Why identity architecture matters
Identity architecture joins workforce, customer, privileged, service, and machine identities to directories, identity providers, applications, cloud tenants, certificates, and authorization systems. Centralization can make administration more consistent, but it can also concentrate outage risk and widen the effect of a bad trust, group, or provisioning decision. A useful design records which system is authoritative for each identity attribute, which service accepts it, and which team can change the relationship.
Core concepts
An identity is a representation of a person, workload, or device. An account is one implementation of that identity in a directory or application. A credential proves something about a sign-in attempt; it is not the same as an entitlement. Workforce identities, customer identities, service accounts, workload identities, and privileged accounts usually have different lifecycle, recovery, and monitoring needs. In hybrid designs, synchronization can create duplicate records, delayed deprovisioning, tenant or domain boundaries, and dependencies on connectors, certificates, network paths, DNS, and time.
Inventory the trust path
| Component | Questions to record |
|---|---|
| Authoritative source | Who owns the record, which attributes are authoritative, and how corrections are approved. |
| Identity provider or directory | Which identities it serves, recovery method, availability dependency, and audit source. |
| Relying application | Accepted protocol, claims, local fallback accounts, application authorization owner, and logout behavior. |
| Privileged or machine identity | Purpose, owner, credential type, scope, rotation, and interactive-use restriction. |
Architecture review workflow
- Draw authentication, provisioning, authorization, administration, and audit flows separately. One diagram rarely makes all five clear.
- Mark trust boundaries where an external federation, directory connector, tenant, partner, cloud service, or administrative plane accepts an assertion or changes policy.
- Identify failure domains: identity-provider outage, certificate expiry, synchronization failure, DNS loss, time drift, unreachable logging, or unavailable recovery staff.
- Define emergency access that is controlled, monitored, periodically tested, and not used as a normal convenience path.
- Collect configuration references, owners, representative sign-in evidence, and a current dependency map before approving a broad change.
Trust-boundary questions
- Which application trusts which issuer, tenant, domain, certificate, or directory connection?
- What identity data crosses the boundary, and is it necessary for the decision?
- Can an authentication success be followed by a different local authorization decision?
- Where are logs generated, correlated, retained, and reviewed when a dependency fails?
- Does a third party have an administrative, support, or federation path that needs separate review?
Failure-domain checklist
Test a bounded identity-provider outage, expired or rolled certificate, broken synchronization, unavailable external provider, and recovery-account path using approved change procedures. Confirm which applications fail closed, which allow existing sessions, which use local fallback accounts, and which operational teams receive the relevant evidence. Availability planning should not silently create a bypass around privileged access controls.
Validation boundaries and failure modes
Review duplicate identity records, tenant and domain boundaries, certificate and key dependencies, and recovery from identity-provider outage. A central service can simplify administration while increasing blast radius, so define which applications retain existing sessions and which teams own restoration.
Before closing a review, confirm the result with the system owner and retain a reference to the relevant configuration, event, approval, or test. Missing evidence should create a follow-up question, not an unsupported conclusion about safety, authorization, or exposure.
Common mistakes
Common mistakes include treating a directory as the only identity store, mapping broad groups directly to administrator roles, omitting machine identities from the inventory, or assuming central login revokes local sessions and secondary credentials. Another mistake is recording a trust relationship without recording its owner, certificate lifecycle, and outage behavior.
Fictional hybrid example
A company synchronizes workforce records to a cloud identity provider and federates several SaaS applications. During review, the team finds that a legacy management portal retains local administrators and that an automation account uses a certificate outside the normal rotation process. The design is updated with separate owners, a certificate dependency, an emergency-access procedure, and an application-level authorization review. The central identity provider remains useful, but it is no longer assumed to cover every access path.
Related Vuln Signal content
Continue with Identity and Access Learn, Authentication, Authorization, and Accounting, Secure Remote Access, TLS and Service Identity, and IAM Access Review practice.