I read your recent response to a question on SCIM identity management, and wanted to know more specifically about provisioning. I know some heavy-hitters like Google and Salesforce.com are involved with it, so I think that helps its chances of becoming widely implemented. With that assumption in mind, is there anything enterprises can or should do to prepare for it? Are the providers offering their own documentation? Are there likely to be software patches or connectors that are needed?
Ask the Expert!
Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)
For enterprises to be ready for SCIM identity management, or any Internet-based identity provider, there are several things that can be done. As I described in the article you referenced, there are a number of technical standards competing to be the “connection protocol of choice” for Internet-based identity services. It’s too early to predict which will survive, so organizations need to keep their interconnection options open.
Enterprise provisioning has historically concentrated on connectors for internal applications like business systems from Oracle Corp., Microsoft, IBM and others. These connectors generally send and receive data using vendor-proprietary protocols. But Internet applications, like those provided by Google Inc. and Salesforce.com, are based on interoperable protocols like SAML, OAuth, XACML, and the others I mentioned in the article. As anyone who has created a SCIM provisioning or other provisioning connector knows, a certain amount of technical understanding must be applied in order to successfully connect a provisioning system to a corporate application. This is also true for open standards-based applications. If an enterprise doesn’t have technical experience with open identity standards, the organization should first learn how these protocols work, what their dependencies are, and how the protocols are used to provide identity management interoperability between applications.
Next, an enterprise can prepare to leverage Internet identities by creating a standard application bus architecture using service-oriented architecture (SOA) services within its application environment. SOA replaces tightly coupled, point-to-point application connections with a common communications channel that allows data to flow through a series of interoperable services at the application layer.
Finally, an enterprise needs to develop Internet access for its provisioning or SOA architectures. Often these services are used for internal-only connectivity, so the components are configured so that they cannot be accessed from the enterprise DMZ or the Internet. By creating Internet-facing portals and applications, these services can be made available to an external identity provider for sharing authentication and authorization data.
You asked if the providers are offering documentation on how to connect to them. Of course, the providers want your business. Since you mentioned two in particular, I’ll give pointers to their documentation. Google has standardized on OpenID. Information on how to connect to OpenID can be found online. Proving there isn’t one standard, Salesforce.com settled on SAML. Information on how to connect to SAML can also be found online.
Should a company connect to an Internet-based identity provider now? If a company has a strong business relationship with one of these Internet-based identity providers, it is possible to use their services by contacting them and building an architecture using the vendor’s standard interfaces. Whether a company has many Internet business relationships or none, it would be prudent, as part of the company's identity management (IdM) strategy, to concentrate on externalizing the enterprise identity systems using the most widely adopted standards available, and to wait to see which protocols win before deciding what to use in the future.
This was first published in June 2012