Mary Ruddy

A member of the Gartner Blog Network

Mary Ruddy
Research Director
1 year at Gartner
26 years IT Industry

Mary Ruddy is a Research Director on the GTP Identity and Privacy Strategies team. Read Full Bio

One Small Step for OpenID Connect, a Giant Leap for the Evolution of Identity Management

by Mary Ruddy  |  February 28, 2014  |  3 Comments

The announcement that the OpenID Foundation membership had ratified the OpenID Connect standard marks a major milestone in the evolution of digital identities.

Organizations that have been holding off on using OpenID Connect because it wasn’t yet an “official standard” should now feel comfortable with using it. OpenID Connect has been stable for a couple of years. It has been through 5 rounds of identity community interoperability testing and is being used in production by companies such as Google and Deutsche Telecom.

In a world where digital connections are becoming ubiquitous, the ability to create and evolve “networking” standards to meet new needs has become a more important skill. In creating OpenID Connect, the third generation of OpenID protocols, the OpenID foundation managed to balance having a core team that is small enough that the standard is concise and internally consistent, with being part of a community that is large enough to vet the standard and drive adoption. This in itself is a major accomplishment. Some standards organizations bring too many “cooks” into the process too soon.

OpenID Connect has been designed like the game of GO. It makes it very easy to do simple things such as enabling a website to accept OpenID Connect identities; yet also makes it possible for organizations to support more complex use cases including issuing secure (higher level of assurance (LOA)) identities. Like SAML, it supports signed and encrypted tokens, but OpenID Connect tokens are designed for today’s REST-based application development practices. It uses the new compact JSON Web Tokens (JWTs), which can be digitally signed or encrypted, for session ID tokens and OAuth access tokens. JWTs in turn, rely on the new JOSE specification (JSON Object Signing and Encryption.)

OpenID Connect leverages learnings from many identity standards that preceded it, including SAML, WS-Federation, OAuth and OpenID 2.0. It can be considered a superset profile of OAuth 2.0. So it is new, but it already has the wisdom of experience. OpenID Connect is designed to be much easier to use than SAML. But what is really wonderful about OpenID Connect is that it is good enough. Now when a group needs to work on a new identity use case (e.g. SSO for mobile) they use OpenID Connect as a starting point rather than feeling the need to start from scratch.

Kudos to the specification team and to the companies who sponsored them!


Category: Uncategorized     Tags:

Another Step for Federation Standards (SAML) and Cloud Infrastructure

by Mary Ruddy  |  November 15, 2013  |  Comments Off

Amazon Web Services (AWS) has announced initial support for the SAML (Security Assertion Markup Language) 2.0 open identity federation standard. This will enable federated single sign-on (SSO) “empowering users to sign into the AWS Management Console or make programmatic calls to AWS APIs, by using assertions from a SAML-compliant identity provider (IdP).”

This is good news for the many companies with an investment in the SAML standard, and a big step towards bridging the gap between enterprise use of identity standards and support for identity standards in infrastructure-as-a- service (IaaS) and platform-as-a-service (PaaS). It still leaves unaddressed identity standard support for user authentication to applications hosted within AWS. It would be great if AWS would provide security token service (STS) support to make it easier for new applications built on AWS to accept user identities based on federation standards. Lots of new cloud applications are being built on AWS. If more of them were built using identity standards, the world would be a safer and more convenient place.  

Hopefully this is the first of many related announcements that will someday also include JIT provisioning to help on board engineers; and support for OAuth 2.0, OpenID Connect and SCIM standards.

Comments Off

Category: Uncategorized     Tags:

A warm welcome to the Shibboleth Consortium!

by Mary Ruddy  |  May 20, 2013  |  Comments Off

Congratulations to the Shibboleth project on the launch of the Shibboleth Consortium .

The Shibboleth project is an open-source implementation of SAML that is widely used by research and educational institutions. It is great to see the official launch of the international Consortium, which will provide a mechanism for the Shibboleth community to make financial contributions to the Shibboleth project. The Consortium is intended to be a lightweight support function for the Shibboleth project. The creation of the Consortium will enable the Shibboleth project to focus on its technical work.

