Leadership Brief

Cloud SSO is not sufficient: What else do you need?

Cloud-based identity services have come a long way in the past several years, make sure you’re keeping up with what’s available and what you need.

Dave Kearns


1 Recommendations

One common feature of Cloud-based IAM/IAG is Cloud Single Sign-On. Users can access all their Cloud services – and existing web applications that run on-premises, as well as business partner web applications – through that portal. Login is provided either via SAML (Security Assertion Markup Language) or by way of the OAuth protocol (perhaps running underneath another service such as OpenID Connect) as the most important Identity Federation standards, although other protocols and services may emerge.

This is good. This is necessary. But this is not sufficient. Demands for greater efficiency and lower costs means that the cloud-based services must do more. We see two possibilities moving forward:

  • Cloud-based IAM/IAG that provides Identity Provisioning and Access Governance capabilities as a Cloud service; or
  • a combination of identity federation, self-service registration, directory services, and access management solutions, all provided as a Cloud service (IDaaS).

The former serves as a way to integrate cloud services with traditional on-premise IAM, or even as a direct replacement, while the latter is considered a better approach for integrating non-employee users – the so-called “externals”, such as partners, vendors, contractors and clients.

While the two may converge, we recommend you choose one or the other now – based on your current needs – as any convergence will be accompanied by a direct path from these solutions.

Those that do not begin now to move in these directions may be doomed to playing “catch up” for many years to come. Failure to do so could seriously damage your organization in the future.

Continue reading...
Read the full report and get access to KuppingerCole Research for 4 weeks.
Start Your Free Trial
Already a subscriber? Click here to login.