Ping Identity > Blogs > PingTalk 

PingTalk Blog

After three years of development, the OpenID Connect protocol is out for final review and the timing could not be better as the mobile computing industry is hungry for an open identity infrastructure.

Tuesday, Mike Jones, board member and OpenID Connect working group member at the OpenID Foundation and standards architect at Microsoft, sat at a table during the fall Internet Identity Workshop (IIW) evaluating comments and making edits to the spec, which was sent to its final release stage on Oct. 15.

The previous day at the foundation's meeting, Jones asked members for their final reviews in a development process that began in 2010 and is shaping up to be worth the wait.

OpenID Connect is coming to completion just as a hub model for identity is taking shape among mobile operators, service providers and identity initiatives around the world such as NSTIC in the U.S. and the U.K.'s Identity Assurance Program (IDAP), which will go operational next month.

"It's hubba, hubba time," said Don Thibeau, chairman and president of the Open Identity Exchange (OIX) and executive director of the OpenID Foundation, making reference to the way the global digital identity infrastructure is shaping into a hub model. He said the road that links mobile and identity is complete and the two are streaking toward that union, with OpenID Connect now an additive in the fuel.

Interest is high among service providers, vendors, consortiums, and governments, but perhaps the most significant development involves work between OIX and the U.K.'s IDAP leaders.

A number of U.K. mobile providers have enlisted OIX in evaluating OpenID Connect to fill in a piece of their identity strategy. The group attended last summer's Cloud Identity Summit conference to meet with OpenID Connect leaders and inspect the technology.


It's no secret we advocate for automating federation and enabling it to happen on a grand scale. To meet those goals, we are investing our expertise and resources into future identity infrastructure and industry efforts that we think are key to the evolution of our industry.

This week, Ping, along with Microsoft and SecureKey, became the newest board members at the Open Identity Exchange (OIX) with an eye on helping complete the last bit of technology we believe is needed to achieve a complete lifecycle of automated federation.


There's a new standard aimed at the cloud and this one is focused squarely on a significant gap - authorization.

The Cloud Authorization (CloudAuthZ) technical committee (TC) spun up Dec. 4 at the Organization for the Advancement of Structured Information Standards (OASIS) to tackle standards for determining the most optimal way to enforce policies on who can do what within a cloud environment.


Mountain View, Calif. - The group working on a specification for standards-based user provisioning in the cloud is holding true to its charter as it works toward completion, but it is discussing future steps that could include new schema options and extensions.

The effort to standardized the System for Cross-domain Identity Management (SCIM) protocol landed in the Internet Engineering Task Force in July and it quickly became apparent that the spec holds hidden gems for some with specific needs around directory and identity and access management software.

SCIM is a REST-based data access protocol for provisioning and managing user identity in the cloud. It supports creating, editing, deleting, querying and retrieving user resources. The intent is to create a fast and efficient way for enterprises to provide access to cloud services.


The Kantara Initiative has published the latest revision of its data-sharing protocol that includes updates targeted at higher education.

User-Managed Access (UMA) supports secure, private and user-controlled sharing of data between and among individuals, groups and organizations. It is being incubated by Kantara and gaining interest at the IETF as part of the post-OAuth 2.0 work. UMA is built on OAuth.

This fifth revision of UMA takes on the use case of students sharing college transcripts. The revision helps students share those transcripts in a timely, trustworthy, and secure way.


In July, noted identity expert Bob Blakley called the National Strategy for Trusted Identities in Cyberspace (NSTIC) an historic opportunity to re-define identity and access management.

Last week, NSTIC fueled the opportunity by funding with $9 million five organizations (out of 186) that proposed pilot programs.

One of those selected was Criterion Systems, whose pilot proposal for an attribute exchange network (AXN) included a number of supporting organizations and companies including Ping Identity.

Team Criterion plans eight pilots for its program over the next two years that will address creation of the AXN, which ties together identity providers, relying parties and attribute providers into a federation that can more accurately validate an end-user's identity using selected data such as age, address, or mobile phone number aggregated from a number of trusted attribute providers.

The pilot services goals include replacing passwords, allowing individuals to prove online they are who they claim to be, and enhanced privacy.

Funded with nearly $4 million, the pilots involve retail, financial services, healthcare, and government entities. (Note: $1.97 million of the grant has been awarded; the other half hinges of Congressional budget approval in fiscal 2013).