As the use of federation technology becomes more and more mainstream, it is important that there are a variety of options for acquiring and consuming federation technology. Open source is a key option. Another important option in some industries is an operating identity federation hub such as the InCommon Federation. The InCommon Federation operates an identity trust framework used by almost 6 million end-users in higher education institutions. Hundreds of educational and research institutions leverage the Shibboleth software as part of this federation.

Comments Off

Category: Uncategorized     Tags:

Evolution of Modern Federation

by Mary Ruddy  |  April 24, 2013  |  Comments Off

One of the first areas I’m focusing on at Garter is identity federation. SaaS, mobile, social identities and IDaaS are driving new federation challenges. Federation architecture is evolving rapidly to meet these new needs and becoming more central to identity and access management (IAM).

Because of all this change, organizations need to think more broadly about their federation requirements.  The federation space is a now huge and there are many perspectives.  There is so much happening in the federation space that I’m publishing my initial federation research as a two part series.  The first research note, Evaluation Criteria for Federation Technology, is now available to GTP subscribers.  Organizations evaluating federation solutions require a complete list of criteria to objectively assess and compare products. This document identifies a forward-looking list of criteria to be considered when adopting an enterprise-grade federation solution.

The second research note in the series will be a companion piece on modern trends in federation and their effect on Identity and Access Management (IAM) architecture.  This document will help you find the signal amidst all the noise.

Even two documents can’t begin to cover everything about federation, and it was difficult to determine what to include, but these first two documents will provide some guideposts.

Comments Off

Category: Uncategorized     Tags:

What Does Federated Identity Mean in a World of Modern Identity and Access Management?

by Mary Ruddy  |  February 15, 2013  |  2 Comments

The forces of cloud, mobile devices, social media and electronic data (context) continue to drive new waves of change in the Identity and Access Management (IAM) space. (Gartner calls these forces the Nexus of Forces.) Originally the phrase “federated identity” meant that that partners could use their own logins to access enterprise resources, or an employee could access multiple systems from different without having to login multiple times using different credentials (Single Sign-On.)  Specific technologies and standards were developed to support these use cases. Now new challenges and opportunities are driving new types of IAM. For example, some companies are allowing customers to login using social media credentials (Facebook, Gmail, etc.)  This is also leveraging “electronic identity credentials and attributes across system domains to support real-time sessions or transactions”, but it uses very different technologies.  Does this mean that federation is becoming more important (based on the general functional definition of federation?) Or does this mean that federation is becoming less important because a smaller percentage of transactions use traditional federation tools in a traditional way? Normally one resolves such questions by using the definition preferred by the buyer or end user, but end users tend to talk about reusing logins , and buyers of IAM software typically refer to SSO.  In general, neither group talks about identity federation.  I’ve been tasked to think about the future of federated identity and I’ve been thrashing back and forth about whether “federation” is becoming more prevalent or going away. One thing is certain, the boundaries on the old narrow definition of federation are blurring and increasingly the word federation doesn’t bring clarity to the discussion.


Category: Uncategorized     Tags:

SAML Single Sign-Off

by Mary Ruddy  |  February 11, 2013  |  Comments Off

Single Sign-On (federated and enterprise) is part of my initial core coverage area. One of the classic challenges with Single Sign-On (SSO) is that is it single sign-on and not single sign-off. So I was very pleased to see that the OASIS Security Services (SAML) TC has recently approved and published the SAML V2.0 Asynchronous Single Logout Profile Extension Version 1.0 Committee Specification 01.  This new extension allows “the initiator to indicate that it does not expect to receive a response from the session authority”.  This helps UI design in “deployments that want the identity provider to control the user experience during logout.”  It is important that we keep chipping away at the challenges of single sign-off.

Comments Off

Category: Uncategorized     Tags:

Hello World

by Mary Ruddy  |  February 5, 2013  |  1 Comment

It has been a wild first few months at Gartner. IAM Summit, was my first time presenting at a Gartner event (Amazon Web Services and Identity; and Identity Bridges: enabling Hybrid Cloud Architectures) as a Gartner employee rather than as a guest. The Summit’s three days went too fast and I wish there had been more time to talk with those who were there. Now that I’m almost settled in, I’m looking forward to blogging here. 


1 Comment »

Category: Uncategorized     Tags: