Ian Glazer, profile picture
Uploaded byIan Glazer
PPTX, PDF1,615 views

Do we have a round wheel? Thoughts on Identity standards

The document discusses how identity management systems continually reinvent themselves as tasks and requirements change, similar to how humans reinvent the wheel. It examines how authentication, authorization, attributes, and user provisioning have evolved through multiple standards and protocols. While progress has been made, opportunities remain to adopt modern standards, help others adopt standards, demand standards from technology and service providers, and establish identity relationship management to connect organizations and services in a standards-based way. The goal is to develop interoperable, round wheels that can effectively handle the loads of relating people, devices, and things.

Embed presentation

Downloaded 20 times
1 / 209
2 / 209
3 / 209
4 / 209
5 / 209
6 / 209
7 / 209
8 / 209
9 / 209
10 / 209
11 / 209
12 / 209
13 / 209
14 / 209
15 / 209
16 / 209
17 / 209
18 / 209
19 / 209
20 / 209
21 / 209
22 / 209
23 / 209
24 / 209
25 / 209
26 / 209
27 / 209
28 / 209
29 / 209
30 / 209
31 / 209
32 / 209
33 / 209
34 / 209
35 / 209
36 / 209
37 / 209
38 / 209
39 / 209
40 / 209
41 / 209
42 / 209
43 / 209
44 / 209
45 / 209
46 / 209
47 / 209
48 / 209
49 / 209
50 / 209
51 / 209
52 / 209
53 / 209
54 / 209
55 / 209
56 / 209
57 / 209
58 / 209
59 / 209
60 / 209
61 / 209
62 / 209
63 / 209
64 / 209
65 / 209
66 / 209
67 / 209
68 / 209
69 / 209
70 / 209
71 / 209
72 / 209
73 / 209
74 / 209
75 / 209
76 / 209
77 / 209
78 / 209
79 / 209
80 / 209
81 / 209
82 / 209
83 / 209
84 / 209
85 / 209
86 / 209
87 / 209
88 / 209
89 / 209
90 / 209
91 / 209
92 / 209
93 / 209
94 / 209
95 / 209
96 / 209
97 / 209
98 / 209
99 / 209
100 / 209
101 / 209
102 / 209
103 / 209
104 / 209
105 / 209
106 / 209
107 / 209
108 / 209
109 / 209
110 / 209
111 / 209
112 / 209
113 / 209
114 / 209
115 / 209
116 / 209
117 / 209
118 / 209
119 / 209
120 / 209
121 / 209
122 / 209
123 / 209
124 / 209
125 / 209
126 / 209
127 / 209
128 / 209
129 / 209
130 / 209
131 / 209
132 / 209
133 / 209
134 / 209
135 / 209
136 / 209
137 / 209
138 / 209
139 / 209
140 / 209
141 / 209
142 / 209
143 / 209
144 / 209
145 / 209
146 / 209
147 / 209
148 / 209
149 / 209
150 / 209
151 / 209
152 / 209
153 / 209
154 / 209
155 / 209
156 / 209
157 / 209
158 / 209
159 / 209
160 / 209
161 / 209
162 / 209
163 / 209
164 / 209
165 / 209
166 / 209
167 / 209
168 / 209
169 / 209
170 / 209
171 / 209
172 / 209
173 / 209
174 / 209
175 / 209
176 / 209
177 / 209
178 / 209
179 / 209
180 / 209
181 / 209
182 / 209
183 / 209
184 / 209
185 / 209
186 / 209
187 / 209
188 / 209
189 / 209
190 / 209
191 / 209
192 / 209
193 / 209
194 / 209
195 / 209
196 / 209
197 / 209
198 / 209
199 / 209
200 / 209
201 / 209
202 / 209
203 / 209
204 / 209
205 / 209
206 / 209
207 / 209
208 / 209
209 / 209
Ian Glazer Senior Director, Identity Salesforce Identity @iglazer Do we have a round wheel yet?
Why do humans continually reinvent what they already have?
1. functional thing 2. attempt to “fix” it 3. break it 4. fix it 5. functional++ thing
Why is it that we reinvent the wheel?
Eventually we get a round one.
Why do we do this in the world of identity?
We reinvent the wheel when tasks change
SOA SOAP XML
services SOAP XML
services REST XML
services REST JSON
IAM has to stay contemporary
The load our IAM wheels have to carry has changed.
IAM in transition
Right Access Right People Right Time
Right Experience Right People Right Time
Right Experience Right People & Things Right Time
Right Experience Right People & Things Right Time Right Place
But that’s not all
firstName lastName email mobile ou nickname title … firstName lastName email mobile ou nickname title … firstName lastName email mobile ou nickname title … firstName lastName email mobile ou nickname title …
Reasonably large number of identities with a reasonable number of attributes
We are being asked to haul more and different identities
deviceID firmware deviceID firmware deviceID firmware deviceID firmware
25,000,000,000?
50,000,000,000?
Unreasonably large number of identities with a few attributes
Reports to Reports toReports to Works with
Reports to Reports toReports to Owns Works with Owns
Reports to Reports toReports to Owns Owns Owns Sends data to Gets data from Owns Paired with Uses Controls Works with
Reports to Reports toReports to Owns Owns Owns Sends data to Gets data from Owns Paired with Uses Controls Owns Uses Uses Constrains choice of Works with
Reports to Reports toReports to Owns Owns Owns Sends data to Gets data from Owns Paired with Uses Controls Owns Uses Uses Constrains choice of Sends data to Ridden in Ridden in Works with
Unreasonably large number of relationships between unreasonably large numbers of people and things, each with attributes
1. Authentication 2. Authorization 3. Attributes 4. User Provisioning
Authentication
Authentication Round
Multiple Protocols Multiple Standards
Complexity Maturity
OpenID Connect could use a few more miles on the road
But you should start today with it
What about representing identity assurance?
Can we harmonize levels of assurance?
Should we?
myLOA 2 = urLOA 3.1
You’ve been proofed. You’ve been authenticated.
So what?
Deployment matters.
Poorly deploying strong authentication makes it weak authentication.
LOA? Trust Framework? Start here?
