The Future of Cloud Identity Security and SSO: OpenID Connect
After a decade of creating hundreds, if not thousands, of online user accounts and passwords, most people are in need of some form of consolidated, secure Internet identity. OpenID Connect 1.0 is poised to be the ubiquitous standard that will allow users to whittle their online presence down to a few chosen accounts, making the days of extraneous usernames and passwords an Internet relic like dial-up modems and AOL.
Although the OpenID Connect standard is still being finalized, what is shaping up through the hard work of many contributors, including Google, Microsoft, Yahoo, and Gluu, is nothing short of revolutionary. What makes the case for adoption more powerful and likely is that three of those contributors, Google, Microsoft and Yahoo, collectively provide identity to a critical mass of American consumers, and their joint support for one standard method of authentication gives website operators an overwhelming reason to implement it.
Beyond the benefits of consolidated Internet identity for consumers, OpenID Connect will also provide the foundation for a far more efficient and scalable enterprise federated single sign-on solution. While SAML is the dominant protocol for secure attribute exchange and single sign-on today, much of the identity community expects the benefits of OpenID Connect to outweigh those of SAML, and expects OpenID Connect eventually to replace SAML as the dominant protocol for SSO.
What’s changed from OpenID 2.0?
- Support for native client applications
- Provider discovery from an e-mail-style identifier (via WebFinger)
- UserInfo endpoint for simple “Connect” capability
- Designed to work well on mobile phones
- Uses JSON/REST, rather than XML
- Support for encryption and higher levels of assurance (LOAs)
- Support for distributed and aggregated claims
- Support for session management, including logout
- Support for self-issued identity providers
SAML to OpenID Connect Jargon Translations:
SAML IdP = OpenID Connect Provider (OP)
SAML SP = OpenID Connect Relying Party (RP)
SAML Attributes = OpenID Connect Claims (requested in groups called Scopes; e.g. the "profile" scope requests name, picture and similar claims, "email" requests email and email_verified)
How to Prepare for OpenID Connect
People: As a pure user, there is not much you need to do to prepare for OpenID Connect. Once the standard is finished, you will surely be informed, because the odds are you own a Gmail, Yahoo Mail, or Hotmail/MSN account. Those accounts will be OpenID Connect-ready once the standard is finalized. Additionally, the user experience is modeled on Facebook Connect, which provides a familiar flow for login and attribute release.
Organizations: If your organization provides users with e-mail accounts, you will probably want to launch (1) an OpenID Connect Provider ("OP"), such as the open source OX platform or the commercial Gluu Server, where people at your organization authenticate, and (2) an OpenID Connect discovery service (a WebFinger endpoint on your e-mail domain) so that websites can locate your OP from a user's e-mail address and then obtain signed identity assertions from it. Note that discovery only tells a website which OP speaks for your domain; the authentication itself still happens at the OP.
Website Owners & Managers: For website owners and managers, you should consider adding support for OpenID Connect 1.0 to your release roadmap. The good news for websites is that OpenID Connect is relatively lightweight, using JSON and REST, and there are client libraries in Java, Python and other popular programming platforms. Whichever library you pick, confirm that it verifies the issuer, audience, expiry and signature of the ID Token rather than trusting the UserInfo response alone. Additionally, plugins are on the way for widely deployed content management systems like WordPress and Liferay.
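The two discovery steps mentioned above (locating a user's OP from an e-mail-style identifier, then reading the OP's configuration) are shown below as an added example written for this page; it is not code from the original post, from Gluu, or from any OpenID Connect library. It runs offline: the hostnames (example.com, op.example.com), the WebFinger document and the provider metadata are constructed for the example, and `offline_fetch` stands in for the HTTPS GETs a real Relying Party would make. The issuer check in `load_provider_metadata` is the one a practitioner should not skip: the `issuer` value in the metadata must be byte-for-byte identical to the issuer URL the document was fetched from, or a metadata document served by someone other than the issuer could redirect the RP to attacker-controlled endpoints.

```python
"""OpenID Connect Discovery from an e-mail-style identifier, run offline.

Added example, not code from the original post or from any OpenID Connect
library. Hosts, the WebFinger (JRD) document and the provider metadata are
constructed for illustration and describe no real deployment.
"""
import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed JRD, as https://example.com/.well-known/webfinger would return
# for resource=acct:alice@example.com (example data, not a real domain).
CONSTRUCTED_WEBFINGER = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/alice"},
        {"rel": OIDC_ISSUER_REL, "href": "https://op.example.com"},
    ],
})

# Constructed provider metadata, as the OP's openid-configuration document.
CONSTRUCTED_METADATA = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "jwks_uri": "https://op.example.com/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def normalize_identifier(user_input):
    """Return (WebFinger resource, host) for an e-mail-style or URL identifier.

    'alice@example.com' becomes 'acct:alice@example.com' with host example.com;
    a URL keeps its path, loses any fragment, and the host is its authority.
    Only https URLs are accepted here (a deliberate restriction of this example).
    """
    if "@" in user_input and "://" not in user_input:
        local, _, host = user_input.rpartition("@")
        if not local or not host:
            raise ValueError("malformed e-mail identifier")
        return "acct:" + user_input, host
    if "://" not in user_input:
        user_input = "https://" + user_input
    parts = urlsplit(user_input)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("identifier must be an https URL or an e-mail address")
    return parts._replace(fragment="").geturl(), parts.netloc


def webfinger_url(resource, host):
    """WebFinger request (RFC 7033) asking only for the OpenID Connect issuer rel."""
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return "https://%s/.well-known/webfinger?%s" % (host, query)


def issuer_from_webfinger(jrd_text, resource):
    """Extract the issuer href; the JRD must describe the resource we asked about."""
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != resource and resource not in jrd.get("aliases", []):
        raise ValueError("WebFinger subject %r is not %r" % (jrd.get("subject"), resource))
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            return link["href"]
    raise ValueError("no OpenID Connect issuer link in WebFinger response")


def configuration_url(issuer):
    """Provider metadata lives at {issuer}/.well-known/openid-configuration."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def load_provider_metadata(metadata_text, issuer):
    """Parse openid-configuration and apply the RP-side sanity checks."""
    meta = json.loads(metadata_text)
    # Exact comparison on purpose: no trailing-slash or case normalisation.
    if meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r vs %r" % (meta.get("issuer"), issuer))
    for key in ("authorization_endpoint", "jwks_uri", "response_types_supported",
                "subject_types_supported", "id_token_signing_alg_values_supported"):
        if key not in meta:
            raise ValueError("provider metadata lacks required field %r" % key)
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if key in meta and urlsplit(meta[key]).scheme != "https":
            raise ValueError("%s must be an https URL" % key)
    return meta


def unsupported_scopes(meta, requested):
    """Requested scopes the OP does not advertise (scopes_supported is optional)."""
    supported = meta.get("scopes_supported")
    return set() if supported is None else set(requested.split()) - set(supported)


def discover(user_input, fetch):
    """Identifier -> WebFinger -> issuer -> validated provider metadata."""
    resource, host = normalize_identifier(user_input)
    issuer = issuer_from_webfinger(fetch(webfinger_url(resource, host)), resource)
    return load_provider_metadata(fetch(configuration_url(issuer)), issuer)


# Constructed stand-in for the network: the two discovery URLs and their documents.
CONSTRUCTED_DOCUMENTS = {
    webfinger_url("acct:alice@example.com", "example.com"): CONSTRUCTED_WEBFINGER,
    "https://op.example.com/.well-known/openid-configuration": CONSTRUCTED_METADATA,
}


def offline_fetch(url):
    """Replace with an HTTPS GET (certificate-validating) in a real RP."""
    return CONSTRUCTED_DOCUMENTS[url]


if __name__ == "__main__":
    meta = discover("alice@example.com", offline_fetch)
    print("UserInfo endpoint:", meta["userinfo_endpoint"])
    print("Scopes the OP does not offer:", unsupported_scopes(meta, "openid profile email address"))
```

In a real Relying Party `offline_fetch` is replaced by an HTTPS client that validates certificates, and the metadata is cached per issuer; the `scopes_supported` comparison is advisory only, since that field is optional and an OP may honour scopes it does not list.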