Why the future of authentication isn’t SAML
02 August, 2013
category: Digital ID
The future of authentication will not rely on SAML, but on OpenID Connect and OAuth 2 instead, Dave Kearns contends in a blog post for KuppingerCole.
SAML, or Security Assertion Markup Language, is a component of Ping Identity’s federation products, and though it’s still being used, Kearns feels that Ping CTO Patrick Harding’s conclusions from this year’s Cloud Identity Summit are worth noting. Harding expressed a need for a “modernized identity protocol stack, baked into every application that scales to Internet proportions and hides its complexity from developers and end-users.” The foundation for this identity stack, according to Harding, is shaped by three emerging protocols — OAuth, OpenID Connect (OIDC) and the System for Cross-Domain Identity Management (SCIM).
As Kearns points out in his blog post, there is a noticeable lack of SAML in that list.
Kearns explains that OpenID Connect enables a user to authenticate to an app, service or site – otherwise known as a Relying Party – using an identity established with an Identity Provider, such as Facebook or Google. The trick here, and the important factor in the authentication equation, is that the user must authenticate to the Identity Provider, not to the Relying Party itself.
Using the examples of Google or Facebook, this means that the user must log in to the identity provider with a username and password. Google, along with a few of its social networking peers, has implemented optional two-factor authentication, but Kearns believes that from a security standpoint this is no safer than a password alone.
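To make the trust relationship concrete, here is an added example (not code from the article or from Ping Identity or KuppingerCole) of the two halves of an OpenID Connect login: the Identity Provider mints a signed ID token after the user authenticates to it, and the Relying Party accepts the user only after checking the token's signature, issuer, audience and expiry. The issuer URL, client id, shared HS256 secret and the `amr` values are constructed for the demo; a production RP would normally verify an RS256 signature against the IdP's published keys instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a hypothetical Identity Provider and Relying Party.
IDP_ISSUER = "https://idp.example"          # assumed issuer URL of the IdP
RP_CLIENT_ID = "rp-client-123"              # assumed client_id the RP registered at the IdP
SHARED_SECRET = b"constructed-demo-secret"  # HS256 key shared between IdP and RP (demo only)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_id_token(subject: str, amr: list, now: int) -> str:
    """IdP side: after the user has logged in to the IdP, mint a signed ID token for the RP."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": IDP_ISSUER,      # who vouches for the user
        "sub": subject,         # the user at the IdP
        "aud": RP_CLIENT_ID,    # which RP this token is meant for
        "iat": now,
        "exp": now + 300,       # short lifetime: 5 minutes
        "amr": amr,             # how the user authenticated to the IdP, e.g. ["pwd"] or ["pwd", "otp"]
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def rp_validate_id_token(token: str, now: int) -> dict:
    """RP side: the RP never sees the user's password; it trusts the IdP's assertion only after these checks.

    Returns the claims on success and raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm to an allow-list; do not let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("token not meant for this RP")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def rp_login(token: str, now: int) -> dict:
    """Convenience wrapper: the RP's login decision as a plain dict."""
    try:
        claims = rp_validate_id_token(token, now)
    except ValueError as err:
        return {"ok": False, "reason": str(err)}
    return {"ok": True, "user": claims["sub"], "amr": claims["amr"]}


if __name__ == "__main__":
    now = int(time.time())
    token = idp_issue_id_token("alice", ["pwd"], now)
    print(rp_login(token, now))          # accepted: valid token from the trusted IdP
    print(rp_login(token, now + 600))    # rejected: token expired
```

The `amr` claim is what lets the RP see whether the IdP used only a password, which is exactly the weakness Kearns points at: an RP that accepts any token without looking at how the user authenticated inherits the IdP's password-only assurance.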
What Kearns is ultimately calling for is an “adaptive, dynamic, risk-based authentication and authorization system, based on context derived from open APIs.” In this way, Kearns believes, services can not only correctly authenticate those seeking access, but also define their appropriate level of authorization.
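As an added illustration of what such a risk-based system might do (example code, not Kearns's or KuppingerCole's design), the following policy scores a login from context signals that an RP could obtain from APIs (device recognition, geolocation, IP reputation, recent failures) together with the `amr` methods the Identity Provider reported, and then decides between allowing, stepping up to a second factor, or denying, while also scaling the authorization level. The signal names, weights and thresholds are constructed for the demo and are assumptions, not values from the article.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    """Context for one login attempt. Field names and value sets are constructed for this demo."""
    user: str
    device_known: bool            # device fingerprint seen before for this user
    country: str                  # country from IP geolocation
    usual_countries: frozenset    # countries this user normally logs in from
    failed_attempts_last_hour: int
    ip_reputation: str            # assumed labels from a reputation API: "clean", "suspicious", "malicious"
    amr: list                     # authentication methods reported by the IdP, e.g. ["pwd"] or ["pwd", "otp"]


STRONG_METHODS = ("otp", "hwk", "mfa")   # assumed labels for a second factor in the IdP's amr claim


def score_risk(ctx: LoginContext) -> int:
    """Additive risk score in 0..100+; weights are illustrative assumptions."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.country not in ctx.usual_countries:
        score += 25
    if ctx.failed_attempts_last_hour >= 3:
        score += 20
    score += {"clean": 0, "suspicious": 25, "malicious": 60}.get(ctx.ip_reputation, 25)
    return score


def decide(ctx: LoginContext) -> dict:
    """Map risk plus authentication strength to an action and an authorization level.

    action: "allow" | "step_up" | "deny"
    authorization: "full" | "read_only" | None
    """
    risk = score_risk(ctx)
    strong = any(m in ctx.amr for m in STRONG_METHODS)
    if risk >= 80:
        # Too risky to continue even with a second factor; log and block.
        return {"risk": risk, "action": "deny", "authorization": None}
    if risk >= 60:
        # High risk: a second factor buys a restricted session, a password alone does not.
        if strong:
            return {"risk": risk, "action": "allow", "authorization": "read_only"}
        return {"risk": risk, "action": "step_up", "authorization": None}
    if risk >= 30:
        # Medium risk: require a second factor before granting full access.
        if strong:
            return {"risk": risk, "action": "allow", "authorization": "full"}
        return {"risk": risk, "action": "step_up", "authorization": None}
    return {"risk": risk, "action": "allow", "authorization": "full"}


if __name__ == "__main__":
    # Constructed sample contexts for a single user.
    home = frozenset({"DE"})
    routine = LoginContext("alice", True, "DE", home, 0, "clean", ["pwd"])
    travelling = LoginContext("alice", False, "US", home, 0, "clean", ["pwd"])
    travelling_mfa = LoginContext("alice", False, "US", home, 0, "clean", ["pwd", "otp"])
    suspicious = LoginContext("alice", False, "US", home, 3, "suspicious", ["pwd", "otp"])
    for ctx in (routine, travelling, travelling_mfa, suspicious):
        print(ctx.country, ctx.amr, decide(ctx))
```

The point of the policy is that the same password-only login gets a different answer depending on context, and that the authorization granted (full versus read-only) is itself an output of the decision rather than a fixed consequence of a successful login.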
For more from Dave Kearns, see his full blog post on KuppingerCole’s website.