Last week was the Internet Identity Workshop. It is hard to believe it is the 14th IIW; it has definitely come a long way in both attendance and content. I think the biggest takeaway from IIW for an enterprise IAM professional is – be ready to coexist.
Identity standards, such as OpenID Connect and SCIM, are evolving rapidly. There were no fewer than three sessions on SCIM at which the curious and the contributors wrangled out issues. (As I commented on Twitter, I really wish that IIW existed back when we were working on SPML – a lot of pain could have been avoided.) I am cautiously optimistic that SCIM will gain appreciable traction in the next year, and the same is true of OpenID Connect.
In the not-too-distant future, our SAML infrastructures are going to have to be commingled with our OAuth and OpenID Connect infrastructures. (I highly recommend reading the notes from the enterprise OAuth infrastructure session.) Our proprietary provisioning connectors will push attributes alongside our SPML and SCIM-based connectors.
Although we might be ready for coexistence at the protocol level, we certainly aren’t there at a policy and semantics level. Getting a complete picture of who a person is, what they access, and why they have that access is only getting more complicated. Constructing administrative and runtime authorization policies that work in concert, across multiple protocols, is just not something that happens these days. Answering the question “who can do what” still requires a human to be involved to correlate policy and audit information from a variety of sources. As our identity universe expands and we have to serve more constituents across more devices via more protocols, the need for better analytics and policy only continues to grow. That’ll make a good session for the next IIW…
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.