Issue 43 - March 2005
Identity Management: behind the scenes
By Angela Tang

The community of City University is expanding not just in the growing number of students, alumni and staff, but also in the diversity of relationships people have with the University: prospective students and staff, visiting scholars, exchange students, retired staff, and so on. Moreover, it is common for a person to hold multiple roles, and for those roles to change over time. Identity Management is definitely the direction for enabling this large and heterogeneous user population to gain secure access to the appropriate electronic resources in a timely manner. Before discussing how we have started to handle this big subject, let us look at the complications involved.

With the rapid development of IT, accessing information and services electronically has become increasingly convenient and fast. Whether a person is allowed to use certain resources or services is usually determined by creating an account on the system: whoever has the account username and the correct password is allowed to use the service. This approach has a few underlying problems, described below:

  1. Data Integrity

    User information stored on distributed systems may differ from one system to another, so data integrity is difficult to maintain.

  2. Account and Service Management

    Account and service provisioning is complicated when it comes to creating, maintaining and removing the provision. As there is no complete picture of all the resources allocated to a user, granting privileges has become a tedious task, especially when a user has multiple roles, i.e. when a person is both a staff member and a student in the University. Synchronization of information among systems demands manual processing by different departments. As a result, delays may occur in creating and updating information.

  3. Username/Password Chaos

    Not only does one have to remember a separate username/password pair for each resource, but a separate log-in is also required for each. When a user forgets a password, assistance is needed to reset it.

The Ultimate Solution - Identity Management

Identity Management is an integrated set of technologies and processes that enable secure access to the information and resources of an enterprise in a scalable manner. That is, it allows the right people in and gives them access to the appropriate information, systems, applications and services.

What are the Benefits?

  • Reduced Cost

    As Gartner report stated, "Identity and access management (IAM) solutions, which can offer three-year return on investment in the triple-digit-percent range, are becoming essential tools for effective management of user account and access rights information across heterogeneous IT environments, for web and non-web applications."

  • Increased Security

    The risk of unauthorized access to resources, or of disclosure of confidential information, is reduced or eliminated.

  • Improved Productivity

    Reduced management overhead through the automation and centralized management of identity. Reduced time for new employees to get access to the required resources within the organization.

  • Improved Service

    Reduced user waiting time and frustration, thanks to faster account creation and password reset processes.

  • Increased Compliance

    Provides consistent and standard identity data to and for applications. Auditing of user access rights can be improved.

Functions of an Identity Management System (IMS)

Digital identity includes the information that can represent a distinct person in the electronic world. For instance, a person's unique account name, a certificate, authentication and authorization data, and profile data are all part of the person's identity. In the real world, a person can be a teacher at school, a father at home and a customer at the supermarket. Similarly, a digital identity has a corresponding relationship for each given context. A person may use the Human Resources System as an employee, access the Library system as a lecturer, and log into the Facilities Booking system as a general user. In other words, depending on the context, a digital identity may present different views. With this concept in mind, let us now look at the various functions of the IMS.

  • Identity Store

    An LDAP directory is the most commonly used data repository for storing identity information and attributes.

  • Authentication

    This is the process of verifying a digital identity. The most common method is to compare identity information, such as a username, and a credential, such as a password, with the Identity Store.

  • Authorization

    The process of enforcing the access rights of an authenticated identity within a certain context.

  • Access Control

    Defining policies to govern the use of resources, so that they are used by the right person at the right time.

  • Identity Lifecycle Management

    This is the management of the entire lifecycle of digital identities. A typical lifecycle includes:

    - Initial set up - Provide new users with the appropriate access levels to the necessary resources.
    - Maintenance - As a user's role may change and new contexts may arise, identity information has to be kept up to date and levels of access to resources adjusted accordingly in a timely manner.
    - Teardown - Deactivate, remove and archive the digital identity of a user when he/she is no longer affiliated with the organization.
    - Lifecycle management process - The process includes provisioning and decommissioning of accounts, self-service for resetting passwords and updating identity information, and delegated administration to non-IT departments.

  • Audit

    To ensure that the information in the Identity Store is being properly used and complies with privacy regulations.
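To make the functions above concrete, here is a small in-memory model of an identity store with authentication, context-dependent authorization, the lifecycle operations and an audit trail. It is an added example, not the CSC's own system: the `hr` and `library` contexts, the roles and the policy table are all assumed for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory identity store standing in for the LDAP directory the article
# names. Roles are kept per context: one person is an employee in HR and a lecturer in the Library.
POLICY = {  # context -> role -> permitted actions (constructed sample policy)
    "hr": {"employee": {"view_payslip"}, "manager": {"view_payslip", "approve_leave"}},
    "library": {"lecturer": {"borrow", "reserve"}, "student": {"borrow"}},
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityStore:
    def __init__(self):
        self.users = {}  # username -> record
        self.audit = []  # (event, username, detail): the trail the audit function reviews

    def provision(self, username, password, roles):
        """Initial set up: create the identity with its role for each context."""
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "roles": dict(roles), "active": True}
        self.audit.append(("provision", username, sorted(roles)))

    def set_role(self, username, context, role):
        """Maintenance: a role change in one context leaves the other contexts untouched."""
        self.users[username]["roles"][context] = role
        self.audit.append(("role_change", username, f"{context}={role}"))

    def deprovision(self, username):
        """Teardown: deactivate rather than delete, so the audit trail stays intact."""
        self.users[username]["active"] = False
        self.audit.append(("deprovision", username, ""))

    def authenticate(self, username, password):
        """Authentication: compare the presented credential with the stored one; inactive users fail."""
        u = self.users.get(username)
        ok = bool(u and u["active"] and hmac.compare_digest(u["hash"], _hash(password, u["salt"])))
        self.audit.append(("auth", username, "ok" if ok else "fail"))
        return ok

    def authorize(self, username, context, action):
        """Authorization: enforce only the rights of the role held in this context."""
        u = self.users.get(username)
        role = u["roles"].get(context) if u and u["active"] else None
        allowed = action in POLICY.get(context, {}).get(role, set())
        self.audit.append(("authz", username, f"{context}:{action}:{'ok' if allowed else 'deny'}"))
        return allowed
```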

Deployment Models

Silo
Each service has its own identity store as well as its own authentication and authorization processes. Users have to keep logging in and out when moving from one service to another.

Walled garden
There is only a single identity management service for a community. Individual services rely on it to obtain identity information and to control access to the service.

Federation
Access is granted provided the identity has already been authenticated by a trusted external organization. For example, after buying books on-line from company A, you may continue to purchase an air ticket from company B without re-identifying yourself to company B.
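The company A / company B exchange above, as an added example that is not part of the original article: the organization that authenticated the user issues a signed assertion, and the relying party admits the user on the strength of that assertion alone. The assertion format, the issuer and audience names and the per-partner shared secret are assumptions; SAML and Shibboleth carry the same claims in XML with public-key signatures, but the checks the relying party performs are the ones shown.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical federation token: a base64url JSON body of claims plus an HMAC over it,
# keyed with a secret shared between the identity provider and one relying party.

def issue_assertion(issuer, secret, subject, audience, ttl=300, now=None):
    """Identity provider side (company A): sign an assertion for one relying party."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def verify_assertion(token, trusted_issuers, my_audience, now=None):
    """Relying party side (company B): return the subject if acceptable, else None.
    trusted_issuers maps issuer name -> shared secret; any other issuer is untrusted."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if not isinstance(claims, dict):
        return None
    secret = trusted_issuers.get(claims.get("iss"))
    if secret is None:
        return None  # no federation agreement with this organization
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature does not match: forged or tampered
    if claims.get("aud") != my_audience:
        return None  # issued for another service, not usable here
    if claims.get("exp", 0) <= now:
        return None  # stale assertion
    return claims["sub"]
```

The audience and expiry checks are what keep an assertion meant for one service from being replayed at another, or long after the user's session at company A ended.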

Identity Management Standards

For the walled garden deployment model, an identity management service has to communicate with various user services. This would be impossible, or extremely difficult, to implement if each user service spoke a different language. Moreover, under the federation deployment model, the identity management service of organization A has to work with that of organization B. For these reasons, there must be a commonly agreed way of communicating when performing the identity management functions, and this is where standards come into play.

There are quite a number of standards related to various aspects of Identity Management. Below are the essential ones.

Federated Identity and Standards

The concept of federated identity is defined as being able to extend account profile and access management to third parties who need to access resources in your organization, and similarly, being able to project your identity or identities that you manage to others.

- The Liberty Alliance Project
- Microsoft Federation
- Shibboleth Project

Directory Services (for identity store)
- Lightweight Directory Access Protocol (LDAP)
- Directory Service Markup Language (DSML)

Web Services
- Simple Object Access Protocol (SOAP)
- Web Services Description Language (WSDL)
- Universal Description, Discovery and Integration (UDDI)

Security
- Security Assertion Markup Language (SAML)
- Web Services Security Language (WSS)
- Open Security Assertion Markup Language (OpenSAML)

Conclusion

As companies focus more on service delivery and customers demand more access to information, while the number of identity theft cases keeps rising, identity management has been recognized as the key component for achieving these goals while control and security are still maintained. However, the industry is still waiting for these tools and standards to mature. Until then, we must rely on ourselves to properly protect our identities, such as our usernames and passwords, and be vigilant about releasing our identity information to others.

Copyright© Computing Services Centre, City University of Hong Kong. Best viewed in 1024x768 with IE. Javascript enabled. Last modified on Friday December 28 2018 .