Authentication’s wheel still has lumps
1. Reinvention 2. IAM’s Collective Shame
Reinventing just to reinvent
OAuth A4C
OAuth A4C
IAM’s collective shame
Password Vaulting
The need for password vaulting
We’ve had fully workable authentication standards for years
Yet we still password vault
Not enough service provider enablement
SP’s not acting on behalf of their customers’ interests
Standards-based authentication
(Standards-based user provisioning too)
Mobile-optimized authN will (hopefully) force SPs to act
Killing passwords is IAM’s new black
Killing the need for password vaulting
More reasonable More achievable More effective
Authentication standards Federated SSO
2017
ADD ROUND PICTURE!
Authorization
Authentication Round Authorization Not Round*
1. Over-inflated 2. Flat
XACML can do anything
Things that allow you to do anything
tend to make it hard to do anything
Focus on the PAPs not the protocol
XACML must be contemporary
REST & JSON are good steps forward
Could be used to represent authorization decisions
Semantics of scopes?
Binding obligations = duties of actors
Still needs more miles on the road
Enterprise-to- Enterprise use cases, please?
How can a thing make a decision with more autonomy?
How can we make decisions closer to the place and time of use?
Actionable relationships
Can perform actions Q, W, and E Can perform actions X, Y, and Z
Can perform actions Q, W, and E Can perform actions X, Y, and Z
Can perform actions Q, W, and E Can perform actions X, Y, and Z
? ?
ADD NOT ROUND WHEEL
Attributes
Authentication Round Authorization Not Round* Attributes Roundish
The Sad Magic of Commas.
1. Access 2. Representation
Access
Optimized for the modern web?
Graph APIs UserInfo Endpoints ADAP
LDAP?
Optimized for the modern web!
Representation
Name-Value Pairs
Name-Value Pair is the new comma
Name-Value Pairs Ubiquitous ✅ Standard Schema ❌
Anyone else miss inetOrgPerson?
inetOrgPerson for a new generation?
hipsterOrgPerson
dn:cn=Barbara Jensen, ou=WhatEvs, dc=company, dc=com objectclass:top objectclass:person objectclass:hipsterOrgPerson cn: Barbara Jensen nickname: Daisy favBand: no one you’ve ever heard of whatRUHaving: Fireball with a pickleback title: social media guru twitter: @daisypop89 email: isforoldpeople@irony.aol.com postalCode: 11211 country: USA! USA! telexNumber: is that like a fax or something?
Make SCIM schema the standard?
Standardizing schema can only work in communities of interest
User Provisioning
Authentication Round Authorization Not Round* Attributes Roundish User Provisioning Near Roundish
SPML
SPML v2 was not round
DSML v2 was round
But neither are well suited for the modern web
Others is supporting it.
Others are supporting it.
Join us!
Needs more miles on the road
Solid use case representation
Employee Identity User Provisioning
Customer Identity User Provisioning
Customer Identity Profile Management
SCIM can handle both
ADD ROUNDISH WHEEL
How round are the identity wheels?
Authentication Round Authorization Not Round* Attributes Roundish User Provisioning Near Roundish
Do we need things other than wheels?
How do you discover the identity services of a service provider?
Besides RTFM?
How do you know if they use
SAML SCIM proprietary attribute API FIDO U2F?
How do we connect our orgs and our identity services?
How do we kickstart relationships without paying p2p costs?
Hubs and axles for our roundish wheels
Remove the heavy lifting for providing and consuming services
This is where we must go.
Our future
People and things more closely related
Identity as business enabler
Right Access Right People Right Time
Right Experience Right People Right Time
Right Experience Right People & Things Right Time
Right Experience Right People & Things Right Time Right Place
We are going to shoulder a heavy load.
Round wheel Workable standards
Making and measuring progress
We need a set of design considerations.
The Laws of Relationships • Acknowledgeable • Actionable • Constrainable • Contextual •Immutable •Provable •Revocable •Scalable •Transferrable
Identity Relationship Management Working Group
Joni Brennan @jonibrennan Allan Foster @guruallan
1. Adopt standards
If you don’t, you are inventing your own wheel
That is a short-term optimized strategy at best.
If the current ones don’t work for you, bring out your use cases.
Kelly Grizzle @kelly_grizzle Nat Sakimura @_nat Leif Johansson @leifjohansson Maciej Machulak @mmachulak John Bradley @ve7jtb
2. Help others to adopt
Build SDKs to help people use OpenID and SAML
Support open source implementations of SCIM and OAuth
Start with your organization’s developers,
then help the community.
3. Demand standards
From your identity technology providers.
Demand standards
From your business service providers.
Demand standards
From your own developer teams.
Demand standards
If for no other reason than to kill off the need for password vaulting.
Demand standards
A round wheel ≠ the goal
A great spec is satisfying
A great spec is satisfying Pamela Dingle @pamelarosiedee Chuck Mortimore @cmort Eve Maler @xmlgrrl David Brossard @davidjbrossard Susan Morrow @avocoidentity Brian Campbell @__b_c
but it isn’t the end goal.
We reinvent the wheel,
we revisit and rebuild our standards
to get round, beautifully functioning ones
to carry the loads we must shoulder,
to get us where we need to go
in this era of modern identity.
Thanks!

