Why the Future of Identity is OpenID Connect and not SAML

This blog is part of a series comparing the implementation of identity management patterns in SAML and OpenID Connect:

Future of Identity Federation is OpenID Connect

Identity management is an enabler for networked services, whether web browser, mobile or smart-TV applications or the internet of things. The increase in services will create an increase in passwords unless there is a mechanism for sharing & trusting identities. eGovernment services require a higher level of identity verification than the social authentication capabilities of Twitter & Facebook Connect. The future of eGovernment identity is an interoperable authentication and authorisation capability that can support higher levels of identity verification.

The importance of interoperability amongst identity solutions is that it will enable individuals to choose between and manage multiple different interoperable credentials. Furthermore, service providers will choose to accept a variety of credential and identification media types. “Identity Solutions will be Interoperable” is a guiding principle of the US National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative for both public & private sectors to improve the privacy, security, and convenience of online transactions.

SAML is insufficiently interoperable to be the future standard for identity management federation. SAML is limited in its ability to support mobile & smart-TV applications and requires the implementation of a complex Broker Service in order to support multi-service provider & multi-IdP use cases.

OpenID Connect will most likely supersede SAML for all eGovernment externalised identity management. OpenID Connect is a lightweight identity verification protocol built on top of modern web standards (OAuth 2.0, REST and JSON), superseding OpenID 2.0. OpenID Connect allows a service provider (Relying Party) to select between a variety of registered or discovered identity providers. OpenID Connect can satisfy all of the SAML use cases, but with a simpler JSON/REST-based protocol.

Figure: SAML 2.0 & OpenID Connect comparison
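The Relying Party side of the protocol sketched above comes down to a few JSON checks: locate the provider's metadata from its issuer URL, then accept an ID token only if its issuer, audience, expiry and nonce claims match what this client asked for. The example below is added here and is not code from the original post; the issuer, client id and token contents are constructed sample values, and JWS signature verification (against the provider's published JWKS) is assumed to have happened before these claim checks run.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery publishes provider metadata at a fixed path under the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_id_token_claims(id_token, expected_issuer, client_id, expected_nonce, now=None):
    """Return the claims if the ID token is acceptable for this client, else raise ValueError.
    Assumes the JWS signature was already verified; these are the claim checks that stop
    issuer confusion (iss), token substitution between clients (aud/azp) and replay (exp, nonce)."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:  # multiple audiences need azp
        raise ValueError("azp must name this client when aud has several entries")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_accepted(*args, **kwargs) -> bool:
    """Boolean wrapper around validate_id_token_claims for callers that only need accept/reject."""
    try:
        validate_id_token_claims(*args, **kwargs)
        return True
    except ValueError:
        return False


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token for demonstration; the signature segment is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample-key'})}.{enc(claims)}.placeholder-signature"
```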


The Future of Identity Management According to CoTS Vendors Part 1

Most identity management software vendors will rationalise their service enablement capability as follows:

  1. Identity and access management has traditionally focused on managing user accounts in the form of directory service entries – the traditional IAM/IdM view.
  2. It has seldom involved managing identities, let alone multiple types. They might digress slightly here on the history of Master Data Management, which has had to grow alongside identity management but usually within a single organisation, so it has never been able to support an identity-type discovery service.
  3. Identity and access management (IAM) has traditionally focused on managing user information technology accounts in the enterprise. The rise of different types of accounts and identities, such as cloud, mobile and other devices, e-commerce, and social networks, has asymmetrically complicated things. – So far so good.
  4. Furthermore, the internet of things requires identity management for devices, embedded SIMs and network connections, all of which require tying back to potentially enterprise, family or personal accounts. – Note about licence costs likely at this point.
  5. The increase in user and device accounts will require IAM providers to offer more flexible solutions, but in all likelihood enterprises will continue to confine their IAM capabilities according to their directory service. – Product pitch coming here…

Depending on the organisation’s existing IAM capabilities and embedded technologies, the software vendor will generally pitch a service enablement capability that sits on top of legacy directory services. This should be an intelligent Master Data Management capability, but often it is a lightweight OAuth & SAML cloud-enabling layer and an upgraded 2FA/3FA service for external authentication & possibly BYOD.

As these are vendor-driven pitches, they do not seek to solve the enterprise’s more fundamental issue of how to consolidate all those existing directory services and support multiple identities. A strategic architecture is needed for that first…