Cross-domain Identity Management
Purpose
For a large enterprise that uses Sequel's applications together with an external identity provider (IdP), managing authentication (AuthN) and authorization (AuthZ) directly from the IdP, instead of through the Sequel Security Services (Sequel's Security) application, removes a lot of duplicated maintenance work. This functionality is based on two features:
- User synchronization from the IdP to Sequel's Security.
- User membership synchronization, translating IdP groups into memberships in Sequel's Security.
This integration reduces the maintenance cost of user management at Sequel's Security to a set of initial configuration tasks:
- Roles, each specifying the granular permissions it grants.
- Groups.
- Membership sets, each linked to an IdP group. In other words, the mapping that translates an IdP group into a set of memberships (pairs of a role, which carries the permissions, and a group). The mapping can be defined at different levels of complexity: an IdP group may represent a Sequel membership, a single role or a single group.
Once the above manual configuration tasks are done, the day-to-day maintenance of users requires no further manual action at Sequel's Security Services for:
- Creation of new users
- Updates to basic user information: first name, last name and email
- Changes to the groups a user is a member of
Manual configuration is still required when a new AD group needs to be used in Sequel's application(s), or when the memberships associated with an AD group need to be changed. Because membership of those AD groups is what grants permissions in Sequel's products, whoever can add members to an AD group effectively controls Sequel authorization, so those groups should be administered with the same care as the Sequel roles they map to.
Integrations
The current version of Sequel Security Services can integrate with an external IdP for syncing users and groups using:
User Information Store and Cache
Critically, when used as a proxy/middleware, the Sequel Security Service does not store user credentials (e.g. username and password), nor does it ever have knowledge of them: the responsibility for identifying a user lies with the identity provider (e.g. Microsoft Azure Active Directory). At no point are these credentials communicated to, processed by or stored in the Sequel Security Service. The Sequel Security Service is responsible only for storing non-sensitive user information in its User Information Store and Cache, and for providing that information to other products in the Sequel suite.
The Sequel Security Service manages users and their permissions within Sequel products, and provides limited information about users to those products: principally a user's name, email address and their permissions/roles for each Sequel product. When connected to an IdP, these permissions are defined by groups on the IdP (e.g. in Azure Active Directory, by membership of Azure Active Directory groups). This information is stored within the Sequel Security Service (and in the Sequel products) and is updated from data sourced from the client's IdP. The store acts as a cache and avoids repeated, relatively slow requests to the identity provider (AAD). Because it is a cache, a change made at the IdP (for example removing a user from a group) takes effect in Sequel products only after the next synchronization, so the synchronization interval bounds how quickly access is revoked.
The Sequel Security Service both stores this user information in its own data store/cache and distributes it to downstream Sequel product instances, which update their own stores; this improves product instance performance and isolates each product instance's workload.
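The group-to-membership mapping and the synchronization steps described under Purpose, together with the contents of the User Information Store described above, as an added Python example. This is not Sequel's own code: the role, group and AD group names, the MEMBERSHIP_SETS table and the two IdP snapshots are constructed here for illustration, and the store is keyed on an immutable IdP object id (an assumption) rather than on email, because email is itself one of the attributes the sync updates. The stored record holds only name, email and memberships; there is no credential field at all.

```python
"""Added example (not Sequel's own code): reconcile an IdP user/group snapshot
into a Sequel-style user information store, using the one-time configuration of
roles, groups and membership sets described on this page."""
from dataclasses import dataclass, field

Membership = tuple[str, str]  # (role, group); the role carries the permissions


@dataclass
class IdpUser:
    """One IdP account as seen by the sync (constructed sample data); only the
    attributes the IdP is authoritative for, credentials never leave the IdP."""
    external_id: str  # assumed immutable IdP object id, used as the store key
    first_name: str
    last_name: str
    email: str
    groups: frozenset[str]


@dataclass
class StoredUser:
    """What the Sequel-side store/cache keeps: identity attributes plus
    memberships. Deliberately no password or other secret field."""
    external_id: str
    first_name: str
    last_name: str
    email: str
    memberships: set[Membership] = field(default_factory=set)


# One-time manual configuration; all names are illustrative assumptions.
ROLES = {"claims-reader": {"claims:read"},
         "claims-handler": {"claims:read", "claims:write"}}
GROUPS = {"uk-claims", "finance"}
MEMBERSHIP_SETS: dict[str, set[Membership]] = {  # membership set per IdP (AD) group
    "AD-Claims-Handlers": {("claims-handler", "uk-claims"), ("claims-reader", "finance")},
    "AD-Finance-Readers": {("claims-reader", "finance")},
}


def validate_config() -> None:
    """Reject a membership set that names an unknown role or group."""
    for idp_group, members in MEMBERSHIP_SETS.items():
        for role, group in members:
            if role not in ROLES or group not in GROUPS:
                raise ValueError(f"{idp_group}: unknown role/group {(role, group)}")


def memberships_for(idp_groups) -> set[Membership]:
    """Translate a user's IdP groups into the union of their membership sets."""
    wanted: set[Membership] = set()
    for g in idp_groups:
        wanted |= MEMBERSHIP_SETS.get(g, set())
    return wanted


def permissions_for(user: StoredUser, group: str) -> set[str]:
    """Effective permissions of a user within one Sequel group."""
    return {p for role, g in user.memberships if g == group for p in ROLES[role]}


def sync(store: dict[str, StoredUser], snapshot: list[IdpUser]) -> dict:
    """Apply one IdP snapshot: create users, update name/email, recompute
    memberships. IdP groups with no membership set are reported, because the
    page says a new AD group cannot be used without manual configuration."""
    validate_config()
    summary = {"created": [], "updated": [], "memberships_changed": [],
               "unmapped_groups": set()}
    for u in snapshot:
        summary["unmapped_groups"] |= {g for g in u.groups if g not in MEMBERSHIP_SETS}
        wanted = memberships_for(u.groups)
        existing = store.get(u.external_id)
        if existing is None:
            store[u.external_id] = StoredUser(u.external_id, u.first_name,
                                              u.last_name, u.email, wanted)
            summary["created"].append(u.external_id)
            continue
        if (existing.first_name, existing.last_name, existing.email) != (
                u.first_name, u.last_name, u.email):
            existing.first_name, existing.last_name = u.first_name, u.last_name
            existing.email = u.email
            summary["updated"].append(u.external_id)
        if existing.memberships != wanted:
            existing.memberships = wanted
            summary["memberships_changed"].append(u.external_id)
    return summary


def run_demo():
    """Two sync rounds over constructed snapshots; returns (store, round1, round2)."""
    store: dict[str, StoredUser] = {}
    round1 = sync(store, [
        IdpUser("u-1001", "Ada", "Lovelace", "ada@example.com",
                frozenset({"AD-Claims-Handlers"})),
        IdpUser("u-1002", "Alan", "Turing", "alan@example.com",
                frozenset({"AD-Finance-Readers", "AD-Legacy-Audit"})),
    ])
    # Round 2: u-1001 changed surname and email; u-1002 was moved between AD groups.
    round2 = sync(store, [
        IdpUser("u-1001", "Ada", "King", "ada.king@example.com",
                frozenset({"AD-Claims-Handlers"})),
        IdpUser("u-1002", "Alan", "Turing", "alan@example.com",
                frozenset({"AD-Claims-Handlers"})),
    ])
    return store, round1, round2
```

The example only implements the three daily operations the page lists (creation, attribute update, group changes) and so does nothing with a user that is absent from a snapshot; whether such a user is disabled, and after how many missed syncs, is a decision the page does not make and the example does not guess. The `unmapped_groups` entry in each summary is the hook for the manual step the page calls out: an AD group that appears on a user but has no membership set configured grants nothing until an administrator maps it.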