Justine Sacco, is a public relations officer, who worked for a media company called IAC, sent out this tweet to more than 4300 followers as she boarded a plane for South Africa from London's Heathrow Airport on 20th December, 2013, last year. While she was happily cruising to Cape Town, enjoying in-flight entertainment system or may be sleeping - her tweet went viral - across the world. By the time she landed in Cape Town, it was retweeted more than 3500 times and had more than 1700 favourites. She boarded the plane as an IAC employee, but at the time she landed in South Africa, she was unemployed - she was fired from IAC. That’s the power of social identity. Social Identity can take you from zero to hero as well as from hero to zero.
Twitter, Facebook. LinkedIn - all are part of your social identity. Anyway, if you want to take little humour out of this or Justine Sacco - this was what Gogo did. Gogo is a company which provides in-flight broadband internet.
Gartner predicts, by the end of 2015, that’s the next year, 50% of all new retail customer identities will be based on social network identities. This was below 5% by the end of 2012. Imagine the expected growth - from 5% to 50% - just in 3 years. That’s a clear reflection of the rate of adaptation. Facebook, at present - is only second to China and India in terms of its user base. By the end of 2013 - Facebook user base was around 1.23 billion. Compare that with India, its just behind - India is around 1.26 billion at the moment - while China leading at 1.39 billion. Facebook is catching up rapidly to beat all the countries in terms of its population. In fact the birth rate both in China and India is going down while Facebook adaptation is going up. Worried about Sri Lanka ? We have 2.2 million Sri Lankans on Facebook and that’s just more than 10% of the entire population.
If you have not thought about this yet - start thinking! Think about bridging enterprise identity with social identity - let them be your customers or even employees - let them bring in their own identity - the opportunity to grow is immense.
Consumerization talks about reorientation of product and service designs around the individual end-user. IT consumerization is an emerging topic or trend for last few years. This important trend is not just about new devices; it is about the entire relationship between IT and its user population. This trend also introduces significant security issues because critical IT assets need to be available — securely — to an increasingly distributed and diverse user base that is using consumer devices of their own choice. While the initial consumerization hype was focused on the bring your own device (BYOD) trend, we are now seeing the emergence of bring your own identity (BYOID) concept. The rise of BYOID is being driven by users' "identity fatigue." Users have too many accounts, too many usernames and too many passwords. When the competition is literally a click away, organizations must enable the easiest user experience possible or users migrate to sites that offer the simplest registration and login process. Many web sites have moved quickly to accept identities from popular online identity providers like Facebook, Google and LinkedIn.
A recent research done by the analyst firm Quocirca confirms that many businesses now have more external users than internal ones: in Europe 58 percent transact directly with users from other businesses and/or consumers; for the UK alone the figure is 65 percent. If you look at the history, most enterprises grow today via acquisitions, mergers and partnerships. In U.S only, mergers and acquisitions volume totaled to $865.1 billion in the first nine months of 2013, according to Dealogic. That’s a 39% increase over the same period a year ago — and the highest nine-month total since 2008.
What does this mean to enterprise identity management ? You would have to work with multiple heterogeneous user stores - authentication protocols - legacy systems and many more. BYOID (Bring Your Own IDentity) is not just about bridging social identity with enterprise identity - it is also about bridging different heterogeneous identities between different corporates or enterprises.
What drives BYOID? There is nothing new in BYOID. It can be even implemented with a decade old technology. Any guesses? That is SAML. SAML V1.0 became an OASIS standard in November 2002 and the V1.1 followed in September 2003. This has seen a significant success, gaining momentum in financial services, higher education, government, and other industry segments.
SAML was mostly used to facilitate web single sign on. It can be just within the same domain or between domains. SAML V2.0 - in 2005 - was built on that success. It unified the building blocks of federated identity in V1.1 with the inputs from Shibboleth initiative and the Liberty Alliance's Identity Federation Framework. It was a very critical step towards the full convergence for federated identity standards.
OpenID, in 2005 - followed the footsteps of SAML. It was initiated by the founder of LiveJournal - Brad Fitzpatrick. The basic principle behind both OpenID and SAML, is the same. Both can be used to facilitate web single on and cross-domain Identity Federation.
OpenID is more community friendly, user centric and decentralized. In mid-January 2008 - Yahoo added OpenID support - late July MySpace announced its support for OpenID - and late October Google joined the party. By December 2009 - there were more than 1 billion OpenID enabled accounts. It was a huge success in web single sign on - but started to fade - after OAuth 2.0 and OpenID Connect. One of the very popular and very first OpenID Provider - MyOpenID - was shut down on 1st of February this year. But SAML - still stable as it was ten years back.
