Over the last few years, the adoption of cloud services by organisations and users has grown exponentially. Our e-mail, our storage systems and the tools we use every day are no longer installed on our work devices, which makes it possible to adjust the cost to what we really need and to scale up whenever we need to. However, we face different problems when working with applications from different vendors hosted in a mysterious “Cloud”.
One of the most worrying problems is authentication. Whom are we delegating this task to? Where are the passwords stored? What about user information? Do I have to enter my username and password in every application?
The solution that SaaS (Software as a Service) providers are betting on is federation: a set of “federated” applications that fully trust the authentication and authorisation of their users to a central third-party server. It follows the same principles as older authentication protocols such as Kerberos, but it solves the problems those had and orients the service to the web world.
Once we have decided to federate our applications, we need to choose which technology to use. Three solutions stand out: SAML, OAuth and OpenID. Although there are essential differences among them, they do not compete; they offer solutions for different needs.
OpenID, sponsored by providers such as Google, Facebook, Microsoft, Yahoo, etc., is oriented towards users who consume services on the web every day and is widely deployed in the social network world. OAuth, for its part, was created for all the “apps” that need authentication in the Cloud.
SAML was created for the enterprise world. Although it is more complex to implement than OpenID, it provides the robust and secure features that are essential for deployment in big corporations.
SAML (Security Assertion Markup Language) is not a new technology. Its first version was registered in 2001 and version 2.0, the one used today, was released in March 2005. It was something extraordinary at the time, as it was not common for companies to decide to outsource any service, putting it in someone else’s hands far from their offices. It was not until several years later, with the growth of Cloud environments, that SAML became established among cloud service providers, appearing in the applications of big vendors such as Microsoft, Citrix, Google, etc.
SAML provides mechanisms to detect that a user has already signed in to any of these applications, avoiding asking again for the username and password when the same user needs to access another application in the same environment, thus creating a federated environment. It is also not necessary for remote applications to store user data, which gives each user a single username and password and prevents critical data, such as passwords, from “travelling” around the web.
SAML architecture has two basic components:
• Service Provider (SP): present in each application, it is capable of delegating user authentication and authorisation to another service.
• Identity Provider (IdP): in charge of maintaining user information, receiving access requests from applications and deciding whether the user can access the application or whether the username and password need to be entered again.
Service providers offer an easy-to-configure SP, but the company needs a tool that provides IdP functionality and user authentication.
WBSVision is an example of an IdP tool: an Open Source product that provides multiple Identity Management functionalities without any of the drawbacks of proprietary software. Its functionalities are:
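To make the SP/IdP split concrete, here is an added example (not code from the original post, nor from WBSVision) of the checks an SP performs on the assertion an IdP hands back: trusted issuer, validity window, audience and presence of a signature. The assertion, the issuer and entity-id URLs and the identifier are constructed sample values; real signature verification needs an XML-DSig library and is only flagged here, not performed.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (standard values from the specification).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a minimal assertion as an IdP would issue it. The
# ds:Signature element is deliberately left out so the unsigned case is exercised.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_hypothetical_id_1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    """Parse the UTC xs:dateTime form SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_assertion(xml_text, trusted_issuer, my_entity_id, now):
    """Return (name_id, problems). The SP must reject the assertion unless
    problems is empty; every check below is one the IdP relies on the SP to do."""
    problems = []
    root = ET.fromstring(xml_text)   # production SPs should use a hardened XML parser
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != trusted_issuer:             # only the IdP we federated with
        problems.append("untrusted issuer: %r" % issuer)
    if root.find("ds:Signature", NS) is None:  # verifying it needs an XML-DSig library
        problems.append("assertion is not signed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid")
        if na and now >= _ts(na):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if my_entity_id not in audiences:    # issued for a different SP: replay across apps
            problems.append("audience mismatch: %r" % audiences)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return name_id, problems
```

Run against the sample at 12:01 UTC the only finding is the missing signature; shift the clock past 12:05 or change the expected entity id and the corresponding check fires as well.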
• Directory for user storage and authentication
• IdM engine for provisioning and workflow execution
• IdP Role for SSO with SAML
In conclusion, identity management in Cloud environments is essential for big organisations, not only to manage locally the users of many applications, but also to avoid the security problems that this type of administration may cause. A Single Sign On system greatly improves the user experience. SAML provides both in a single “enterprise” environment. If you decide to choose a project with the advantages of the Open world, WBSVision offers, without a doubt, the most complete solution.