SAML 2.0 is King of Federation Standards
For the next three days I’ll be attending the Gartner Identity and Access Management Summit. I’ll post a daily summary of the sessions I’ve attended. If any of the sessions have something particularly noteworthy, I’ll relay those interesting items via Twitter.
Day 2 was a quest for more customer stories and testimonials. But the opening session by Chris Hansen, correspondent for the NBC News “Dateline NBC” program, was riveting. Hands down, it was the fastest 45 minutes of the entire conference. Chris had a way of sharing the behind-the-scenes stories that lead up to the final “To Catch a Predator” specials that really had the audience hanging on his every word. I recall the promotions for the show but I never actually watched the show itself. The gist is that an NBC investigative reporting team, led by Hansen, poses as a 13- or 14-year-old boy or girl online and attracts predators to a house for inappropriate encounters. The house is wired with microphones and hidden cameras. The predator arrives and Hansen confronts the individual about their illegal behavior.
One of the most disturbing comments Hansen shared is that he felt if they picked any city in the US, his team could set up their operation and, within 24 hours, have 50 people lined up wanting to participate in illegal behavior. He mentioned he had doctors, firemen, clergy, businessmen … non-stereotypical people all looking to take advantage of children online.
Hansen linked his investigative team’s methodology to success in attracting pedophiles, electronic fraud, terrorist cells, you name it. It was a bit concerning how the strong can take advantage of the weak online, and it is very challenging for law enforcement to thwart such attacks.
It sounds like a very negative topic, but Hansen did an excellent job of communicating the seriousness of his experiences along with humor and a pragmatism that left the listeners with a deeper appreciation for the work his journalistic team dedicates to such endeavors.
Back to the quest for more customer stories and testimonials
I didn’t find the remaining morning sessions communicating anything I didn’t already know. It wasn’t until the post-lunch session on “Managing Identity in the Cloud” by Gregg Kreizman that I found something noteworthy. With all the buzz around cloud computing these days, I figured this would be a popular session and I wasn’t disappointed. With multiple concurrent sessions, I would venture a guess that this one had the bulk of attendees compared to other sessions in the same timeslot. Without further delay, below are my bulleted notes from this session:
- Web Access Management and Identity Management are precursors for SaaS/Cloud solutions for your business.
- Make sure to get Identity and Access Management (IAM) provisions into your contracts and terms and conditions with cloud providers.
- Federation was slow to start, but it is growing strong at present, kicked into high gear with companies looking to leverage cloud solutions.
- Cloud vendors are offering federation support, even though this presents an easier path to customer switching (reduced customer “stickiness”), because customers are demanding it.
I was finally hoping to hear some good customer insight at the “Road to Success is Paved in Strategy” session with a senior manager of global security at Mattel. It was a well-constructed session on IAM strategy, but nothing radically different from the textbook approach to introducing a new technology and/or security discipline in a large organization, namely:
- Implement IAM as a 3 to 4 year initiative
- Have a focused PMO around IAM
- Mattel chose to dedicate a PMO resource, a business analyst and a systems analyst to IAM
- Prioritize applications (don’t boil the ocean)
- Get a senior-level champion outside of IT
- Cast a wide net with stakeholders, application owners
- Don’t just focus on technology
- Stay focused on business goals and objectives
- Focus on quick wins
- IAM can be painful so don’t expect an easy road, especially if you buy tools first
- Get some outside industry help
Lastly, it seems “New Directions in Federation” has confirmed what I was sensing since first embarking on federation a handful of years ago: SAML 2.0 is emerging as the clear winner amongst the various competing standards. Federated authorization is another story. No clear choice amongst the emerging standards morass.
Thus, let me be the first to pitch “Hillbilly Federated Authorization via SAML 2.0”:
- In the SAML 2.0 assertion for a federated sign-on, in addition to providing the required authentication information, use the <saml:AttributeStatement> element to include the identity provider’s user-specific authorizations for the partner’s application.
- In addition, add “auto-provisioning”, where all of the attributes needed to set up your authenticated user in the partner application are provided in every SAML assertion.
- Couple “Hillbilly Federated Authorization” with “Auto-provisioning” and one has a very lightweight, company-controlled extended/federated authentication and authorization model.
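To make the pitch concrete, here is an added example of the partner (service provider) side, written for this post rather than taken from any session or product: it parses the <saml:AttributeStatement> of a constructed SAML 2.0 assertion into the auto-provisioning attributes and the entitlements. The attribute names email, department and entitlement are assumptions that the two parties would agree on.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture); the ds:Signature block and
# Conditions are omitted for brevity. Attribute names are assumptions agreed
# between the identity provider and the partner, not names from the post.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2010-11-16T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2010-11-16T10:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="entitlement">
      <saml:AttributeValue>invoice:approve</saml:AttributeValue>
      <saml:AttributeValue>report:view</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

PROVISIONING_ATTRS = {"email", "department"}  # assumed auto-provisioning attributes
ENTITLEMENT_ATTR = "entitlement"               # assumed multi-valued authorization attribute


def extract_attributes(assertion_xml):
    """Return (provisioning dict, entitlement set) from the AttributeStatement.

    The caller must already have validated the assertion's XML signature,
    issuer, audience and validity window; until then every attribute here is
    untrusted input and must not drive provisioning or access decisions."""
    root = ET.fromstring(assertion_xml)
    provisioning, entitlements = {}, set()
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if name == ENTITLEMENT_ATTR:
            entitlements.update(values)
        elif name in PROVISIONING_ATTRS:
            provisioning[name] = values[0] if values else ""
        # Any other attribute is ignored: only the agreed set drives provisioning.
    return provisioning, entitlements


if __name__ == "__main__":
    prov, ents = extract_attributes(SAMPLE_ASSERTION)
    print(prov, sorted(ents))
```

The entitlement set is what the partner application would consult for authorization, and the provisioning dict is what it would use to create or update the local account on each sign-on.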
Where does this break down? Well, for one, if your federation partner is unwilling to work with you on this hybrid solution. And second, if you have a significant number of authorizations (fine-grained entitlements), then trying to duplicate those in your directory, plus add an administrative UI to manage those directory attributes, PLUS keep everything in sync with every major/minor partner application upgrade … I think there will be plenty to talk about regarding federation at #GartnerIAM 2011.