Enterprise Provisioning vs. Federated Provisioning

* The differences/similarities between Enterprise Provisioning and Federated Provisioning

When last we spoke I left you thinking about deprovisioning both your people from apps you don't control and your apps from people you don't control. It's a big issue with software-as-a-service (SaaS) and federated provisioning. It was the Burton Group's Ian Glazer who said: "...there should be no reason why deprovisioning from an application like Salesforce.com is any harder than deprovisioning from LDAP." And, in truth, maybe it isn't.

The problem with SaaS apps is that typically they have a separate login for the user, one not tied (from the SaaS perspective) to your network login. For the most part we use Single Sign-on (SSO) technologies to automate the connection to the SaaS app, and even stick a widget in the local browser to make it easy for your users to get to the app. But once that user is no longer associated with your organization, simply cutting off their network login won’t stop them from accessing the SaaS application: the SaaS credential still works.

The savvy user, and one bent on “savaging” the application data (or, perhaps, they might say “liberating” the data), can just as easily log in directly to the SaaS app by way of the service provider. And, according to Oracle’s Nishant Kaushik: “This is where federated provisioning is not like regular provisioning (as we know it today). There are a number of things needed here that regular provisioning isn't set up for. The standards-based interaction between the federation server and the provisioning server isn't defined today, and SPML is not set up to accept SAML tokens as data inputs.” In other words, there’s no standard way to tell the SaaS service provider to turn off a departed user’s access. According to Glazer: “In the approaches we have seen, when a new account gets built it has an expiration date associated with it that gets updated on every login. After some period of time without an authentication, the account is suspended or deleted.” Not exactly “real time” and certainly not “just-in-time.”

But it might just be possible.

The Pamela Project’s Pam Dingle points out: “Ian and Nishant, in debating differences/similarities between Enterprise Provisioning and Federated Provisioning, seem to be forgetting a critical difference between old-school provisioning and federated provisioning — the combination that federated provisioning provides of provisioning and AAA [Authentication, Authorization, Accounting] services coming from the same authoritative source and working in conjunction.”

Given your organization (A), its servers (As) and users (Au) and a service provider (SP) with applications (SPa), Dingle describes a federation scenario in which all authentication of Au takes place at As – even for those users attempting to log in directly to the SP. This is the typical federation ceremony with the SP as relying party and As as the identity provider. So deprovisioning would be instantaneous: once you’ve turned off Au’s account at As there can be no authentication, so the SP would deny access to SPa. The SP never holds a credential of its own for Au, so there is no second login to forget about. This involves standard, traditional provisioning within organization A and standard, traditional federation between A and the SP. Seems like a good answer to me, and one anyone (with provisioning and federation already in place) can use today.
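To make the three access paths in this column concrete (an SP that keeps its own copy of Au’s credential, Glazer’s idle-expiry account, and Dingle’s relying-party SP that only honours assertions issued by As), here is a toy simulation added for this page. It is not code from the column or from any of the vendors named; the HMAC-signed token stands in for a SAML assertion, the shared key stands in for the IdP’s signing certificate, and every user, password, key and timestamp is constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for illustration: in a real deployment As signs assertions with its
# private key and the SP verifies with the IdP's certificate; an HMAC stands in here.
SHARED_KEY = b"idp-signing-key-for-demo-only"


class IdentityProvider:
    """Organization A's servers (As): the single authoritative account store."""

    def __init__(self, key: bytes):
        self._key = key
        self._users = {}          # username -> {"password": str, "active": bool}

    def provision(self, user: str, password: str) -> None:
        self._users[user] = {"password": password, "active": True}

    def deprovision(self, user: str) -> None:
        # Traditional deprovisioning: the account is switched off here and only here.
        self._users[user]["active"] = False

    def authenticate(self, user: str, password: str, now: float):
        """Return a signed assertion for an active user with the right password, else None."""
        rec = self._users.get(user)
        if rec is None or not rec["active"] or rec["password"] != password:
            return None
        payload = json.dumps({"subject": user, "issued": now}, sort_keys=True)
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class LocalLoginSaaS:
    """The problem case: the SP keeps its own credential for Au, copied at onboarding."""

    def __init__(self):
        self._accounts = {}       # username -> password; nothing here hears about As

    def provision(self, user: str, password: str) -> None:
        self._accounts[user] = password

    def login(self, user: str, password: str) -> bool:
        return self._accounts.get(user) == password


class ExpiringAccountSaaS:
    """Glazer's observed approach: a local account whose expiry is pushed out on each login."""

    def __init__(self, idle_days: int = 30):
        self._idle = idle_days * 86400
        self._expires = {}        # username -> expiry timestamp

    def on_federated_login(self, user: str, now: float) -> None:
        self._expires[user] = now + self._idle

    def login_directly(self, user: str, now: float) -> bool:
        # No round trip to As: access survives until the idle timer runs out.
        return self._expires.get(user, 0) > now


class FederatedSaaS:
    """Dingle's model: the SP is a relying party with no local password path at all."""

    def __init__(self, idp_key: bytes, freshness_seconds: int = 300):
        self._key = idp_key
        self._freshness = freshness_seconds

    def login(self, assertion, now: float) -> bool:
        if assertion is None:              # As refused to authenticate the user
            return False
        expected = hmac.new(self._key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False                   # forged or tampered assertion
        claims = json.loads(assertion["payload"])
        return now - claims["issued"] <= self._freshness   # replayed stale assertions fail too


def deprovisioning_outcomes(now: float = 1_700_000_000.0) -> dict:
    """Provision alice everywhere, disable her only at As, then try each SP."""
    idp, local_sp = IdentityProvider(SHARED_KEY), LocalLoginSaaS()
    expiring_sp, fed_sp = ExpiringAccountSaaS(idle_days=30), FederatedSaaS(SHARED_KEY)

    idp.provision("alice", "correct-horse")
    local_sp.provision("alice", "correct-horse")      # SSO setup copied the credential over
    expiring_sp.on_federated_login("alice", now)      # her last federated login was today
    before = fed_sp.login(idp.authenticate("alice", "correct-horse", now), now)

    idp.deprovision("alice")                          # the only step A's helpdesk performs
    later = now + 60
    forged = {"payload": json.dumps({"subject": "alice", "issued": later}, sort_keys=True),
              "sig": "00" * 32}
    return {
        "federated_before": before,
        "federated_after": fed_sp.login(idp.authenticate("alice", "correct-horse", later), later),
        "local_after": local_sp.login("alice", "correct-horse"),
        "expiring_after_1_min": expiring_sp.login_directly("alice", later),
        "expiring_after_31_days": expiring_sp.login_directly("alice", now + 31 * 86400),
        "forged_assertion": fed_sp.login(forged, later),
    }
```

Running `deprovisioning_outcomes()` shows the point of the column in one table: after alice is disabled at As, the federated SP rejects her immediately (there is nothing for it to accept without an assertion, and a forged one fails verification), the SP with its own credential store still lets her straight in, and Glazer’s expiring account lets her in for a minute and still for the rest of the idle window, only failing once the timer has run out.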

But what about transferring account data between A and the SP in a standardized way in keeping with good provisioning principles? SPML and SAML won’t work, at least as currently constituted. Is there another way? Come back next time and find out.