More Related Content

PDF
Introducing Salesforce Identity
bySalesforce Developers
 
PDF
Integrating Active Directory with Salesforce
bySalesforce Developers
 
PDF
Integrating Active Directory With Salesforce Using Identity Connect
bySalesforce Developers
 
PPTX
Secure Development on the Salesforce Platform - Part I
bySalesforce Developers
 
PPTX
Secure Development on the Salesforce Platform - Part 2
bySalesforce Developers
 
PPTX
Secure Development on the Salesforce Platform - Part 3
byMark Adcock
 
PPTX
DO WE HAVE A ROUND WHEEL YET?
byForgeRock
 
PDF
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
byCA API Management
 
Introducing Salesforce Identity
bySalesforce Developers
 
Integrating Active Directory with Salesforce
bySalesforce Developers
 
Integrating Active Directory With Salesforce Using Identity Connect
bySalesforce Developers
 
Secure Development on the Salesforce Platform - Part I
bySalesforce Developers
 
Secure Development on the Salesforce Platform - Part 2
bySalesforce Developers
 
Secure Development on the Salesforce Platform - Part 3
byMark Adcock
 
DO WE HAVE A ROUND WHEEL YET?
byForgeRock
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
byCA API Management
 

Similar to Do we have a round wheel? Thoughts on Identity standards

KEY
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond
byIan Glazer
 
PPTX
Catalyst 2015: Patrick Harding
byPing Identity
 
PPTX
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
byChris Phillips
 
PDF
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
byJean-François LOMBARDO
 
PDF
The Case For Next Generation IAM
byPatrick Harding
 
PPTX
SWXG 2010.6.9 v2
byPaul Trevithick
 
PPTX
Centralisation of IAM (Identity and Access Management) 7 modern trends every ...
byIbrahim Muhammadi
 
PDF
Standards and APIs: How to Best Build Platforms and Tools to Manage Identity ...
byDana Gardner
 
