Identity Access Management for SSO and MFA Integration

Slide 1

Purpose of the System

Goal

To provide secure, seamless identity and access management through Single Sign-On (SSO) and Multi-Factor Authentication (MFA) capabilities, enabling organizations to protect their digital assets while delivering excellent user experience.

Problem Statement

Organizations face increasing security threats requiring stronger authentication mechanisms
Users struggle with managing multiple credentials across different applications
IT teams need centralized control over access policies and user provisioning
Compliance requirements demand robust audit trails and access governance

Business Objectives

Security: Reduce unauthorized access and credential theft through MFA
Productivity: Enable one-click access to multiple applications via SSO
Compliance: Meet regulatory requirements (SOC2, ISO 27001, GDPR)
Cost Reduction: Lower help desk costs by reducing password reset requests

Target Users

End Users: Employees accessing corporate applications
IT Administrators: Managing users, applications, and policies
Security Teams: Monitoring access patterns and threats
Application Owners: Integrating applications with IAM

Slide 2

Key Requirements - Functional

Authentication & Authorization

Support multiple authentication methods (password, biometric, smart cards)
Implement multi-factor authentication with various factors (SMS, email, TOTP, push notifications)
Provide risk-based adaptive authentication
Support federated authentication (SAML 2.0, OAuth 2.0, OpenID Connect)
Role-based access control (RBAC) and attribute-based access control (ABAC)

Single Sign-On

Enable SSO across web applications (cloud and on-premises)
Support multiple SSO protocols (SAML, OAuth, OIDC, Kerberos)
Provide seamless authentication experience with automatic token refresh
Support single logout (SLO) functionality

User Lifecycle Management

Automated user provisioning and de-provisioning
Self-service password reset and account recovery
User profile management and synchronization
Integration with HR systems and identity directories (AD, LDAP)

Session Management

Configurable session timeouts and idle timeouts
Concurrent session control and management
Session monitoring and analytics
Forced session termination capabilities

Application Integration

Pre-built connectors for popular SaaS applications
Custom application integration via APIs
Application catalog and user self-service access
Application-level access policies

Audit & Reporting

Comprehensive audit logs for all authentication events
Real-time monitoring and alerting
Compliance reporting and analytics
User activity dashboards

Slide 3

Key Requirements - Non-Functional

Security

End-to-end encryption (TLS 1.3 for transport, AES-256 for data at rest)
Zero Trust security model implementation
Token-based authentication with short-lived access tokens
Protection against common attacks (CSRF, XSS, SQL injection)
Regular security audits and penetration testing
Compliance with industry standards (SOC2, ISO 27001, HIPAA)

Performance

Authentication response time < 2 seconds (95th percentile)
SSO token validation < 100ms
Support 10,000 concurrent authentications per second
Page load time < 3 seconds for user portal
API response time < 500ms for standard operations

Availability

99.9% uptime SLA (less than 43 minutes downtime per month)
No single point of failure in architecture
Automated failover capabilities (< 30 seconds)
Disaster recovery with RPO < 1 hour, RTO < 4 hours
24/7 monitoring and incident response

Scalability

Support for 100,000+ concurrent users
Horizontal scaling capability for all components
Handle 1 million+ user accounts
Support integration with 500+ applications
Elastic scaling based on load patterns

Usability

Intuitive user interface with minimal training required
Responsive design for mobile and desktop
Accessibility compliance (WCAG 2.1 Level AA)
Multi-language support
Contextual help and documentation

Maintainability & Modifiability

Modular architecture allowing independent component updates
Comprehensive API documentation
Automated testing coverage > 80%
CI/CD pipeline for rapid deployments
Configuration-driven behavior (minimal code changes)
Backward compatibility for API versions

Slide 4

Utility Tree of Architecturally Significant Requirements (ASRs)

The utility tree prioritizes quality attributes based on business importance and technical risk. Each scenario is rated with two priorities: (Business Importance, Technical Difficulty).

