Organizations in Cloudentity™ Identity
This article explains the concept of organization in the Cloudentity™ Identity stack.
Concept of the organization
The concept of an organization is used when multiple business units within a company want to consume Identity and Access Management services deployed as a shared, common identity service (such as an internal demo provider) to authenticate their users to their business tools, applications, or platforms.
Another conceptual application of the organization in Cloudentity™ Identity supports the B2B2C use case.
If a company wants to be a B2B2C provider, each of the company’s business relationships and users within that business can be represented as an organization.
Role of the organization
Organizations are for grouping users in the Cloudentity system. These disjoint sets of users are useful for restricting the scope of the admin authority. In addition, certain operations may be applied to organizations to affect all member users.
The User Delegated Administration service allows administrators to manage and administer organizations and users belonging to the organizations in the Cloudentity system.
Cloudentity has a robust set of IAM APIs and a delegated administration model to allow the management of suborganizations and users under them.
This delegated administration model can be used for multiple organizations consuming a single IAM service deployed in the company's internal cloud; it provides the required abstraction at the service and UI level through a flattened data layer model.
General rules that govern the use of organizations in the Cloudentity platform are:
Organizations are uniquely identified by an organization identifier, or CID, which is assigned in addition to the system-generated globally unique key (UUID).
Every user in Cloudentity belongs to exactly one organization, which is denoted by an organization CID stored as a user’s organization attribute. This is referred to as a user’s home organization and cannot be changed.
When a user authenticates, the user’s home organization is set as a property of the created session. This is referred to as an authenticated user’s session organization.
The session organization is the context used for the majority of operations that admins perform on other users, including listing and viewing users. Admins with sufficient privileges are able to change their session organizations.
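The rules above can be modelled as a small scoping check: the home organization is immutable, the session organization is copied from it at authentication, user listing is filtered by the session organization, and only a privileged admin may switch it. This is an added illustration, not Cloudentity code or its API; the privilege name `switch-organization`, the CIDs and the user names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import uuid

# Constructed model of the organization rules (not Cloudentity's implementation).
# The privilege name below is an assumption, not a real Cloudentity role.
SWITCH_ORG = "switch-organization"

@dataclass(frozen=True)
class User:
    uuid: str                       # system-generated globally unique key
    username: str
    home_org_cid: str               # exactly one home organization; frozen, so it cannot change
    privileges: frozenset = field(default_factory=frozenset)

@dataclass
class Session:
    user: User
    session_org_cid: str            # set from the home organization at authentication

DIRECTORY: dict[str, User] = {}     # constructed in-memory user store keyed by UUID

def create_user(username: str, home_org_cid: str, privileges=()) -> User:
    u = User(str(uuid.uuid4()), username, home_org_cid, frozenset(privileges))
    DIRECTORY[u.uuid] = u
    return u

def authenticate(user: User) -> Session:
    # The home organization becomes the session organization.
    return Session(user, user.home_org_cid)

def list_users(session: Session) -> list[str]:
    # Admin operations are scoped to the session organization, never the whole directory.
    return sorted(u.username for u in DIRECTORY.values()
                  if u.home_org_cid == session.session_org_cid)

def switch_organization(session: Session, target_cid: str) -> None:
    # Only an admin holding the switch privilege may change the session organization.
    if SWITCH_ORG not in session.user.privileges:
        raise PermissionError(f"{session.user.username} may not switch to {target_cid}")
    session.session_org_cid = target_cid
```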
In the Cloudentity system, there are a few functions that are organization-dependent and steered from the organization level, such as:
Default MFA method - capability to configure and enforce an organization-specific MFA method
EULA-related logic - capability to configure an organization-specific end-user license
Password policy - capability to configure an organization-specific password policy
External identity provider (SAML/OIDC) - ability to configure an organization-specific SAML/OIDC external identity provider
Authentication flow - ability to configure an organization-specific authentication flow
Authorization policy - ability to configure an organization-specific logic in the access/authorization policy
Permissions and roles - ability to configure organization-specific permissions and roles (requires the Cloudentity Permissions service extension).