The looming cloud identity crisis

For now the answer to most identity problems is on-premises Active Directory integration. In an all-in cloud architecture, what do we do?

Love it or hate it, Microsoft is the de facto standard in corporate identity. In truth, I think this is well deserved. Despite spotty support for standards, Microsoft's suite of products -- including Certificate Server, SCCM, the flagship Active Directory, and Active Directory Federation Services in combination with the core Windows login -- has long been the corporate identity standard.

As businesses move to the cloud, this situation will change. If you don't want to manage your own application servers, operating systems, and hardware and instead opt for the cloud, why would you want to manage an infrastructure for identity? This leaves us searching for the identity solution to what I call the "all-in" cloud architecture.


I hate to use the word "security" when talking about identity. But I often have to because it refers to a set of concepts that people understand. When I say "identity," I'm talking about the parts of security that are authentication and authorization -- who are you and what do you want? -- and how we provision that identity as a data construct.

XaaS identity scenarios

In the marketing avalanche of as-a-service acronyms (hereafter collectively referred to as XaaS), you'll find the emerging field of IDaaS, or identity as a service. The idea is that you can manage user identities with a Web application the way you'd manage prospects and sales in a CRM app.

But identity in the cloud is more than that. Let's say you created a user and declared her a salesperson with management responsibility. She might use Salesforce.com for CRM, Google Apps for email and documents, and a custom application deployed on a PaaS such as Cloud Foundry. That PaaS app might even call services on Salesforce and Google Apps.

In general, your IDaaS will use the SAML protocol to handle authentication and authorization to your various XaaSes. In some cases, the user may authenticate to the IDaaS and authorize on the XaaSes with the OAuth protocol. But what exactly is this IDaaS thing?

Should you stick with what you know?

One possibility is Microsoft's IDaaS. According to John Shewchuk, a Technical Fellow at Microsoft, "You can think of Windows Azure Active Directory as essentially Active Directory running in the cloud -- a multi-tenanted service with Internet scale, high availability, and integrated disaster recovery."

Microsoft's strategy supports both on- and off-premise Active Directory as well as hybrids between the two strategies. According to Shewchuk, the Azure Active Directory "is an open directory that can be used by any third-party application or service, and it supports industry standard protocols such as SAML, OAuth 2, and OData."

Or should you go with something cloudier?

There are other possibilities, such as PingOne by Ping Identity. Patrick Harding, CTO of Ping Identity, notes that "the cloud in 2012 is different from the on-premise world of 2002. Back then a proliferation of different directories emerged that were then subsumed by AD [Active Directory]. Most on-premise apps were tied to AD for authentication and role/group management."

In the future, as Harding sees it, "The cloud will require SSO and user directory/user store synchronization. There is no way to avoid this as every cloud app needs an identity store. Standards are required to make this function seamless (no database cheats in the cloud). Hence the relevance of SAML and SCIM. Each of the major platforms will likely support some derivative of these protocols -- Microsoft being the exception in Azure/Office 365 with their reliance on WS-Federation and Graph."

The first rule of Identity Fight Club

This points at an inherent conflict. When implementing identity solutions, you often run into the edge where Microsoft doesn't support SAML, but instead WS-Federation, a competing standard. Vendors throughout the history of identity in the on-premise space have failed to come up to speed on the latest standards (SAML 1.1 vs. 2.0) or even the same standards (SAML vs. WS-Federation). The consequence is a series of brittle integration points that often require custom software and nearly always complex configuration.

Your sole provider -- or else

To further complicate matters, many of your XaaSes want to be your sole provider. Anil Saldhana, lead JBoss security architect at Red Hat, says, "Most of the cloud providers, such as Salesforce and Google, provide the option of using a customer-hosted identity provider, which can be the sole holder of identity. The cloud providers would act as service providers and you can use SAML attributes to pass roles, etc."
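The SAML flow described above (the IDaaS or customer-hosted IdP asserts identity, the cloud app acts as service provider, and roles travel as SAML attributes) is shown below from the service provider's side as an added example that is not part of the article. It assumes hypothetical IdP and SP entity IDs, a constructed assertion, and that a real SAML library has already verified the XML signature; what remains are the checks on Issuer, validity window, Audience and the role attributes that keep an assertion minted for one XaaS from being replayed at another.

```python
"""SP-side checks on a SAML 2.0 assertion (added example, not from the article). Assumes the
signature was already verified by a real SAML library; checks Issuer, time window, Audience, roles."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml instead
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.example.com/"  # hypothetical customer-hosted IdP
SP_ENTITY_ID = "https://crm.example.net/"   # hypothetical cloud app acting as SP

# Constructed sample assertion (a real one also carries a ds:Signature element).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0"
    ID="_constructed-1" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="role">
    <saml:AttributeValue>sales</saml:AttributeValue><saml:AttributeValue>manager</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, skew=60):
    """Return (subject, roles) or raise ValueError; `skew` is the clock tolerance in seconds."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions/NotOnOrAfter")  # never accept an open-ended assertion
    tolerance = timedelta(seconds=skew)
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - tolerance:
        raise ValueError("assertion not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")) + tolerance:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("audience mismatch")  # assertion was minted for a different SP
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    roles = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    return subject, roles

def run_sample(now_iso, audience=SP_ENTITY_ID):
    """Apply the checks to the constructed assertion; return the result or the error text."""
    try:
        return validate_assertion(SAMPLE_ASSERTION, _ts(now_iso), audience=audience)
    except ValueError as err:
        return str(err)
```

The roles returned are what the SP would map onto its own permissions; an assertion that fails any check is rejected before that mapping happens.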

Martin Raepple, product owner for SAP's NetWeaver cloud solution, doesn't believe there will be one major player in the cloud who will be in a role of managing identities centrally. He says, "Any attempts in this direction failed gloriously in the past, including the most prominent example of Microsoft's (.Net) Passport system."

Saldhana agrees: "Reasonably sized companies will not delegate IaaS hosting to another provider. I do not know the success of providing a software stack that enables companies to host their own identity providers. It is not about the technology alone. It is about the directories (Users/Roles/Partners/Customers)."

If Raepple and Saldhana's pessimism holds true, we could be stuck with a lot of point-to-point integration in the cloud.

Hybrid identity

In the near future, we'll probably have a combination of on-premise solutions integrated with the off-premise cloud. According to Raepple, "Many of the security vendors basically offer solutions today that extend the employees' SSO experience from the corporate network into the cloud -- and thereby hold/provision the employee identity into the vendor's cloud-based hub. Customers willing to accept this 'man-in-the-middle' approach will certainly adopt those solutions, but we as a platform also need to support native capabilities for SSO and federation."

This may give Microsoft a home court advantage.

Identity crisis is natural to immaturity

SAML, OAuth, OpenID, and others are still fairly new standards and haven't propagated evenly. In other words, this is still an area of active development in the standards space. Saldhana is involved in those efforts at OASIS. The cloud aspect is still at the use-case identification stage, which is very, very early.

As sure as it rains in Redmond, the cloud is likely to complicate the mess that is identity. It may be difficult to go all-in cloud with identity, due to vendors engaging in their platform reindeer games and the general immaturity of the space. As Saldhana puts it, "It is a kind of wild, wild west in the public cloud space."

This article, "The looming cloud identity crisis," was originally published at InfoWorld.com. Read more of Andrew C. Oliver's Strategic Developer blog, and keep up on the latest developments in application development at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2012 IDG Communications, Inc.