In the future, as Harding sees it, "The cloud will require SSO and user directory/user store synchronization. There is no way to avoid this as every cloud app needs an identity store. Standards are required to make this function seamless (no database cheats in the cloud). Hence the relevance of SAML and SCIM. Each of the major platforms will likely support some derivative of these protocols -- Microsoft being the exception in Azure/Office 365 with their reliance on WS-Federation and Graph."
The first rule of Identity Fight Club
This points to an inherent conflict. When implementing identity solutions, you often hit the edge where a Microsoft cloud service expects WS-Federation, a competing standard, rather than SAML. Vendors throughout the history of on-premises identity have failed to keep up with the latest version of a standard (SAML 1.1 vs. 2.0) or even to agree on the same standard (SAML vs. WS-Federation). The consequence is a series of brittle integration points that often require custom software and nearly always require complex configuration.
Your sole provider -- or else
To further complicate matters, many of your XaaS vendors want to be your sole identity provider. Anil Saldhana, lead JBoss security architect at Red Hat, says, "Most of the cloud providers, such as Salesforce and Google, provide the option of using a customer-hosted identity provider, which can be the sole holder of identity. The cloud providers would act as service providers and you can use SAML attributes to pass roles, etc."
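What "pass roles as SAML attributes" means for the cloud app on the receiving end, as an added example written for this page (not code from Saldhana, Red Hat, JBoss, Salesforce or Google): the service provider must check the issuer, the validity window and the audience of the assertion before it reads a single attribute, or the roles it grants are whatever the sender chose. The sample assertion, the issuer and audience URLs and the attribute name "Role" are constructed assumptions; real IdPs use vendor-specific attribute names, which is exactly the brittle integration point described above. XML signature verification is deliberately left to a proper SAML library and must run before this code.

```python
"""Extract roles from a SAML 2.0 assertion after the checks a service
provider owes before trusting any attribute.

Added example for this article, not vendor code. The assertion below and
the issuer/audience/attribute names are constructed assumptions.
Out of scope: XML signature verification. A real SP verifies the signature
(e.g. python3-saml / xmlsec) BEFORE calling extract_roles(), otherwise the
roles are attacker-chosen.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not captured from any real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example-1" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="2012-06-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>developer</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_xs_datetime(value):
    """SAML timestamps are xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML timestamp: {value!r}")


def extract_roles(assertion_xml, trusted_issuer, expected_audience,
                  now=None, role_attr="Role"):
    """Return the values of `role_attr` from a signature-verified assertion.

    Raises ValueError when the issuer, validity window or audience is wrong,
    so a caller cannot grant roles from a foreign, replayed or expired
    assertion. `now` is an xs:dateTime string (default: current UTC time).
    """
    now_dt = _parse_xs_datetime(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")

    # 1. Issuer: only the IdP we exchanged metadata with may mint roles.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer: {issuer!r}")

    # 2. Validity window: no Conditions/NotOnOrAfter means replayable forever,
    #    so absence is a failure, not a pass. NotOnOrAfter is exclusive.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now_dt < _parse_xs_datetime(not_before):
        raise ValueError("assertion not yet valid")
    if not not_on_or_after or now_dt >= _parse_xs_datetime(not_on_or_after):
        raise ValueError("assertion expired or unbounded")

    # 3. Audience: an assertion minted for another SP must not work here.
    audiences = [(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: expected {expected_audience!r}, got {audiences!r}")

    # 4. Only now read the roles. Several Attribute elements may share a Name
    #    (vendors differ here), so collect values from all of them.
    roles = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == role_attr:
            roles.extend(v.text.strip()
                         for v in attr.findall("saml:AttributeValue", NS)
                         if v.text and v.text.strip())
    return roles


def rejection_reason(assertion_xml, trusted_issuer, expected_audience,
                     now=None, role_attr="Role"):
    """The ValueError message if the assertion is rejected, else None."""
    try:
        extract_roles(assertion_xml, trusted_issuer, expected_audience, now, role_attr)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(extract_roles(SAMPLE_ASSERTION, "https://idp.example.com",
                        "https://app.example.com", now="2012-06-01T12:30:00Z"))
```

The order of the checks is the point: issuer, time window and audience are enforced before any attribute is read, and a missing NotOnOrAfter is rejected rather than treated as "never expires". The `role_attr` parameter is where the vendor-to-vendor mismatch lands in practice; map it per IdP in configuration rather than hard-coding a name.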
Martin Raepple, product owner for SAP's NetWeaver cloud solution, doesn't believe there will be one major player in the cloud who will be in a role of managing identities centrally. He says, "Any attempts in this direction failed gloriously in the past, including the most prominent example of Microsoft's (.Net) Passport system."
Saldhana agrees: "Reasonably sized companies will not delegate IaaS hosting to another provider. I do not know the success of providing a software stack that enables companies to host their own identity providers. It is not about the technology alone. It is about the directories (Users/Roles/Partners/Customers)."
If Raepple's and Saldhana's pessimism holds, we could be stuck with a lot of point-to-point integration in the cloud, each link carrying its own trust configuration (signing certificates, metadata, attribute mappings) that has to be kept in sync.
In the near future, we'll probably have a combination of on-premises solutions integrated with the off-premises cloud. According to Raepple, "Many of the security vendors basically offer solutions today that extend the employees' SSO experience from the corporate network into the cloud -- and thereby hold/provision the employee identity into the vendor's cloud-based hub. Customers willing to accept this 'man-in-the-middle' approach will certainly adopt those solutions, but we as a platform also need to support native capabilities for SSO and federation."
This may give Microsoft a home court advantage.
Identity crisis is natural to immaturity
SAML, OAuth, OpenID, and others are still fairly new standards and haven't propagated evenly. In other words, this is still an area of active development in the standards space. Saldhana is involved in those efforts at OASIS. The cloud-specific work is still at the use-case identification stage, which is very, very early.
As sure as it rains in Redmond, the cloud is likely to complicate the mess that is identity. It may be difficult to go all-in cloud with identity, due to vendors engaging in their platform reindeer games and the general immaturity of the space. As Saldhana puts it, "It is a kind of wild, wild west in the public cloud space."
This article, "The looming cloud identity crisis," was originally published at InfoWorld.com. Read more of Andrew C. Oliver's Strategic Developer blog at InfoWorld.com.