I just finished up a few days listening to analysts and talking to customers at the Gartner Identity and Access Management conference in Los Angeles. The message coming out of the conference is the same from both customers and the analysts.
The current identity and access management stack is too complex and expensive to quickly address emerging trends. IT and security are furiously working to respond to line of business requests to move information into mobile applications for remote employees. Processes between the business and partners need to be integrated to facilitate better visibility and delivery of goods and services.
Powering these mobile applications and integration projects are APIs, web services and modern HTML applications. As these technologies have been rushed into use, existing access and security models have been stretched to fill the holes and new requirements have emerged.
As the Gartner conference highlights, it is time to assess the needs of the business and move IAM in a direction that is flexible, responsive and lightweight. New standards like OAuth 2.0 and OpenID Connect are the foundation for those capabilities.
Into this environment, we released PingAccess this week. PingAccess complements PingFederate's capabilities for authentication and federation to bring control and access to web applications and APIs. Additionally, our engineering team has woven support for OpenID Connect and OAuth tightly into the product.
With PingAccess, we have the first web session token based on standards. OpenID Connect introduced the JSON Web Token (JWT) and it is a great container for identity information as well as web session information. Using the JWT opens up new possibilities for integration with applications.As customers build new web applications, those apps themselves will be able to access identity information through open source libraries. (See the great work done with JOSE and the available libraries by Brian Campbell).
Additionally, PingAccess closes the loop for OAuth 2.0 as a resource server. PingAccess validates the OAuth token validation and then intelligently caches the validation on behalf of the API. You are able to protect your APIs with OAuth without changing any code.
We have built PingAccess like all our products at Ping. It bridges the divide between open standards and proprietary security models. PingAccess can be integrated into any application to help you move further down the road to flexible, standards based Identity and access management.