With applications moving to the cloud and mobile devices becoming more prevalent as access and identity tools, enterprises need to know how to enable access securely and easily for employees.
All these factors are making enterprise identity management more important and increasingly complex. Paul Madsen, senior technical architect in the CTO’s office at Ping Identity, filled listeners in on standards and some of the latest trends with identity management during a webinar hosted by the company.
Madsen described the identity management challenges and opportunities enterprises are dealing with. Enterprises need to figure out how to deliver identity to Software as a Service applications, enable native app access, leverage the handset for user authentication and take advantage of social identity for access, Madsen says.
The best way to deliver identity to a cloud-based app is with assertions, not passwords, Madsen says. Cloud providers should not manage passwords; instead, employees should authenticate to an identity provider, which then passes identity assertions about the employee to the application.
SAML is one of the most mature identity standards used for this purpose. With SAML, a user tries to access a service provider, and the service provider redirects the user's browser to the relevant identity provider. After authenticating the user, the identity provider delivers an assertion to the service provider, which can then decide whether or not to enable access.
SAML works well in a browser-based world, but when it comes to native apps, other standards have emerged that can authenticate to APIs. OAuth 2.0 adds an extra step and has clients authenticate to APIs with a token instead of a password. When access is requested, a token is generated that enables access for a certain amount of time. “Tokens enable a better privacy model because they can be revoked easier than a password,” Madsen explains.
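As an added illustration of the assertion model in the two paragraphs above (not code from the webinar or from Ping Identity): the identity provider signs a short-lived statement about the authenticated user, and the service provider checks the signature, audience, validity window and revocation status before granting access, without ever handling a password. An HMAC shared key stands in for real SAML XML signatures and OAuth 2.0 token formats; the key, issuer URL, audience and assertion IDs are constructed values.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values: a real IdP would use an asymmetric signing key.
IDP_KEY = b"idp-signing-key-constructed-for-demo"
IDP_ISSUER = "https://idp.example"   # assumed issuer URL
REVOKED = set()                      # assertion IDs the IdP has revoked


def _sign(body: bytes) -> str:
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()


def issue_assertion(subject, audience, lifetime_s, assertion_id, now=None):
    """IdP side: after authenticating `subject`, emit an assertion bound to one SP."""
    now = time.time() if now is None else now
    claims = {"id": assertion_id, "iss": IDP_ISSUER, "sub": subject,
              "aud": audience, "nbf": now, "exp": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": _sign(body)}


def verify_assertion(assertion, expected_audience, now=None):
    """SP side: return (ok, subject-or-reason). Each check is one the SP must make."""
    now = time.time() if now is None else now
    claims = assertion.get("claims", {})
    body = json.dumps(claims, sort_keys=True).encode()
    # Signature first: only then can any claim be trusted as the IdP's statement.
    if not hmac.compare_digest(_sign(body), assertion.get("sig", "")):
        return False, "bad signature"
    # Audience: an assertion issued for another SP must not be replayed here.
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    # Validity window: the assertion carries its own lifetime.
    if not (claims["nbf"] <= now < claims["exp"]):
        return False, "expired or not yet valid"
    # Revocation: the IdP can withdraw one assertion without touching credentials.
    if claims["id"] in REVOKED:
        return False, "revoked"
    return True, claims["sub"]


def revoke(assertion_id):
    """IdP side: withdraw a single assertion; the user's credential is untouched."""
    REVOKED.add(assertion_id)
```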
The potential of the mobile phone as an authentication credential is also being explored more and more by the enterprise, Madsen says. “Phones make a pretty good something you have,” he adds. “Most users have an attachment to their phone and they’re more likely to have that with them as opposed to some tailor-purposed key fob.”
There are a number of ways mobile devices can act as authentication tools, including one-time password (OTP) generator apps, receiving an OTP through SMS, or acting as a secure container for digital certificates, Madsen explains. Phones with biometric capabilities can provide additional levels of security, an approach being standardized by the FIDO Alliance.
Madsen also talked about the Bring Your Own Identity (BYOI) trend: the idea of consumer-facing enterprises accepting social identities, from Twitter, Facebook and the like, as sufficient for access, at least to low-sensitivity resources. BYOI is seen as lowering the initial barrier to establishing a relationship with a potential customer, with the social identity either supplemented or replaced as the relationship develops further. Adoption of the OpenID Connect standard by the large social providers makes this specification relevant for BYOI.