Quality Attribute	Refinement	Scenario	Priority (H/M/L)
Security	Confidentiality	User credentials and tokens must be encrypted in transit and at rest, preventing unauthorized access even if network traffic is intercepted	(H, H)
	Authentication	System must detect and block brute force attacks within 5 failed attempts, locking account for 15 minutes	(H, M)
	Authorization	Access policies must be evaluated in < 50ms for every request, with no authorization bypass possible	(H, M)
Performance	Response Time	Authentication requests must complete within 2 seconds under normal load (1000 concurrent users)	(H, M)
Performance	Throughput	System must handle 10,000 authentication requests per second during peak hours	(H, H)
Availability	Fault Tolerance	Authentication service must remain operational even if one availability zone fails, with automatic failover < 30 seconds	(H, H)
Availability	Recoverability	System must recover from database failure within 4 hours with no data loss	(M, H)
Scalability	Load Handling	System must scale horizontally to support 50% increase in users within 10 minutes	(M, M)
Scalability	Data Volume	Support up to 1 million user accounts with no performance degradation	(M, M)
Modifiability	Extensibility	Add new authentication provider within 2 developer-days without modifying core authentication logic	(M, L)
Modifiability	Configurability	Modify authentication policies through configuration without code deployment	(M, L)
Usability	User Experience	New users can complete MFA enrollment within 3 minutes with 90% success rate	(M, L)

Top 5 Architecturally Significant Requirements

Security - Confidentiality: Encryption of credentials and tokens (H, H)
Performance - Throughput: Handle 10,000 requests/second (H, H)
Availability - Fault Tolerance: Automatic failover on zone failure (H, H)
Performance - Response Time: < 2 second authentication (H, M)
Security - Authentication: Brute force protection (H, M)

Slide 5

Tactics Used to Achieve Top 5 ASRs

ASR 1: Security - Confidentiality

Quality Attribute: Protect credentials and tokens from unauthorized access

Tactics Applied:

Encrypt Data: TLS 1.3 for all network communication, AES-256-GCM for data at rest
Hash Credentials: Bcrypt with salt for password storage (never store plaintext)
Limit Access: Role-based access control for administrative functions
Authorize Actors: OAuth 2.0 / OIDC with short-lived JWT tokens (15 min access, 7 day refresh)

Result: Even if database is compromised, credentials remain protected; intercepted traffic is unreadable

ASR 2: Performance - Throughput

Quality Attribute: Handle 10,000 authentication requests per second

Tactics Applied:

Increase Resources: Horizontal scaling with auto-scaling groups (10-50 instances)
Maintain Multiple Copies: Redis cluster for session caching and token validation
Introduce Concurrency: Asynchronous processing for non-critical operations (logging, analytics)
Load Balancing: Application Load Balancer with least-connection algorithm
Bound Execution Times: Circuit breakers on external service calls (3 sec timeout)

Result: Linear scalability; system handles peak loads by adding instances

ASR 3: Availability - Fault Tolerance

Quality Attribute: Automatic failover on availability zone failure

Tactics Applied:

Redundancy - Active: Multi-AZ deployment with active-active configuration
Health Monitoring: Continuous health checks every 30 seconds on all instances
Exception Detection: Automated detection of unresponsive nodes
Retry: Automatic request retry to healthy instances (exponential backoff)
Degraded Service: Cached authentication validation when database is unavailable

Result: Zero user-visible downtime during zone failures; automatic recovery in < 30 seconds

ASR 4: Performance - Response Time

Quality Attribute: Authentication completes within 2 seconds

Tactics Applied:

Caching: Redis cache for user profiles, policies, and session data (TTL: 5 minutes)
Reduce Computational Overhead: Pre-computed authorization rules in memory
Optimize Network: CDN for static assets, regional endpoints for API calls
Database Connection Pooling: Maintain warm connections (pool size: 20-100)
Asynchronous Processing: Offload audit logging and analytics to message queue

Result: 95th percentile response time < 1.5 seconds; cache hit rate > 85%

ASR 5: Security - Authentication

Quality Attribute: Protect against brute force attacks

Tactics Applied:

Detect Attacks: Rate limiting per IP address (10 requests/minute) and per user (5 attempts)
Respond to Attacks: Progressive delays after failed attempts; CAPTCHA after 3 failures
Recover from Attacks: Temporary account lockout (15 minutes) with notification
Risk-Based Authentication: Adaptive MFA based on user behavior, location, device
Audit: Log all authentication attempts for security analysis

Result: Brute force attacks blocked within 5 attempts; legitimate users minimally impacted

Slide 6

Software Architecture - Context Diagram

The context diagram shows the IAM system boundaries, external actors, and key integrations.

