
Intro to identity management
Authentication
Single sign-on and Apple services such as Apple ID, Managed Apple ID, iCloud, iMessage, and FaceTime let users communicate securely, create documents online, and back up personal data—all without compromising an organization’s data. Each service uses its own security architecture, which ensures the following: secure handling of data (whether it’s on an Apple device or in transit over a wireless network), protection of users’ personal information, and threat protection against malicious or unauthorized access to information and services. MDM solutions can be used to restrict and manage access to specific services on Apple devices.
Authentication is retrieving a credential from an authority after providing an assertion that proves your identity.
Authorization
Authorization is different from authentication. Authentication proves who you are, whereas authorization defines what you are allowed to do. Authorization is retrieving a token from an authority after authentication has been completed by providing an assertion that proves your identity.
For example, this could be done by providing a user name and password to an IdP. In this example, the authority is your Identity Provider or Active Directory, the assertion is the user name and password, and the token is the data received after a successful sign-in. Other assertions can be used, including certificates, smart cards, and other multifactor devices.
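The two steps above can be seen side by side in a small worked example. This is an added illustration, not code from Apple or from any identity provider: it models a hypothetical in-memory authority (`USERS`, `SIGNING_KEY`, `SALT`, `TOKEN_LIFETIME` are all constructed), with `authenticate` checking the assertion (user name and password) and issuing a signed token, and `authorize` consulting only that token to decide whether an action is permitted.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical in-memory identity provider (the "authority" in the text above).
# All values here are constructed for the example; a real IdP keeps users in a
# directory and the signing key in protected storage.
SIGNING_KEY = b"demo-signing-key-replace-in-real-deployments"
SALT = b"per-deployment-salt"          # a real system uses a random salt per user
TOKEN_LIFETIME = 300                   # seconds a token stays valid


def hash_password(password: str) -> bytes:
    """Store only a slow, salted hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed users: the roles are what authorization later consults.
USERS = {
    "alice": {"pw": hash_password("correct horse battery"), "roles": ["backup.read", "docs.edit"]},
    "bob":   {"pw": hash_password("hunter2"),               "roles": ["backup.read"]},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(payload: dict, key: bytes = SIGNING_KEY) -> str:
    """Token = base64url(JSON payload) + "." + base64url(HMAC-SHA256 over that payload)."""
    body = b64url(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(tag)}"


def authenticate(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Authentication: check the assertion (user name + password) against the
    authority's records and, on success, issue a token. Returns None on failure."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    candidate = hash_password(password)            # always do the work, even for unknown users
    expected = record["pw"] if record else bytes(len(candidate))
    if record is None or not hmac.compare_digest(candidate, expected):
        return None
    return sign_payload({"sub": username, "roles": record["roles"], "exp": now + TOKEN_LIFETIME})


def authorize(token: str, permission: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Authorization: decide whether the holder of this token may perform `permission`.
    No password is involved here; only the token and what it carries is consulted."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64url(tag), expected):
            return False, "bad signature"      # not issued by this authority, or altered since
        payload = json.loads(unb64url(body))
    except ValueError:                         # covers bad base64, bad JSON and a missing "."
        return False, "malformed token"
    if now > payload.get("exp", 0):
        return False, "expired"
    if permission not in payload.get("roles", []):
        return False, "not permitted"          # authenticated, but not authorized for this action
    return True, "ok"


if __name__ == "__main__":
    tok = authenticate("alice", "correct horse battery", now=1000)
    print(authorize(tok, "docs.edit", now=1100))   # (True, 'ok')
    print(authorize(tok, "docs.edit", now=2000))   # (False, 'expired')
```

The point to notice is that `authorize` never sees a password: the token issued at sign-in is the only thing it verifies, and a token that is expired, was not signed by this authority, or does not carry the requested role is refused even though the user did authenticate successfully.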
Identity Federation
Identity federation is the establishment of trust between identity providers across security domains. Federation requires that the domains are set up by administrators to trust each other and agree on the method to identify users. A common example is using your enterprise account to sign in to a cloud identity provider.
For example, Apple has enabled federation between Microsoft Azure Active Directory and Apple School Manager or Apple Business Manager to streamline the creation of Managed Apple IDs for an organization. The users can use their existing Azure AD credential to sign in to iCloud or on Apple devices associated with Apple School Manager or Apple Business Manager.
If the user isn’t challenged to assert their identity again, then the federation is also performed using Single sign-on, described next.