
Let’s talk about Identity Orchestration. What is it?

Kinda depends on who you talk to. It’s the new buzzword in the IAM space, so every vendor is trying to fit it to the suite of tools they already sell, or to some new glue app that sits in the middle.

The gist of it: a tool, or group of tools, that lets an organization take all of its disparate IAM products, spread across various clouds and networks, and make them work together seamlessly in a single identity workflow.

So let’s say you have a web app built to look for certain headers or cookies before it lets an authenticated user in, like a SiteMinder-enabled app. Now you want to switch it all up and move to PingFed for authentication. Instead of rewriting every app to handle the new PingFed authentication flow, you drop an orchestrator in between. When a user is authenticated by PingFed, the orchestrator reads the success data (cookies, headers, token claims, whatever) and translates it into the format the app they’re trying to access expects. In this case it transforms the session into a SiteMinder cookie plus headers, so the backend apps never need to be updated. You can do this on a per-app basis, and with most of the tools out there (Ping DaVinci, Strata Maverics) you can set up multiple apps in a single day, which makes migration and integration painless and quick. When it’s done right, it feels like magic.

One caveat that matters a lot here: the orchestrator is now the thing that mints the identity headers and cookie, so the backend has to accept them only from the orchestrator. If a client can reach the app directly, or the orchestrator forwards a client-supplied copy of the same header, anyone can set the user header themselves and walk in as whoever they like. Strip those headers on the way in, and lock the app’s network path down so that only the orchestrator can talk to it.
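As an added example (mine, not code from the post or from any vendor’s product), here is a toy version of that translation step in Python. It validates the upstream result, strips any client-supplied copies of the legacy headers and session cookie, and then emits the app’s contract. SM_USER and SMSESSION are SiteMinder’s real header and cookie names, but everything else is an assumption: the issuer, the audience, the per-app policy, the shared key, and the HMAC-signed cookie format (a real SiteMinder agent decrypts SMSESSION with its agent key; the signed blob stands in for that).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample of what the orchestrator sees after PingFed succeeds.
# Real PingFederate hands over an OIDC ID token or SAML assertion; the claim
# names follow OIDC, but this dict is a stand-in, not real PingFed output.
UPSTREAM_CLAIMS = {
    "iss": "https://pingfed.example.com",  # assumed issuer
    "aud": "orchestrator",                  # assumed audience
    "sub": "jdoe",
    "groups": ["app-users", "finance"],
    "exp": int(time.time()) + 600,
}

TRUSTED_ISSUER = "https://pingfed.example.com"  # assumed
SHARED_KEY = b"rotate-me-orchestrator-key"       # assumed orchestrator<->app secret

# Per-app translation policy. SM_USER / SMSESSION are SiteMinder's names;
# everything else here is an assumed, app-specific contract.
APP_POLICIES = {
    "legacy.example.com": {
        "user_header": "SM_USER",
        "cookie_name": "SMSESSION",
        "extra_headers": {"X-Groups": "groups"},  # header -> claim
        "required_group": "app-users",
    },
}


def strip_spoofable_headers(inbound_headers, policy):
    """Drop client-supplied copies of the identity headers and session cookie,
    so the app only ever sees values the orchestrator set itself."""
    protected = {policy["user_header"].lower()}
    protected |= {h.lower() for h in policy["extra_headers"]}
    cleaned = {}
    for name, value in inbound_headers.items():
        lname = name.lower()
        if lname in protected:
            continue
        if lname == "cookie":
            crumbs = [c.strip() for c in value.split(";") if c.strip()]
            crumbs = [c for c in crumbs
                      if not c.startswith(policy["cookie_name"] + "=")]
            if crumbs:
                cleaned[name] = "; ".join(crumbs)
            continue
        cleaned[name] = value
    return cleaned


def mint_session_cookie(claims, now):
    """HMAC-signed session blob. A real SiteMinder agent decrypts SMSESSION with
    its agent key; this signed value is an assumed stand-in with the same
    property: only the holder of SHARED_KEY can produce one."""
    payload = {"sub": claims["sub"], "exp": claims["exp"], "iat": now}
    raw = json.dumps(payload, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_session_cookie(value, now):
    """What the app (or a sidecar in front of it) does: check signature, then expiry."""
    body, _, sig = value.partition(".")
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return payload if payload["exp"] > now else None


def translate(app_host, claims, inbound_headers, now=None):
    """Turn the upstream auth result into one app's legacy contract.
    Returns the headers to forward, or None when the request must be rejected."""
    now = int(time.time()) if now is None else now
    policy = APP_POLICIES.get(app_host)
    if policy is None:
        return None
    # Never trust the upstream result blindly: issuer, audience, expiry, entitlement.
    if claims.get("iss") != TRUSTED_ISSUER or claims.get("aud") != "orchestrator":
        return None
    if claims.get("exp", 0) <= now:
        return None
    if policy["required_group"] not in claims.get("groups", []):
        return None
    out = strip_spoofable_headers(inbound_headers, policy)
    out[policy["user_header"]] = claims["sub"]
    for header, claim in policy["extra_headers"].items():
        val = claims.get(claim, "")
        out[header] = ",".join(val) if isinstance(val, list) else str(val)
    session = f"{policy['cookie_name']}={mint_session_cookie(claims, now)}"
    out["Cookie"] = session + (f"; {out['Cookie']}" if "Cookie" in out else "")
    return out
```

To try it, build a constructed inbound request that smuggles its own identity, for example `{"Host": "legacy.example.com", "SM_USER": "admin", "Cookie": "SMSESSION=forged; theme=dark"}`, and call `translate("legacy.example.com", UPSTREAM_CLAIMS, inbound)`. The forwarded headers carry `SM_USER: jdoe` from the upstream claims, the forged `SM_USER` and `SMSESSION` are gone, `theme=dark` survives, and `verify_session_cookie` on the new cookie returns the signed payload. The key design point is that the trust boundary sits at the orchestrator: the app never sees a client-controlled copy of the header it trusts, and the cookie it receives is something only the orchestrator can mint.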

The first time I saw this process play out, I was like “damn…. this is sick. *THIS* is how Identity Management should have been happening ALL THE TIME!”.

Bluntly: An orchestration tool is mandatory for anyone with an IAM setup. If you don’t have one, you’re wasting a ton of time and money.

The best definition I’ve found, and the one I think captures the true sense of the term, is: “The framework that businesses can use to weave a variety of identities together in a multi-cloud environment. Identity Orchestration allows businesses to enable consistent identity and access to a business’s apps and/or services, regardless of which identity system is used.”

When you jump into Ping and ForgeRock land, they prepend it with “No-Code Orchestration”

And this is a misnomer in itself (you’re still going to have to drop in some custom code here and there, but it’s generally painless). For the most part, they throw around the “No-code” prefix because their tools have a sweet GUI that lets you build out the entire workflow of whatever it is you want to create or connect to, without writing custom connectors, backend Java apps, Groovy snippets or anything like that to make an identity action take place. It’s actually pretty cool once you start playing with it.

I highly encourage you to play around with the tools out there today! Top 2 I’ve personally seen killing it are Ping DaVinci and Strata Maverics.