Like SPML, XACML is somewhat complicated and has not gained widespread adoption for cross-domain provisioning. It remains mostly limited to use behind the firewall. Another protocol, WS-Federation, is part of the Web Services Security framework and focuses on controlling access to Web Services. WS-Federation, along with WS-Trust and WS-SecureConversation, has yet to gain widespread adoption among SaaS providers.
Some have also suggested that OAuth could be adapted to serve as part of an approach for federated provisioning in the cloud. OAuth is a wildly popular and successful approach to user-level authorization, and it is not unreasonable to think that a revised OAuth protocol, or a new protocol spun off of OAuth, could gain significant traction. Keep your eye on this, although nothing appears to be imminent.
Identity as a service
Technical specifications alone are not the solution to managing provisioning issues. Few customers want to be in the business of writing code to perform custom integrations with cloud apps, even if every SaaS provider in existence supported both SPML and SCIM.
Luckily, cloud identity management providers are beginning to emerge to take care of the technical details and hide the nasty integration bits behind a simple, user-friendly interface. In particular, Okta has a very comprehensive enterprise identity management platform, which neatly encompasses the provisioning of SaaS applications -- and can unify an existing on-premises identity management mechanism with cloud apps. Okta already supports SaaS applications, including Google Apps, Microsoft Office 365, Salesforce.com, Box.com, and many more.
Of slightly more recent vintage, Bitium graduated from the Amplify startup accelerator in 2012 and recently raised $2.4 million in venture funding to further develop a SaaS provisioning platform. Like Okta, Bitium provides a single platform for administrators to manage access to all of their SaaS applications. Bitium advertises support for a laundry list of applications, including Yammer, Box.com, Dropbox, Salesforce.com, Gmail, and so on.
What you should do
If you've taken a flying leap into the cloud and subscribed to multiple SaaS applications, no doubt you've encountered many of the same issues we have bumped into at Open Software Integrators. To sum up, here are our recommendations:
- Investigate Okta and/or Bitium and consider using their respective services if they fit your needs.
- Encourage SaaS vendors that you work with to add support for SPML and SCIM protocols for programmatic provisioning.
- If you're technically inclined, consider joining the SCIM Working Group or the OASIS Provisioning Services TC and help develop the protocols necessary to address your needs.
SaaS applications will only grow in importance, which guarantees that cross-domain provisioning will remain a hot issue for years to come. Dive in and become more knowledgeable about the work going on in this space. If you have the interest and ability, perhaps you can become part of the solution.
This article, "How to provision users in a cloud world," was originally published at InfoWorld.com. Keep up on the latest developments in application development, and read more of Andrew Oliver's Strategic Developer blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.