Context Diagram - System Boundaries and External Interactions

External Actors

End Users: Authenticate via web portal or mobile app to access applications
IT Administrators: Configure policies, manage users, monitor system health
Security Teams: Monitor authentication events, investigate anomalies
Client Applications: SaaS and on-premises applications consuming IAM services

External Systems & Integrations

Identity Directories: Active Directory, LDAP for user synchronization
HR Systems: Workday, SAP SuccessFactors for automated provisioning
MFA Providers: SMS gateways, email services, authenticator apps
SIEM Systems: Splunk, QRadar for security event correlation
PKI Infrastructure: Certificate authorities for certificate-based authentication
Cloud Providers: AWS, Azure, GCP for infrastructure services

Key Interfaces

SAML 2.0: Federation protocol for web SSO
OAuth 2.0 / OIDC: Modern API-based authentication and authorization
SCIM 2.0: User provisioning and lifecycle management
REST APIs: Administrative and integration interfaces
LDAP/LDAPS: Directory synchronization protocol

Slide 7

Software Architecture - Module Decomposition

The module view shows the logical organization of the system into layers and components.

Module Decomposition Diagram - Logical Component Organization

flowchart TB subgraph PRESENTATION["Presentation Layer - User Interface"] WEB["User Portal
React SPA
Login & App Dashboard"] ADMIN["Admin Console
Angular App
User & Policy Management"] SDK["Mobile SDK
iOS/Android
Biometric Auth"] end subgraph GATEWAY["API Gateway Layer - Entry Point & Security"] ROUTE["Request Routing
API Versioning
Load Distribution"] RL["Rate Limiting
DDoS Protection
Throttling"] AM["Auth Middleware
Token Validation
Request Authentication"] end subgraph SERVICES["Service Layer - Business Logic (Microservices)"] AUTH["Authentication Service
Password/MFA Validation
Risk Assessment"] USER["User Management
CRUD Operations
Provisioning/De-provisioning"] SESSION["Session Service
Token Generation
Session Lifecycle"] POLICY["Policy Engine
RBAC/ABAC Rules
Authorization Decisions"] FED["Federation Service
SAML/OAuth/OIDC
Token Exchange"] AUDIT["Audit Service
Event Logging
Compliance Reports"] NOTIF["Notification Service
Email/SMS/Push
MFA Code Delivery"] end subgraph DATA["Data Layer - Persistence & Caching"] PG[("PostgreSQL
User Profiles
Credentials
Policies")] REDIS[("Redis Cache
Session Store
Token Cache
Rate Limit State")] LOGS[("TimescaleDB
Audit Logs
Auth Events
Time-Series Data")] CONFIG[("Config Store
System Settings
App Metadata
Feature Flags")] end PRESENTATION -->|"REST/GraphQL API"| GATEWAY GATEWAY -->|"gRPC/REST"| SERVICES SERVICES -->|"SQL/Redis Protocol"| DATA

Presentation Layer

User Portal (Web): React-based SPA for end-user authentication and app access
Admin Console (Web): Angular-based dashboard for system administration
Mobile SDK: Native iOS/Android libraries for mobile integration

API Gateway Layer

API Gateway: Request routing, rate limiting, API versioning
Load Balancer: Traffic distribution across service instances
Authentication Middleware: Token validation, request authentication

Service Layer (Microservices)

Authentication Service: Credential validation, MFA orchestration, session creation
User Management Service: CRUD operations, provisioning, profile management
Session Service: Session lifecycle, token generation/validation, SSO state
Policy Engine: Authorization decisions, access control evaluation
Federation Service: SAML/OAuth/OIDC protocol handling
Directory Service: LDAP/AD synchronization, user search
Audit Service: Event logging, compliance reporting
Notification Service: Email, SMS, push notifications for MFA

Data Layer

User Database (PostgreSQL): User profiles, credentials, policies
Session Store (Redis): Active sessions, tokens, cache
Audit Database (TimescaleDB): Authentication logs, audit trails
Configuration Store: System configuration, application metadata

Cross-Cutting Concerns

Security Module: Encryption, key management, certificate handling
Monitoring Module: Metrics collection, health checks, alerting
Logging Module: Structured logging, log aggregation

Slide 8

Software Architecture - Component & Connector Diagram

The component and connector view shows runtime interactions, data flows, and communication patterns.

