New services may help drive standards-based identity federation adoption
As businesses and governments alike wrestle with the problem of making the internet more secure, federated identity has emerged as the clear winner for securely authenticating users to a cloud service (e.g. SaaS). Instead of relying on passwords, federation uses claims about a user that have been digitally signed and encrypted by an issuer you trust. One of the biggest challenges with federation is not its level of security but its adoption. Though the largest SaaS providers support it, thousands of mid-market and smaller vendors don't. Sometimes it's due to lack of in-house skill; sometimes it's because it's not seen as a priority. These sites still require you to log in manually with a user ID and password that you must maintain at the website.
My recent Market Watch article on the rise of identity management as a service (IDaaS) points out that IDaaS providers work around this problem by creating customized "screen scraping" and password vaulting solutions that take care of the dirty work of entering userids and passwords for web services that don't support federation. This is just a workaround, though, to the real problem: Federation standards need to be more widely adopted, and quickly, because new SaaS providers appear on a daily basis.
Ping Identity yesterday announced PingOne, a pair of IDaaS-related services with a different twist. Ping Identity has been part of the cloud identity scene for a number of years, and has offered its PingConnect identity service (which will be EOLed as a result of this announcement) for much of that time. The first of the new PingOne offerings is PingOne Cloud Access Services (CAS), which superficially resembles IDaaS providers such as Okta, Symplified, and others. To provide identity data to a cloud identity service like these, you must get the data from the enterprise identity store (such as Active Directory) to the cloud identity service. Most IDaaS providers accomplish this with an on-premises agent that makes AD queries and passes the LDAP query results to the identity service, encrypted in transit via SSL. CAS differs from other identity connectors in two ways. First, the connection between the identity service and the identity provider can be configured as fully federated, so passwords never leave the domain and the connection is fully standards compliant. You must have an on-premises federation service such as PingFederate or Microsoft's Active Directory Federation Services to do this.
The second difference is on the other end of the connection: the SaaS provider. If you think of an IDaaS portal as a marketplace of SaaS applications, then unlike other IDaaS providers, CAS only supports service provider partners that understand federation. This provides an end-to-end, standards-based solution that uses SAML, OpenID, OpenID Connect, SCIM, and OAuth. This is what Jonathan Buckley, vice president of Ping Identity's on-demand business unit, describes as a Tier 1 SSO solution.
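The mechanism the article relies on in both places (signed claims from a trusted issuer, and a connection on which the user's password never leaves the enterprise domain) is easy to see in miniature. The following is an added example, not code from the article or from Ping Identity: an identity provider issues a signed claim set about a user, and a service provider accepts it only if the issuer is in its trust store, the signature verifies, the audience names this service, and the validity window has not lapsed. Real SAML and OpenID Connect assertions are signed with the issuer's private key and verified with its published certificate; this stdlib-only model substitutes an HMAC key per issuer so it runs without dependencies, and the issuer URL, key and subject are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: issuer -> verification key. With SAML/OIDC this would
# be the issuer's signing certificate; here it is a shared HMAC secret (assumption
# made so the example runs on the standard library alone).
TRUSTED_ISSUERS = {
    "https://idp.example-enterprise.test": b"constructed-idp-key-0001",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, subject, audience, lifetime_s=300, now=None):
    """Identity-provider side: the user authenticated against the enterprise
    directory; only signed claims about them leave the domain, never a password."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": int(now), "exp": int(now) + lifetime_s}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_assertion(token, expected_audience, now=None):
    """Service-provider side: accept claims only from a trusted issuer, with a
    valid signature, addressed to this service, inside their validity window."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".")
        claims = json.loads(_b64url_decode(body))
        sig = _b64url_decode(sig_text)
    except ValueError:  # covers unpack errors, bad base64 and bad JSON
        raise ValueError("malformed assertion")
    if not isinstance(claims, dict):
        raise ValueError("malformed assertion")
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("aud") != expected_audience:
        raise ValueError("assertion not intended for this service")
    iat, exp = claims.get("iat", 0), claims.get("exp", 0)
    if not (iat - 60 <= now < exp):  # 60 s clock-skew allowance
        raise ValueError("assertion expired or not yet valid")
    return claims


def assertion_status(token, expected_audience, now=None):
    """Return "ok" or the rejection reason, in the form an SP would log."""
    try:
        verify_assertion(token, expected_audience, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    idp = "https://idp.example-enterprise.test"
    tok = issue_assertion(idp, TRUSTED_ISSUERS[idp], "alice",
                          "https://saas.example.test", now=1_000_000)
    print(assertion_status(tok, "https://saas.example.test", now=1_000_100))
    print(assertion_status(tok, "https://other.example.test", now=1_000_100))
```

Each rejection branch corresponds to a check a real SAML or OIDC relying party performs (issuer trust, signature, audience restriction, NotBefore/NotOnOrAfter); a screen-scraping or password-vault workaround of the kind the article describes has none of these, because it simply replays the stored password.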
The drawback of CAS supporting only federated partners is that federation support hasn't reached medium and smaller SaaS providers. This is where the second PingOne component, Application Provider Service (APS), comes into play. APS is designed to make federation-enabling a SaaS provider easy: a one-day process. APS is interesting because it targets the need for easy federation support across a variety of web applications, especially among mid-market and smaller companies where federation was previously just not feasible. It is, to my knowledge, the first product in the market to do this. Further, it does this as a service, which provides Ping with continuing revenue from APS's subscribers. And in the broader sense, APS's success will help speed federation's adoption.
The primary use case for APS is to enable federation for B2B partners. For example, a large enterprise that has on-premises federation installed and uses a network of suppliers that may not have it can require (or pay for) them to enable federation through APS, thus increasing security and eliminating duplicate identity stores. As I mentioned, it seems to be a quick way for SaaS vendors to provide federation services to their increasingly federated customers. And once federated, these SaaS vendors can also be part of the PingOne CAS marketplace.
PingOne offers two subscription-pricing options. PingOne Application Provider Services starts at $5,000 per application per year. PingOne Cloud Access Services is available for as little as $5 per user per month.
PingOne is built on Internet-scale architecture and is globally load balanced for very low response latency on any continent. All operations are monitored 24x7x365 in the PingOne Network Operations Center.