Building Your Identity Bridge to the Cloud

Securely connect your on-premises identity with cloud services

Most identity professionals are highly focused on their particular area of responsibility and don’t have a lot of time to broaden their knowledge to other areas that are related to—but don’t directly affect—their day-to-day jobs. This makes it challenging to have an awareness (let alone an understanding) of the different types of identity services that have sprung up in recent years. As the maxim goes, “You don’t know what you don’t know.”

In May, Gartner analyst Mark Diodati published a report entitled “Identity Bridges: Uniting Users and Applications Across the Hybrid Cloud.” It summarizes the evolution of a product segment I’ve been writing about in this column since I joined Windows IT Pro. Diodati calls this class of product an identity bridge, an apt name because it bridges the traditional on-premises identity and access management (IAM) system, such as Active Directory (AD), to the cloud-based services that need those identities. Every working identity professional needs to become conversant with the capabilities encompassed by identity bridges, because they’ll be expected to understand, and perhaps recommend, what their company needs in order to build its own bridges to the cloud.

Incidentally, Diodati might not have intended it, but I can’t resist mentioning that the term identity bridge also nicely parallels Norse mythology. (No, I have never attended Comic-Con, but I did grow up watching Thor cartoons after school.) Bifrost is also a bridge: the rainbow bridge to Asgard, home of the Norse gods. Bifrost connects the world we’re familiar with (mortals, or on-premises identity) with the unfamiliar, ethereal world in the clouds (immortals, or cloud-based services). You could stretch the Norse analogy even further and say that the god Heimdallr, who guards the bridge against transgressions, is the equivalent of the identity router component found in many identity bridges. I’m surprised that Nordic Edge, the federation software company that Intel purchased to jumpstart its entry into this market, never picked up on this analogy. Now you can go watch Thor and say you’re doing identity research!

Diodati’s report nicely summarizes the many different types of products and capabilities that might be required to provide seamless and secure identity to cloud services, from the well known and mature to the still emerging. Although vendors vary in their products’ competencies, some of the capabilities that identity bridges can provide are as follows:

  • Federation for single sign-on (SSO) authentication (AuthN) to the cloud service. A key component of this capability is the ability to transform security tokens from a standard accepted in one realm (e.g., Kerberos tickets in an AD environment) to a standard accepted in another realm (e.g., SAML tokens in a web service environment or OAuth tokens in a mobile environment). For more information, see my article “Ease Cloud Security Concerns with Federated Identity.”
  • Directory synchronization. This is typically one way, from the identity provider (e.g., your company’s AD implementation) to the service provider (the target cloud service), so that changes made at the identity provider, such as disabling an account, are replicated to the service provider promptly. In practice “promptly” means on the next synchronization cycle rather than instantly, so the sync interval bounds how long a user disabled on-premises keeps a live cloud account. For more information, see my article “Identity Predictions.”
  • Just-in-Time (JIT) provisioning. JIT provisioning creates the account at the service provider the first time a user successfully authenticates to the service through the bridge, typically from the attributes carried in the federation token. Among other advantages, this means that a company isn’t charged for a user’s access to a service until that user actually begins using it. Note, however, that JIT provisioning covers only the creation of the account; updates to and deletion (or disabling) of the account must be handled by another method, such as directory synchronization. Disabling the user at the identity provider stops further federated logons, but the account already created at the service provider lingers until something else cleans it up.
  • Authorization (AuthZ) services to determine who can access which services.
  • Virtual Directory Services (VDS) provide an aggregated view into what might be many separate enterprise identity stores. For more information, see my article “The Rise of Virtual Directory Servers.”
  • Password vaulting. Although identity federation is the strategic direction for providing secure authentication to cloud services, the reality today is that smaller Software as a Service (SaaS) providers generally aren’t set up to support federation. Instead, they rely on a user ID and password entered at their logon page. Password vaulting stores a user’s credentials in the identity service and replays them to the SaaS website as if the user were logging on directly. (Incidentally, this is how the LastPass browser add-on provides its autofill and autologin functions.) Keep in mind what this trades away: the vault holds real, reusable passwords rather than issuing short-lived signed assertions, which makes it a high-value target, and the SaaS provider can’t distinguish a replayed password from a stolen one, so disabling the user in your directory doesn’t by itself lock the cloud account. I’ve seen the password-vaulting capability mentioned only as part of Identity as a Service (IDaaS) solutions.
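To make the interplay between federation, JIT provisioning and directory synchronization concrete, here is a small simulation added for this column; it is not code from the Gartner report or from any vendor’s bridge. It models an identity provider that issues a signed assertion only after a successful on-premises logon (the token-transformation step), a service provider that JIT-provisions accounts from that assertion, and a one-way directory sync that is the only path by which a disabled user’s cloud account gets disabled. The user names, the service hostname, the `pw-<username>` password convention and the HMAC-signed JSON standing in for an XML-signed SAML assertion are all constructed for the example; a real bridge signs with the IdP’s private key and the service verifies with the IdP’s certificate.

```python
"""Simulated identity bridge: federation, JIT provisioning, one-way directory sync.
Constructed example for illustration; secrets and names are hypothetical."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Shared secret standing in for the IdP's SAML signing key (hypothetical).
SIGNING_SECRET = b"demo-idp-signing-key"


@dataclass
class User:
    username: str
    email: str
    enabled: bool = True


class IdentityProvider:
    """On-premises directory plus token service (think AD + AD FS)."""

    def __init__(self, users):
        self.directory = {u.username: u for u in users}

    def authenticate(self, username, password):
        # Stand-in for a Kerberos logon against the on-prem directory;
        # the "pw-<username>" convention is a constructed simplification.
        user = self.directory.get(username)
        if user is None or not user.enabled or password != f"pw-{username}":
            return None
        return user

    def issue_assertion(self, username, password, audience):
        """Token transformation: on-prem logon -> signed SAML-style assertion."""
        user = self.authenticate(username, password)
        if user is None:
            return None  # disabled or bad credentials: no token is minted
        claims = {"sub": user.username, "email": user.email,
                  "aud": audience, "exp": time.time() + 300}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(SIGNING_SECRET, body, hashlib.sha256).hexdigest()
        return {"claims": body.decode(), "sig": sig}


class ServiceProvider:
    """Cloud service that trusts the IdP and provisions accounts just in time."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}          # SP-side account store, keyed by username
        self.provisioned_jit = []   # audit trail of JIT-created accounts

    def login(self, assertion):
        if assertion is None:
            return False
        body = assertion["claims"].encode()
        expected = hmac.new(SIGNING_SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False            # tampered or forged assertion
        claims = json.loads(body)
        if claims["aud"] != self.name or claims["exp"] < time.time():
            return False            # wrong audience or expired
        sub = claims["sub"]
        # JIT provisioning: create the SP account on first federated logon only.
        if sub not in self.accounts:
            self.accounts[sub] = User(sub, claims["email"])
            self.provisioned_jit.append(sub)
        return self.accounts[sub].enabled


def sync_directory(idp, sp):
    """One-way sync IdP -> SP: push attributes and enabled/disabled state.
    JIT never disables or deletes, so this is the only path that does."""
    changed = []
    for account in sp.accounts.values():
        src = idp.directory.get(account.username)
        if src is None:
            # Deleted at the IdP: disable rather than delete at the SP, so
            # the account stays around for audit (hypothetical policy choice).
            if account.enabled:
                account.enabled = False
                changed.append(account.username)
            continue
        if (account.enabled, account.email) != (src.enabled, src.email):
            account.enabled, account.email = src.enabled, src.email
            changed.append(account.username)
    return changed


def demo():
    idp = IdentityProvider([User("alice", "alice@example.com"),
                            User("bob", "bob@example.com")])
    sp = ServiceProvider("crm.example-saas.test")
    results = {}
    # First logon: JIT creates alice's account; bob never logs on, so no account.
    results["alice_first_login"] = sp.login(idp.issue_assertion("alice", "pw-alice", sp.name))
    results["bob_provisioned"] = "bob" in sp.accounts
    # Alice leaves the company: disable her on-premises.
    idp.directory["alice"].enabled = False
    # Federation now refuses to issue a token ...
    results["alice_assertion_after_disable"] = idp.issue_assertion("alice", "pw-alice", sp.name)
    # ... but the JIT-created SP account is still enabled until sync runs.
    results["sp_account_enabled_before_sync"] = sp.accounts["alice"].enabled
    results["sync_changed"] = sync_directory(idp, sp)
    results["sp_account_enabled_after_sync"] = sp.accounts["alice"].enabled
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the point made in the JIT bullet: once alice is disabled on-premises the identity provider stops minting assertions, yet her JIT-created cloud account remains enabled until `sync_directory` runs, so the synchronization interval is what bounds the lifetime of the orphaned account.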

Some identity bridges—for example, Microsoft’s Active Directory Federation Services (AD FS)—don’t have a SaaS component (Windows Azure AD notwithstanding), but many are tightly integrated with an identity-management service or are entirely service-based. Mobile device management, which can distribute authentication credentials to smartphones and tablets, has quickly become a standard capability.

Like many markets, the identity bridge market was pioneered by startups that offered unique, single-purpose products. As this market matures, the startups grow into larger companies with broader product portfolios and greater capabilities in their products, often combining two or three identity-related capabilities. These small companies are often acquired by larger players seeking to jump into this area or to quickly add capability to their existing products. This maturity also gives rise to a class of products that Diodati calls super bridges, which have a superset of services such as storage and network load balancing that go beyond identity services alone.

This report is a great way to quickly understand the different aspects of these identity bridging technologies and who the key players in the market are. The market is evolving rapidly, so although most of the base technologies will still apply at this time next year, I expect that many of the players will have changed. And as if to underscore these changes—and his faith in the future expansion of this market segment—Diodati left Gartner in August to join Ping Identity. Download the “Identity Bridge + Identity-as-a-Service: Where Will It Take You?” report from Ping Identity’s website. I’ll continue to pay close attention to this area and keep you aware of interesting developments and information you need to know.

Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.
