Open Source Solutions for Public Administration

Identity Management

An identity management system is an integrated system of policies, organizational processes, and business rules that facilitates and controls access to the information systems of an organization.

It should not be seen as a single solution, but rather as a group of interrelated solutions to administer user authentication and authorization, user rights, restrictions, profiles, access to groups, passwords, and all other information that is required for proper administration.

The main goals that are sought by an organization that wants to implement a solution with these characteristics are:

  • Standardize identity data that is present in multiple repositories.
  • Unify the different business rules used to manage the different repositories.
  • Automate the addition/deletion of users to and from the different repositories.
  • Provide provisioning tools to administrators and tools to change/recover passwords for users.
  • Unify user passwords in the different repositories.
  • Create a global metadirectory for all of the members of the organization in order to offer services related to the repository.
  • Support delegated administration of users by groups.

To achieve these goals, Ándago proposes actions in the following areas:

  • Standardization. “Identity Management” systems become a requirement in organizations in which the number of identity, user, and/or service repositories has grown large enough that complying with the business, identity, and organizational rules is no longer possible without devoting excessive resources. The information standardization area involves a study of the existing identity systems, the implementation of criteria to unify the use of those systems, and the preparation of the data to allow it to be loaded into a "provisioning" system. It is important to note the difference between the standardization and provisioning areas: standardization processes are aimed at organizing an organization’s identity information prior to its integration into an identity management system, whereas the processes implemented in the provisioning area are focused on implementing the organization's identity-related business rules.
  • Provisioning. The purpose of the provisioning area is to implement the organization's business and user-provisioning rules. The object of this area is the business rules themselves, not the reordering of information that was "disorganized" prior to the implementation of an identity management system. In this area, graphical data-management interfaces are used to carry out procedures such as the creation/deletion/modification of users in the organization, the propagation of identity data to the different repositories based on the type of user, the collection of identity data from the different repositories, and time-based tasks (such as password-change policies and expirations).
  • Metadirectory. Organizations generally have several identity repositories. This means that the complete list of users, and the full identity information for each user, is distributed, with part held in each repository. Also, during the implementation of an identity management system, new identity fields that did not previously exist in the organization usually appear and are used to manage user identity data. The metadirectory service consolidates all of the organization's users into a single identity directory, together with the large set of information currently divided among the different repositories and, in some cases, the new data used to manage identity, so that it can be used by future services in the organization.
  • Authentication/Authorization. The authentication/authorization area is responsible for authenticating and authorizing the different users in the different services of the organization. In practice, depending on the organization, this does not normally involve new additions to the existing systems, but is rather obtained as a product of the provisioning area. However, it is sometimes necessary to modify the configuration of the services to fully align them with the organization’s business rules. In other cases, this area works on the implementation of APIs, generally operating against the metadirectory service, that make it possible to authenticate and authorize users.
  • SSO. Single Sign-On (SSO) is the next area that comes into play after authentication/authorization. Its purpose is to arrange processes so that once a user has been authenticated by one of the services, it is not necessary to re-authenticate the user in the organization's other services, because the first service issues the user a credential with which they can establish their identity to the rest of the services. SSO services are divided into two parts: Web/development SSO on one hand, and SSO for system services, such as a mail server, an FTP server, or access to a Windows/Linux terminal, on the other.
  • Federation. Another step that goes beyond authentication/authorization and SSO is federation. Federation is the area that works on the mechanisms for the interchange of identities between different organizations.
ANDAGO 2010