Thursday, January 11, 2007

Identity Management and On-demand Software

TheCompany is both a producer and a consumer of on-demand software.

Identity management with on-demand software is challenging.

There are a number of scenarios:

  1. TheCompany is the Application Service Provider (ASP). A client requires Single Sign-on (SSO) for users already authenticated in the client's domain.

  2. TheCompany is the consumer of an on-demand web app hosted elsewhere. TheCompany requires that access to the on-demand web app be limited to a subset of its corporate users.

  3. TheCompany is at once the producer and consumer: it has deployed on its "extranet" a web app that should only be accessed by a subset of corporate users.

Centralized user management needs to be part of the solution because the proliferation of user data stores would make rapid provisioning and de-provisioning of users very challenging. Also, centralized user management potentially enables the "paper trail" needed for regulatory compliance with, for example, SOX or HIPAA.

One solution for all three scenarios is delegated authentication that integrates with the Corporate Directory (LDAP).

With delegated authentication there is an identity provider -- sxip in our picture. The on-demand app redirects the user to the identity provider, and the identity provider authenticates the user with the Corporate Directory. SAML is used to pass authentication and, if needed, authorization information between the identity provider and the service provider.

This is a Single Sign-on solution.
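As an added example (not code from the original post or from Sxip's product), these are the checks the on-demand app, acting as service provider, should perform on the SAML assertion it receives back from the identity provider before trusting it: trusted issuer, validity window, audience, and membership in the directory group that defines the allowed subset of corporate users. The assertion, the issuer and audience URLs and the LDAP group name are constructed placeholders, and verification of the XML signature over the assertion is assumed to have happened before these checks.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, as the identity provider would send it after
# authenticating the user against the corporate directory (placeholder names).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2007-01-11T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-01-11T10:00:00Z" NotOnOrAfter="2007-01-11T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cn=extranet-users,ou=groups,dc=example,dc=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime values such as 2007-01-11T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, required_group, now):
    """Service-provider checks on one assertion; returns (accepted, reason, name_id).

    Assumes the XML signature over the assertion has already been verified against
    the identity provider's certificate; an unverified assertion is rejected earlier.
    """
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=SAML) != expected_issuer:
        return False, "issuer is not the trusted identity provider", None
    cond = root.find("saml:Conditions", SAML)
    if cond is None:
        return False, "assertion carries no Conditions", None
    not_before, not_after = parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", SAML)]
    if expected_audience not in audiences:
        return False, "assertion was issued for a different service provider", None
    # Authorization: only the subset of corporate users in the required directory group may enter.
    groups = [v.text for v in root.iterfind(
        "saml:AttributeStatement/saml:Attribute[@Name='memberOf']/saml:AttributeValue", SAML)]
    if required_group not in groups:
        return False, "authenticated user is not in the authorized group", None
    return True, "ok", root.findtext("saml:Subject/saml:NameID", namespaces=SAML)
```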

Sxip sells a product for ASPs called Sxip Access, which is a delegated single sign-on solution that uses SAML authentication.

Currently, SAML delegated authentication solutions are more mature and more secure than OpenID delegated authentication solutions. However, a future convergence between OpenID and SAML is looking increasingly possible.

Technorati Tags: OpenID, SAML
