IGA Platforms & Architecture

Identity Governance and Administration (IGA) platforms provide the technology foundation for identity governance. They automate the processes of identity lifecycle management, access certification, role management, SoD analysis, and compliance reporting.

Choosing the right IGA platform and architecture is one of the most consequential decisions an IAM architect makes — the platform must serve the organisation for 5-10 years while the identity landscape continues to evolve.

IGA Platform Capabilities

Core Capabilities

| Capability | Description | Maturity Required |
|---|---|---|
| Identity lifecycle management | Automated provisioning and deprovisioning across target systems | Foundational |
| Access certification | Campaign management, reviewer workflows, remediation automation | Foundational |
| Role management | Role engineering, role mining, role lifecycle, role certification | Intermediate |
| Segregation of duties | SoD policy definition, analysis, violation management | Intermediate |
| Access request | Self-service portal, approval workflows, entitlement catalogue | Foundational |
| Compliance reporting | Dashboard, evidence collection, auditor evidence packages | Intermediate |
| Identity analytics | Risk scoring, anomaly detection, peer group analysis | Advanced |
| Privileged access governance | Integration with PAM for privileged account lifecycle governance | Advanced |

IGA Platform Architecture

┌─────────────────────────────────────────────────────────┐
│                      IGA Platform                       │
├─────────────────────────────────────────────────────────┤
│  ┌──────────────┐  ┌──────────────┐  ┌────────────────┐ │
│  │  Identity    │  │  Governance  │  │  Compliance    │ │
│  │  Lifecycle   │  │  Engine      │  │  Reporting     │ │
│  │              │  │              │  │                │ │
│  │  • Provision │  │  • Certific. │  │  • Dashboards  │ │
│  │  • Sync      │  │  • SoD       │  │  • Evidence    │ │
│  │  • Recon     │  │  • Roles     │  │  • Auditor     │ │
│  └──────┬───────┘  └──────┬───────┘  └──────┬─────────┘ │
│         │                 │                 │           │
│  ┌──────┴─────────────────┴─────────────────┴─────────┐ │
│  │            Integration Bus (Connectors)            │ │
│  │  ┌───────┐ ┌───────┐ ┌───────┐ ┌───────┐ ┌──────┐  │ │
│  │  │AD/    │ │LDAP   │ │SCIM   │ │JDBC   │ │ REST │  │ │
│  │  │AzureAD│ │       │ │Client │ │       │ │ API  │  │ │
│  │  └───────┘ └───────┘ └───────┘ └───────┘ └──────┘  │ │
│  └────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
          │                 │                 │
          ▼                 ▼                 ▼
      ┌────────┐      ┌────────────┐    ┌───────────┐
      │   HR   │      │   Target   │    │  SIEM /   │
      │ System │      │  Systems   │    │   Audit   │
      └────────┘      └────────────┘    └───────────┘

Deployment Models

| Model | Description | Pros | Cons |
|---|---|---|---|
| SaaS / Cloud | Fully managed by vendor | No infrastructure, automatic upgrades, elastic scaling | Data sovereignty, vendor dependency |
| On-premises | Deployed in organisation's data centre | Full data control, air-gap options, custom integrations | Infrastructure overhead, manual upgrades |
| Hybrid | Core IGA in cloud, on-prem connectors for legacy | Best of both worlds | Complexity, integration challenges |
| Managed service | Vendor operates IGA for the organisation | Lowest operational burden | Highest TCO, limited customisation |

Integration Patterns

Connector Architecture

IGA platforms use connectors to integrate with target systems:

| Connector Type | Protocol | Examples | Sync Direction |
|---|---|---|---|
| Native connector | Built-in by vendor | AD, Azure AD, SAP, Workday | Bidirectional |
| SCIM connector | SCIM 2.0 | Salesforce, ServiceNow, Zoom, Slack | IGA → Target (provisioning) |
| JDBC connector | SQL database | Oracle DB, SQL Server, PeopleSoft | Bidirectional |
| LDAP connector | LDAPv3 | OpenLDAP, Oracle DSEE | Bidirectional |
| File-based connector | CSV, XML, JSON | Legacy systems, flat-file HR feeds | IGA → Target (one-way) |
| REST API connector | HTTP/REST | Any system with REST API | Bidirectional |

Key Integration Patterns

| Integration | Purpose | Criticality |
|---|---|---|
| HR → IGA | Identity feed for joiner/mover/leaver | Critical |
| IGA → Directory | Account creation, group membership | Critical |
| IGA → Target Systems | Provisioning and deprovisioning | High |
| IGA → PAM | Privileged account lifecycle governance | Medium |
| IGA → SIEM | Event forwarding for security monitoring | Medium |
| IGA → ITSM | Ticket creation, change management | Medium |
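The HR → IGA feed and the IGA → Target provisioning pattern above meet in the lifecycle engine's reconciliation step ("Recon" in the architecture diagram). As an added example, not code from the original page or from any vendor's connector, the block below diffs a constructed flat-file HR feed against a constructed snapshot of a SCIM-managed target and emits the SCIM 2.0 requests a SCIM connector would send for joiners, movers and leavers, while flagging orphan accounts (no HR identity behind them) for certification rather than acting on them automatically. The schema URNs are the standard SCIM 2.0 ones; the employee ids, e-mail addresses, account ids and department values are constructed sample data.

```python
import csv
import io

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed HR feed (the authoritative source) as a flat-file CSV export.
HR_FEED = """employee_id,email,department,status
1001,alice@example.com,Finance,active
1002,bob@example.com,Engineering,active
1003,carol@example.com,Finance,terminated
1004,dave@example.com,Sales,active
"""

# Constructed snapshot of a SCIM-managed target system, keyed by externalId.
TARGET_ACCOUNTS = {
    "1001": {"id": "u-1", "userName": "alice@example.com", "active": True, "department": "Finance"},
    "1003": {"id": "u-3", "userName": "carol@example.com", "active": True, "department": "Finance"},
    "1004": {"id": "u-4", "userName": "dave@example.com", "active": True, "department": "Marketing"},
    "9001": {"id": "u-9", "userName": "old-contractor@example.com", "active": True, "department": ""},
}


def reconcile(hr_csv, target):
    """Diff the HR feed against target accounts. Returns the SCIM 2.0 requests the
    connector would send (joiner/mover/leaver) and orphan accounts for review."""
    requests, seen = [], set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        eid, active = row["employee_id"], row["status"] == "active"
        acct = target.get(eid)
        seen.add(eid)
        if active and acct is None:
            # Joiner: no account yet, create one from the HR record
            requests.append(("POST", "/Users", {
                "schemas": [SCIM_USER, SCIM_ENT], "externalId": eid, "userName": row["email"],
                "active": True, SCIM_ENT: {"department": row["department"]}}))
        elif active and acct["department"] != row["department"]:
            # Mover: sync the changed attribute so role evaluation downstream sees it
            requests.append(("PATCH", f"/Users/{acct['id']}", {
                "schemas": [SCIM_PATCH], "Operations": [{"op": "replace",
                "path": f"{SCIM_ENT}:department", "value": row["department"]}]}))
        elif not active and acct is not None and acct["active"]:
            # Leaver: disable rather than delete so audit history survives
            requests.append(("PATCH", f"/Users/{acct['id']}", {
                "schemas": [SCIM_PATCH],
                "Operations": [{"op": "replace", "path": "active", "value": False}]}))
    # Accounts with no HR identity behind them: flag for certification, never act automatically
    orphans = sorted(eid for eid in target if eid not in seen)
    return requests, orphans
```

Running `reconcile(HR_FEED, TARGET_ACCOUNTS)` yields one POST (bob joins), a deactivating PATCH for carol, a department PATCH for dave, and `["9001"]` as the orphan list that a certification campaign should pick up.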

IGA Platform Selection Criteria

| Criterion | Weight | Evaluation Questions |
|---|---|---|
| Target system coverage | 25% | How many connectors are available? Are all our target systems supported? |
| Certification capabilities | 20% | Does it support risk-based certification, usage-based review, advanced reviewer workflows? |
| Role management | 15% | Does it include role mining? Role lifecycle management? Role certification? |
| Scalability | 10% | Can it handle our user count, entitlement count, and transaction volume? |
| Deployment flexibility | 10% | Is SaaS available? On-premises? Hybrid? |
| API and extensibility | 10% | Does it have a well-documented REST API? Custom connector SDK? |
| Reporting and analytics | 5% | Are dashboards customisable? Can evidence be organised by compliance framework? |
| Total cost of ownership | 5% | Licensing, implementation, ongoing operations, upgrade costs |

IGA Vendor Landscape

| Vendor | Deployment | Strengths | Best For |
|---|---|---|---|
| SailPoint | SaaS, On-prem | Most mature IGA, strong identity AI, broadest connector library | Large enterprises, complex IGA requirements |
| Saviynt | SaaS | Cloud-native IGA, strong SoD and PAM integration, risk analytics | Cloud-first organisations, mid-large enterprises |
| Microsoft | SaaS (Entra ID) | Integrated with Microsoft ecosystem, strong identity analytics, PIM for Azure AD | Microsoft-centric organisations |
| Okta | SaaS | Strong lifecycle management, excellent integration marketplace, workforce + customer IAM | Modern IT environments, cloud-native |
| Omada | SaaS, On-prem | Strong role management, certified SAP connectors | SAP-centric organisations, European market |
| One Identity | On-prem, SaaS | Strong PAM integration, mature on-premises deployment | Large on-premises environments |
| Hitachi ID | On-prem | Strong legacy system support, privileged access governance | Highly regulated, legacy-heavy enterprises |

Tip

When selecting an IGA platform, prioritise target system coverage above all other criteria. The best IGA platform in the world is useless if it cannot connect to your most critical applications. Evaluate connectors for your specific target systems in the proof of concept, not just in the vendor’s documentation.

IGA Implementation Best Practices

| Phase | Activity | Pitfalls to Avoid |
|---|---|---|
| Discovery | Document all target systems, user populations, and integration requirements | Underestimating the number of target systems or integration complexity |
| Design | Design role model, certification campaigns, approval workflows | Over-engineering before proving value; review with real managers |
| Build | Configure connectors, develop workflows, implement role model | Custom development where vendor functionality exists |
| Test | Test provisioning, certification, and reporting end-to-end | Testing only in lab — test with real user data |
| Deploy | Phased rollout — start with one target system or user group | Big-bang deployment; start with pilot group |
| Operate | Establish IGA operations team, define SLAs, monitor health | Assuming IGA runs itself — it requires ongoing administration |

Key Takeaways

  • IGA platforms automate identity lifecycle, access certification, role management, SoD analysis, and compliance reporting — they are the technology foundation of identity governance
  • IGA architecture centres on an integration bus with connectors to HR systems, target systems, directories, SIEM, and ITSM — connector coverage is the most critical selection criterion
  • Deployment models span SaaS (lowest overhead), on-premises (maximum control), hybrid (balanced), and managed service (minimum operations)
  • Key integration patterns include HR → IGA (identity feed), IGA → Directory (account management), and IGA → Target Systems (provisioning)
  • Platform selection should prioritise target system coverage, certification capabilities, role management, and scalability — evaluate connectors with your specific systems in the proof of concept
  • Implementation best practices include phased rollout starting with a pilot group, testing with real user data, and dedicating ongoing operational resources — IGA is a program, not a one-time project