It's a pilot for sure, but not a pie in the sky.

The groundwork was put down last year when ID Dataweb participated in creation of an attribute exchange infrastructure for a project called Street Identity.


Regardless of how revolutionary a technology appears to visionaries often it takes a giant to validate the message and the market.

Thank you, Salesforce.com.

Hello, federated identity and identity-as-a-service.

In one powerful motion this morning, Salesforce CEO Mark Benioff moved the identity game from the side stage to center stage.

The tools, the technologies and the standards that are now de facto in the identity space received the validation stamp from a billion-dollar juggernaut.

I'm not suggesting it guarantees success, but the curtain is up and the big show is on.

At its annual Dreamforce conference, which opened today, the company announced Salesforce Identity, a platform that will provide single sign-on across all Salesforce applications. It's an access control strategy that gives Salesforce users a single log-in to all the platform's apps.

But it also has other important elements. There is a federation piece to integrate non-Salesforce apps/data and a provisioning part for adding, deleting and managing users.

And It's all based on standards, OAuth, OpenID Connect and SCIM, all of which we have talked about here for years.

Make no mistake, Salesforce is not launching the identity market, there are dozens of vendors and hundreds of enterprises here already, but Salesforce now has the megaphone. Greetings identity management vendors, ID architects, and CSOs, did you feel your boat rise?

Salesforce Identity isn't an add-on that makes for nice marketing materials and a generous up-sell. It's baked into the platform. It's the way identity should be delivered; integrated and expected.


San Diego - Nearly 75% of companies deploying an emerging, standardized provisioning protocol are doing so to link internal systems, according to a company that helped write the specification and was first to support it.

Directory provider UnboundID in January rolled out an implementation of the Simple Cloud Identity Management protocol (SCIM; now known as System for Cross-Domain Identity Management at the IETF) and three-quarters of those that have adopted it are provisioning users across their internal mix of platforms.

Another 25% are using it for what the SCIM creators envisioned; enterprises avoiding the headache of writing another connector. Those companies are linking to software-as-a-service providers via SCIM to provision users to cloud services, namely Salesforce.com.

'We turned a protocol and schema problem into a mapping problem, which is easier to solve. I map my SCIM thing to my LDAP thing," said Trey Drake, an architect for Unbound ID and an editor of the SCIM specification.

He appeared last week as part of a roundtable hosted by Gartner analyst Mark Diodati at the Catalyst Conference. Others on the panel were SCIM specification contributors Patrick Harding, CTO of Ping Identity, and Darran Rolls, enterprise security specialist at SailPoint.


Interested in playing it?

Today starts your chance. The group that will try to build the pieces, standards and policies of an infrastructure that could put passwords on a shelf in the Computer History Museum is holding its historic first meeting.

The Internet Ecosystem Steering Group for the National Strategy for Trusted Identities in Cyberspace (NSTIC) is convening in Chicago (and online) and the opening line of its Workplan Outline is simple:

"Imagine if you could arrive at a website already holding a secure credential for authentication - eliminating the need to create yet another username and password."

The goal - eliminate the word "imagine." But the process for doing so is difficult.

The considerations include privacy, security, interoperability, accountability, liability and how to build that into digital infrastructure.

The work begins in the context of hundreds of millions of passwords stolen online in the past seven months from A(pple) to Z(appos).


Vail, Colo. – OpenID Connect is the new kid on the block that desires to do the right thing and live up to high hopes for its success, but it still has some growing up to do.

That was the message at the Cloud Identity Summit last week from Patrick Harding, CTO of Ping Identity.

That assessment was a dominant theme of Harding’s keynote where he outlined changing security needs of the enterprise in a new age of computing that includes clouds, connected apps and roaming users with devices.

“What we are seeing right now is that the enterprise is starting to become a platform,” said Harding.

He said the scale of that platform is its most striking feature, including applications that are increasingly connected via the Web and APIs, the mobility of users who can be anywhere, and the proliferation of devices among those users including smartphones, tablets and laptops.

“There needs to be changes in how the enterprise exposes data,” Harding said.

He explored the notion that a token economy is upon the enterprise where tokens are the currency used for access control, federation and single sign-on, creating sessions, and most important, replacing passwords.

SAML and OAuth meet today’s needs, and you should consider OpenID Connect when placing a strategic importance on becoming an enterprise platform,” Harding said.