OpenID Connect - has some history. It has its roots in OAuth 2.0 - although its been developed outside IETF - under the OpenID Foundation. OAuth 2.0 is a framework for delegated authorization. Its a misconception to think it does authentication. OpenID Connect is the one built on top of OAuth 2.0 to do authentication. Would you agree ? Most probably not. Facebook only supports OAuth 2.0 - then how come we login to web sites with “Login with Facebook” - if it is not for authentication. No it is not. If you understand OAuth to some extent you know - after the token dance you end up with an access token. That is the only token given to your website by the Facebook - and it does not contain any of your identity information. These websites, follow a workaround - they use that access token - to talk to a user endpoint exposed by the Facebook to get the user’s identity. Facebook validates the access token and returns back the user identity. This was the driving force for OpenID Connect. With OpenID Connect - you will get an ID token along with the access token. The ID token represents user’s identity. As in the case of SAML and OpenID, both OAuth and OpenID Connect can be used for web single sign on and cross domain identity federation.
Building a setup from scratch to fit into these standards is not hard. Say you’ve got Liferay - which supports OpenID. You can enable federated login to Liferay, to a partner - who is having an OpenID Provider, deployed over its own user store. Similarly, if you have a SAML 2 Identity Provider deployed in your environment - you can federate that identity to cloud service providers like Salesforce or Google Apps. Basically, that means - the users from your domain will be able to login into Salesforce or Google Apps using their corporate LDAP credentials. That’s the easy part of BYOID.
How do you handle a situation where you have a partnership, and now applications running in your domain - secured with SAML 2.0 - should be accessible to your partner, who is only having an OpenID Connect Identity Provider.If you support true BYOID - with no code changes - you should be able to let a user from the partner domain with an OpenID Connect token - to log into your application which is secured with SAML 2.0. Internet Identity always - has an unsolved problem. Very frequently you will see new standards and profiles emerging up. SAML was dominating the last decade and still to some extent - OpenID Connect and JWT could be dominating the next. As we go on - as we move one - there will be lot of legacy around us.
In my view, any identity management system to qualify to support BYOID - should simply go beyond standard support for Identity Federation protocols.That era is over. Time to think - time to rethink - how would you mediate, transform identity tokens between different standards or protocols. I should let someone login to my SAML secured service provider, with an OpenID Connect token from a third party Identity Provider. I should let users to bring their own identity from Facebook - to access SAML secured enterprise Salesforce account or the Google Apps account. That’s where we want to be - in terms of BYOID.
WSO2 Identity Server 5.0.0, which was released in last May is a massive step towards that. For those who are new to WSO2 Identity Server, let me quickly explain what it is. WSO2 Identity Server is an open source Identity and Entitlement management server, which supports SAML 2.0, OpenID, OAuth 2.0, OpenID Connect, XACML 3.0, SCIM, WS-Federation (passive) and many other identity federation patterns.
Twitter, Facebook. LinkedIn - all are part of your social identity. Anyway, if you want to take little humour out of this or Justine Sacco - this was what Gogo did. Gogo is a company which provides in-flight broadband internet.
Gartner predicts, by the end of 2015, that’s the next year, 50% of all new retail customer identities will be based on social network identities. This was below 5% by the end of 2012. Imagine the expected growth - from 5% to 50% - just in 3 years. That’s a clear reflection of the rate of adaptation. Facebook, at present - is only second to China and India in terms of its user base. By the end of 2013 - Facebook user base was around 1.23 billion. Compare that with India, its just behind - India is around 1.26 billion at the moment - while China leading at 1.39 billion. Facebook is catching up rapidly to beat all the countries in terms of its population. In fact the birth rate both in China and India is going down while Facebook adaptation is going up. Worried about Sri Lanka ? We have 2.2 million Sri Lankans on Facebook and that’s just more than 10% of the entire population.
If you have not thought about this yet - start thinking! Think about bridging enterprise identity with social identity - let them be your customers or even employees - let them bring in their own identity - the opportunity to grow is immense.
Consumerization talks about reorientation of product and service designs around the individual end-user. IT consumerization is an emerging topic or trend for last few years. This important trend is not just about new devices; it is about the entire relationship between IT and its user population. This trend also introduces significant security issues because critical IT assets need to be available — securely — to an increasingly distributed and diverse user base that is using consumer devices of their own choice. While the initial consumerization hype was focused on the bring your own device (BYOD) trend, we are now seeing the emergence of bring your own identity (BYOID) concept. The rise of BYOID is being driven by users' "identity fatigue." Users have too many accounts, too many usernames and too many passwords. When the competition is literally a click away, organizations must enable the easiest user experience possible or users migrate to sites that offer the simplest registration and login process. Many web sites have moved quickly to accept identities from popular online identity providers like Facebook, Google and LinkedIn.
