IDaaS, Everything but the Directory Sync

Back in 2011, Marc Andreesen famously declared that “Software is eating the world.” We have seen this come to fruition, although today I would update this declaration to be “SaaS is eating the world.” SaaS and the subscription-based delivery of business applications have become the preferred consumption model for most organizations. Market analyst firm IDC predicts that virtually all software vendors will have fully shifted to a SaaS delivery model by 2018[1].

We love our SaaS. And what’s not to love? The pay-as-you-go pricing is business-friendly. It enables velocity of scale (up or down), reduces local infrastructure footprint, lowers capital costs, yada yada yada – if you are reading this blog, you probably already know all this stuff.

But here’s the thing with SaaS, we still need to implement IT security controls. While we rely on the service provider to secure the platform, we need to ensure access to our SaaS-delivered business apps is well protected. The threat of compromised accounts is arguably the biggest security risk to adopting public cloud SaaS offerings. We can’t have employees using weak or shared passwords for these apps, and sticky notes on the user’s desk make us cringe. However, strong password policies make it hard for employees, especially if they must change them regularly.

We need an identity and access management solution for cloud apps that enables strong policy without putting the administrative burden on users or IT staff. And of course, we want this delivered in an identity as a service (IDaaS) model. There are some good IDaaS offerings on the market today, like those from Ping Identity and Okta. These solutions offer SSO and SAML-based federation for cloud-based apps. Your employees simply authenticate to the IDaaS and have seamless access to all their cloud apps. Simple, easy, secure access to the cloud apps they need.

Sounds great, right? Just copy or synchronize your on-premises user directory to the IDaaS vendor’s platform, configure some SAML-enabled SaaS applications and you are ready to federate. Wait, what? Copy my directory to the cloud? Let me think about that…

We all want the simplicity and security benefits of SSO for cloud and SaaS, but having copies of the corporate directory in a 3rd party’s platform is not for everyone. While I truly believe that service providers take security seriously, they also can be a frequent attack target because of the sensitive data they host. Limiting risk in the cloud just makes good security sense.

The reports of the on-premises directory’s death have been greatly exaggerated. At F5, we have customers that just don’t want expose their directories to the public cloud. However, there is a way to get all the benefits of IDaaS without the need to put your directory in the IDaaS platform – what is known as SAML identity chaining. This is where the IDaaS federation identity provider (IdP) can redirect to an on-premises IdP, like the F5 BIG-IP APM, that has secure access to the on-premises corporate directory. Employees can be transparently authenticated via the on-premises directory and the appropriate SAML assertion can be provided to the back to the IDaaS for federated SSO to SaaS apps.

This IdP chaining model also enables on-premises access policies to be extended to cloud applications. Multi-factor authentication (MFA) and contextual-based policy access for apps can also be added. Pretty cool right?

If you are considering implementing IDaaS but have reservations about sharing your corporate directory in the cloud, IdP chaining can help ease your concerns. Most market-leading IDaaS vendors support IdP chaining and F5 BIG-IP APM has experience working with just about all of them. Go forth and IDaaS without fear...

[1] IDC Worldwide and Regional Public IT Cloud Services Forecast, 2015–2019