The next eighteen months or so will see the emergence of two new ID-related standards that should transform the way that mobile devices are integrated with business applications of all types.
According to Thomas Pedersen, the CEO of ID management specialist, OneLogin, the management of the relationship between the growing range of mobile devices and enterprise business systems is one that is becoming vital. Not only that, the weaknesses of current tools for collaboration between the two environments are starting to show through.
The new standards are known as NAPPS, which stands for Native Applications, and SCIM, the System for Cross-domain Identity Management.
NAPPS will be the first to appear, according to Pedersen. It is expected to be ratified as a standard by the third quarter of this year, with the first applications of it appearing in production environments by the end of the year.
“The current primary tool, MDM (Mobile Device Management), no longer solves today’s problems,” Pedersen said. “It cannot distinguish between consumer and business users, and it has no ID awareness.”
The latter, of course, is now becoming a major issue with mobile devices as they increasingly become the primary client device for staff in a growing number of businesses. As Pedersen pointed out, it is becoming increasingly common for start-up businesses to bypass the PC entirely and equip their staff with tablets and smartphones. This makes poor ID management a problem in need of an urgent solution.
Providing this is the primary target behind the development of NAPPS, which has come out of an OpenID working group. The goal is to define a profile of OpenID Connect (OIDC) that will enable a standardised cross-application Single Sign-On (SSO) experience for both consumer-centric and enterprise applications.
The profile will introduce the role of a Token Agent. This takes the form of a dedicated software component that, once it has been able to get the user authenticated (like any other OAuth or OIDC client), is able to obtain appropriate security tokens representing that user from a cloud identity server for other native applications.
In practice this means that staff, whether at their desk or working on the other side of the world, access a portal service to their employer’s systems. Here they authenticate themselves and, having done so successfully, have access to all the applications in their work environment without needing to log on to each one individually.
Importantly, because the profile will, when complete, build on and extend the existing OIDC standard, the Token Agent and the cloud identity server need not be developed by the same entity (i.e. the same identity vendor or enterprise). A Token Agent built by one vendor can work with an identity server built or run by another. Consequently, customers need not fear lock-in.
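The Token Agent pattern described above, modelled as an added example (this is not NAPPS profile code, not OneLogin code, and not the profile's real wire format): a simulated cloud identity server issues HMAC-signed JSON tokens, the agent authenticates the user once, and then requests a separate, audience-restricted, short-lived token for each native application. The secret, user directory, application list and token layout are all constructed for the illustration.

```python
"""Illustrative model of a Token Agent obtaining per-application tokens from an
identity server. Added example; the token format and server are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret of the simulated identity server (assumption).
ISSUER_SECRET = b"constructed-demo-secret-not-for-production"
# Constructed set of native applications registered with the server.
REGISTERED_APPS = {"mail-app", "crm-app"}
# Constructed user directory (plaintext passwords for the demo only).
USERS = {"alice": "correct horse battery staple"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    """Encode claims and append an HMAC-SHA256 tag: '<body>.<mac>'."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token, expected_aud, now=None):
    """Check signature, audience and expiry; return the claims or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = _b64(hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims


class IdentityServer:
    """Simulated cloud identity server (assumption, not a real product)."""

    def authenticate(self, username, password, now=None):
        """Primary authentication: returns a token bound to the agent itself."""
        if USERS.get(username) != password:
            return None
        now = time.time() if now is None else now
        return _sign({"sub": username, "aud": "token-agent", "iat": now, "exp": now + 3600})

    def token_for_app(self, agent_token, app_id, now=None):
        """Exchange a valid agent token for a short-lived, app-scoped token."""
        claims = verify_token(agent_token, "token-agent", now)
        if claims is None or app_id not in REGISTERED_APPS:
            return None
        now = time.time() if now is None else now
        return _sign({"sub": claims["sub"], "aud": app_id, "iat": now, "exp": now + 300})


class TokenAgent:
    """On-device component: authenticates once, then hands each native app its
    own token. The apps never see the user's credentials or the agent token."""

    def __init__(self, server):
        self.server = server
        self.agent_token = None

    def login(self, username, password, now=None):
        self.agent_token = self.server.authenticate(username, password, now)
        return self.agent_token is not None

    def token_for(self, app_id, now=None):
        if self.agent_token is None:
            return None
        return self.server.token_for_app(self.agent_token, app_id, now)


def demo(now=1_700_000_000.0):
    """Run the exchange with a fixed clock and report the checks that matter."""
    server = IdentityServer()
    agent = TokenAgent(server)
    if not agent.login("alice", "correct horse battery staple", now):
        raise RuntimeError("primary authentication failed")
    mail_tok = agent.token_for("mail-app", now)
    return {
        "mail_ok": verify_token(mail_tok, "mail-app", now) is not None,
        "mail_token_rejected_by_crm": verify_token(mail_tok, "crm-app", now) is None,
        "expired": verify_token(mail_tok, "mail-app", now + 301) is None,
        "unknown_app": agent.token_for("unknown-app", now) is None,
        "bad_password": TokenAgent(server).login("alice", "wrong", now),
    }
```

The design point worth noticing is the audience claim: each application accepts only a token minted for it, so a token stolen from one app cannot be replayed against another, and the agent token (the only long-lived credential) never leaves the agent.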
SCIM, which is designed to make managing user identities in cloud-based applications and services easier, is not expected to appear in a ratified form until 2015. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols.
According to Pedersen, SCIM is set to become the key standard for provisioning mobile devices, particularly in the work environment, working alongside the Security Assertion Markup Language (SAML), the increasingly widely accepted data format for exchanging authentication and authorisation data between parties such as identity providers and service providers (SaaS vendors, for example).
OneLogin recently published a survey of SaaS vendors which showed that SAML is now widely accepted among them, with 67% already using it and a further 19% planning to within the next 12 months. Most of the major business-systems SaaS vendors, such as NetSuite, Salesforce and Workday, are already using it.
Pedersen sees SCIM being widely accepted as well because it will help manage users’ connections with applications, reducing the chance of errors due to connections left open and accessible, as well as managing user provisioning when they log on from any mobile device or PC.
“It will make services more secure by reducing the mistakes that users seem prone to,” he said. “It will also make de-provisioning users, for example once they leave a company, a very simple task. Everyone knows of someone who still has the ability to log in on a previous employer’s system simply because they have not been removed from it.”
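To make the common-schema and de-provisioning points above concrete, here is an added example (not OneLogin code and not a SCIM library) of an in-memory service-provider store that models the `/Users` resource: creation is validated against the schema, a `PatchOp` flips `active` to false, the sign-in check refuses inactive accounts, and an audit lists active accounts that no longer match the HR roster. The schema and PatchOp URNs are those of SCIM 2.0 as later ratified (RFC 7643 and RFC 7644); the store, the sample users and the HR feed are constructed for the illustration.

```python
"""Added example: SCIM-style user provisioning and de-provisioning, modelled
in memory. The store and sample data are assumptions, not a real provider."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(Exception):
    """Carries the HTTP status a real SCIM endpoint would return."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


class ScimUserStore:
    """Simulated service-provider side of /Users (assumption: in-memory)."""

    def __init__(self):
        self._users = {}

    def create(self, resource):
        """POST /Users: validate the schema list and required attributes."""
        if USER_SCHEMA not in resource.get("schemas", []):
            raise ScimError(400, "invalidValue: missing core User schema")
        user_name = resource.get("userName")
        if not user_name:
            raise ScimError(400, "invalidValue: userName is required")
        if self.find_by_user_name(user_name) is not None:
            raise ScimError(409, "uniqueness: userName already exists")
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": user_name,
            "active": bool(resource.get("active", True)),
            "emails": list(resource.get("emails", [])),
        }
        self._users[user["id"]] = user
        return user

    def find_by_user_name(self, user_name):
        return next((u for u in self._users.values() if u["userName"] == user_name), None)

    def patch(self, user_id, patch):
        """PATCH /Users/{id}: only 'replace' on the 'active' path is modelled."""
        if PATCH_OP not in patch.get("schemas", []):
            raise ScimError(400, "invalidSyntax: not a PatchOp message")
        user = self._users.get(user_id)
        if user is None:
            raise ScimError(404, "user not found")
        for op in patch.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user["active"] = bool(op["value"])
            else:
                raise ScimError(400, f"unsupported operation: {op!r}")
        return user

    def delete(self, user_id):
        """DELETE /Users/{id}: hard removal, used only when history is not needed."""
        if self._users.pop(user_id, None) is None:
            raise ScimError(404, "user not found")

    def can_log_in(self, user_name):
        """The service's sign-in check: the account must exist and be active."""
        user = self.find_by_user_name(user_name)
        return user is not None and user["active"]

    def stale_accounts(self, current_staff):
        """Audit: active accounts with no matching current employee (leavers)."""
        return sorted(u["userName"] for u in self._users.values()
                      if u["active"] and u["userName"] not in current_staff)


def deprovision(store, user_name):
    """Identity-provider side: when HR marks a leaver, deactivate rather than
    delete so audit history survives; sign-in then refuses the account."""
    user = store.find_by_user_name(user_name)
    if user is None:
        return False
    store.patch(user["id"], {"schemas": [PATCH_OP],
                             "Operations": [{"op": "replace", "path": "active", "value": False}]})
    return True


def demo():
    store = ScimUserStore()
    store.create({"schemas": [USER_SCHEMA], "userName": "alice@example.com"})
    store.create({"schemas": [USER_SCHEMA], "userName": "bob@example.com"})
    # Constructed HR feed: Bob has left, but nobody removed his account yet.
    current_staff = {"alice@example.com"}
    stale_before = store.stale_accounts(current_staff)
    for name in stale_before:
        deprovision(store, name)
    return {"stale_before": stale_before,
            "stale_after": store.stale_accounts(current_staff),
            "alice_can_log_in": store.can_log_in("alice@example.com"),
            "bob_can_log_in": store.can_log_in("bob@example.com")}
```

Deactivating via `active: false` rather than deleting is the usual choice because it closes access immediately while keeping the identifier and history for audit; the `stale_accounts` comparison against the HR roster is the check that catches exactly the lingering ex-employee account Pedersen describes.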
The other advantage of these new standards is that they are specifically designed to work with mobile device interfaces. As Pedersen pointed out, browser technologies and mobiles do not make very good bedfellows, and getting ID and SSO tools to work well and with sufficient richness of capability on such a combination has proved difficult.
He also acknowledged the possibility that, as tablets and smartphones come to dominate the world of the business client device and the PC continues to decline, the place of browser technologies as the lingua franca of applications and service connectivity and user interfacing may itself start to diminish.
“I do see it as a possibility,” he said, “though I would not want to speculate about where or when it might start, or how much impact it might have.”