Component and Connector Diagram - Runtime Data Flow

flowchart TB USER["User Browser
HTTPS Client"] APPS["SaaS Apps
SAML/OAuth Client"] GW["API Gateway
Load Balancer
TLS Termination"] AUTH["Auth Service
Validate Credentials
MFA Challenge"] SESSION["Session Service
JWT Token Generation
Token Validation"] POLICY["Policy Engine
Evaluate Rules
Access Decision"] NOTIF["Notification Service
Send MFA Codes
Alert Users"] IDP["Directory Sync
User Import
Profile Update"] AUDIT["Audit Service
Log All Events
Compliance Trail"] DB[("PostgreSQL
User Data
Credentials (Hashed)")] REDIS[("Redis
Session Cache
Token Store")] LOGS[("Audit DB
Event Logs
Access History")] DIR[("Active Directory
Corporate Users
LDAP Protocol")] MQ["Message Queue
RabbitMQ
Async Processing"] USER -->|"1. Login POST
(username/password)"| GW APPS -->|"8. Token Validation
(Bearer Token)"| GW GW -->|"2. Route Request
gRPC Call"| AUTH AUTH -->|"3. Verify Password
SQL Query"| DB AUTH -->|"4. Send MFA Code
Async Message"| MQ MQ -->|"5. Deliver SMS/Email"| NOTIF AUTH -->|"6. Create Session
Generate JWT"| SESSION SESSION -->|"7. Store Token
SET Command"| REDIS GW -->|"9. Check Access
Policy Evaluation"| POLICY POLICY -->|"Authorization Decision"| AUTH AUTH -->|"10. Log Event
Kafka Message"| AUDIT AUDIT -->|"11. Persist Log
Batch Insert"| LOGS IDP -->|"Periodic Sync
LDAP Query"| DIR IDP -->|"Update Users
Bulk Update"| DB

Key Components & Connectors

1. Authentication Flow

User Browser ↔ API Gateway: HTTPS/REST (TLS 1.3)
API Gateway → Auth Service: gRPC (synchronous)
Auth Service ↔ User DB: PostgreSQL connection pool
Auth Service ↔ Redis: Redis protocol for session cache
Auth Service → Notification Service: RabbitMQ (asynchronous) for MFA codes

2. SSO Token Validation

Application → API Gateway: HTTPS/REST with Bearer token
API Gateway → Session Service: gRPC for token validation
Session Service ↔ Redis: Cache lookup (hit: < 10ms, miss: → User DB)
Session Service → Policy Engine: Authorization check via REST

3. User Provisioning

HR System → API Gateway: SCIM 2.0 REST API
API Gateway → User Service: gRPC for user CRUD
User Service → Directory Service: Event-driven (Kafka) for AD sync
Directory Service ↔ Active Directory: LDAPS protocol

4. Audit & Monitoring

All Services → Audit Service: Kafka message queue (async)
Audit Service → Audit DB: Batch inserts (TimescaleDB)
All Services → Monitoring: Prometheus metrics scraping
Monitoring → Alerting: Webhook to PagerDuty/Slack

Communication Patterns

Synchronous (Request-Response): User-facing operations, real-time validation
Asynchronous (Event-Driven): Notifications, audit logging, directory sync
Caching: Redis for session state, user profiles, authorization decisions
Database Replication: Master-slave for read scalability

Data Flow Security

All external communications use TLS 1.3
Internal service-to-service uses mTLS (mutual TLS)
Tokens signed with RS256 (RSA + SHA-256)
Sensitive data encrypted at rest using AES-256-GCM

Slide 9

Software Architecture - Deployment Diagram

The deployment view shows the physical infrastructure, network topology, and deployment configuration.

