Ian Glazer

A member of the Gartner Blog Network

Ian Glazer
Research Vice President and Agenda Manager
4 years at Gartner
16 years IT industry

Ian Glazer is a research vice president and agenda manager on the Identity and Privacy Strategies team. He leads IdPS' coverage for authorization and privacy. Topics within these two main areas include externalized authorization management, XACML, federated authorization, privacy by design, and privacy programs.

A glimpse of the future: Salesforce Identity

by Ian Glazer  |  September 19, 2012  |  8 Comments

Today salesforce.com unveiled its entrance into the identity market with a set of identity capabilities, and the market may never be the same. Salesforce.com’s identity capabilities include a federation identity and service provider as well as some user provisioning services. These capabilities use the existing Salesforce user store (and associated schema) as their identity repository, which can then be referenced and leveraged via the other identity services. Furthermore, these identity services are available not just in classic salesforce.com, but in Force.com and Heroku applications as well.

You’re likely asking, “Federation and user provisioning – how is that a glimpse of the future?” Taken in isolation, you are right; federation and user provisioning aren’t futuristic or anything special to crow about. But the crucial thing to note is that salesforce.com isn’t thinking about identity in isolation, and isn’t deploying identity in isolation. Salesforce.com isn’t offering identity by itself but is instead offering identity within the context of PaaS, delivered, managed, and licensed as such. Become a Salesforce customer and you get identity, not as a side dish added in for free, but as something baked right into the applications. It is also crucial to note that salesforce.com went well beyond just integrating its own bits and is offering identity services to help integrate and manage non-Salesforce services and identities.

These identity services, with undoubtedly more to come, are woven into not only crucial business applications (like CRM) but into salesforce.com’s PaaS infrastructure. Identity just happens! This is the future of identity services. Identity gets delivered in the context of something the business and IT as a whole care about.

From a market perspective, this is a huge deal. Cloud-delivered federation and web SSO providers are going to feel salesforce.com’s presence in a major way. New market battlelines are being drawn. The old fight between identity suite vendors will give way to the new fights between salesforce.com, Microsoft Office365 + Azure, and Oracle Public Cloud. This changes the balance of the identity ecosystem and it is too early to tell how smaller identity vendors will fit in this coming world.

I know full well that an announcement does not a happily deployed customer make, and salesforce.com will have to prove to the market it can deliver all of this magical identity goodness. But I will give them credit for taking a standards-based approach by not only supporting SAML 1.1 and 2.0 but also OAuth, OpenID Connect, and SCIM. Not only does standards support facilitate identity services, it will also make integrating Salesforce Identity with your identity bridge and on-premise identity infrastructure far easier than if salesforce.com took a proprietary approach. Furthermore, as our upcoming “2013 Planning for Identity and Privacy” will point out, this sort of delivery of identity services can only happen when those services are standards based.

If announcements like this are any indication, the next 18 months are shaping up to be some of the most interesting in the history of identity management.


Category: cloud Federated Identity federation IAM Identity Management Market

8 responses so far ↓

  • 1 Lance Peterman   September 19, 2012 at 12:14 pm

    Curious to see how SF manages enterprise demand for this. Our preference is to use SSO against our IdP vs. theirs. Given how differently we treat our sales force, however, I could see a business case for having a separate SF identity and let SCIM manage the provisioning events if the offering is as robust as it sounds.

  • 2 Ian Glazer   September 19, 2012 at 12:32 pm

    I think the pattern you describe is pretty common. But using Salesforce’s IdP to do onward SSO to things like Concur for your sales team might be a fairly compelling pattern as well. I’ll be curious to see how much just-in-time provisioning SF will be able to do.

  • 3 Roland Tepp   September 20, 2012 at 5:02 am

    It’s good to see a big business like SalesForce seeing the bigger picture in the federated services.

    Let’s hope they pull it off and can show the general business world what the potential business value of such services can be.

    (I do have a painful memory of a few years back when I tried to sell the idea of using federated identity to business people building a SaaS platform and basically banging my head against the brick wall of misunderstanding)

  • 4 Identity at Defrag « Defrag 2012   September 20, 2012 at 9:08 am

    […] forward to 2012 (has it taken THIS LONG?). Yesterday, Salesforce.com announced their Identity offering. And, for whatever reason, something clicked for me. I’ve spent the last six years digging […]

  • 5 Brendon J. Wilson   September 20, 2012 at 6:29 pm

    Any mention of strong authentication in the mix? It seems weird to have everyone talk about consolidating identity without addressing the vulnerability of relying on username / password-based authentication…

  • 6 Ian Glazer   September 20, 2012 at 6:33 pm

    I believe I saw OTP and OOB SMS mechanisms, but I need to dig and confirm

  • 7 Brendon J. Wilson   September 25, 2012 at 11:47 pm

    Hmm, I’m wondering if that conversation might not go a little something like:

    Wonk: “Hey, let’s put all our stuff in the cloud behind a single sign-on system to simplify access and drive down costs.”

    Security/compliance guy: “And what about protecting it from malicious access?”

    Wonk: “Uh, well, we could deploy expensive hardware tokens, mobile phone apps (assuming people’s phones support them – not everyone has an iPhone or Android), or slow, failure-prone OOB SMS?”

  • 8 Brendon J. Wilson   September 25, 2012 at 11:47 pm

    *Sound of trapdoor opening under Wonk’s feet*