Gluu Web Authentication / SSO Protocol Adoption Predictions
Its hard to make accurate predictions about adoption for SSO protocols. Its impossible to make a detailed model when the known inputs are so vast. With that inherent disclaimer about the difficulty of forecasting, the following graph represents Gluu’s view about the likely adoption and un-adoption of three very important web authentication standards: SAML, CAS, and OAuth2 (specifically OpenID Connect).
It makes sense to start any conversation about web authentication standards with the grand-daddy of Web SSO, the Security Assertion Markup Language–SAML. This is the current leading standard for enterprise inter-domain authentication. It is widely supported by off-the-shelf software, and major SaaS vendors like Google, SalesForce, WorkDay, Box, Amazon, and many others. SAML is the basis for extensive B2B, government and educational networks around the globe. Gluu’s prediction is that providing SAML endpoints and services will be critical for domains for years to come. In the next 15 years or so, organizations will look to consolidate on OAuth2 based trust networks, and will look to end-of-life and de-commission SAML relationships.
The “Central Authentication Server” defined one of the first Web SSO protocols. Its a simple to use API, and supported by several open CMS platforms. Backed by LDAP, it was a good choice for many organizations to centralize username / password authentication. It also allowed access control based on network address, to restrict which servers can use the enterprise web authentication service. With the availability of newer, more functional authentication standards, like SAML and OpenID Connect, new applications should be directed away from CAS. Older applications should also be asked to upgrade to one of the newer protocols. CAS was great, but there are better options now.
OpenID Connect is a profile of OAuth2 that provides several services related to authentication. In years past, federation experts thought OpenID would be ubiquitous. Then a smaller subset of federation experts thought OpenID 2 would be ubiquitous. However, the community has coalesced, and now a large group of federation experts are predicting that OpenID Connect will become ubiquitous. Its a risky position, but it holds up when you look at some simple indicators:
- Support of large consumer IDPs: Google, Microsoft, Yahoo probably Facebook
- Consolidation of several protocol communities such as OpenID, Oauth2, WS-*, a subset of the SAML community.
- Move in consumer market to JSON/REST Authentication API’s
- Explosion of mobile applications requiring better authentication API’s for non-web interactions
- Expanded role of a “client” acting as an agent of the Person to access Web APIs
- New standards that are building on OpenID Connect authentication, such as UMA and the new OpenID Connect Native SSO working group.
- Even Scott Cantor has acknowledged at InCommon Camp that Shibboleth 3.0 is being designed to make it easier to support OpenID Connect in the future!
So we’re going out on a limb here… and predict that OpenID Connect is actually going to catch on this time. We are also perhaps going to help our own cause by providing a scalable, production quality open source implementation of OpenID Connect: oxAuth.
If anyone disagrees or agrees with the admittedly arbitrarily drawn graphs above, feel free to comment below!