Deployment Diagram - Physical Infrastructure and Network Topology

flowchart TB INTERNET["Internet
Users & Applications"] CDN["CloudFront CDN
Static Assets
Edge Caching"] WAF["WAF + DDoS Protection
AWS Shield
Rate Limiting"] LB["Application Load Balancer
SSL/TLS Termination
Health Checks
Port 443"] subgraph REGION["AWS Region: us-east-1 (Multi-AZ for High Availability)"] subgraph AZ1["Availability Zone 1 (us-east-1a)"] API1["API Gateway
ECS Fargate
3 Containers
t3.large"] SVC1["Microservices
Auth: 5x c5.xlarge
Session: 4x c5.xlarge
Policy: 3x t3.large"] CACHE1[("Redis Cluster
ElastiCache
cache.r5.large
Read Replica")] end subgraph AZ2["Availability Zone 2 (us-east-1b)"] API2["API Gateway
ECS Fargate
3 Containers
t3.large"] SVC2["Microservices
Auth: 5x c5.xlarge
Session: 4x c5.xlarge
Policy: 3x t3.large"] CACHE2[("Redis Cluster
ElastiCache
cache.r5.large
Read Replica")] DBREP[("PostgreSQL
RDS Read Replica
db.r5.xlarge")] end subgraph AZ3["Availability Zone 3 (us-east-1c)"] API3["API Gateway
ECS Fargate
3 Containers
t3.large"] SVC3["Microservices
Auth: 5x c5.xlarge
Session: 4x c5.xlarge
Policy: 3x t3.large"] DB[("PostgreSQL Primary
RDS Multi-AZ
db.r5.2xlarge
Auto-Backup")] CACHE3[("Redis Primary
ElastiCache
cache.r5.large
Auto-Failover")] end MONITOR["Monitoring
CloudWatch
Prometheus
Grafana Dashboards"] LOGS["Log Aggregation
CloudWatch Logs
S3 Archive
ElasticSearch"] end INTERNET --> CDN INTERNET --> WAF WAF --> LB LB -->|"Round Robin
Health Check"| API1 LB -->|"Round Robin
Health Check"| API2 LB -->|"Round Robin
Health Check"| API3 API1 --> SVC1 API2 --> SVC2 API3 --> SVC3 SVC1 -.->|"Read"| CACHE1 SVC2 -.->|"Read"| CACHE2 SVC3 -.->|"Read/Write"| CACHE3 SVC1 -.->|"Read"| DBREP SVC2 -.->|"Read"| DBREP SVC3 -->|"Write/Read"| DB DB -.->|"Replication"| DBREP CACHE3 -.->|"Replication"| CACHE1 CACHE3 -.->|"Replication"| CACHE2 SVC1 --> MONITOR SVC2 --> MONITOR SVC3 --> MONITOR SVC1 --> LOGS SVC2 --> LOGS SVC3 --> LOGS

Infrastructure Overview

Cloud Provider: AWS (Multi-region deployment for DR)
Primary Region: us-east-1 (3 Availability Zones)
DR Region: us-west-2 (Active-passive)

Network Architecture

Public Subnet (DMZ)

Application Load Balancer (ALB): Internet-facing, SSL termination
CloudFront CDN: Static asset delivery, edge caching
WAF: Web Application Firewall for DDoS protection

Private Subnet - Application Tier

API Gateway: 3 instances (t3.large), auto-scaling 3-10
Authentication Service: 5 instances (c5.xlarge), auto-scaling 5-20
User Service: 3 instances (t3.large), auto-scaling 3-10
Session Service: 4 instances (c5.xlarge), auto-scaling 4-15
Policy Engine: 3 instances (t3.large), auto-scaling 3-10
Federation Service: 3 instances (t3.large), auto-scaling 3-8
Directory Service: 2 instances (t3.medium), auto-scaling 2-6
Audit Service: 2 instances (t3.medium), auto-scaling 2-5
Notification Service: 2 instances (t3.small), auto-scaling 2-5

Private Subnet - Data Tier

PostgreSQL (RDS): db.r5.2xlarge, Multi-AZ with read replicas (2)
Redis (ElastiCache): cache.r5.large, 3-node cluster with automatic failover
TimescaleDB (EC2): r5.xlarge, replicated across 3 AZs
RabbitMQ (Amazon MQ): mq.m5.large, active-standby deployment

Deployment Configuration

Container Orchestration: Amazon ECS with Fargate (serverless containers)
Service Discovery: AWS Cloud Map for service registration
Configuration Management: AWS Systems Manager Parameter Store
Secrets Management: AWS Secrets Manager with automatic rotation
CI/CD Pipeline: GitLab CI → ECR → ECS rolling deployment

Monitoring & Operations

Metrics: CloudWatch + Prometheus + Grafana dashboards
Logging: CloudWatch Logs → S3 archive → ElasticSearch for search
Tracing: AWS X-Ray for distributed tracing
Alerting: CloudWatch Alarms → SNS → PagerDuty

Security Configuration

Network Isolation: VPC with security groups and NACLs
Encryption: TLS 1.3 for transit, KMS for data at rest
Bastion Host: Session Manager for secure administrative access
DDoS Protection: AWS Shield Standard + WAF rate limiting