PPTX
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
byPing Identity
 
PDF
Advanced Authentication: Past, Present, and Future
bySecureAuth
 
PPTX
Campus Consortium EdTalks Featuring Clemson University
byCampus Consortium
 
PDF
CIS14: Identity at Scale: Building from the Ground Up
byCloudIDSummit
 
PDF
Patterns to Bring Enterprise and Social Identity to the Cloud
byCA API Management
 
PDF
PSCR 2019 - ICAM Standards
byAdam Lewis
 
PPTX
Identity Management: Using OIDC to Empower the Next-Generation Apps
byTom Freestone
 
PPT
Opening Up User-Centric Identity
byEduserv Foundation
 
PDF
Navigating Identity and Access Management in the Modern Enterprise
byWSO2
 
PDF
Five Things You Gotta Know About Modern Identity
byMark Diodati
 
PDF
CIS14: Spinning New Threads with Existing Identity Systems
byCloudIDSummit
 
PDF
Who’s Knocking? Identity for APIs, Web and Mobile
byNordic APIs
 
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond
byIan Glazer
 
Catalyst 2015: Patrick Harding
byPing Identity
 
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
byChris Phillips
 
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
byJean-François LOMBARDO
 
The Case For Next Generation IAM
byPatrick Harding
 
SWXG 2010.6.9 v2
byPaul Trevithick
 
Centralisation of IAM (Identity and Access Management) 7 modern trends every ...
byIbrahim Muhammadi
 
Standards and APIs: How to Best Build Platforms and Tools to Manage Identity ...
byDana Gardner
 
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
byPing Identity
 
Advanced Authentication: Past, Present, and Future
bySecureAuth
 
Campus Consortium EdTalks Featuring Clemson University
byCampus Consortium
 
CIS14: Identity at Scale: Building from the Ground Up
byCloudIDSummit
 
Patterns to Bring Enterprise and Social Identity to the Cloud
byCA API Management
 
PSCR 2019 - ICAM Standards
byAdam Lewis
 
Identity Management: Using OIDC to Empower the Next-Generation Apps
byTom Freestone
 
Opening Up User-Centric Identity
byEduserv Foundation
 
Navigating Identity and Access Management in the Modern Enterprise
byWSO2
 
Five Things You Gotta Know About Modern Identity
byMark Diodati
 
CIS14: Spinning New Threads with Existing Identity Systems
byCloudIDSummit
 
Who’s Knocking? Identity for APIs, Web and Mobile
byNordic APIs
 

Recently uploaded

PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
apidays New York 2025 | AI in Application Security
byapidays
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Workflow and decision Automation with Flowable
bychakib ch
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 

