Do we have a round wheel? Thoughts on Identity standards

Ian GlazerSenior Director, IdentitySalesforce Identity@iglazer

Do we have a round wheel yet?

Why do humans continually reinvent what they already

have?

1.functional thing2.attempt to “fix” it3.break it4.fix it5.functional++

thing

Why is it that we reinvent the wheel?

Eventually we get a round one.

Why do we do this in the world of

identity?

< … >

{ … }

We reinvent the wheel when tasks

change

SOASOAPXML

servicesSOAPXML

servicesRESTXML

servicesRESTJSON

IAM has to stay contemporary

The load our IAM wheels have to carry

has changed.

IAM in transition

Right AccessRight PeopleRight Time

Right ExperienceRight PeopleRight Time

Right ExperienceRight People &

ThingsRight Time


ThingsRight TimeRight Place

But that’s not all

firstNamelastNameemailmobileounicknametitle…




Reasonably large number of identities with a reasonable

number of attributes

We are being askedto haul more and different identities

deviceIDfirmware

deviceIDfirmware

deviceIDfirmware

deviceIDfirmware

25,000,000,000?

50,000,000,000?

Unreasonably large number of identities with a few attributes

Reports to

Reports toReports to

Works with

Reports to


Owns

Works with

Owns

Reports to


Owns

Owns

Owns

Sends data to

Gets data from

Owns

Paired with

Uses

Controls

Works with

Reports to


Owns

Owns

Owns

Sends data to

Gets data from

Owns

Paired with

Uses

Controls

Owns

Uses

UsesConstrains choice of

Works with

Reports to


Owns

Owns

Owns

Sends data to

Gets data from

Owns

Paired with

Uses

Controls

Owns

Uses

UsesConstrains choice of

Sends data to

Ridden in

Ridden in

Works with

Unreasonably large number of

relationships between

unreasonably large numbers of people and things, each with attributes

1.Authentication2.Authorization3.Attributes4.User Provisioning

Authentication

Authentication Round

Multiple ProtocolsMultiple Standards

ComplexityMaturity

OpenID Connect could use a few

more miles on the road

But you should start today with it

What about representing identity

assurance?

Can we harmonize levels of assurance?

Should we?

myLOA 2 = urLOA 3.1

You’ve been proofed.You’ve been

authenticated.

So what?

Deployment matters.

Poorly deploying strong

authenticationmakes it

weak authentication.

LOA?Trust Framework?

Start here?

Authentication’s wheel still has lumps

1.Reinvention2.IAM’s Collective

Shame

Reinventingjust to

reinvent

OAuth A4C

OAuth A4C

IAM’s collective shame

Password Vaulting

The need forpassword vaulting

We’ve had fully workable

authentication standards for years

Yet we stillpassword vault

Not enoughservice provider

enablement

SP’s not acting on behalf of their

customers’ interests

Standards-based authentication

(Standards-based user provisioning

too)

Mobile-optimized authN will

(hopefully) force SPs to act

Killing passwords is IAM’s new black

Killing the need for password vaulting

More reasonableMore achievableMore effective

Authentication standards

Federated SSO

2017

ADD ROUND PICTURE!

Authorization


Authorization Not Round*

1.Over-inflated2.Flat

XACML cando anything

Things that allow you to do anything

tend to make it hard to do anything

Focus on the PAPsnot the protocol

XACML must be contemporary

REST & JSONare good steps

forward

Could be usedto represent authorization

decisions

Semantics of scopes?

Binding obligations=

duties of actors

Still needs more miles on the road

Enterprise-to-Enterprise use cases, please?

How can a thing make a decision with

more autonomy?

How can we make decisions closer to

theplace and time of

use?

Actionable relationships

Can perform actions Q, W, and E

Can perform actions X, Y, and Z





?

?

ADD NOT ROUND WHEEL

Attributes



Attributes Roundish

The Sad Magic of Commas.

1.Access2.Representation

Access

Optimized for the modern web?

Graph APIsUserInfo Endpoints

ADAP

LDAP?

Optimized for the modern web!

Representation

Name-Value Pairs

Name-Value Pair is the

new comma

Name-Value Pairs

Ubiquitous ✅

Standard Schema ❌

Anyone else miss inetOrgPerson?

inetOrgPerson for a new generation?

hipsterOrgPerson

dn:cn=Barbara Jensen, ou=WhatEvs, dc=company, dc=comobjectclass:topobjectclass:personobjectclass:hipsterOrgPersoncn: Barbara Jensennickname: DaisyfavBand: no one you’ve ever heard ofwhatRUHaving: Fireball with a picklebacktitle: social media gurutwitter: @daisypop89email: [email protected]: 11211country: USA! USA!telexNumber: is that like a fax or something?

Make SCIM schema the standard?

Standardizing schema can only

work in communities of interest

User Provisioning



Attributes Roundish

User Provisioning

Near Roundish

SPML

SPML v2 was not round

DSML v2 was round

But neither are well suited for the modern web

Others is supporting it.

Others are supporting it.

Join us!

Needs more miles on the road

Solid use case representation

Employee IdentityUser Provisioning

Customer IdentityUser Provisioning

Customer IdentityProfile Management

SCIM can handle both

ADD ROUNDISH WHEEL

How round are the identity wheels?



Attributes Roundish

User Provisioning

Near Roundish

Do we need things other than wheels?

How do you discover the identity services

of a service provider?

Besides RTFM?

How do you knowif they use

SAMLSCIM

proprietary attribute API

FIDO U2F?

How do we connect our orgs andour identity services?

How do we kickstart relationships without

paying p2p costs?

Hubs and axles for our roundish wheels

Remove the heavy lifting for providing

and consuming services

This is where we must go.

Our future

People and things more closely related

Identity asbusiness enabler

Right AccessRight PeopleRight Time

Right ExperienceRight PeopleRight Time


ThingsRight Time


ThingsRight TimeRight Place

We are going to shoulder a heavy

load.

Round wheelWorkable standards

Making and measuring progress

We need a set of design

considerations.

The Laws of Relationships• Acknowledgeabl

e• Actionable• Constrainable• Contextual

•Immutable •Provable•Revocable•Scalable•Transferrable

Identity Relationship Management

Working Group

Joni Brennan@jonibrennan

Allan Foster@guruallan

1. Adopt standards

If you don’t,you are inventing your own wheel

That is a short-term optimized strategy

at best.

If the current ones don’t work for you, bring out your use

cases.

Kelly Grizzle@kelly_grizzle

Nat Sakimura@_nat

Leif Johansson@leifjohansson

Maciej Machulak@mmachulak

John Bradley@ve7jtb

2. Help others to adopt

Build SDKsto help people use OpenID and SAML

Support open source implementations of

SCIM and OAuth

Start with your organization’s developers,

then help the community.

3. Demand standards

From your identity technology providers.

Demand standards

From your business service providers.

Demand standards

From your own developer teams.

Demand standards

If for no other reason than to kill off the need for

password vaulting.

Demand standards

A round wheel≠

the goal

A great spec is satisfying

A great spec is satisfying

Pamela Dingle

@pamelarosiedee

Chuck Mortimore

@cmort

Eve Maler

@xmlgrrl

David Brossard

@davidjbrossard

Susan Morrow

@avocoidentity

Brian Campbell

@__b_c

but it isn’t the end goal.

We reinvent the wheel,

we revisit and rebuild our standards

to get round, beautifully

functioning ones

to carry the loads we must shoulder,

to get us where we need to go

in this era of modern identity.

Thanks!

Technology

Do we have a round wheel? Thoughts on Identity standards