Last week was the Internet Identity Workshop. It is hard to believe it is the 14th IIW; it has definitely come a long way in both attendance and content. I think the biggest takeaway from IIW for an enterprise IAM professional is – be ready to coexist.
Identity standards, such as OpenID Connect and SCIM, are evolving rapidly. There were no fewer than three sessions on SCIM at which the curious and the contributors wrangled out issues. (As I commented on Twitter, I really wish that IIW existed back when we were working on SPML – a lot of pain could have been avoided.) I am cautiously optimistic that SCIM will gain appreciable traction in the next year, and the same is true of OpenID Connect.
In the not-too-distant future, our SAML infrastructures are going to have to be commingled with our OAuth and OpenID Connect infrastructures. (I highly recommend reading the notes from the enterprise OAuth infrastructure session.) Our proprietary provisioning connectors will push attributes alongside our SPML and SCIM-based connectors.
Although we might be ready for coexistence at the protocol level, we certainly aren’t there at a policy and semantics level. Getting a complete picture of who a person is, what they access, and why they have that access is only getting more complicated. Constructing administrative and runtime authorization policies that work in concert, across multiple protocols, is just not something that happens these days. Answering the question “who can do what” still requires a human to be involved to correlate policy and audit information from a variety of sources. As our identity universe expands and we have to serve more constituents across more devices via more protocols, the need for better analytics and policy only continues to grow. That’ll make a good session for the next IIW…