Hosting an IDP is hard, so it's natural that organizations will look to the cloud to satisfy the requirement. Based on where the private key is stored, we can break the solutions down into three broad categories:
1: Dedicated Server : HSM
For these customers, the integrity of the signing is extremely critical. Therefore, they want to maintain a dedicated server on their network and attach an HSM (http://en.wikipedia.org/wiki/Hardware_security_module). The HSM helps ensure that the private key cannot be exported. An HSM is normally used for the most important root keys, such as those of Verisign, or of federations like InCommon. The Gluu Server can be used in conjunction with an HSM to satisfy this requirement.
2: Dedicated Server
For these customers, the private key is stored on the file system of a dedicated server to which the customer has root access. The opportunity for the key to be compromised is greater, but the company controls the server firewall, can run intrusion detection and threat analysis software, and, in the case of a breach, can access the system logs to perform a thorough forensic analysis of the breach.
3: Shared Server
With a shared server, the IDP for many customers is hosted on one physical server. Therefore, the hosting provider is responsible for managing the private keys on behalf of its customers. In the event of a breach, the customer cannot have root access on the IDP, because this might give them access to the data of other multi-tenant customers, or to internal systems of the hosting provider. There are several shared server platforms: Okta, OneLogin, Salesforce, PingOne, Bitium, StormPath (just to name a few). Gluu decided not to enter this crowded market. If the customer has a small budget, then this solution may make sense. It costs around $150/month to dedicate a server to be your domain IDP, so if you only have 10 employees, you'd probably rather pay $5/month per user on a multi-tenant system. Also, it's implicit here that such a small organization would not care as much about preserving the integrity of the key, or about performing a detailed forensic analysis in the event of a breach.
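For a customer choosing option 2, where the signing key lives on the file system of a server they control, the OS-level protections on that file are the main substitute for an HSM. The following audit is an added example, not code from the original post or from the Gluu Server; it assumes a POSIX host and a single PEM key file that should be readable only by the IDP service account, and it flags the conditions a forensic reviewer would check first (permissive mode bits, wrong owner, symlinked path, replaceable parent directory).

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_key_file(path, expected_uid=None):
    """Return a list of findings for a file-system-resident private key.
    An empty list means the key's OS-level protections look sane."""
    findings = []
    p = Path(path)
    if p.is_symlink():
        # A symlink lets whoever controls the link target swap the key.
        findings.append("key path is a symlink")
    try:
        st = p.stat()
    except FileNotFoundError:
        return ["key file missing"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Any group/other bit exposes the key beyond the service account.
        findings.append(f"key readable by group/other (mode {mode:04o})")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"key owned by uid {st.st_uid}, expected {expected_uid}")
    # A world-writable parent directory (without the sticky bit) lets another
    # local user replace the key file, even if the file itself is 0600.
    dmode = stat.S_IMODE(p.parent.stat().st_mode)
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        findings.append("key directory is world-writable")
    return findings

def demo():
    """Constructed example: one locked-down key file and one exposed one.
    The PEM contents are a placeholder, not real key material."""
    d = tempfile.mkdtemp()  # created 0700 by tempfile
    good = os.path.join(d, "idp-signing-good.pem")
    bad = os.path.join(d, "idp-signing-bad.pem")
    for f in (good, bad):
        with open(f, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n"
                     "-----END PRIVATE KEY-----\n")
    os.chmod(good, 0o600)  # owner-only: what the IDP service account needs
    os.chmod(bad, 0o644)   # world-readable: a common deployment mistake
    me = os.getuid()
    return audit_key_file(good, me), audit_key_file(bad, me)

if __name__ == "__main__":
    good_findings, bad_findings = demo()
    print("good:", good_findings)
    print("bad:", bad_findings)
```

Running the same check from a cron job or a configuration-management agent turns the "company controls the server" argument of option 2 into something that is continuously verified rather than assumed.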