Do we have a round wheel? Thoughts on Identity standards

Editor's Notes

  • #3 Why do human continually seem to reinvent what they already have? Why is it that we take a reasonably functional thing and attempt to rebuild it and in doing so render that reasonably functional thing non-functional for a while? Why is it that we reinvent the wheel?
  • #4 Why is it that we take a reasonably functional thing and attempt to rebuild it and in doing so render that reasonably functional thing non-functional for a while?
  • #5 Because eventually, we get a round one. Anyone who has worked on technical standards, especially identity standards, recognizes this pattern. We build reasonably workable standards only to rebuild and recast them a few years later.
  • #7 We do this not because we develop some horrid allergy to angle brackets, an allergy that can only be calmed by mustache braces. This is not why we reinvent the wheel, why we revisit and rebuild our standards. Furthermore, revisiting and rebuilding standards isn’t simply a “make-work” affair for this guy (insert picture of Tony in Google t-shirt
  • #10 We reinvent the wheel the tasks needed of those wheels change. In IAM, the shift from SOA, SOAP, and XML to little s services, REST, and JSON was profound. And we had to stay contemporary with the way the web and developers worked. In this case, the technical load that our IAM wheels had to carry changed.
  • #17 But there is a more profound change to the tasks we must perform and the loads we must transport and it too will require us to examine our standards and see if they are up to the task.
  • #18 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #19 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #20 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #21 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #24 IAM is really good at a reasonable number of identities with a lot of attributes
  • #25 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #26 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #27 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #28 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #33 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #34 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #35 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #36 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #37 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #38 but how well will it hold up when we have a completely unreasonable number of identities with very few attributes?
  • #39 25B according to Gartner.
  • #40 50B according to Cisco. I guess we know who has more to gain
  • #42 IAM can handle some amount relationships
  • #48 But this transition is not just from managing identities of people carbon-based life forms to silicon ones. Today we are okay at managing a few relationships each with very few attributes. But what we as an industry must do is manage a completely unreasonable number of relationships between an unreasonable number of things and each of these relationships has a fair number of attributes of their own. That, my friends, is a heavy load to haul.
  • #49 Let’s consider identity standards and their “roundness” Image courtesy of NARA: https://upload.wikimedia.org/wikipedia/commons/thumb/f/fa/As_this_big_pile_of_used_auto_tires_indicates%2C_the_United_States_with_its_many_passenger_cars_has_in_discarded_tires..._-_NARA_-_535587.tif/lossy-page1-1244px-As_this_big_pile_of_used_auto_tires_indicates%2C_the_United_States_with_its_many_passenger_cars_has_in_discarded_tires..._-_NARA_-_535587.tif.jpg
  • #51 Overall, I’d say the authentication wheel is round, maybe could use a little air, but its round. We’ve got multiple protocols, multiple standards, which is both a reflection of the complexity of the problem and the maturity of the problem. Now some of these protocols do need a few more miles on them – OpenID Connect but by no means does this mean you shouldn’t use it today. Expect new profiles over time but you certainly can get going today. And where OpenID Connect cannot take you, trusty SAML still can. Although authentication is okay, representing assurance isn’t. I wonder if we need to harmonize level of assurance. I also wonder if this is even possible. Knowing that a person was proofed and how they were authenticated is nice, but as Mark D will be the first to tell you deployment matters. You can deploy a strong auth technology poorly rendering into a weaker state. So knowing your LOA 3 is my LOA 2.25 might not be useful. More importantly, I wonder how small and medium sized organizations, those without a resident identity dork, figure out what LOA to require, what trust framework to use, and how to proceed. This to me, seems like a place for the IDESG and its ilk. And although the authentication wheel is round, that doesn’t mean it isn’t without its lumps. First, we do see some reinventing the wheel just to reinvent the wheel. OAuth A4C is simply not a fruitful activity. Second, the fact that password vaulting exists at this point in history is an embarrassment. To be clear, I am not saying that password vaulting solutions and vendors are an embarrassment. The fact that, having had workable authentication standards for this many years and we still have password vaulting is an embarrassment to our profession. It means that identity vendors have not done enough to enable service providers. It means that service providers still exist who do not want to operate in the best interest of their enterprise customers. At the minimum those service provider must offer a standards-based approach to authentication (and user provisioning would be nice too.) The existence of password vaulting means that organizations haven’t been loud enough in their demands for a better login experience. Interestingly enough, I think the need for a mobile-optimized authentication experience will force service providers hands. I know we are all trying to kill the password but I think a more reasonable, more achievable, and more effective goal is to eliminate the need for password vaulting through the use of authentication and federated SSO standards. By 2020, if I am still saying this, we have failed.
  • #52 Authentication’s wheel is round! Could use a bit of air but pretty good
