O’Reilly Submission: Cloud Identity CookbookThis entry was posted in Gluu, OX and tagged active directory, cloud identity, cloud identity security, data federation, data sharing, federated identity, oauth 2.0, openid connect, radius, saml, SAML IdP, shibboleth, single sign on, Single Sign-On on .
Mike’s submission to O’Reilly Media… Please SHARE and let us know what you think!
I’d like to propose a cookbook on how domains can use open source technology to implement open standards for cloud identity.
Domains utilize open standards like LDAP for username/password authentication, and in conjunction with RADIUS, can support a strong authentication service. However, your average website or mobile app doesn’t want to implement RADIUS–JSON/REST is preferred, as evidenced by the proliferation of OAuth2 (a JSON/REST standard) authentication API connectors published on Everyauth http://everyauth.com.
Finally, the OpenID Connect standard, will provide a ubiquitous OAuth2 profile for Web authentication and… “client registration, user claims, client claims, discovery and session management”… which is jargon for the information the app or website will need from your domain to function.
With the backing of major consumer identity providers like Google, Facebook and Microsoft. websites will gravitate towards OpenID Connect, which is also the clear front-runner by industry analysts like Forrester. Eve Maler’s “Zero Trust Identity Standards Q3 2012” puts OpenID Connect on the “Significant Success” trajectory, heading for adoption perhaps as high as Kerberos, X.509 and LDAP.
Despite the flurry of excitement about OpenID Connect, existing standards continue to be important. RADIUS is used for WIFI, VPN, and physical access systems. SAML is widely deployed in both the enterprise and higher education communities. For example, 26 countries have higher education SAML federations listed on the Shibboleth Wikipedia page http://en.wikipedia.org/wiki/Shibboleth_(Internet2)#Federations, which enable authentication for millions of people each day.
If you are the IT guy at your domain, undertaking to deliver a SAML-RADIUS-LDAP-OAuth2 infrastructure may seem like an insurmountable task, which is why I am proposing a “cookbook” that will go into detail about how existing open source tools can be used to deliver an enterprise-grade authentication / authorization service that will exceed the current functionality of the best available commercial products.
The central ingredient of the Cloud Identity recipe will be the OX platfrom: http://ox.gluu.org. OX provides an administrative trust management web site, that enables a system administrator at a domain to manage SAML and OAuth2 configurations to enable people at the domain to use websites or mobile apps that support one of these open standards.
The recipe would also cover the basics needed to operate the supporting LDAP infrastructure, and details on how RADIUS can be leveraged to control access to WIFI networks using commodity wireless access points.
In order for a domain to deploy an effective Cloud Identity solution, several mission critical components have to work together. I think this book is needed to do justice to documenting that recipe. With the help of your editors, I think we can make the technology accessible to a wide audience.