Run down on current cloud based IAM standards

There has been some activity on cloud-based IAM lately, most recently with the release of the new Intel cloud-based IAM solution. It looks pretty expensive at high volumes, but it might make sense for something that has total cost recovery or for small, elastic groups of transitory users. In HE (higher education), I am thinking about alumni or prospective students specifically. But in addition to writing about this, I wanted to give an updated rundown on the standards, since there is now movement on SCIM.

## [SAML](http://en.wikipedia.org/wiki/SAML_2.0)

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML OASIS standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider and a web service. SAML 2.0 enables web-based authentication and authorization scenarios including single sign-on (SSO).

SAML 2.0 was ratified as an OASIS Standard in March 2005, replacing SAML 1.1. The critical aspects of SAML 2.0 are covered in detail in the official documents SAMLConform, SAMLCore, SAMLBind, and SAMLProf.

## [OAUTH](http://en.wikipedia.org/wiki/Oauth)

OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials; the third-party site is issued a token instead of the user's username and password. Each token grants access to a specific site (e.g., a video editing site) for specific resources (e.g., just videos from a specific album) and for a defined duration (e.g., the next 2 hours). This allows a user to grant a third-party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data. OAuth is a service that is complementary to, but distinct from, OpenID.

## [OpenID](http://en.wikipedia.org/wiki/OpenID)

OpenID enables an End-user, the entity that wants to assert a particular identity, to communicate with a Relying party (RP), the site that wants to verify the end-user's identifier. Other terms for this party include "service provider" or the now obsolete "consumer". This communication is done through the exchange of an Identifier or OpenID, which is the URL or XRI chosen by the end-user to name the end-user's identity. An Identity provider or OpenID provider (OP), which is a service that specializes in registering OpenID URLs or XRIs, provides the OpenID authentication (and possibly other identity services). The exchange is enabled by a User-agent, which is the program (such as a browser) used by the end-user to communicate with the relying party and OpenID provider.

## [OpenIDConnect](http://openid.net/connect/)

This is a tighter specification than the original OpenID. OpenID Connect is a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs. The simplest deployment of OpenID Connect allows clients of all types, including browser-based, mobile, and JavaScript clients, to request and receive information about identities and currently authenticated sessions. The specification suite is extensible, allowing participants to optionally also support encryption of identity data, discovery of the OpenID Provider, and advanced session management, including logout.

OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly. OpenID Connect can also be extended to include more robust mechanisms for signing and encryption. Integration of OAuth 1.0a and OpenID 2.0 required an extension (called the OpenID/OAuth hybrid); in OpenID Connect, OAuth 2.0 capability is built into the protocol itself.

## [SCIM](http://www.simplecloud.info/)

The Simple Cloud Identity Management (SCIM) specification is designed to make managing user identity in cloud-based applications and services easier. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents that provide patterns for exchanging this schema using standard protocols. In essence: make it fast, cheap, and easy to move users into, out of, and around the cloud. It was originally designed to work with cloud applications rather than provisioning applications, but this is being worked on actively. A REST API is provided, as well as a SAML 2.0 binding.
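As an added illustration of the "common user schema plus extension model" and the provisioning lifecycle described above (this is constructed example code, not part of the SCIM specification or any vendor's implementation), the block below validates a SCIM 1.1 User resource against the core schema URN and walks it through create, partial update and delete in an in-memory stand-in for a provider's `/Users` endpoint. The `ScimUserStore` class, the `REQUIRED` tuple and the `ALUMNUS` record are assumptions of this example.

```python
import copy
import uuid

# SCIM 1.1 schema URNs: core User plus the enterprise extension. The store below is
# a constructed in-memory stand-in for a provider's /Users endpoint, not a SCIM server.
CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"
REQUIRED = ("userName",)  # the only core attribute that must always be present


class ScimUserStore:
    """Create (move a user in), patch (move around), delete (move out)."""

    def __init__(self):
        self.users = {}

    def create(self, resource):  # POST /Users
        if CORE not in resource.get("schemas", []):
            raise ValueError("resource must declare the core User schema")
        missing = [a for a in REQUIRED if a not in resource]
        if missing:
            raise ValueError("missing required attribute(s): %s" % ", ".join(missing))
        if any(u["userName"] == resource["userName"] for u in self.users.values()):
            raise ValueError("userName already exists")  # a real server answers 409
        user = copy.deepcopy(resource)  # never mutate the caller's resource
        user["id"] = str(uuid.uuid4())  # server-assigned identifier
        user.setdefault("active", True)
        self.users[user["id"]] = user
        return user

    def patch(self, user_id, changes):  # PATCH /Users/{id}: partial update
        user = self.users[user_id]
        for key, value in changes.items():
            if key == "schemas":
                continue
            if isinstance(value, dict) and isinstance(user.get(key), dict):
                user[key].update(value)  # merge sub-attributes, e.g. the extension
            else:
                user[key] = value  # e.g. active=False deprovisions without deleting
        return user

    def delete(self, user_id):  # DELETE /Users/{id}
        return self.users.pop(user_id) is not None


# Constructed sample: an alumnus record using the core schema and the enterprise extension.
ALUMNUS = {"schemas": [CORE, ENTERPRISE], "userName": "jdoe@example.edu",
           "name": {"givenName": "Jane", "familyName": "Doe"},
           "emails": [{"value": "jdoe@example.edu", "primary": True}],
           ENTERPRISE: {"department": "Alumni Relations"}}
```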

## [XACML](http://en.wikipedia.org/wiki/XACML)

XACML stands for eXtensible Access Control Markup Language. The standard defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate authorization requests according to the rules defined in policies.

As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between authorization implementations by multiple vendors. XACML is primarily an Attribute Based Access Control system (ABAC), where attributes (bits of data) associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.

The XACML model supports and encourages the separation of the authorization decision from the point of use. When authorization decisions are baked into client applications (or based on local machine userids and Access Control Lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes. When the client is decoupled from the authorization decision, authorization policies can be updated on the fly and affect all clients immediately.

The latest version, 3.0, was ratified by the OASIS standards organization in August 2010.
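To make the ABAC and decoupling points concrete, here is an added example (constructed for this post, not code from OASIS or any XACML product) of a tiny policy decision point: it reads a policy written in a simplified XACML Rule/Target/Match shape, combines applicable rules with deny-overrides, and returns a decision for a request that carries only subject, action and resource attributes. The `POLICY_XML` text, the `ADVISOR_READ` request and the helper names are assumptions; a real XACML 3.0 policy also carries namespaces, MatchIds, AttributeDesignators and functions.

```python
import xml.etree.ElementTree as ET

# Constructed policy in a simplified XACML Rule/Target/Match shape: each Match names an
# attribute category and id and the value it must equal (the ABAC inputs the text describes).
POLICY_XML = """<Policy PolicyId="student-records" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="advisors-read-records" Effect="Permit">
    <Target>
      <Match Category="subject" AttributeId="role">advisor</Match>
      <Match Category="action" AttributeId="action-id">read</Match>
      <Match Category="resource" AttributeId="type">student-record</Match>
    </Target>
  </Rule>
  <Rule RuleId="alumni-never-write" Effect="Deny">
    <Target>
      <Match Category="subject" AttributeId="affiliation">alumni</Match>
      <Match Category="action" AttributeId="action-id">write</Match>
    </Target>
  </Rule>
</Policy>"""


def rule_applies(rule, request):
    """A Rule applies when every Match in its Target is satisfied by at least one
    value of the named attribute in the request (attributes are multi-valued)."""
    for match in rule.iter("Match"):
        values = request.get(match.get("Category"), {}).get(match.get("AttributeId"), [])
        if match.text.strip() not in values:
            return False
    return True  # a Rule with no Match applies to every request


def evaluate(policy_xml, request):
    """Policy Decision Point: collect the effects of applicable Rules and combine
    them with deny-overrides, returning 'Permit', 'Deny' or 'NotApplicable'."""
    policy = ET.fromstring(policy_xml)
    effects = {r.get("Effect") for r in policy.iter("Rule") if rule_applies(r, request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


# Constructed request: the client (enforcement point) ships attributes only, never a decision.
ADVISOR_READ = {"subject": {"role": ["advisor", "staff"], "affiliation": ["staff"]},
                "action": {"action-id": ["read"]},
                "resource": {"type": ["student-record"]}}

if __name__ == "__main__":
    print(evaluate(POLICY_XML, ADVISOR_READ))  # Permit
    # The policy changes centrally; the client code and its request are untouched.
    print(evaluate(POLICY_XML.replace('Effect="Permit"', 'Effect="Deny"'), ADVISOR_READ))  # Deny
```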

[Intel Cloud SSO](http://software.intel.com/en-us/articles/cloud-sso/) has just launched. It provides account provisioning, SSO with a portal, and one-time passwords. It synchronises with Microsoft Active Directory and works with software-based tokens for two-factor authentication (AuthN). It federates Windows logins and works with SaaS platforms including Salesforce and Google Apps, with hundreds of out-of-the-box integrations or the ability to build your own using SAML.

[McAfee Cloud Identity Manager](http://www.mcafee.com/us/products/cloud-identity-manager.aspx) relieves the pain that end users have managing multiple passwords for cloud applications. Cloud Identity Manager allows you to enforce corporate standards for cloud application access and improves productivity for IT and end users by relieving password reset requests. It provides single sign-on (SSO), automated provisioning, strong authentication, authorization, and consolidated auditing. Get out-of-the-box integration with popular cloud-based applications, including Salesforce.com and Google Apps. No coding or separate purchases of tool kits are required. Simply pick your cloud application from the console menu and you are ready to go. Quick implementation means a better return on your investment and a faster time to value.
