In the world of zero-trust security and service mesh architectures, SPIFFE (Secure Production Identity Framework for Everyone) has emerged as a crucial standard for managing workload identities. However, a common question arises: How do you handle human identity in a SPIFFE-based system?

Understanding the Challenge

SPIFFE was designed specifically for machine-to-machine authentication and workload identity. It provides a standardized way to identify and authenticate workloads across different platforms and environments. However, human identity management presents unique challenges and requirements that don’t perfectly align with SPIFFE’s primary use case.

Potential Approaches

Let’s explore several approaches to bridge the gap between human identity and SPIFFE-based systems.

1. Workload-Based Approach

The most straightforward solution is to keep human identity separate and focus on assigning SPIFFE IDs to the services that humans interact with. In this model:

  • User-facing services receive SPIFFE IDs
  • Human authentication is handled by these services
  • The services then interact with other workloads using their SPIFFE identities

For example, a web portal might have a SPIFFE ID like:

spiffe://domain.com/portal/user-auth-service

This approach maintains a clear separation between human identity management and workload identity.

2. Identity Provider Integration

Another approach involves creating a bridge between existing Identity Provider (IdP) systems and SPIFFE-based workloads:

  • Keep human authentication in traditional IdP systems
  • Implement a bridge service with a SPIFFE ID
  • The bridge service validates human credentials and facilitates access to SPIFFE-authenticated services

A bridge service might have a SPIFFE ID like:

spiffe://domain.com/auth/human-idp-bridge

This approach leverages existing IAM infrastructure while enabling integration with SPIFFE-based systems.

While it’s technically possible to represent humans using SPIFFE IDs by creating a special trust domain:

spiffe://humans.domain.com/users/username

This approach is generally not recommended because:

  • It goes against SPIFFE’s intended design
  • It lacks support for human-specific identity management features
  • It might create confusion between human and workload identities

Best Practices and Recommendations

When dealing with human identity in SPIFFE-based systems:

  1. Keep human authentication separate from workload identity
  2. Use established IAM solutions for human identity management
  3. Focus SPIFFE IDs on the services and workloads that humans interact with
  4. Implement proper access controls at the service level
  5. Maintain clear documentation about how human identity maps to workload access

Conclusion

While SPIFFE provides excellent solutions for workload identity, it’s important to recognize its limitations when it comes to human identity management. Instead of trying to force human identity into SPIFFE, focus on building proper integrations between human IAM systems and SPIFFE-authenticated workloads.

By maintaining this separation while building proper bridges between systems, you can create a robust and secure identity management system that serves both human and machine authentication needs effectively.

Remember: The goal isn’t to make SPIFFE handle human identity, but rather to create a cohesive system where human and workload identity management work together seamlessly.