  • #56 Expect new profiles over time but you certainly can get going today.
  • #57 If OpenID Connect can’t get you there today…
  • #58 SAML can
  • #59 Although authentication is okay, representing assurance isn’t. I wonder if we need to harmonize level of assurance. I also wonder if this is even possible. Knowing that a person was proofed and how they were authenticated is nice, but as Mark D will be the first to tell you deployment matters. You can deploy a strong auth technology poorly rendering into a weaker state. So knowing your LOA 3 is my LOA 2.25 might not be useful. More importantly, I wonder how small and medium sized organizations, those without a resident identity dork, figure out what LOA to require, what trust framework to use, and how to proceed. This to me, seems like a place for the IDESG and its ilk.
  • #63 Knowing that a person was proofed and how they were authenticated is nice
  • #66 So knowing your LOA 3 is my LOA 2.25 might not be useful.
  • #67 More importantly, I wonder how small and medium sized organizations, those without a resident identity dork, figure out what LOA to require, what trust framework to use, and how to proceed. This to me, seems like a place for the IDESG and its ilk.
  • #68 IDESG to the rescue?
  • #69 And although the authentication wheel is round, that doesn’t mean it isn’t without its lumps. First, we do see some reinventing the wheel just to reinvent the wheel. OAuth A4C is simply not a fruitful activity. Second, the fact that password vaulting exists at this point in history is an embarrassment. To be clear, I am not saying that password vaulting solutions and vendors are an embarrassment. The fact that, having had workable authentication standards for this many years and we still have password vaulting is an embarrassment to our profession. It means that identity vendors have not done enough to enable service providers. It means that service providers still exist who do not want to operate in the best interest of their enterprise customers. At the minimum those service provider must offer a standards-based approach to authentication (and user provisioning would be nice too.) The existence of password vaulting means that organizations haven’t been loud enough in their demands for a better login experience. Interestingly enough, I think the need for a mobile-optimized authentication experience will force service providers hands.
  • #72 OAuth A4C is simply not a fruitful activity
  • #73 OAuth A4C is simply not a fruitful activity
  • #74 Second, the fact that password vaulting exists at this point in history is an embarrassment. To be clear, I am not saying that password vaulting solutions and vendors are an embarrassment.
  • #77 The fact that, having had workable authentication standards for this many years and we still have password vaulting is an embarrassment to our profession. It means that identity vendors have not done enough to enable service providers. It means that service providers still exist who do not want to operate in the best interest of their enterprise customers. At the minimum those service provider must offer a standards-based approach to authentication (and user provisioning would be nice too.) The existence of password vaulting means that organizations haven’t been loud enough in their demands for a better login experience. Interestingly enough, I think the need for a mobile-optimized authentication experience will force service providers hands.
  • #79 t means that identity vendors have not done enough to enable service providers.
  • #80 It means that service providers still exist who do not want to operate in the best interest of their enterprise customers.
  • #81 At the minimum those service provider must offer a standards-based approach to authentication (and user provisioning would be nice too.) The existence of password vaulting means that organizations haven’t been loud enough in their demands for a better login experience. Interestingly enough, I think the need for a mobile-optimized authentication experience will force service providers hands.
  • #83 We need organizations to be louder in their demands. Image courtesy of Joe Mills: https://www.flickr.com/photos/joedm/2255363378
  • #85 I know a little something about killing off bits of IAM… I know we are all trying to kill the password but I think a more reasonable, more achievable, and more effective goal is to eliminate the need for password vaulting through the use of authentication and federated SSO standards. By 2020, if I am still saying this, we have failed.
  • #89 By 2017, if I am still saying this, we have failed.
  • #90 The authentication wheel is round Image courtesy of Craig Sunter https://www.flickr.com/photos/16210667@N02/12013320215
  • #92 Authorization’s wheel is not round in an interesting way
  • #94 XACML can do anything; it really is an amazing standard. But the problem with things that allow you to do anything is that they tend to make it hard to do something. The JSON binding is a great start to make XACML more relevant for the modern web. One challenge exists as to how to represent the output of an authorization decision. Once a decision is made, how does the result get communicated to various enforcement points along the way? Certainly OAuth and scopes can be used for that. But this requires an understand of the semantics of scopes, which isn’t a bad thing but it is a thing… service providers have to invest time to understand that. Also there are those who believe bearer tokens are hellspawn… so there’s that too.
  • #100  The JSON binding is a great start to make XACML more relevant for the modern web.
  • #101 We might be able to employ OAuth and scopes.
  • #102 Could be used to represent the output of an authZ decision
  • #103 But this requires an understanding of the semantics of scopes, which isn’t a bad thing but it is a thing… service providers have to invest time to understand that.
  • #104 What about UMA? It definitely holds promise, especially when we consider the duties of all the parties involved in managing and enforcement access to resources. I really like the idea of a standard that has a profile that describes duties of the actors separate from the wireline protocol description. UMA definitely needs more miles on the road and to be perfectly honest I still have a hard time understanding it in an enterprise context. Maybe now that Eve is coming back to the product world, the community will get more UMA awesomeness.
