It's not an illusion: the security perimeters we used to rely on are now little more than vapor. The migration of applications to the cloud, mobility, and businesses granting non-employees access to sensitive resources are trends challenging CIOs everywhere, at a time when they are expected to "do more with less" and deliver added value while staff sizes shrink and the number of users and applications explodes.
What is the trick for handling this shift? Standards. More precisely, a set of modern identity management protocols aligned with current Web-based development methods, plus a touch of maturity from a de facto standard many enterprises already use today for single sign-on.
This modern protocol set is built on developer-friendly frameworks such as REST and JavaScript Object Notation (JSON), and on standards including the System for Cross-Domain Identity Management (SCIM), OAuth, OpenID Connect and the venerable Security Assertion Markup Language (SAML).
You will need all of these pieces for scalable user management, a cornerstone of compliance mandates. Let's dig briefly into each standard's role:
System for Cross-Domain Identity Management: Without creating user identities, you cannot manage application access. Yet enterprises have struggled with fragile proprietary provisioning systems that break whenever an application or operating system changes. Where the earlier Service Provisioning Markup Language (SPML) failed because of its complexity, SCIM offers a straightforward set of operations to create, read, update and delete user and group resources.
SCIM is a developer-friendly standard that leverages REST and JSON, replacing costly proprietary or manual provisioning methods. SCIM 1.0 is already in use by service providers and available in identity and access management products. The IETF standards body has nearly completed the definition of version 2.0 of the SCIM protocol.
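To make the create/read/update/delete model concrete, here is an added example (not code from the article or from any vendor product) of an in-memory stand-in for a SCIM 2.0 /Users endpoint. The schema URNs and scimType error codes are the ones defined in RFC 7643 and RFC 7644; the UserStore class, its method names and the sample user are constructed for illustration. It enforces the three things a provisioning target most often gets wrong: the userName uniqueness constraint, the readOnly attributes (id, meta) a client may not PATCH, and the deprovisioning pattern of replacing active with false rather than deleting the record.

```python
import copy
import uuid
from datetime import datetime, timezone

# Schema URNs from SCIM 2.0 (RFC 7643 / RFC 7644).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Attributes the server owns; clients must not set or change them.
READ_ONLY = {"id", "meta", "schemas"}


class ScimError(Exception):
    """Carries the SCIM error body the HTTP layer would serialize."""

    def __init__(self, status, detail, scim_type=None):
        super().__init__(detail)
        self.status = status
        self.body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
        if scim_type:  # scimType is only defined for 400-class errors
            self.body["scimType"] = scim_type


class UserStore:
    """Hypothetical in-memory /Users endpoint (example only, not a real server)."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    def create(self, resource):  # POST /Users
        if USER_SCHEMA not in resource.get("schemas", []):
            raise ScimError(400, "core User schema is required", "invalidValue")
        username = resource.get("userName")
        if not username:
            raise ScimError(400, "userName is required", "invalidValue")
        # userName is unique and compared case-insensitively (RFC 7643 4.1.1).
        if any(u["userName"].lower() == username.lower() for u in self._users.values()):
            raise ScimError(409, "userName already exists", "uniqueness")
        user = {k: v for k, v in copy.deepcopy(resource).items() if k not in READ_ONLY}
        user["schemas"] = [USER_SCHEMA]
        user["id"] = str(uuid.uuid4())
        user.setdefault("active", True)
        now = self._now()
        user["meta"] = {"resourceType": "User", "created": now, "lastModified": now}
        self._users[user["id"]] = user
        return copy.deepcopy(user)

    def read(self, user_id):  # GET /Users/{id}
        if user_id not in self._users:
            raise ScimError(404, f"User {user_id} not found")
        return copy.deepcopy(self._users[user_id])

    def patch(self, user_id, patch_op):  # PATCH /Users/{id}
        user = self._users.get(user_id)
        if user is None:
            raise ScimError(404, f"User {user_id} not found")
        if PATCH_SCHEMA not in patch_op.get("schemas", []):
            raise ScimError(400, "PatchOp schema is required", "invalidSyntax")
        updated = copy.deepcopy(user)
        for op in patch_op.get("Operations", []):
            kind = op.get("op", "").lower()
            path = op.get("path")
            # Only top-level attribute paths are handled here; sub-attributes and
            # value filters such as emails[type eq "work"] are rejected, not guessed.
            if not path or "[" in path or "." in path:
                raise ScimError(400, f"unsupported path: {path!r}", "invalidPath")
            if path in READ_ONLY:
                raise ScimError(400, f"{path} is readOnly", "mutability")
            if kind in ("add", "replace"):
                if "value" not in op:
                    raise ScimError(400, f"{kind} requires a value", "invalidValue")
                if kind == "add" and isinstance(updated.get(path), list) and isinstance(op["value"], list):
                    updated[path].extend(op["value"])  # add appends to multi-valued attributes
                else:
                    updated[path] = op["value"]
            elif kind == "remove":
                updated.pop(path, None)
            else:
                raise ScimError(400, f"unknown op: {kind!r}", "invalidSyntax")
        updated["meta"]["lastModified"] = self._now()
        self._users[user_id] = updated
        return copy.deepcopy(updated)

    def delete(self, user_id):  # DELETE /Users/{id}
        if self._users.pop(user_id, None) is None:
            raise ScimError(404, f"User {user_id} not found")
        return 204  # HTTP status the endpoint would return
```

A real service provider would wrap these methods in HTTP handlers and add filtering and paging for GET /Users; the point here is that every provisioning action maps to one plain HTTP verb on one JSON document, which is what makes SCIM cheap to support compared with a bespoke connector.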
Security Assertion Markup Language: Created more than a decade ago, SAML is the most widely deployed identity standard in the enterprise. It's the de facto method for Web-browser-based authentication and single sign-on to enterprise software-as-a-service applications. IT also uses it to connect disparate applications, such as those introduced by a merger or acquisition. SAML should be your first choice for Web-based SSO because so many applications and identity systems support it. SAML also delivers SSO without relying on password credentials, which are easily intercepted by attackers and used for unauthorized transactions and data breaches. And SAML enables access at scale by eliminating password resets in the target application. The SAML assertion remains the gold standard for browser-based user authentication and SSO. Note that its security rests on the receiving application validating the assertion's signature, audience and validity window: SSO removes passwords from the application, but not the need to verify what replaces them.
OAuth 2.0: What about native mobile applications, which often lack browser-based functionality? Enter OAuth 2.0, which is more of a framework than a protocol.
The OAuth 2.0 standard enables native mobile applications to access resources on behalf of the user. It's an API-friendly protocol that leverages REST and JSON, and it's built into many SaaS applications, including Facebook, Google and Yahoo; cloud infrastructure platforms such as Windows Azure Active Directory; and modern IAM software, including that offered by my company, Ping Identity. OAuth is the de facto enterprise choice for token-based access from native mobile applications and has gained mindshare among developers and SaaS application vendors. The core standard for OAuth 2.0 (RFC 6749) is finalized and approved by the IETF.
While OAuth is the de facto credential standard for non-browser applications, it lacks a framework for the scalable registration of those applications, an essential task if apps are to be granted access to enterprise resources. OAuth also requires a broader identity management framework to provide user SSO to many applications: an access token proves that the app may call an API, not who the user is.
OpenID Connect helps meet those OAuth challenges. It's built on top of the OAuth framework to provide "identity at scale" by delivering an automated registration process for applications, a discovery process for authentication systems and a signed ID token that tells the application who authenticated. And given its OAuth roots, OpenID Connect fits into the OAuth authorization flow in a way other protocols cannot.
The definition of the standard is substantially complete and in final review at the OpenID Foundation, with final approval expected early next year. Adoption is already under way: Google last week told partners it's phasing out OpenID 2.0 and OAuth 1.0 in favor of OpenID Connect. The move will require websites that accept Google IDs for logins to upgrade to the specification. Salesforce.com and Microsoft are among others that support OpenID Connect, and IAM software vendors are also touting support. Acceptance of the protocol is also pushing it onto the infrastructure radar of mobile operators, government-backed identity initiatives in the U.S. and Europe, and enterprise hybrid-cloud deployments. CIOs should take note.
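The OAuth and OpenID Connect passages above describe a flow without showing it, so here is an added example (not from the article, and not Ping Identity's or any vendor's code) of the native-app side: building the authorization request with PKCE, and then validating the ID token that OpenID Connect adds to the OAuth exchange. The issuer, endpoints, client ID and redirect URI are constructed placeholders standing in for what the app would read from the provider's discovery document; the token is signed with HS256 and a constructed shared key so the example runs offline with the standard library, whereas a real provider would use RS256 with keys fetched from its JWKS endpoint. The mint_id_token helper plays the identity provider for the test and is not something a client would ever contain.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from urllib.parse import urlencode

# Constructed stand-in for <issuer>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(client_id: str, redirect_uri: str):
    """Build the authorization request a native app opens in the system browser.

    PKCE (code_verifier / S256 challenge) binds the later token request to this
    app instance, since a native app cannot keep a client secret.  state protects
    the redirect against CSRF; nonce ties the ID token to this login attempt.
    """
    verifier = b64url(os.urandom(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    url = DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)
    # The app stores verifier/state/nonce until the redirect comes back.
    return url, {"code_verifier": verifier, "state": state, "nonce": nonce}


def mint_id_token(key: bytes, claims: dict) -> str:
    """Test helper standing in for the identity provider (HS256 JWT)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, client_id: str, expected_nonce: str, now=None) -> dict:
    """Checks a client must make before trusting the claims: alg, signature, iss, aud, exp, nonce."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token's header pick it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims
```

Between start_login and validate_id_token sits the token request (POST to token_endpoint with the authorization code and code_verifier), which is omitted here because it is a plain HTTPS call. What the example is meant to show is the asymmetry the text alludes to: the access token that request returns is for calling APIs, and only the validated ID token tells the app who the user is.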
Specs on the Move
Acceptance of this group of protocols has raced well past the lab and beta-test environments. The groundwork is done, and examples of production use are everywhere. Corporate and enterprise security architects realize that identity (every employee, every device and every application) is central in a connected world. The only way to scale access and security across that connected world is through standards, especially as cloud, mobile and social transform how we do business.