This week I was fortunate to spend some time with Mike Schwartz, CEO and founder of Gluu, the leading open source and on-demand cloud identity management provider. Gluu is an Austin-based start-up that leverages open standards such as OpenID Connect, SAML 2.0, Shibboleth, and SCIM to make achieving single sign-on (SSO) secure and easy.
How has the concept of online identity management and federation services changed in the last few years?
Mike: Several fundamental changes are converging to create the perfect storm of online identity: (1) Facebook Connect is bubbling up from the consumer space into the enterprise market, creating demand for instant connectivity based on user controlled decisions; (2) OpenID Connect is positioned to replace a plethora of other standards - SAML, OpenID versions 1 and 2, OAuth versions 1.0 and 1.1, WS-Fed and Information Cards; (3) there has been a proliferation of authentication technologies - username / password is not the only option any more, and in fact we are being presented with many more easy to use, and more secure alternatives; (4) Email address has emerged as the definitive identifier for a person, and domain name the definitive identifier for an organization; (5) Due to the proliferation of mobile and cloud apps, the use cases for online identity need to address not only the attributes or claims of a person, but of the device or client to which the person is connected.
With the onset of OAuth 2.0 and OpenID Connect, does that mean the death of SAML?
Mike: Yes, it’s a “when” not an “if.” SAML does not support user authorization - trust is managed exclusively by the organization, and this model does not solve the use cases we are facing today. There are no organizational use cases which OpenID Connect cannot solve. With that said, online identity is about both “tools and rules.” SAML and OpenID Connect represent the tools. However the rules make the tools more useful. It will take time to replace all the rules and business agreements that have been implemented with SAML, which could be around for a number of years.
SAML is still quite well embedded in large scale telecoms and educational establishments. Do you see continued deployment of such approaches?
Mike: Website support for SAML has been tepid at best. Primarily, large websites such as Google or Salesforce support SAML. Integration of SAML into commercial products has also been slow—your average off-the-shelf or open source software product does not support it. So despite its success and utility, SAML has not seen the adoption necessary to provide a ubiquitous identity layer for the Internet. Higher Education and telecoms ultimately will adopt the identity technology that offers them the most content - access to apps and websites. It's premature to expect adoption in these two vertical markets before the standard is finalized. However, industry groups such as Internet2 and ASIS do not really care about one protocol over another - the important goal is access to content, and solving business problems. It's clear that OpenID Connect will solve some of the most pressing problems facing both industries.
The concept of online identity management relies heavily on providers. Is a standard only really as good as the providers signed up for it? Does everyone wait for a Facebook or a Google to become involved?
Mike: Adoption can be more important than standards. Support for a standard by large consumer IDPs is critical. In the US, Google-Microsoft-Yahoo have coverage of 99% of consumers (note: an email account is a requirement for Facebook). Support from large consumer IDPs will encourage web and app developers to create content… availability of content will drive organizations to run their own IDPs (rather than send their employees to a consumer IDP), to better control access to organizational resources (CMS-CRM…). So even though companies will not use the IDP services of consumer IDPs to identify employees, they do need to watch very closely what large consumer IDPs are doing.
Gluu and the OX Project have had significant attention in the last 12 months, with great interest from organisations trying to manage federated authentication and distributed authorization. What does the next 12 months hold for Gluu?
Mike: Our primary goal is to write the best open source cloud identity software on the market. One of the many advantages of open source development is a fast release cycle. In the next few months we are integrating new features that go beyond the current OpenID Connect Standard: (1) Support for UMA—the User Managed Access - standard. UMA is an IETF standard that enables people or organizations to restrict access to APIs (URLs); (2) Based on our experience in SAML multi-party federations, we are proposing a new standard for OpenID Connect multi-party federations. Gluu has also proposed a new “OpenID Graph Working Group,” which would leverage the OpenID Connect network to share data.
Are organisations becoming more interested in taking ownership of online identity management themselves (thinking in-house development/management), or will offerings like the Gluu appliance approach become the de facto standard?
Mike: Identity is moving to the cloud, like many other important enterprise services. Gluu’s on-demand offering focuses on authentication and authorization. Other companies such as Centrify, Okta and SailPoint offer more comprehensive identity suites that include provisioning, governance, and role management. Hopefully some of these companies who offer one-stop-shopping for organizational identity will incorporate the open source Gluu software into their stack (why re-invent the wheel). But in general, I agree that organizations - especially SMBs - will move identity services to the cloud for these simple reasons: cost effectiveness, more functionality, and more robustness - especially support for clustering and business continuity.
Large enterprises are continuing (and will continue) to deploy highly robust telco-like identity services with data centers on multiple continents. Other organizations like universities are pursuing a hybrid approach, where they are using “managed services” deployed on their private network, to make it clear that their PII (personally identifiable information) stays within the network perimeter.
The provisioning of users within a corporate network is in itself complex and time consuming. Do you think managing identities in the cloud will benefit from mistakes made at the individual company level and how will SCIM help, if at all?
Mike: Due to the variety of organizations, their missions, and the amount of technology they use, there is no one-size-fits-all solution for organizational identity management (IDM). While it's true that many IDM projects have failed, it doesn't mean we can stop trying. Eric Sachs from Google says that the track record of consumer identity technology has been 99% failure. It sounds Darwinian, but there is no question that all of the cloud services that exist today have learned from these failures.
The SCIM protocol itself is a good example of learning from past mistakes. SCIM is very useful. It is critical for services to be provisioned in a standard way. Why should Google, Salesforce, and others define their own API to “add a user” or add a “group” - well known entities in the organizational business process? The same holds true for the Identity service where people are authenticated and authorized, which is why we see the Gluu platform as an “endpoint” not the originator of the provisioning workflow.
The other interesting lesson of SCIM is that in order to achieve consensus, standards need to limit the scope. SCIM does a small subset of SPML, but it handles the most important use cases and was able to quickly gain consensus.
One confusion is about SCIM’s relationship to authentication / authorization and attribute exchange. This is not what SCIM was designed to do, and in fact the vendors don’t even think this is the use case it addresses… just because you can push passwords everywhere with SCIM, doesn’t mean it’s a good idea.
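As an added illustration of the two SCIM points above (a standard "add a user" / "add a group" payload, and the caveat that SCIM should not be used to push passwords around), the following example is not from the interview or from Gluu's code. It builds SCIM 2.0 User and Group resources using the RFC 7643 core schema URNs and runs an outbound policy check that refuses to forward any resource carrying a credential attribute, on the assumption that the IDP remains the only place that authenticates; the sample identities are constructed.

```python
import json

# RFC 7643 core schema URNs for the two resource types the interview mentions.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Attributes that carry credentials. The IDP is the authentication endpoint,
# so these must never be pushed to downstream service providers (assumption:
# this list is policy for this example, not part of the SCIM spec).
CREDENTIAL_ATTRS = {"password"}


def scim_user(user_name, email, given, family):
    """Build a minimal SCIM 2.0 User resource (constructed sample data)."""
    return {
        "schemas": [SCIM_USER],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def scim_group(display_name, member_ids):
    """Build a minimal SCIM 2.0 Group resource referencing member ids."""
    return {
        "schemas": [SCIM_GROUP],
        "displayName": display_name,
        "members": [{"value": mid} for mid in member_ids],
    }


def outbound_check(resource):
    """Policy gate run before a resource leaves the IDP for a SCIM endpoint.
    Returns (ok, reason): rejects unknown schemas, missing required names,
    and any credential attribute in the payload."""
    schemas = set(resource.get("schemas", []))
    if not schemas & {SCIM_USER, SCIM_GROUP}:
        return False, "missing core schema URN"
    leaked = CREDENTIAL_ATTRS & set(resource)
    if leaked:
        return False, "credential attribute(s) present: " + ", ".join(sorted(leaked))
    if SCIM_USER in schemas and not resource.get("userName"):
        return False, "userName is required"
    if SCIM_GROUP in schemas and not resource.get("displayName"):
        return False, "displayName is required"
    return True, "ok"


def scrub(resource):
    """Return a copy of the resource with credential attributes removed."""
    return {k: v for k, v in resource.items() if k not in CREDENTIAL_ATTRS}


if __name__ == "__main__":
    user = scim_user("alice", "alice@example.com", "Alice", "Liddell")
    print(outbound_check(user), json.dumps(user, indent=2))
    print(outbound_check(dict(user, password="not-for-export")))
```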
Thanks to Mike and the guys at Gluu for their time and for providing some great insights into the cloud based identity market.