Doing access management with the help of cloud-based services is a pretty comfortable proposition by now. For more than a decade, we've been doing federated single sign-on to and from apps that are themselves in external domains. Looking at the recent Forrester Wave™ on enterprise cloud identity and access management, all three vendors we identified as leaders specialize in various kinds of cloud-app SSO and access control — the cloud identity 1.0 ur-scenario. (Join us tomorrow, September 20, for a client webinar to review this Wave!)
What about identity management in the cloud? It's been harder to find. Two other vendors we looked at in the Wave provide cloud interfaces to familiar on-premises provisioning solutions such as the IBM and Oracle suites. And all the vendors rely on hooking into an organization's on-premises directory as the single source of truth.
Okay, then, what about putting that single source of truth into a store with a cloud-native interface, as my colleague Andras discussed on our Security & Risk blogs recently? That’s even more rare — but the writing is on the wall. Microsoft went bold with its Windows Azure Active Directory moves, providing non-LDAP RESTful interfaces. Cool. (I’d like it to support SCIM as well, though, since you ask.)
Two even newer cool examples of a cloud changeup in identity storage and management: On September 5, Okta announced a partnership with Workday that enables it to offer employee identity management as a cloud-native proposition. And today, announced what looks to be an insanely comprehensive V1 of a cloud-native IM+AM offering, with provisioning workflow and reporting options that leverage the increasingly mature Salesforce Platform. Other service providers we consider to be cloud IAM dark horses, given these recent moves: Google, Intuit, and Amazon.
Here’s what we at Forrester think this all means:
  • Enterprise IT gets more choices. Credible, comprehensive cloud-native IAM will put serious pressure on the classic on-premises suites, increasing choice for enterprises bitten by the SaaS bug.
  • LDAP’s hold on IT begins to weaken. LDAP as the standard directory interface just became “legacy,” though it won’t be disappearing anytime soon. While SCIM is no more than an 80/20 replacement at the moment, it gains significant momentum from’s backing. (Hey, wasn’t LDAP the 80/20 point for X.500?)
  • The federation broker landscape will broaden. We believe many of the SaaS players managing significant business-user populations will find it attractive to move into a horizontal federation broker role, joining Ping Identity with its PingOne service.
What do you think? Let us know in the comments!