  • #108 There is another thing to think about as we study the roundness of the authorization wheel. Knowing that the load we will have to carry is a heavy one and one that includes “things” I think we need to think about how those “things” can make decisions with more autonomy. How can our authorization systems make authorization decision closer to the place of use at the time of use? As I have been thinking about identity relationship management, I’ve been sketching some design constraints, some laws. This is the law of relationships – Actionable. How can we make relationships actionable so that a thing, an agent, a whatever, can act on the existence of a relationship without always having to consult a back-end authorization service? (use slides from IRM deck)
  • #111 Relationships must be able to carry authorization data
  • #114 Relationships must be able to carry authorization data to account for situations when the backend service cannot be reached
  • #115 Relationships must be able to carry authorization data to account for situations when the backend service cannot be reached
  • #116 Authorization’s wheel is not round… in an interesting way Image courtesy of Judith Doyle https://www.flickr.com/photos/doyland/6688993219
  • #117 The wheel of attributes is more round than not. Now, this is not a diatribe against commas and their sad magic. There are two parts to the attribute story: access and representation. We can access attributes… sorta. There’s no clear winner that is optimized for the modern web. We’ve got graph APIs, ADAP, and UserInfo Endpoints – not to mention proprietary APIs as well. Notice I added the constraint of “optimized for the modern web.” If remove that constraint, then we could say that access to attributes is a fully solved problem: LDAP. But we are going to a protocol that enables workers in the modern web to access attributes. As for a standardized representation… we have one. Name-value pairs. In fact, name-value pairs might be the new comma. (Ian speaks into cellphone “Siri, remind me to kill name-value pairs next year.) And although NVP are ubiquitous, we don’t have a standard schema. What is the inetOrgPerson of a new generation? There is no inetOrgPerson for millennial developers to use. But does that even matter? We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.
  • #118 Attributes’ wheel is more round than not
  • #119 This won’t be a diatribe against the sad magic of commas. I promise.
  • #121 We can access attributes… sorta.
  • #122 There’s no clear winner that is optimized for the modern web. We’ve got graph APIs, ADAP, and UserInfo Endpoints – not to mention proprietary APIs as well.
  • #124 If remove that constraint, then we could say that access to attributes is a fully solved problem: LDAP. But we are going to a protocol that enables workers in the modern web to access attributes.
  • #125 But we are going to a protocol that enables workers in the modern web to access attributes.
  • #126 As for a standardized representation… we have one. Name-value pairs. In fact, name-value pairs might be the new comma. (Ian speaks into cellphone “Siri, remind me to kill name-value pairs next year.) And although NVP are ubiquitous, we don’t have a standard schema. What is the inetOrgPerson of a new generation? There is no inetOrgPerson for millennial developers to use. But does that even matter? We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.
  • #128 In fact, name-value pairs might be the new comma. (Ian speaks into cellphone “Siri, remind me to kill name-value pairs next year.)
  • #134 We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.
  • #136 Attributes’ wheel is roundish
  • #137 User provisioning is on the verge to being semi-inflated. Let’s face it the wheel that SPML v2 built was not round. The example that the standard provided wasn’t even valid XML – not an auspicious start. In fact, SPML was a set away from roundness when we think about DSML v2. DSML v2 was a round wheel. It wouldn’t be very useful to day but it would roll. So what about SCIM? I’m bullish on it. Some really smart people worked on it, including my boss. We are supporting it. We hope you support it too. In fact, hopefully, at the end of this week it might just get ratified at the IETF meeting in Toronto. SCIM definitely needs more miles on the road, but I believe that the use cases that have been used to form SCIM are fairly representative of a majority of use cases we have. It can’t do everything but better believe it can do something. And this narrow focus is important as we think about the work we must do. As we as an industry shift from just dealing with employee identities to those of customers, citizens, and things, there is shift from heavy rich user provisioning to lighter weight registration and profile management. SCIM is just as applicable in an employee identity scenario as it is in a customer identity scenario. And thus is well positioned to make the transition.
  • #138 User Provisioning’s wheel is nearly roundish.
  • #139 Let’s face it the wheel that SPML v2 built was not round. The example that the standard provided wasn’t even valid XML – not an auspicious start. In fact, SPML was a step away from roundness when we think about DSML v2. DSML v2 was a round wheel. It wouldn’t be very useful to day but it would roll.
  • #143 So what about SCIM? I’m bullish on it. Holds great promise. Some really smart people worked on it, including my boss. We are supporting it. We hope you support it too. In fact, hopefully, at the end of this week it might just get ratified at the IETF meeting in Toronto. SCIM definitely needs more miles on the road, but I believe that the use cases that have been used to form SCIM are fairly representative of a majority of use cases we have. It can’t do everything but better believe it can do something. And this narrow focus is important as we think about the work we must do. As we as an industry shift from just dealing with employee identities to those of customers, citizens, and things, there is shift from heavy rich user provisioning to lighter weight registration and profile management. SCIM is just as applicable in an employee identity scenario as it is in a customer identity scenario. And thus is well positioned to make the transition.
