Before organizations move applications to the cloud, they need to consider various aspects of identity management from provisioning users and authentication to access control and authorization. While provisioning takes care of creating users and managing them through the lifecycle, authentication is critical to establishing the identity and is a prerequisite to providing required access to resources.
Challenges of authentications include not only credential management and strong authentication but also manageability and user experience. Different types of cloud providers and users have differing authentication requirements. While SaaS and PaaS providers offer built-in authentication mechanism and also support authentication delegation, In IaaS administrators and application users need to be managed separately. Organizations building their own private clouds try to leverage existing enterprise standards. In all these cases it is important to stick to standards based methods rather than using proprietary methods as it helps in scaling, management and investment protection.
Organizations are growing beyond traditional boundaries and enabling partners, customers and remote users to access different applications with different privilege levels. Users need to move between different environments and maintain their provisioned access levels. In the cloud environments, identity federation is emerging as a key enabler to authenticate users using identity providers (IdP). This requires secure exchange of identity attributes between the service provider (SP) and the IdP.
Service Provider (SP): Applications deployed in the cloud or in the enterprises
Identity Provider (IdP): An authoritative source authentication for users of service
Various identity federation standards have emerged including SAML, WS-Federation, OpenID and CardSpace. While OpenID and CardSpace are frameworks that allow users to manage their own identities SAML and WS-Federation provide centralized control of identities and allow the federation among trusted parties.
Federation also enables Single Sign-On (SSO) for users as they access applications deployed across enterprises and in the cloud.
SAML for Web SSO
SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a user between an identity provider and a service provider. SAML 2.0 enables web-based authentication and authorization including single sign-on (SSO).