A recent research done by the analyst firm Quocirca confirms that many businesses now have more external users than internal ones: in Europe 58 percent transact directly with users from other businesses and/or consumers; for the UK alone the figure is 65 percent. If you look at the history, most enterprises grow today via acquisitions, mergers and partnerships. In U.S only, mergers and acquisitions volume totaled to $865.1 billion in the first nine months of 2013, according to Dealogic. That’s a 39% increase over the same period a year ago — and the highest nine-month total since 2008.
What does this mean to enterprise identity management ? You would have to work with multiple heterogeneous user stores - authentication protocols - legacy systems and many more. BYOID (Bring Your Own IDentity) is not just about bridging social identity with enterprise identity - it is also about bridging different heterogeneous identities between different corporates or enterprises.
What drives BYOID? There is nothing new in BYOID. It can be even implemented with a decade old technology. Any guesses? That is SAML. SAML V1.0 became an OASIS standard in November 2002 and the V1.1 followed in September 2003. This has seen a significant success, gaining momentum in financial services, higher education, government, and other industry segments.
SAML was mostly used to facilitate web single sign on. It can be just within the same domain or between domains. SAML V2.0 - in 2005 - was built on that success. It unified the building blocks of federated identity in V1.1 with the inputs from Shibboleth initiative and the Liberty Alliance's Identity Federation Framework. It was a very critical step towards the full convergence for federated identity standards.
OpenID, in 2005 - followed the footsteps of SAML. It was initiated by the founder of LiveJournal - Brad Fitzpatrick. The basic principle behind both OpenID and SAML, is the same. Both can be used to facilitate web single on and cross-domain Identity Federation.
OpenID is more community friendly, user centric and decentralized. In mid-January 2008 - Yahoo added OpenID support - late July MySpace announced its support for OpenID - and late October Google joined the party. By December 2009 - there were more than 1 billion OpenID enabled accounts. It was a huge success in web single sign on - but started to fade - after OAuth 2.0 and OpenID Connect. One of the very popular and very first OpenID Provider - MyOpenID - was shut down on 1st of February this year. But SAML - still stable as it was ten years back.
OpenID Connect - has some history. It has its roots in OAuth 2.0 - although its been developed outside IETF - under the OpenID Foundation. OAuth 2.0 is a framework for delegated authorization. Its a misconception to think it does authentication. OpenID Connect is the one built on top of OAuth 2.0 to do authentication. Would you agree ? Most probably not. Facebook only supports OAuth 2.0 - then how come we login to web sites with “Login with Facebook” - if it is not for authentication. No it is not. If you understand OAuth to some extent you know - after the token dance you end up with an access token. That is the only token given to your website by the Facebook - and it does not contain any of your identity information. These websites, follow a workaround - they use that access token - to talk to a user endpoint exposed by the Facebook to get the user’s identity. Facebook validates the access token and returns back the user identity. This was the driving force for OpenID Connect. With OpenID Connect - you will get an ID token along with the access token. The ID token represents user’s identity. As in the case of SAML and OpenID, both OAuth and OpenID Connect can be used for web single sign on and cross domain identity federation.
Building a setup from scratch to fit into these standards is not hard. Say you’ve got Liferay - which supports OpenID. You can enable federated login to Liferay, to a partner - who is having an OpenID Provider, deployed over its own user store. Similarly, if you have a SAML 2 Identity Provider deployed in your environment - you can federate that identity to cloud service providers like Salesforce or Google Apps. Basically, that means - the users from your domain will be able to login into Salesforce or Google Apps using their corporate LDAP credentials. That’s the easy part of BYOID.
How do you handle a situation where you have a partnership, and now applications running in your domain - secured with SAML 2.0 - should be accessible to your partner, who is only having an OpenID Connect Identity Provider.If you support true BYOID - with no code changes - you should be able to let a user from the partner domain with an OpenID Connect token - to log into your application which is secured with SAML 2.0. Internet Identity always - has an unsolved problem. Very frequently you will see new standards and profiles emerging up. SAML was dominating the last decade and still to some extent - OpenID Connect and JWT could be dominating the next. As we go on - as we move one - there will be lot of legacy around us.
In my view, any identity management system to qualify to support BYOID - should simply go beyond standard support for Identity Federation protocols.That era is over. Time to think - time to rethink - how would you mediate, transform identity tokens between different standards or protocols. I should let someone login to my SAML secured service provider, with an OpenID Connect token from a third party Identity Provider. I should let users to bring their own identity from Facebook - to access SAML secured enterprise Salesforce account or the Google Apps account. That’s where we want to be - in terms of BYOID.
WSO2 Identity Server 5.0.0, which was released in last May is a massive step towards that. For those who are new to WSO2 Identity Server, let me quickly explain what it is. WSO2 Identity Server is an open source Identity and Entitlement management server, which supports SAML 2.0, OpenID, OAuth 2.0, OpenID Connect, XACML 3.0, SCIM, WS-Federation (passive) and many other identity federation patterns.