
OpenID Connect: Poised for greatness in enterprise authentication?

Despite the popularity of SAML, the mobile and cloud benefits of OpenID Connect may spur adoption as an enterprise authentication platform.

Three years ago, OpenID seemed to be headed toward oblivion, or at least irrelevance.

Since its creation in 2005, the open specification for authentication and single sign-on for the Web has been adopted by a number of cloud providers, including Google, but the Security Assertion Markup Language (SAML) grew to dominate as the primary way that websites and authentication services exchanged security information. The promise of OpenID's motto, "Make simple things simple and make complicated things possible," remained unfulfilled; authentication architects often implemented OpenID in their own non-standardized ways.

Many early adopters stopped supporting the nascent standard. Agile-services provider 37Signals -- best known for its Basecamp collaboration service -- dumped support for OpenID two years ago, saying less than 1% of customers used the option to log in.

"What we've learned over the past three years is that it didn't actually make anything any simpler for the vast majority of our customers," the company stated in a 2011 blog post announcing the move. "Instead, it just made things harder."

Yet, times have changed. In February, the OpenID Foundation -- created in 2005 to foster the standard -- launched OpenID Connect, a new version of the protocol that builds on the OAuth 2.0 authentication framework to add identity, mobile support and better interoperability. A number of large cloud service providers -- such as Google, Microsoft and Yahoo -- are supporting the framework, while companies such as Deutsche Telecom and have implemented the technology as the basis of their own identity and access infrastructures.

While the long-preferred alternative, SAML, dominates among APIs and Web-based authentication, some identity and access management (IAM) experts believe that OpenID Connect's simplicity, openness and roots in the cloud and mobile sectors will help it quickly gain market share in the enterprise and even pave the way for companies to replace their on-premises IAM systems with cloud offerings.

"OpenID Connect is very developer friendly -- as such we will see much greater adoption of OpenID Connect among developers," said Patrick Harding, CTO of Ping Identity. "Eventually, it will become the standardized framework for all [Internet-connected] applications."

Identity problems: History of OpenID

The seemingly complex world of enterprise authentication boils down to two simple desires: Users want to log in once and access many services, and companies want to manage a single store of user identities that enable employees, partners and others to access their applications and resources.

In most organizations, the central part of an authentication system is the identity provider. Also known as an asserting party, it facilitates a process known as federation to provide authentication services to the relying parties, such as companies offering cloud services. Many consumers use, for example, Facebook as an identity provider to log into the Web services of relying parties, such as Feedly and Hulu.

Solving the problem of allowing a user to log in once and access multiple, disparate resources on and off the Web in a standardized, interoperable way, however, proved difficult. OpenID was created in 2005 by LiveJournal creator Brad Fitzpatrick to fill the void and soon became popular as a Web authentication paradigm among bloggers.

SAML, though, came to dominate the Web services landscape. Introduced in 2002, the specification became much more popular after the release of SAML 2.0 in 2005, because the standard emphasized security and could be used in high-assurance applications, which -- as security became more important for Web services -- expanded to include most offerings.

SAML was created during a time when Web architects tried to make all communications on the Web look like the hypertext markup language, or HTML, and is based on the meta-markup language XML. That philosophy adds complexity, said Mike Jones, standards architect for Microsoft and one of the inventors -- and now the primary editor -- of the OpenID Connect specification.

"While it was once believed that most protocols and message formats were going to be based on XML," said Jones, "in practice most Web developers did not have a taste for it."

Instead, developers have increasingly used data structures based on JavaScript Object Notation (JSON). While OpenID Connect is a federation protocol like SAML, it uses JSON data structures to pass information between the various parties.

One protocol to rule them all?

Today, that ease in development could turn OpenID Connect into the reigning authentication standard among enterprises. Google, for example, has already deprecated many of its previous OpenID-based login systems in favor of OpenID Connect, a process that will be complete in the next year. Yet many companies with established infrastructures are less able to switch quickly to new technologies and will continue supporting SAML, so the Internet giant will also support that standard, said Clayton Jones, manager for Google's identity and device management products.

"Some of the larger, more established enterprise players have a connection to SAML, while some of the young startups are more vested in OpenID Connect," said Google's Jones, adding that "rumors of SAML's demise are overstated."

SAML's momentum as an established protocol may prove difficult for OpenID Connect to overcome. Most cloud developers continue to focus on implementing SAML in their products. More than two-thirds of software-as-a-service firms currently use SAML for their login infrastructure, with another 30% intending to implement the technology in the next two years, according to a survey of 100 cloud service providers conducted by San Francisco-based IAM vendor OneLogin. Only 3% of providers had no plans for SAML.

"SAML is still our preferred approach and I think the best approach, when a user is trying to get to a resource in a browser," said David Meyer, vice president of product for OneLogin. "It is super-efficient and super secure. People say SAML is dead, but we see it exponentially increasing in adoption every year. Literally, exponentially."

OpenID support for cloud and mobile are key

Yet, OpenID Connect could become not only the most popular way to exchange identity information between Web services, but could also lead to the replacement of much of the IAM infrastructure within enterprises with cloud-based identity and access management services.

In addition to its ease of use for developers, OpenID Connect benefits from two other major trends.

The growing demand for mobile device authentication and the need to authenticate to a variety of emerging and cloud-based services and data sources, experts say, will likely foster OpenID Connect's future growth. The GSM Association, an industry group representing more than 800 mobile carriers, announced in February that the industry would pursue a Mobile Connect authentication initiative based on the OpenID Connect protocol.

Additionally, increasing enterprise adoption of cloud services will mean that the ability to log in once via a Web-based service and gain access to numerous additional services will have a greater importance, not only for consumers accessing Web services, but also for companies looking for simpler user access management.

"There is a realization that authentication is a full-time job," said Allan Foster, vice president of technology and standards with San Francisco-based ForgeRock, an authentication provider. "Enterprises need to know who the user is, but they don't need to own an entire infrastructure."

No matter which technology service providers adopt, authentication frameworks like OpenID Connect and SAML could simplify authentication and access management infrastructure, likely leading to increased outsourcing to the cloud. Netflix, a company whose genetics are firmly rooted in the cloud, has moved its identity and access management functions from an on-premises appliance-based system to OneLogin's SAML-based cloud service. Google, meanwhile, has used its clout to push the use of OpenID Connect across its services, making many small business users of Google Apps default users of OpenID Connect.

In the end, SAML and OpenID Connect will coexist, said Don Thibeau, executive director of the OpenID Foundation, but future growth and innovation will come from the openness and ease of development that are core to OpenID.

"When you have the world of mobility and the world of identity bumping into each other, that is the space to watch," Thibeau said. "In the next year or so, we are going to see some interesting innovations coming out and a truly global conversation on, not just identity, but on enterprise applications."
