A highlight of PingFederate 7 is support for new identity standards: SCIM (System for Cross-domain Identity Management) and OpenID Connect. SCIM is a provisioning standard currently managed by the Internet Engineering Task Force (IETF). It is an automated standard that provides inbound and outbound user provisioning for corporate directories and SaaS providers, replacing proprietary or manual provisioning methods. OpenID Connect, an emerging authentication and authorisation standard from the OpenID Foundation, consolidates access control for both web applications and APIs into one framework, making it easier to secure web applications and their underlying APIs.
Businesses today need to build federated relationships with customers, suppliers and channel partners to succeed. SaaS providers want their applications to appear as an extension of the security and identity management infrastructure their enterprise customers already have. The challenge is to build these cross-domain relationships while balancing the need for security and convenience.
The problem, according to Forrester Research, is that, “In today’s dynamic environment, IT should have the ability to enable all legitimate access by workforce members to software-as-a-service (SaaS) apps and by partners to internal apps — and block all illegitimate access. Unfortunately, most organizations have built multiple user stores that often lack quality data. This doesn’t scale well as the adoption of SaaS apps grows and the number of partners increases.”
Automating provisioning with SCIM across domains ensures that legitimate users can access their applications easily while unauthorised users cannot. Support for SCIM in PingFederate 7 reduces potential threats that can result from accounts left open after an employee leaves an organisation. Using PingFederate 7, identity providers can automate user provisioning from an organisation’s identity store into SaaS applications, replacing a time-intensive manual or proprietary process. A service provider, such as an HR SaaS application chosen to manage employee information, can also provision a user back into its customer’s organisation as part of an on-boarding process.
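The two SCIM operations behind the workflow described above, as an added example (not code from the article or from Ping Identity's product): an identity provider creates a SaaS account with a SCIM 2.0 `POST /Users` body and closes a leaver's account with a `PATCH` that sets `active` to false; the reconciliation function then finds the "accounts left open" risk the article mentions, i.e. SaaS accounts still active for users who no longer exist in the authoritative directory. The schema URNs and attribute names are the standard ones from RFC 7643 and RFC 7644; the directory listing and the SaaS `/Users` listing are constructed sample data, and the `/Users/{id}` paths are assumed to be those of a generic SCIM service provider.

```python
import json
from typing import Iterable

# SCIM 2.0 identifiers defined in RFC 7643 (schema) and RFC 7644 (PatchOp).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data: the authoritative corporate directory versus what a
# SaaS provider's GET /Users listing currently contains.
DIRECTORY = ["alice@example.com", "bob@example.com"]
SAAS = [
    {"id": "u-1001", "userName": "alice@example.com", "active": True},
    {"id": "u-1002", "userName": "bob@example.com", "active": True},
    {"id": "u-1003", "userName": "carol@example.com", "active": True},   # left the company
    {"id": "u-1004", "userName": "dave@example.com", "active": False},   # already closed
]


def build_create_user(user_name: str, given: str, family: str, email: str) -> dict:
    """Body for POST /Users: the outbound provisioning call an identity
    provider makes when a new employee appears in the corporate directory."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def build_deactivate_patch() -> dict:
    """Body for PATCH /Users/{id}: flips 'active' to false, which closes a
    leaver's SaaS account while keeping its record (and audit trail) intact."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def find_orphaned_accounts(directory_users: Iterable[str], saas_users: Iterable[dict]) -> list:
    """Reconciliation check: SaaS accounts that are still active although their
    userName no longer exists in the directory. A non-empty result means
    deprovisioning did not happen and is worth alerting on."""
    known = {u.lower() for u in directory_users}
    return sorted(
        u["userName"] for u in saas_users
        if u.get("active", False) and u["userName"].lower() not in known
    )


def plan_deprovisioning(directory_users: Iterable[str], saas_users: list) -> list:
    """Return (method, path, body) tuples, one deactivation PATCH per orphan."""
    by_name = {u["userName"].lower(): u for u in saas_users}
    return [
        ("PATCH", f"/Users/{by_name[name.lower()]['id']}", build_deactivate_patch())
        for name in find_orphaned_accounts(directory_users, saas_users)
    ]


if __name__ == "__main__":
    print(json.dumps(build_create_user("erin@example.com", "Erin", "Example", "erin@example.com"), indent=2))
    for method, path, body in plan_deprovisioning(DIRECTORY, SAAS):
        print(method, path, json.dumps(body))
```

Deactivation rather than deletion is the usual choice for leavers: the SaaS side keeps the user's history for audit purposes, and the account can be re-enabled if the departure was recorded in error. Running the reconciliation on a schedule, independently of the provisioning connector, catches the cases where a SCIM call failed silently.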
With the proliferation of mobile and web applications, passing identity details to target applications requires developers to write an increasing amount of code. This adds complexity, cost and time to each application development effort and lacks scalability. With OpenID Connect’s lightweight, API-friendly framework, developers can extend identity details maintained in existing identity management products in a consistent and secure manner to cloud and mobile apps.
New support for OpenID Connect in PingFederate 7 gives IT a future path for an Internet-scale identity and access management solution that doesn’t compromise security. With PingFederate 7, developers gain a pathway to include identity in any application using the IT organisation’s existing policies and investments in a centralised access management system.
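What "including identity in any application" with OpenID Connect comes down to on the application side is validating the ID token the provider issues. The following is an added example, not code from the article or from PingFederate: it mints a small HS256-signed ID token (constructed; a production provider would typically sign with RS256 and publish its keys) and then performs the checks OpenID Connect Core requires of a relying party: pinned signing algorithm, signature, `iss`, `aud`/`azp`, `exp` and `nonce`. The issuer URL, client id and shared secret are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder values for a hypothetical OpenID provider and client.
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = "constructed-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: str) -> str:
    """Mint an HS256 ID token (JWT). Constructed for the example only."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, secret: str, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.
    Follows the relying-party checks in OpenID Connect Core section 3.1.3.7."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm the client was configured for; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    # With several audiences the authorized party must be this client.
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp mismatch")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def example_claims(now: float) -> dict:
    return {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
            "iat": int(now), "exp": int(now) + 300, "nonce": "n-0123"}


if __name__ == "__main__":
    t = time.time()
    token = sign_id_token(example_claims(t), CLIENT_SECRET)
    print(validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, "n-0123", now=t))
```

The nonce is what ties the token to the session that started the login; a client that skips that check, or accepts whatever `alg` the token header names, undoes most of the security the standard provides.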