sign-on across the application estate.
  • Federation and Cross-Boundary Trust: Federation enables an organisation to accept identity assertions from external identity providers, avoiding the need to manage credentials for external users directly. The architecture must define trust policies: which identity providers are trusted, at what assurance levels, and for which relying parties. Attribute mapping and transformation at federation boundaries ensure that identity attributes are correctly interpreted across different naming conventions and schema. Just-in-time provisioning creates local accounts from federated assertions, reducing administrative overhead while maintaining local access control. Federation also enables the organisation to act as an identity provider for its own users accessing external services, centralising authentication and enabling consistent MFA enforcement.
  • Authorisation and Entitlement Management: While authentication establishes who someone is, authorisation determines what they can do. The identity management architecture must integrate with authorisation systems that enforce access policies. Role-based access control (RBAC) assigns permissions based on organisational roles, while attribute-based access control (ABAC) evaluates dynamic attributes (time, location, risk score) for fine-grained decisions. Entitlement management involves the governance of who has what access, regular certification campaigns to validate access remains appropriate, and separation of duties enforcement to prevent toxic combinations of permissions. Access governance tooling should provide visibility into the full entitlement landscape across all connected systems.
  • Credential and Secrets Management: Every identity has associated credentials that must be managed securely throughout their lifecycle. For human identities, this includes passwords (with complexity and rotation policies), MFA tokens, certificates, and biometric templates. For machine identities, this includes API keys, service account passwords, TLS certificates, and signing keys. Credentials must be stored using strong cryptographic protections (bcrypt, scrypt, or Argon2 for passwords; HSMs or dedicated secrets managers for keys). Rotation must be automated where possible, and credential compromise must trigger immediate revocation and re-issuance. The architecture should enforce a policy of no shared accounts, no hard-coded credentials, and no credentials in source code.
  • Privacy and Data Protection: Identity systems are inherently privacy-sensitive. The architecture must implement data minimisation (collect only what is needed), purpose limitation (use identity data only for stated purposes), and storage limitation (retain identity data only as long as necessary). Privacy by design requires that consent is obtained before collecting identity data, that users have visibility into what data is held about them, and that erasure mechanisms exist for regulatory compliance (GDPR Article 17, CCPA). Audit trails of identity data access and modification provide accountability. Pseudonymisation and anonymisation techniques should be applied where full identity resolution is not required.
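The Federation and Cross-Boundary Trust area above (trust policy, attribute mapping, just-in-time provisioning) as an added Python example, not code from OSA. It works on a plain dictionary standing in for an already-parsed and signature-verified SAML or OIDC assertion, and the issuer, relying-party identifier, attribute names and timestamps are all constructed.

```python
"""Federation boundary handling: trust policy, attribute mapping and
just-in-time provisioning (added example, not OSA code).

The assertion is a plain dict standing in for an already-parsed and
signature-verified SAML/OIDC assertion; it is not a wire-format message.
Issuer names, attribute names and timestamps are constructed.
"""
import time

OUR_ENTITY_ID = "https://rp.example.test"   # constructed relying-party identifier
CLOCK_SKEW = 120                             # seconds of clock drift tolerated

# Trust policy: accepted identity providers, the minimum assurance level each
# must assert, and how their attribute names map onto the local schema.
TRUST_POLICY = {
    "https://idp.partner.example.test": {
        "min_assurance": 2,
        "attribute_map": {"mail": "email", "givenName": "first_name",
                          "sn": "last_name", "partnerRole": "role"},
    },
}


class FederationError(Exception):
    pass


def check_trust(assertion: dict, now: float) -> dict:
    """Enforce the trust policy; return the matching policy entry or raise."""
    policy = TRUST_POLICY.get(assertion.get("issuer"))
    if policy is None:
        raise FederationError("issuer not trusted")
    if assertion.get("audience") != OUR_ENTITY_ID:
        raise FederationError("assertion not intended for this relying party")
    if now > assertion.get("expires", 0) + CLOCK_SKEW:
        raise FederationError("assertion expired")
    if assertion.get("assurance", 0) < policy["min_assurance"]:
        raise FederationError("assurance level below policy")
    return policy


def accept(assertion: dict, now: float) -> str:
    """'ok' or the rejection reason, for callers that log rather than catch."""
    try:
        check_trust(assertion, now)
        return "ok"
    except FederationError as err:
        return str(err)


def map_attributes(raw: dict, attribute_map: dict) -> dict:
    """Translate IdP attribute names to local ones; attributes without a
    mapping are dropped at the boundary (data minimisation)."""
    return {local: raw[remote] for remote, local in attribute_map.items() if remote in raw}


def jit_provision(store: dict, assertion: dict, now: float = None) -> dict:
    """Create or refresh the local account for a trusted assertion."""
    now = time.time() if now is None else now
    policy = check_trust(assertion, now)
    attrs = map_attributes(assertion.get("attributes", {}), policy["attribute_map"])
    key = (assertion["issuer"], assertion["subject"])   # local identity keyed by issuer + subject
    account = store.setdefault(key, {"created": now, "active": True})
    account.update(attrs)
    account["last_assertion"] = now
    return account
```

Signature verification and replay protection (assertion IDs, nonces) belong to the protocol library and are deliberately outside this snippet; the point is that the trust decision, the schema translation and the account creation are separate, reviewable steps, and that an attribute the policy does not map never reaches the local store.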

When to Use

This pattern applies to any organisation that stores, processes, or transmits identity information for employees, customers, business partners, or other entities. It is essential when the organisation operates multiple applications requiring authentication, when business processes cross organisational boundaries requiring identity federation, when regulatory requirements mandate specific identity data handling practices, or when the organisation is adopting cloud services that require identity integration. The pattern is also indicated when audit findings identify issues with orphaned accounts, excessive privileges, weak authentication, or lack of access governance.

When NOT to Use

Organisations that do not process personal or confidential identity information and do not store identity data may not require the full scope of this pattern. Very small organisations with a handful of users and a single application may find the full architectural approach disproportionate to their needs, though the principles of credential management and access governance remain relevant at any scale. This pattern focuses on architecture and governance rather than specific technical implementation -- it should be complemented by the appropriate infrastructure patterns (SP-008 for web authentication, SP-011 for cloud IAM, SP-014 for awareness training) for implementation guidance.

Typical Challenges

The oldest enterprise challenge in identity management is synchronisation of identity data between distributed systems. Directory services, HR systems, application databases, cloud identity providers, and partner directories all maintain identity records that must remain consistent. In outsourced and federated scenarios, this challenge extends across network and trust boundaries. Federation requires trust models that span organisations, attribute harmonisation at federation boundaries, and standards compliance from all parties -- each of which introduces friction. Timely provisioning and de-provisioning is a persistent operational challenge: the time between an employee starting work and having all required access (and conversely, the time between departure and full access revocation) directly impacts both productivity and security. Data leakage of identity information is a critical risk in every organisation. Privilege creep -- the gradual accumulation of access rights as personnel move between roles without having old access revoked -- creates excessive entitlements that violate least privilege. The proliferation of machine identities (service accounts, API keys, certificates) often exceeds human identity counts by orders of magnitude and receives far less governance attention.
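The joiner-mover-leaver reconciliation from the Identity Lifecycle Management area, together with the privilege-creep, orphaned-account and de-provisioning-latency problems listed above, as one added Python example (not OSA code). The HR and directory record layouts, the role-to-entitlement map, the one-day revocation SLA and the sample records are constructed for the illustration.

```python
"""Joiner-mover-leaver reconciliation between an authoritative HR source and
a directory (added example, not OSA code). Record layouts, the role-to-
entitlement map and the sample data are constructed; a real implementation
would read them from the HR system and the directory through their own
interfaces.
"""
from datetime import date, timedelta

# Entitlements each role should carry (constructed).
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp_read", "ledger_read"},
    "finance_manager": {"erp_read", "ledger_read", "ledger_approve"},
    "sales_rep": {"crm_read", "crm_write"},
}
LEAVER_SLA = timedelta(days=1)   # longest an account may stay active after termination


def reconcile(hr: dict, directory: dict, today: date) -> dict:
    """hr:        id -> {"role": str, "end_date": date or None}
       directory: id -> {"active": bool, "role": str, "entitlements": set}
       Returns the actions a provisioning engine should carry out."""
    actions = {"create": [], "update": [], "disable": [], "sla_breach": []}
    for uid, person in hr.items():
        acct = directory.get(uid)
        terminated = person["end_date"] is not None and person["end_date"] <= today
        if terminated:                                   # leaver
            if acct is not None and acct["active"]:
                actions["disable"].append(uid)
                if today - person["end_date"] > LEAVER_SLA:
                    actions["sla_breach"].append(uid)    # revocation missed its SLA
            continue
        expected = ROLE_ENTITLEMENTS[person["role"]]
        if acct is None:                                 # joiner
            actions["create"].append((uid, person["role"], sorted(expected)))
            continue
        grant = sorted(expected - acct["entitlements"])
        revoke = sorted(acct["entitlements"] - expected)  # privilege creep surfaces here
        if acct["role"] != person["role"] or grant or revoke:   # mover, or drift
            actions["update"].append((uid, person["role"], grant, revoke))
    # Active accounts with no authoritative owner are orphans: disable them.
    actions["disable"] += [uid for uid, a in directory.items()
                           if uid not in hr and a["active"]]
    return actions


# Constructed sample data: one joiner, one mover who kept sales access,
# one leaver still active a week after termination, and one orphaned account.
TODAY = date(2026, 2, 6)
HR = {
    "e1": {"role": "finance_analyst", "end_date": None},
    "e2": {"role": "finance_manager", "end_date": None},
    "e3": {"role": "sales_rep", "end_date": date(2026, 1, 30)},
}
DIRECTORY = {
    "e2": {"active": True, "role": "sales_rep",
           "entitlements": {"crm_read", "crm_write", "erp_read"}},
    "e3": {"active": True, "role": "sales_rep", "entitlements": {"crm_read", "crm_write"}},
    "svc-legacy": {"active": True, "role": "", "entitlements": {"ledger_read"}},
}


def run_sample() -> dict:
    """Reconcile the constructed sample data."""
    return reconcile(HR, DIRECTORY, TODAY)


if __name__ == "__main__":
    for action, items in run_sample().items():
        print(action, items)
```

Run on a schedule, the `sla_breach` list is the metric behind the de-provisioning latency mentioned above, the `revoke` halves of the `update` entries are the measurable form of privilege creep, and the orphan sweep catches accounts that no authoritative source still owns.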

Threat Resistance

This pattern addresses threats across the identity lifecycle. Credential theft through phishing, keylogging, and database breaches is mitigated by multi-factor authentication, passwordless approaches, and strong credential storage. Account takeover through credential stuffing is resisted by breach detection integration and adaptive authentication. Insider threats from excessive privileges are constrained by entitlement governance, access certification, and separation of duties enforcement. Orphaned account exploitation is prevented by automated de-provisioning tied to authoritative source events. Identity fraud in self-registration scenarios is addressed by identity proofing and verification processes. Federation-based attacks (assertion manipulation, replay, confused deputy) are mitigated by protocol-level protections in SAML and OIDC implementations. Privacy violations from excessive identity data collection or retention are addressed by data minimisation and lifecycle management controls. Machine identity compromise (stolen API keys, expired certificates causing outages) is mitigated by secrets management and automated rotation.
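The strong credential storage that the Credential and Secrets Management area and the paragraph above both rely on, as an added Python example (not OSA code). It uses only the standard library's hashlib.scrypt; Argon2 through a third-party library would take the same shape. The cost parameters, the record format and the passwords in the usage are constructed for the illustration.

```python
"""Password credential storage with a memory-hard KDF and parameter upgrade
on verification (added example, not OSA code). Uses the standard library's
hashlib.scrypt; Argon2 via a third-party library would follow the same shape.
Parameters and the record format are constructed for this illustration.
"""
import base64
import hashlib
import hmac
import os

# Policy parameters in force now. When they are raised, existing records keep
# verifying and verify_password() flags them for re-hashing at the next login.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN = 32
MAXMEM = 2 ** 26   # 64 MiB ceiling for the scrypt work area


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hash_password(password: str, params: dict = CURRENT_PARAMS) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$digest."""
    salt = os.urandom(16)   # fresh random salt per credential
    dk = hashlib.scrypt(password.encode(), salt=salt, n=params["n"], r=params["r"],
                        p=params["p"], dklen=DKLEN, maxmem=MAXMEM)
    return f"scrypt${params['n']}${params['r']}${params['p']}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> tuple:
    """Return (matches, needs_rehash). needs_rehash is only ever True for a
    successful match against a record hashed with out-of-date parameters."""
    algo, n, r, p, salt, digest = record.split("$")
    if algo != "scrypt":
        return (False, False)
    n, r, p = int(n), int(r), int(p)
    salt_b, digest_b = base64.b64decode(salt), base64.b64decode(digest)
    dk = hashlib.scrypt(password.encode(), salt=salt_b, n=n, r=r, p=p,
                        dklen=len(digest_b), maxmem=MAXMEM)
    ok = hmac.compare_digest(dk, digest_b)   # constant-time comparison
    stale = (n, r, p) != (CURRENT_PARAMS["n"], CURRENT_PARAMS["r"], CURRENT_PARAMS["p"])
    return (ok, ok and stale)


def login(password: str, record: str) -> tuple:
    """Verify and, when the stored parameters are stale, return an upgraded
    record to persist; otherwise return the record unchanged."""
    ok, rehash = verify_password(password, record)
    if ok and rehash:
        return (True, hash_password(password))
    return (ok, record)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")   # constructed password
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```

Because the record carries its own parameters, a breach of the credential store yields only salted, memory-hard digests, and raising the cost parameters later is a policy change rather than a forced password reset: each user is migrated transparently the next time they log in.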

Assumptions

The organisation has an authoritative source of identity data (typically an HR system for employees and a CRM or registration system for customers). A directory service or identity provider exists as the central point of authentication. Network connectivity supports the authentication protocols in use (SAML, OIDC, LDAP, Kerberos). The organisation has defined data classification and risk assessment frameworks that can inform authentication assurance level requirements. Regulatory requirements for identity data handling (GDPR, CCPA, sector-specific rules) have been identified.