Identity Fabric
A unified identity graph that consolidates all identities across your organization into a single, queryable source of truth.
Overview
The Identity Fabric is TigerIdentity's foundational layer that creates a comprehensive view of every identity in your organization. It aggregates data from dozens of identity sources, resolves duplicate identities through entity resolution, and maintains a real-time graph of relationships between identities, resources, and permissions.
Unlike traditional identity systems that treat each source as a silo, the Identity Fabric continuously synchronizes and enriches identity data, providing a single API to query and manage all identities regardless of their origin.
Key Benefit: Eliminate identity fragmentation. Know exactly who and what has access to which resources, in real-time, across your entire technology stack.
How It Works
Data Ingestion
Connectors pull identity data from source systems (IdPs, cloud providers, databases, SaaS apps) via APIs or event streams. Changes are detected and synchronized within seconds.
Entity Resolution
The system identifies when multiple records represent the same identity (e.g., [email protected] in Okta and jdoe in AWS IAM) using configurable matching rules based on email, employee ID, or custom attributes.
Graph Construction
Identities, resources, and their relationships are stored in a graph database. This enables complex queries like "show all resources accessible by contractors in engineering" to be answered in milliseconds.
Enrichment
Additional context is layered on top: risk scores from security tools, behavioral patterns, session data, and custom attributes from your systems.
Identity Types
The Identity Fabric supports four core identity types, each with specific attributes and lifecycle management requirements.
Human Identities
Employees, contractors, and external users with accounts in your IdP.
- Email, name, department, title
- Group memberships and roles
- Authentication methods (MFA, SSO)
Service Accounts
Application identities used for service-to-service authentication.
- Owner and purpose metadata
- Credential rotation status
- Usage patterns and anomalies
API Keys & Tokens
Long-lived credentials for programmatic access to systems.
- Creation date and expiration
- Scope and permissions granted
- Last used timestamp and IP
AI Agents
Autonomous systems making decisions and taking actions on behalf of users.
- Model version and capabilities
- Delegated permissions from users
- Action audit trail
The Identity Graph
At the core of the Identity Fabric is a graph database that models relationships between identities, resources, and permissions. This enables powerful queries that are impossible with traditional directory services.
Graph Structure
Nodes
Identities, resources (databases, APIs, cloud accounts), groups, roles
Edges
HAS_ACCESS, MEMBER_OF, OWNS, MANAGES, DELEGATED_TO, AUTHENTICATED_AS
Attributes
Each node and edge can have custom attributes for context-aware decisions
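A minimal in-memory model of this graph structure, added here as an example (not TigerIdentity's code or API): it stores HAS_ACCESS and MEMBER_OF edges over a constructed set of nodes and answers a query such as "all resources accessible by contractors in engineering" by following group membership transitively, returning the edge path so a reviewer can see why each access exists. All node ids, attributes and timestamps are constructed.

```python
from collections import defaultdict

# Constructed sample graph: node id -> attributes, and (src, edge type, dst, edge attributes).
NODES = {
    "alice":    {"kind": "identity", "employment": "contractor", "department": "engineering"},
    "bob":      {"kind": "identity", "employment": "employee", "department": "engineering"},
    "ci-bot":   {"kind": "identity", "type": "service_account", "department": "engineering"},
    "eng":      {"kind": "group"},
    "s3-prod":  {"kind": "resource", "provider": "aws", "type": "s3_bucket"},
    "rds-prod": {"kind": "resource", "provider": "aws", "type": "rds_database"},
    "wiki":     {"kind": "resource", "provider": "atlassian", "type": "saas_app"},
}
EDGES = [
    ("alice", "MEMBER_OF", "eng", {}),
    ("bob", "MEMBER_OF", "eng", {}),
    ("eng", "HAS_ACCESS", "wiki", {"granted_at": "2026-01-10T09:00:00Z"}),
    ("alice", "HAS_ACCESS", "s3-prod", {"granted_at": "2026-01-15T10:30:00Z"}),
    ("ci-bot", "HAS_ACCESS", "rds-prod", {"granted_at": "2026-01-20T14:22:00Z"}),
]
OUT = defaultdict(list)          # adjacency list of outbound edges
for src, rel, dst, attrs in EDGES:
    OUT[src].append((rel, dst, attrs))

def effective_access(identity):
    # Resources reachable directly or through any chain of MEMBER_OF edges, as {resource: edge path}.
    found, stack, seen = {}, [(identity, [])], {identity}
    while stack:
        node, path = stack.pop()
        for rel, dst, attrs in OUT[node]:
            step = path + [f"{node} -{rel}-> {dst}"]
            if rel == "HAS_ACCESS":
                found.setdefault(dst, step)          # keep the first path found
            elif rel == "MEMBER_OF" and dst not in seen:
                seen.add(dst)                        # guard against group cycles
                stack.append((dst, step))
    return found

def query(where_identity, where_resource):
    # identity[where] -HAS_ACCESS (direct or inherited via groups)-> resource[where]
    rows = []
    for ident, attrs in NODES.items():
        if attrs["kind"] != "identity" or any(attrs.get(k) != v for k, v in where_identity.items()):
            continue
        for res, path in effective_access(ident).items():
            if all(NODES[res].get(k) == v for k, v in where_resource.items()):
                rows.append({"identity": ident, "resource": res, "path": path})
    return rows
if __name__ == "__main__":
    for row in query({"employment": "contractor", "department": "engineering"}, {}):
        print(row)
```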
curl -X POST https://api.tigeridentity.com/v1/graph/query \
  -H "Authorization: Bearer ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "match": [
        {
          "node": "identity",
          "where": { "email": "[email protected]" }
        },
        {
          "relationship": "HAS_ACCESS",
          "direction": "outbound"
        },
        {
          "node": "resource",
          "where": { "provider": "aws" }
        }
      ],
      "return": ["resource.arn", "resource.type", "relationship.granted_at"]
    }
  }'

# Response
{
  "results": [
    {
      "resource.arn": "arn:aws:s3:::production-data",
      "resource.type": "s3_bucket",
      "relationship.granted_at": "2026-01-15T10:30:00Z"
    },
    {
      "resource.arn": "arn:aws:rds:us-east-1:123456789:db:prod-db",
      "resource.type": "rds_database",
      "relationship.granted_at": "2026-01-20T14:22:00Z"
    }
  ]
}
Connectors
Connectors are the data pipelines that feed the Identity Fabric. Each connector is responsible for pulling identity data from a source system and normalizing it into the graph.
Connector Features
- Incremental sync (only changes since last sync)
- Webhook support for real-time updates
- Automatic retry with exponential backoff
- Rate limiting and quota management
Sync Intervals
- Real-time: via webhooks (0-5s latency)
- Fast: polling every 1-5 minutes
- Standard: polling every 15-60 minutes
- Full sync: daily reconciliation
apiVersion: tigeridentity.com/v1
kind: Connector
metadata:
  name: okta-production
  namespace: identity-sources
spec:
  type: okta
  config:
    domain: company.okta.com
    apiToken:
      secretRef:
        name: okta-credentials
        key: api-token
  sync:
    # Incremental sync every 5 minutes
    interval: 5m
    # Full reconciliation daily
    fullSyncInterval: 24h
    # Enable webhook for real-time updates
    webhook:
      enabled: true
      endpoint: https://webhooks.tigeridentity.com/okta
  mappings:
    # Map Okta attributes to Identity Fabric schema
    - source: profile.email
      target: attributes.email
      required: true
    - source: profile.department
      target: attributes.department
    - source: profile.employeeNumber
      target: attributes.employeeId
      matchKey: true # Use for entity resolution
  filters:
    # Only sync active users
    - field: status
      operator: equals
      value: ACTIVE
Attributes & Enrichment
Every identity in the fabric can be enriched with additional attributes from multiple sources. These attributes are used by the policy engine to make context-aware access decisions.
Standard Attributes
Automatically extracted from identity sources: email, name, department, manager, groups, roles, MFA status, last login.
Security Enrichment
Risk scores from SIEM/EDR tools, device posture (managed vs BYOD, OS version, encryption status), location and IP reputation.
Behavioral Attributes
Typical access patterns, anomaly scores, peer group comparisons, time-of-day analysis computed by TigerIdentity's ML engine.
Custom Attributes
Add your own attributes via API or webhook. Examples: security clearance level, background check status, training completions, project assignments.
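How a connector's mappings, matchKey flags and filters feed entity resolution (the matching step described under How It Works and the mappings section of the Connector resource above), as an added example that is not TigerIdentity's code: the specs, the raw Okta-like and AWS-IAM-like records, the attribute names and the email addresses are all constructed, and the union-find merge is a standard technique rather than the product's documented algorithm.

```python
# Constructed connector specs (Okta-like and AWS-IAM-like) in the shape of the Connector
# mappings/filters above, plus constructed raw records as each source API might return them.
SPECS = {
    "okta": {"filters": [{"field": "status", "operator": "equals", "value": "ACTIVE"}],
             "mappings": [{"source": "profile.email", "target": "attributes.email", "required": True},
                          {"source": "profile.employeeNumber", "target": "attributes.employeeId", "matchKey": True}]},
    "aws-iam": {"filters": [],
                "mappings": [{"source": "UserName", "target": "attributes.username", "required": True},
                             {"source": "Tags.employee_id", "target": "attributes.employeeId", "matchKey": True}]},
}
RAW = [
    ("okta", {"status": "ACTIVE", "profile": {"email": "JDoe@example.com", "employeeNumber": "E100"}}),
    ("okta", {"status": "DEPROVISIONED", "profile": {"email": "old@example.com", "employeeNumber": "E001"}}),
    ("aws-iam", {"UserName": "jdoe", "Tags": {"employee_id": " e100 "}}),  # same person, untidy tag value
    ("aws-iam", {"UserName": "deploy-bot"}),                               # no match key: stays separate
]

def get_path(record, path):
    for part in path.split("."):  # walk a dotted path such as profile.email; None if a hop is missing
        record = record.get(part) if isinstance(record, dict) else None
    return record

def normalize(source, raw):
    # Apply the source's filters, then its mappings; None if filtered out or a required field is absent.
    if any(raw.get(f["field"]) != f["value"] for f in SPECS[source]["filters"] if f["operator"] == "equals"):
        return None
    rec = {"source": source, "attributes": {}, "matchKeys": set()}
    for m in SPECS[source]["mappings"]:
        val = get_path(raw, m["source"])
        if val is None:
            if m.get("required"): return None
            continue
        val = val.strip().lower() if isinstance(val, str) else val  # canonicalise before matching
        key = m["target"].split(".", 1)[1]
        rec["attributes"][key] = val
        if m.get("matchKey"): rec["matchKeys"].add((key, val))
    return rec

def resolve(raw_records):
    # Entity resolution: normalized records sharing any (attribute, value) match key are merged, transitively.
    recs = [r for r in (normalize(s, x) for s, x in raw_records) if r]
    parent = list(range(len(recs)))                       # union-find over record indexes
    find = lambda i: i if parent[i] == i else find(parent[i])
    seen = {}
    for i, rec in enumerate(recs):
        for mk in rec["matchKeys"]:
            if mk in seen: parent[find(i)] = find(seen[mk])
            seen.setdefault(mk, i)
    groups = {}
    for i, rec in enumerate(recs):
        label = rec["source"] + ":" + (rec["attributes"].get("email") or rec["attributes"]["username"])
        groups.setdefault(find(i), []).append(label)
    return sorted(sorted(g) for g in groups.values())
```

Running `resolve(RAW)` merges the Okta and AWS IAM records for the same employee number, drops the deprovisioned user at the filter stage, and leaves the untagged IAM user as its own identity, which is the case an owner-metadata review would flag.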
Build on the Identity Fabric
Start consolidating your identity sources into a unified graph.