Gluu Blog


Roadmap for Higher Education Institutions: Will New Identity Standards Achieve the Promise of Federated Identity?

Mike S. September 11, 2014

[Figure: web authentication and authorization standards. “Market Strength” as defined by the number of applications that will support the protocol.]

Will New Identity Standards Achieve the Promise of Federated Identity in Higher Education?

OAuth2 based identity standards bridge web and mobile security requirements and have critical developer and industry support.

See Also: Gluu Protocol Predictions

It is harder than you think to identify a person online. Verizon estimates that 80% of security breaches in 2013 were a result of a failure to do so correctly. Since the early 2000s, several standards have risen and fallen that defined a mechanism to identify a person using the Web. Some of these standards were presented as the panacea for security, but failed to realize any adoption. Some achieved moderate adoption, but never achieved the ubiquity of Internet standards like DNS or SMTP, where every domain on the Internet is expected to maintain a service.

No Web authentication standard has achieved even the level of adoption of LDAP. Standards in identity and security are crucial because the applications used by higher education institutions are heterogeneous: commercial, SaaS, open source and home grown applications all must share the same security infrastructure. When a person authenticates, they won’t notice the difference between one standard and another. But the institution’s IT staff is expected to understand the standards in enough detail to know which organizational cryptographic keys need to be protected and managed.

SAML, the Security Assertion Markup Language, is one such standard that has seen moderate adoption. But despite a concerted effort to evangelize SAML by Educause, Internet2 and other information technology leaders in education, thousands of campuses have not adopted it. Today a person is more likely to use their Facebook credentials to access a web or mobile resource than to use their university SAML credentials. The most successful SAML application has probably been Google Mail. Many campuses are using SAML to enable students to check their mail without having to store passwords on Google. But the number of SAML websites the average campus enables is usually pretty small; around a dozen is not uncommon.

The introduction of the iPhone in 2007 changed the requirements for online authentication, and pulled the rug out from under some of SAML’s core assumptions. The Web browser is not the only conduit for services. We use our mobile phones, tablets, and other devices to access a wide array of our online stuff. Largely completed by 2005, SAML was not designed to accommodate many of the patterns now commonly in use, like when a mobile application calls a backend API.

The big consumer IDPs like Google, Microsoft and Facebook figured out how to get a significant number of people and websites to adopt their standard for Web authentication. How did they do it? They did a great job of listening to developers, and designed an authentication API that suited their preferences. And then the developers created great content. The advances made by Google and other consumer IDPs will greatly benefit higher education institutions.

For early adopters of SAML, the good news is that identity and trust management does not change with the introduction of a new identity federation API. Applications architected for SAML can be upgraded to support newer authentication APIs usually by changing a small amount of code, or hopefully by using a different plugin.

Likewise, multi-party federations like InCommon could also profile and support new protocols. Gluu has proposed the development of a new standard for JSON multi-party federation metadata, and standardizing OAuth2 federation endpoints. New protocols may also require updating definitions in documents like federation Participation Agreements; for example, Gluu publishes a sample agreement that defines terms like “Client Claims” and “OpenID Provider.”

Identity will continue to be a core enabler for higher education institutions. By affiliating with an institution, the person gains access to resources, both physical plant and network resources. In fact, instead of moving toward outsourcing identity to a central silo like Google, new standards will enable wide-scale decentralization. We don’t want to require a Google account. But if institutions publish the same API as consumer IDPs, web site developers won’t have to implement any extra code to support an institution’s security infrastructure.

It is important to avoid a “not-invented-here” bias. Innovation comes from unexpected places. By aligning with consumer standards for identity, people will be able to use their university credentials to access even more content. The pace of innovation has not slowed down. The “Internet of Things” is creating even more requirements for interoperable security. New standards will make this possible. And most likely, they will extend the OAuth2 standards that originated in the consumer sector.
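To make the "same API for every IDP" argument concrete, here is an added example (written for this post, not Gluu's software and not its proposed metadata format): one relying-party check that accepts an OpenID Connect ID token from any OpenID Provider listed in a constructed JSON federation metadata document, whether the issuer is a campus IDP or a consumer IDP. The issuer URLs, client ids and secrets are constructed placeholders, and HS256 (client-secret-keyed) signing stands in for the RSA keys a production provider would publish.

```python
import base64, hashlib, hmac, json

# Constructed federation metadata (placeholder values, not Gluu's proposed format):
# the OpenID Providers this campus trusts, keyed by issuer URL, with the client
# credentials the portal registered at each one.
FEDERATION_METADATA = {
    "https://idp.example-university.edu": {"client_id": "campus-portal", "client_secret": "university-secret"},
    "https://accounts.consumer-idp.example": {"client_id": "campus-portal", "client_secret": "consumer-secret"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(issuer, subject, nonce, now, secret, client_id, ttl=300):
    """Build an HS256-signed ID token the way a provider would (helper for the demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id, "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_id_token(token, expected_nonce, now, federation=FEDERATION_METADATA):
    """Return the verified claims or raise ValueError; one code path for every trusted issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(c_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an algorithm you did not expect
        raise ValueError("unsupported alg")
    provider = federation.get(claims.get("iss"))
    if provider is None:  # issuer is not in the federation metadata, so nothing it signs is trusted
        raise ValueError("untrusted issuer")
    expected_sig = hmac.new(provider["client_secret"].encode(), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if claims.get("aud") != provider["client_id"]:  # token minted for some other client
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to this login attempt (replay check)
        raise ValueError("nonce mismatch")
    return claims
```

Adding a new institution to the federation means adding an entry to the metadata, not writing new client code; removing one revokes trust in everything it signs.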


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.