Hi, I'm your host, and no, I don't have your car keys

In the last six months, I visited an organization that outsources literally dozens of their services. They have nearly twenty key services for which they create separate IDs, and for which they have no single sign-on (which is a whole other issue). I keep obsessing over this place, since I wonder if this IS the future. Payroll, HR management, healthcare, personal achievement, all the big functions are handled over the web. And okay, since it’s the term du jour, we’ll say over the Cloud. Gmail is called a cloud vendor now. Okay, fine.
Fast forward to a couple of weeks ago, and I was at a gathering where we discussed the matter of, should service providers also provide identity services as part of their offering? This gets really complicated.
My immediate answer is, unless a provider is THE identity source of truth, then NO, they should not provide IdM. They would keep enough of an identity to provide their current service, and that’s about it.
Here’s how it ought to work. Let’s say I work for MegaBigCorp. I get to my desktop each morning and authenticate. When I need to check on my health claims, or my 401K, I click a link, the home server generates a SAML assertion for me, and off I go. The provider gets the ticket, says “I know you, and I know what level of access you get, so come on in.” That simple.
So what does that provider need to know about me? Only as much as it needs to. My id, which it links to my role and therefore my access. My employer should be my source of truth, and share only what it needs to.
Another sticky bit is when the provider doesn’t even host what little IdM it does provide. The 401K guy manages the money, but uses another provider to manage security and identity. Ouch. The latency is often, as they say in the lab, sucky.
What’s supposed to drive a proper cloud relationship is federation. I log the user in, I hand you an assertion with identity and role and maybe a few choice attributes (or maybe YOU keep the attributes and look them up when I hand over the identity), and that’s the end. That’s why there’s a Ping Identity, or a Symplified, or an Oracle Identity Federation.
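The desktop-login-to-provider flow sketched above, and the federated handoff described here, as an added example that is not part of the original post. The employer (IdP) mints a short-lived, signed assertion carrying only identity and role; the provider (SP) verifies the signature, issuer, audience, expiry and replay, then maps the role to access from its own small table and stores no user directory of its own. The issuer and audience URLs, the role table, the shared key and the token format are all assumptions; a real SAML deployment would carry the same claims in an XML assertion signed with the IdP's certificate (XML-DSig) rather than this HMAC-signed JSON stand-in.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed names: the employer is the identity source of truth (the IdP),
# the 401K provider is the service provider (SP). Both URLs are constructed.
IDP_ISSUER = "https://idp.megabigcorp.example"
SP_AUDIENCE = "https://401k.provider.example"

# Key shared between this IdP/SP pair (constructed; stands in for the IdP's
# signing certificate that a real SAML exchange would use).
SHARED_KEY = b"constructed-shared-key-for-example-only"

# The SP keeps only what it needs: a role-to-access table, no user directory.
ROLE_TO_ACCESS = {
    "employee": {"view_own_balance"},
    "benefits_admin": {"view_own_balance", "view_all_balances"},
}


def idp_issue_assertion(user_id, role, audience=SP_AUDIENCE, key=SHARED_KEY,
                        ttl_seconds=300, now=None):
    """Employer side: after the morning desktop login, mint a short-lived,
    signed assertion carrying just the identity and role the provider needs."""
    now = time.time() if now is None else now
    claims = {
        "iss": IDP_ISSUER,
        "sub": user_id,
        "aud": audience,          # bound to one provider, useless elsewhere
        "role": role,
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so the SP can refuse replays
    }
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def sp_consume_assertion(token, expected_audience=SP_AUDIENCE, key=SHARED_KEY,
                         now=None, seen_ids=None):
    """Provider side: verify the ticket, then map role to access.
    Returns (accepted, reason, permissions)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed", set()
    expected_sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Verify the signature before trusting any claim; constant-time compare.
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature", set()
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if claims.get("iss") != IDP_ISSUER:
        return False, "unknown issuer", set()
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch", set()
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return False, "expired", set()
    if seen_ids is not None:
        if claims["jti"] in seen_ids:
            return False, "replay", set()
        seen_ids.add(claims["jti"])
    perms = ROLE_TO_ACCESS.get(claims.get("role"))
    if perms is None:
        return False, "unknown role", set()
    return True, "ok", set(perms)


if __name__ == "__main__":
    # Constructed user: the employer says who it is and what role it holds.
    ticket = idp_issue_assertion("alice@megabigcorp.example", "employee")
    print(sp_consume_assertion(ticket, seen_ids=set()))
```

The order of checks is the point: the provider trusts nothing in the ticket until the signature holds, refuses tickets minted for a different provider, and keeps only a replay cache and a role table, so when the employee leaves MegaBigCorp the employer simply stops issuing assertions and the provider has nothing to deprovision.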
I’ve read various discussions on whether SaaS vendors should host identity. The correct answer is, they don’t need the liability, and they don’t necessarily have the smarts, so they should host their content, and leave identity to the originator who should own it.
Reader Comments (1)
Following you on Twitter. You going to Open World this year?