With the milestone release of our 7.0 version, we are completing a bi-directional bridge between the enterprise and the cloud.
Now you can adjust to the shifting enterprise security boundary, and you are free to move identity around the Internet.
Where SAML has served, and will continue to serve, the enterprise and connect it to specific cloud use cases, today we are introducing a PingFederate that addresses distributed identity at scale - namely billions of users, applications and resources across the Cloud.
The foundation of these features rests on two emerging standards: OpenID Connect and the System for Cross-Domain Identity Management (SCIM). The first addresses authentication and single sign-on in the Cloud era, and the other, basic bi-directional user account creation and deletion.
We are at the point where the theories about an identity layer for the Internet can finally start to cross onto the reality stage.
OpenID Connect's Identity Provider capabilities support a distributed environment; complement OAuth 2.0, added during our 6.x releases; and bring discovery, registration and single sign-on (SSO) capabilities.
These are the first gems of OpenID Connect, a decentralized design that continues to evolve.
In OpenID Connect, discovery allows the end-user to find their identity providers. Today, there are not many to choose from, but in the future this list could be substantial. This fundamental feature is important to scaling identity.
The other OpenID Connect feature of note is registration, which at its heart brings trust to a distributed identity infrastructure.
Applications are able to self-register with an identity provider and receive tokens that allow them to act on behalf of a user. In the past, this registration process has been manual and challenging to support.
And even though OpenID Connect's Dynamic Registration protocol will evolve with richer capabilities, the automated registration is ready to run.
The protocol also provides the missing SSO link that was not addressed by OAuth. It provides an ID token which, when communicated to an OAuth client, can serve to authenticate the user into that client and so enable web SSO (comparable to a SAML assertion).
This is identity at scale as defined by today's implementation of OpenID Connect.
The other standard of note in PingFederate 7 is SCIM. It is the mechanism that allows identities to move around a cloud identity infrastructure that will never have a single repository.
The industry has a sorry history with standardized provisioning, but SCIM is limited in scope and is therefore focused on the right amount of account management.
We have done a lot of work to add SCIM deep into PingFederate, such as integration with directory synchronization. Requests for new account creations can be sent out to cloud services, and requests originating in the cloud can be accepted into on-premises systems. It's truly bi-directional and an example of the identity bridge capabilities available in PingFederate 7.
OpenID Connect and SCIM support are just two of many new features that speak to where identity management is headed, and what it will take to not only manage it but to optimize it across the enterprise and the cloud.