This week I am at the European e-Identity Management Conference in London. This afternoon I am speaking about identity mediation to the cloud. I'm focusing on the role of a Cloud Service Broker, using a Security Token Service for conversion between identity token types. There is a tendency to focus on the newer token types (OAuth, OpenID) but the biggest requirement is often to support the more established (and often proprietary) identity token types such as the CA SiteMinder smsession token. Mediating these to the Cloud, enabling single sign-on to the Cloud is the great value of a Cloud Service Broker working in conjunction with a Security Token Service (STS).
"Unified Field of Cloud and Enterprise"
Kim Cameron from Microsoft just gave an entertaining talk here (he joked that he is called "The Father of Identity" so often that he wonders "maybe it was something that happened when I was drunk"). Referencing David Linthicum's "Data-Integration Buzzkill for Cloud Computing" piece, he explained that you cannot consider Cloud-based systems separate from enterprise infrastructure "or indeed from other Cloud-based systems you are using from other providers", instead it is part of a "kind of unified field of cloud and enterprise". He spoke of the hybrid infrastructure of Cloud and Enterprise.
He explained that a key identity issue is that you must consider not only authentication to cloud providers (user provisioning, password synchronization) but also the larger task of managing authorization data (who is allowed to access which resource). The Authorization management problem is "exponentially larger" than the authentication problem.
To address this, he laid out an architecture which makes use of a Security Token Service (STS) to issue claims (such as "this user is aged over 21", "this user's manager is XXXX") which are then used for authorization decisions. The Security Token Service is a key piece of this "Identity Backbone for the Cloud", as laid out by Kim Cameron.
Blog author: Mark O'Neill
Featured Articles
Recorded Webinars
Videos
Podcasts
Blog Archive
-
►
2012
(14)
-
►
January
(7)
- Scheduling reports on API usage
- Gateways and Load Balancers
- Who manages Application Gateways?
- Kin Lane's API Management Service Provider Roundup...
- Mapping from Google login, with OpenID, to Oracle ...
- Returning JSON fault information to JQuery-based A...
- How to change the default alert email subject line...
-
►
January
(7)
-
►
2011
(93)
-
►
December
(10)
- Testing HTTP Authentication to a Web API
- NFC - a "hand wavy" technology that may succeed
- Checking against a CRL from a Mutual SSL connectio...
- Leveraging Cloud Computing for the Financial Servi...
- Identity propagation from the Vordel Gateway with ...
- Using Vordel SOAPbox to send a SAMLResponse struct...
- Configuring a dynamic CRL lookup on the Vordel Gat...
- Rutrell Yasin on "what to look for in a SOA App Ga...
- From XBRL to Westminster
- How to call a Web Service or API "Off to the side"...
-
►
September
(10)
- Automated API testing
- Issuing a SAML Assertion with a simple STS on the ...
- Authentication using custom tokens with the Vordel...
- Catch the Vordel and Forrester Webinar next week: ...
- Free Vordel Workshop next month - Hotel Nikko, San...
- Content-based routing, with conversion for SOAP to...
- How to authenticate then issue a SAML assertion in...
- You know you're a geek when...
- Speaking at Oracle Open World - Tuesday October 4t...
- CRLs and browsers, and how a Gateway can help
-
►
December
(10)
Recommended Reading
-
Open, Cloud, Confusion2 days ago
-
Nanode thermometer1 week ago
-
Envy and the Facebook IPO1 week ago