Slide 10

Description of How the System Works

End-to-End Authentication Flow with MFA

User Initiates Login
User navigates to application (e.g., Salesforce). Application redirects to IAM login page with SAML/OAuth request.
Credential Verification
User enters username/password. Auth Service validates credentials against User DB (bcrypt hash comparison). Risk assessment performed based on IP, device, location.
MFA Challenge
If risk score exceeds threshold or policy requires MFA, system sends challenge (SMS/Email/Push). User receives one-time code or push notification.
MFA Verification
User enters code or approves push. Auth Service validates MFA response. Time-based validation with 30-second window.
Session Creation
Upon successful authentication, Session Service creates session, generates JWT access token (15 min) and refresh token (7 days). Session stored in Redis cache.
Federation Response
Federation Service generates SAML assertion or OAuth authorization code. User redirected back to application with authentication response.
Token Exchange
Application exchanges authorization code for access token via back-channel call. Validates token signature and claims.
SSO to Additional Apps
User clicks on another app in portal. Session Service checks existing session in Redis. If valid, generates new app-specific token without re-authentication.
API Authorization
Application makes API calls with access token. API Gateway validates token, Session Service checks session status. Policy Engine evaluates authorization rules.
Session Maintenance
Session extended on user activity (sliding expiration). Background job cleans expired sessions. Forced logout possible via admin console.
Audit & Logging
All authentication events logged asynchronously to Audit DB. Real-time monitoring detects anomalies (impossible travel, brute force). Security team alerted on suspicious activity.

Key Technical Workflows

Directory Synchronization

Scheduled job (every 15 minutes) queries AD for user changes
Delta sync identifies new, modified, deleted users
User Service updates database, triggers provisioning to connected apps
Full reconciliation runs nightly to ensure consistency

Token Refresh Flow

Client detects access token expiration (< 1 minute remaining)
Sends refresh token to token endpoint
Session Service validates refresh token and session status
Issues new access token without user interaction

Slide 11

Key Learnings

Security as Foundation

Security quality attribute drives most architectural decisions in IAM systems. Defense-in-depth approach with multiple layers (encryption, authentication, authorization, audit) is essential. Zero Trust model requires continuous verification rather than perimeter-based security.

Performance vs. Security Trade-offs

Strong security measures (MFA, encryption, authorization checks) add latency. Strategic caching mitigates this but introduces consistency challenges. Token-based authentication balances security and performance by reducing database lookups.

Microservices Architecture Benefits

Decomposing IAM into focused services (Auth, User, Session, Policy) enables independent scaling and deployment. Each service can use optimal technology stack. Fault isolation prevents cascading failures.

Observability is Critical

Authentication failures can result from many causes. Comprehensive logging, metrics, and tracing are essential for troubleshooting. Audit trails are not just for compliance—they enable security analysis and anomaly detection.

Eventual Consistency Challenges

Distributed caching and multi-region deployment introduce consistency issues. Deleted users may temporarily authenticate via cache. Session revocation requires cache invalidation across all regions. Design for eventual consistency with acceptable windows.

Horizontal Scalability Patterns

Stateless service design enables easy horizontal scaling. Externalizing session state to Redis allows any instance to handle any request. Auto-scaling based on authentication rate handles traffic spikes (Monday mornings, product launches).

Availability Through Redundancy

Multi-AZ deployment eliminates single points of failure. Active-active configuration provides instant failover. Database replication and backup strategies are critical for disaster recovery. Trade-off: increased infrastructure cost.

Standards-Based Integration

Adopting industry standards (SAML, OAuth, OIDC, SCIM) simplifies integration with SaaS applications. Pre-built connectors reduce implementation time. Standards ensure interoperability and avoid vendor lock-in.

Modifiability Through Layering

Layered architecture (Presentation, API, Service, Data) isolates changes. Adding new authentication method doesn't affect authorization logic. Configuration-driven behavior reduces code changes for policy updates.

User Experience Matters

Strong security can frustrate users if not implemented thoughtfully. Risk-based MFA only prompts when necessary. Remember device reduces friction. SSO significantly improves productivity by eliminating repeated logins.

Asynchronous Processing

Non-critical operations (audit logging, notifications, analytics) use message queues. Decouples services and improves responsiveness. Failed messages can be retried without impacting user experience.

Compliance Requirements Shape Architecture

Regulations (GDPR, SOC2, HIPAA) mandate specific capabilities: audit trails, data encryption, access controls, data retention. Designing for compliance from the start avoids costly retrofits. Regular security audits validate architectural decisions.

Overall Insights

Building an enterprise IAM system requires balancing competing quality attributes. No single architecture pattern solves all problems—successful systems combine tactics strategically based on priorities. The utility tree methodology helps identify and prioritize ASRs, ensuring architectural effort focuses on high-impact scenarios. Understanding trade-offs (e.g., consistency vs. availability, security vs. usability) is essential for making informed architectural decisions.