WHAT EXACTLY IS IDENTITY FEDERATION
These days, most websites and mobile apps don’t authenticate you themselves.
Instead, they call the APIs of services offered by popular “Identity Providers”, or
“IDPs”, like Google and Facebook.
This lets a person’s “user” information be reused at many different websites on
the Internet, with information about the person shared with websites and apps
on an “as needed” basis. Of course, website developers don’t want to learn a different
authentication API for each IDP, and many organizations don’t trust a third party to
authenticate their people. So the Internet has moved to standards. The most widely
used standard for web authentication is SAML. Perhaps the most promising standard
for authentication is OpenID Connect, an identity layer profiled on top of OAuth 2.0.
The explosion of Two-Factor Authentication technology…
One of the most important new technologies driving infrastructure changes is
the explosion of strong (multi-factor) authentication technology.
There is a triangle of authentication consisting of price, usability and security. Not all
triangles are equal. New technologies are arising that are more convenient, more
secure and less expensive than passwords.
Once a company invests in strong authentication, it wants to use that
authentication technology across the maximum number of apps. For this reason, it makes
sense to support open standards, so that all applications can benefit from the
organization’s new authentication capabilities.
The Problem of Client Management
It’s not only people that need to be authenticated and authorized. There is a proliferation
of agents that act on behalf of a person, or are independent entities. How are these
authenticated and authorized by the organization…?
Seismic Shift: LDAP or WAM?
I think the seismic shift is from WAM (web access management) to federation, not from
LDAP to federation. LDAP is still entrenched as a robust persistence infrastructure for
user claims and password credentials. The problem with WAM products (e.g.
SiteMinder, OAM, TAM…) is that the cost has been high, customers are locked in (why else
did CA buy Netegrity…), and integrations have been slow.
Companies realize that whether they are integrating authentication with internal
apps, external apps, or off-the-shelf products, open federation standards enable
consolidation, which saves money and improves security.
In the large companies I’ve worked with, the security department did not have control over
the applications, so even though they were “internal”, a top-down approach was
inefficient. It’s better to publish your standards and let the internal app developers “help
themselves” than to push a WAM architecture on them. In this sense, the existence of
external apps just provides further evidence of a trend that had already clearly
emerged.
IAM, not IDM
Often, clients and consultants put too much emphasis on IDM, and not enough
emphasis on organizational trust management. It’s not just that I need to provision my
users for external websites; I also need to know which attributes I have shared with
which websites. Organizations also need to trust users who authenticated outside the
organization. Most large organizations participate in an ecosystem of autonomous
parties, and publish websites that are used by many people outside the organization. This is the
old problem of extranet user management. Trust management, IMHO, is one of the biggest
challenges…
Where does XACML fit?
If you talk to organizations, you’ll find that there is no clear trend in XACML’s adoption.
Proprietary and custom solutions are the rule in authorization right now, with most
authorization actually taking place inside the app.
To what extent centralized authorization will be achieved is totally uncertain, and I would
argue that this is the “adjacent possible,” as described in Steven Johnson’s book “Where
Good Ideas Come From”: you can’t have authorization before we have clear standards
for authentication. In terms of adoption of technology, I’m bullish about UMA, and in fact I
think UMA and XACML are complementary. App developers want JSON/REST, and it
would be more suitable for the UMA authorization server to form an XACML request to an
XACML PDP than for the app developer to learn XACML. In any case, I’m a fan of XACML as a
standard for expressing authorization rules, but I do think that the technology is better
suited for server-side developers.
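The division of labour argued for above, with the app speaking JSON to an authorization server that speaks XACML to the PDP, is shown below as an added example; it is not code from the original post, from Gluu, or from any UMA or XACML product. The REST-facing `authorize` function takes a JSON request naming a subject, resource and action, turns it into an XACML 3.0 request context using the standard category and attribute identifiers, hands it to a toy PDP (the in-memory `POLICY` table is constructed for the example), and maps the XACML response back to a JSON-style result. The security-relevant detail is the mapping: only an explicit Permit grants access; Deny, NotApplicable and Indeterminate all fail closed.

```python
import json
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML)
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Standard XACML category / attribute identifiers for the three things an app
# typically asks about. The JSON keys on the left are this example's own choice.
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}


def _q(local: str) -> str:
    return f"{{{XACML}}}{local}"


def json_to_xacml_request(req: dict) -> str:
    """Authorization-server side: build an XACML 3.0 <Request> from a JSON-style dict
    so the app developer never has to write XACML themselves."""
    root = ET.Element(_q("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for key, (category, attr_id) in CATEGORIES.items():
        attrs = ET.SubElement(root, _q("Attributes"), {"Category": category})
        attr = ET.SubElement(attrs, _q("Attribute"), {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, _q("AttributeValue"), {"DataType": XS_STRING}).text = str(req[key])
    return ET.tostring(root, encoding="unicode")


# Constructed policy for the toy PDP: these (subject, resource, action) triples are Permit.
POLICY = {
    ("alice", "https://app.example.com/reports/q3", "read"),
    ("alice", "https://app.example.com/reports/q3", "write"),
    ("bob", "https://app.example.com/reports/q3", "read"),
}


def toy_pdp(request_xml: str) -> str:
    """Minimal PDP: parse the XACML request and answer with an XACML <Response>.
    Requests the policy says nothing about get NotApplicable; requests the PDP
    cannot even parse get Indeterminate, as the XACML spec prescribes."""
    try:
        root = ET.fromstring(request_xml)
        values = {}
        for key, (category, attr_id) in CATEGORIES.items():
            for attrs in root.iter(_q("Attributes")):
                if attrs.get("Category") != category:
                    continue
                for attr in attrs.iter(_q("Attribute")):
                    if attr.get("AttributeId") == attr_id:
                        values[key] = attr.find(_q("AttributeValue")).text
        triple = (values["subject"], values["resource"], values["action"])
        decision = "Permit" if triple in POLICY else "NotApplicable"
    except (ET.ParseError, KeyError, AttributeError):
        decision = "Indeterminate"
    resp = ET.Element(_q("Response"))
    ET.SubElement(ET.SubElement(resp, _q("Result")), _q("Decision")).text = decision
    return ET.tostring(resp, encoding="unicode")


def decision_of(response_xml: str) -> str:
    """Extract the <Decision> string from an XACML <Response>."""
    return ET.fromstring(response_xml).find(f"./{_q('Result')}/{_q('Decision')}").text


def authorize(json_request: str) -> dict:
    """REST-facing entry point: JSON in, JSON-style dict out. Only an explicit
    Permit grants access; every other decision fails closed."""
    req = json.loads(json_request)
    decision = decision_of(toy_pdp(json_to_xacml_request(req)))
    return {"decision": decision, "permit": decision == "Permit"}


if __name__ == "__main__":
    print(authorize('{"subject": "alice", "resource": "https://app.example.com/reports/q3", "action": "write"}'))
    print(authorize('{"subject": "bob", "resource": "https://app.example.com/reports/q3", "action": "write"}'))
```

A real PDP evaluates policy sets with combining algorithms rather than a lookup table, and treats the request document as untrusted input (a hardened XML parser, size limits, no external entities); the JSON-to-XACML boundary and the fail-closed mapping of the four XACML decisions are the parts an integrator should keep.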
Who will Outsource IDaaS?
I disagree with the common assumption that the majority of “IDaaS” will be outsourced.
Perhaps for the SMB market this might be true. But many large organizations maintain their core
TCP/IP services themselves, and AAA has traditionally been managed within the organizational
perimeter. In fact, many organizations simply cannot outsource this function for security
reasons. With standards, we will drive down the cost of the software and of the
resources needed to run it, and AAA will be simply another Linux or Windows service that can be
configured.
Article source: http://gluu.jimdo.com/gluu-blog/what-exactly-is-identity-federation/