  • #150 As we as an industry shift from just dealing with employee identities to those of customers, citizens, and things, there is shift from heavy rich user provisioning to lighter weight registration and profile management. SCIM is just as applicable in an employee identity scenario as it is in a customer identity scenario. And thus is well positioned to make the transition.
  • #154 User provisioning’s wheel is nearly roundish
  • #157 A question – how do you discover identity services of from a service provider? I don’t mean in a specific ODIC way, but in a more general way. How do you know if they use SAML, SCIM, a proprietary attribute API, FIDO U2F, etc? Is there a way to kickstart point-to-point identity relationships without paying the cost of point-to-point drudgery? Could I point my identity system at yours, form a relationship between the organizations, and start to use our joint identity services to meaningfully interact? Let me ask this a different way – do we have hubs and axels for our roundish wheels? Can we building something that removes the heavy lifting when offering and/or consuming identity services? I believe this is the uncharted standards territory into which we must blaze a trail.
  • #158 A question – how do you discover identity services of from a service provider? I don’t mean in a specific ODIC way, but in a more general way. How do you know if they use SAML, SCIM, a proprietary attribute API, FIDO U2F, etc? Is there a way to kickstart point-to-point identity relationships without paying the cost of point-to-point drudgery? Could I point my identity system at yours, form a relationship between the organizations, and start to use our joint identity services to meaningfully interact? Let me ask this a different way – do we have hubs and axels for our roundish wheels? Can we building something that removes the heavy lifting when offering and/or consuming identity services? I believe this is the uncharted standards territory into which we must blaze a trail.
  • #163 Can we kickstart point-to-point identity relationships without paying the p2p costs?
  • #165 Can we build something that removes the heavy lifting when offering and/or consuming identity services?
  • #167 That modern era is one in which more people and more things are more closely related. It is an era that holds the promise of “identity as business enabler.” And in this modern era identity will not only deliver the right access to the right people at the right time but the right experience to the right people at the right time. Not just people but things too To be fair, this modern era will require us to haul a heavy load. To do that we need round wheels. We need workable identity standards. We have made great progress but we are not there yet. I’ll ask 3 things of this audience and of our industry. First, adopt standards. If you aren’t using identity standards, you are inventing your own wheel. That is a strategy only optimized for the short-run. If the current ones don’t work for you, bring those use cases to standards bodies. If you don’t know where to go, ping me, or Mark, or Eve, we’ll help you. Second, help others adopt standards. Build SDKs to help people use OpenID and SAML. Support open source implementations of SCIM and OAuth. Start at home – with you organization’s developers and move out from there. Third, demand standards. From your identity technology providers. Demand standards. From your business service providers. Demand standards. From your own development teams. Demand standards. If for no other reason than to kill off the need for password vaulting. Demand standards. Lastly, keep in mind that a round wheel is not an end in and of itself. A great spec is potentially satisfying to the hard-core identity dorks in the room, me included, but that isn’t the real goal. We reinvent the wheel, we revisiting and rebuild our standards to get round ones – beautifully functioning ones that help carry the loads we must shoulder and us get to where we need to go in this era of modern identity.
  • #170 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #171 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #172 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #173 It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? IAM is in the midst of a transformation in order to serve customers, citizens, and even our “thing.”
  • #176 As we continue to refine our standards, we need a way of evaluating the roundness of those wheels, so to speak. We need some set of design considerations to help use decided whether a standard will get us from here to there. A few weeks ago I debuted the laws of relationships. They a set of considerations that we as identity professionals must be mindful of as we begin to navigate the waters of modern IAM – of identity relationship management. They can help evaluate the roundness of our standards… but only if you lend a hand. Kantara is creating an Identity Relationship Management working group to which I am giving these Laws of Relationships. I hope you will join me, and Joni, and Allan, and others in this new working group to help make identity ready for the modern era.
  • #179 Kantara is creating an Identity Relationship Management working group to which I am giving these Laws of Relationships.
  • #180 I hope you will join me, and Joni, and Allan, and others in this new working group to help make identity ready for the modern era.
  • #185 If you don’t know where to go, ping me, or Mark, or Eve, we’ll help you.
  • #200 Lastly, keep in mind that a round wheel is not an end in and of itself. A great spec is potentially satisfying to the hard-core identity dorks in the room, me included, but that isn’t the real goal. We reinvent the wheel, we revisiting and rebuild our standards to get round ones – beautifully functioning ones that help carry the loads we must shoulder and us get to where we need to go in this era of modern identity.
  • #202 at least to the hard core identity geeks in the room