The Intersection of SaaS, Enterprise Software, and Open Source IAM
The delivery of software has fundamentally changed over the last decade. SaaS applications have enjoyed broad adoption across SMBs and large enterprises. But let’s not get carried away… not all enterprise IT services will move to SaaS. And when it comes to the keys to the kingdom, enterprise identity and credential management, SaaS clearly comes up short.
The most compelling reasons NOT to outsource your identity and access management operations to a SaaS multi-tenant cloud provider include:
Security: For many companies, a trust model in which a third party holds the private keys used to sign security messages (SAML assertions, OpenID Connect ID tokens) is not acceptable. Others are troubled that if a breach occurs at the provider, they may not be notified. As a customer of a SaaS, you do not have root access on the compromised servers, which handicaps your ability to figure out what happened. Net-net, SaaS authentication providers offer a trust model that is just not quite right for many organizations.
Compliance: When personal data resides on a third party’s server, ensuring that you comply with the relevant government data-protection regulations can be a challenge. At a minimum, it raises questions that need to be addressed that would not be a consideration if the authentication server were located on your organization’s private network.
Flexibility: SaaS systems are not as flexible in implementing unique business logic for authentication. There are many new authentication offerings: mobile, biometric, cognitive, tokens. Organizations don’t want to be limited to the measly number of officially supported (and probably over-priced) authentication options. Also, the workflow for authentication includes more than just the part about “how to identify the person.” APIs that perform fraud detection, central logging, intrusion detection, threat sharing and other services may need to be integrated as part of the authentication flow. For example, a company may want to present a message “You have never logged in from this country before, we will send you an email to confirm.” Enabling companies to implement flexible business rules for authentication has not been a strong point for SaaS authentication offerings.
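The “new country” rule above is a small piece of risk-based, step-up authentication: a policy step that runs after the primary credential check and decides whether to let the user through, ask for an out-of-band confirmation, or refuse. The following is an added example written for this page, not Gluu Server code or any vendor’s API; the geo-IP table, the login history, the lockout threshold and the decision names (“allow”, “email_confirm”, “deny”) are all constructed for illustration. It goes slightly beyond the text by composing two rules (new-country step-up and a consecutive-failure lockout) in one decision function, which is the kind of custom logic the paragraph says SaaS IDPs make hard to express.

```python
"""Risk-based step-up decision for an authentication flow (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed geo-IP table for the example; a real deployment would call a
# GeoIP database or a fraud-detection API at this point in the flow.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "DE",
    ip_network("192.0.2.0/24"): "BR",
}

MAX_CONSECUTIVE_FAILURES = 5  # assumed policy value for the lockout rule


def country_for(ip: str) -> Optional[str]:
    """Map a client IP to a country code, or None when it cannot be resolved."""
    addr = ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None


@dataclass
class LoginEvent:
    ip: str
    country: Optional[str]
    success: bool


@dataclass
class UserHistory:
    """Per-user login history, the state the business rules consult."""
    events: list = field(default_factory=list)

    def known_countries(self) -> set:
        """Countries from which this user has previously logged in successfully."""
        return {e.country for e in self.events if e.success and e.country}

    def consecutive_failures(self) -> int:
        """Number of failures since the most recent successful login."""
        n = 0
        for e in reversed(self.events):
            if e.success:
                break
            n += 1
        return n


def step_up_decision(history: UserHistory, ip: str) -> str:
    """Decide what the flow does once the password check has passed.

    Returns one of:
      "deny"          - too many consecutive failures; refuse regardless of geo
      "allow"         - country matches an earlier successful login
      "email_confirm" - new or unresolvable country; send a confirmation email
    """
    if history.consecutive_failures() >= MAX_CONSECUTIVE_FAILURES:
        return "deny"
    country = country_for(ip)
    known = history.known_countries()
    if not known:
        # Design choice: the first successful login establishes the baseline.
        return "allow"
    if country is not None and country in known:
        return "allow"
    # Unknown country, or one the user has never used: step up, don't block.
    return "email_confirm"


def user_message(decision: str, ip: str) -> str:
    """User-facing text for each decision (the message quoted in the text)."""
    if decision == "email_confirm":
        country = country_for(ip) or "an unknown location"
        return (f"You have never logged in from {country} before; "
                "we will send you an email to confirm.")
    if decision == "deny":
        return "Too many failed attempts; this account is temporarily locked."
    return "Welcome back."


def record_login(history: UserHistory, ip: str, success: bool) -> None:
    """Append the outcome so later decisions see it. The confirmation step
    would call this with success=True once the emailed link is followed."""
    history.events.append(LoginEvent(ip, country_for(ip), success))


if __name__ == "__main__":
    h = UserHistory()
    record_login(h, "203.0.113.10", True)  # baseline: a successful login from US
    for client_ip in ("203.0.113.20", "198.51.100.7", "10.0.0.1"):
        d = step_up_decision(h, client_ip)
        print(client_ip, d, "-", user_message(d, client_ip))
```

The point of the structure is that `step_up_decision` is the only place the rules live, so adding a fraud-score lookup, a device-fingerprint check or a threat-feed query is one more clause there rather than a change to the credential check itself; a provider that only exposes a fixed menu of second factors gives you no equivalent hook.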
Price: For customer-facing applications, the “per user” pricing model just doesn’t work. It would mean paying the SaaS IDP a commission on every customer you sign up. Even per-connection metering can add up. Although the typical number of SAML relationships has been low for organizations, OpenID Connect will likely increase the number of partners.
There’s no silver bullet when it comes to implementing a comprehensive authentication and authorization (AA) service. Building and operating a stack of open source identity and access management software can be a challenge for organizations. A subscription to the Gluu Server offers a support model for open source and an alternative to SaaS: a “hybrid cloud” solution.
Gluu customers provide the IaaS layer (compute, persistence, network, backup). The Gluu Server is deployed on a server instance in the customer’s environment, and Gluu can provide support, deployment, configuration management, monitoring, and SLA reporting services. Unlike SaaS services, Gluu does not persist personally identifiable information on its central systems. Our primary mission is operational support for the people who are at the front line of security for their organizations.
The Gluu Server leverages standards such as OAuth 2.0, OpenID Connect, UMA, SAML 2.0, and SCIM to enable federated single sign-on (SSO) and trust elevation. The Gluu Server is used by universities, government agencies, and companies (mostly large organizations) to secure employee-facing and consumer network services.
So if your domain authenticates a lot of people (employees, customers or partners); if your domain has complicated authentication requirements; if you need to trust some of your partners to authenticate their own people (i.e. inbound SAML); if you have a lot of connections to applications that want to use your IDP; if you are a paranoid organization that wants more control of the PII (or even wants to see the code!); in general… if you have anything but plain-vanilla SaaS applications and a small number of users, you may want to consider alternatives to SaaS.