What Is Identity Orchestration and How Does It Help?

About 28% of people in the US manage more than four email addresses, according to a 2021 Statista survey. And the average person has between 6 and 7 social media accounts they use actively. 

The corporate setting is no different, as employees frequently access sensitive information through an increasing array of software platforms in expanding tech environments.

Identity orchestration is one of the most effective approaches to navigating this reality.

This article will explain identity orchestration, why it’s important in identity and access management (IAM), how it typically works, and what benefits it brings to adopters.

What is identity orchestration?

Identity orchestration is a set of technologies and approaches that help organizations create seamless user journeys across disparate identity environments. Identity orchestration – also referred to as journey-time orchestration – provides an intuitive, low-lift interface for IT teams to define processes such as user registration, login, MFA,  and syncs with CRMs and external user stores.

Many experts see identity orchestration as a solution to the “treadmill problem” of ever-increasing account management complexity. Subjecting users to managing a seemingly endless string of accounts and credentials is a recipe for disaster, even under the best circumstances. It’s even more risky when visibility into or control over user accounts and activity is lacking.

Orchestrating identity intentionally makes IAM systems both safer and easier for all parties involved. It abstracts out authentication and other steps into user journeys that can easily be created and modified without any code-heavy processes.

Identity orchestration vs. identity federation

Identity orchestration is closely related to and often mistaken for identity federation, also known as federated identity management (FIM). FIM produces similar results for users by unifying and streamlining the login process across various digital environments. 

However, unlike orchestration, FIM relies upon pre-existing relationships and trust between the platforms through protocols such as SAML and OpenID Connect.

Identity orchestration happens at the organization level where IT teams implement solutions to orchestrate identities across specific accounts and tasks. However, federated authentication methods span various identities relevant to users’ personal and professional lives. 

For example, individuals who log in to ecommerce, social media, or other websites and apps using a personal Google account use federation. Identity orchestration could also use federation, but it would not depend solely upon it. For example, a user’s account may be created in a CRM after they sign up for a SaaS product – in this case, user identity traits are disseminated from the product or primary IdP to the CRM through orchestration.

Another closely related concept is single sign-on (SSO). SSO systems utilize a single user account with an SSO platform to grant access to a particular set of enterprise accounts. It’s closer to an orchestration configuration in practice, but identity orchestration includes several other workflows including step-up authentication, risk-based MFA, and user account merging.

How identity orchestration works

Identity orchestration platforms create seamless and secure user journeys. When staff, clients, or other stakeholders log in to one digital environment, identity orchestration could be used to run several workflows depending on the user journey defined by the organization. These workflows could be based on the specific information users are attempting to access, their permissions, their geolocation, and risk factors associated with the login attempt.

Consider three examples: 

1. A user logs in to a banking app. They are able to view their balance amounts and transfer money between internal accounts. But when they want to transfer money outside the back, they may need to provide an additional authentication factor (step-up authentication).

2. A user usually logs in to a workplace app from the office. However, they are traveling one day and attempt to log in from another location in a different timezone. Since the login attempt is deemed risky – either by the identity orchestration system itself or by other risk identification systems – the user enters into an MFA flow.

3. Two users attempt to sign up for a shopping app. The user who signs up from the US is shown magic links and social logins as the authentication options, while the user who signs up from India is shown OTP over WhatsApp as the authentication option. They each get a registration experience with auth options familiar to them.

Identity orchestration makes the above three examples, along with several others, a reality.

4 prerequisites for an identity orchestration platform

The identity orchestration market is crowded and includes vendors that approach the technology from different angles. Here are some prerequisites to consider for organizations seeking an identity orchestration platform:

1. Workflows: User journeys are a critical part of any identity paradigm. Identity orchestration solutions should provide organizations with a clear, intuitive workflow-based interface that allows them to create and customize their user journeys. These workflows should be executable and modifiable without re-coding the apps being accessed. 

2. Interoperability: The world of identity is replete with authentication methods and protocols with their own strengths and drawbacks. An identity orchestration solution should be compatible with protocols and systems such as SAML, OIDC, FIDO2, WebAuthn, and passkeys.

3. Extensibility: Customer identities are important for several business teams and processes. Identity orchestration solutions should integrate with external services, whether they be other identity providers, risk identification software, identity verification services, or go-to-market tools. Any product that materially impacts the user journey should be fair game for identity orchestration.  

4. Security and availability: Safeguarding customer identities is a top priority for all businesses. Poor identity management can also affect an organization’s bottom line – every second of downtime and every poor bit of UX leads to user churn. Identity orchestration solutions should have best-in-class product security, SLAs, and failover mechanisms. They should also be compliant with frameworks such as SOC 2, ISO 27001, and any relevant industry regulations.

Benefits of identity orchestration

Identity orchestration has several benefits for end users, developers, and IT admins alike:

• Improved user experience: Identity orchestration enables use cases such as passwordless authentication, risk-based MFA, and SSO, which are all geared towards providing end users with a frictionless experience. 

• Enhanced security: Identity orchestration helps organizations weed out fraudulent users without affecting the experience of real users. These systems can monitor login attempts in real-time and create branching user paths based on the deemed risk level. Bidirectional integrations with external fraud services provide even more signals to identify account takeover attempts.

• Increased IT and dev productivity: Identity orchestration systems help IT teams administer IAM experiences without custom coding. This both frees up developers to focus on core product initiatives and frees up IT teams from auth-related help desk tickets and complex configurations.

• Organizational flexibility: As organizations grow, identity orchestration makes it easier to create and modify user journeys during new market expansions, mergers and acquisitions, and so on. In a multi-identity environment, identity orchestration also makes it easier to switch out identity vendors and other products that touch the user journey. 

No-code identity orchestration with Descope

Identity orchestration enables organizations to deliver secure and user-friendly experiences across a variety of digital accounts while eliminating identity silos and complexity.

Descope is a drag-and-drop CIAM platform that helps developers and IT teams easily add authentication, authorization, and identity management to their customer-facing apps. By using bidirectional connectors with several third-party services, Descope customers can implement use cases such as:

• Risk-based MFA and fraud detection with reCAPTCHA.

• Facial recognition and verification with Amazon Rekognition.

• Checking breached credentials with Have I Been Pwned?

• User journey localization with Google Cloud Translation and Amazon Translate.

• Syncing user data into CRMs with Segment and HubSpot.

Explore Descope connectors to discover other identity orchestration use cases. Have questions about our platform? Schedule a demo with our auth experts.