The digital identity landscape is a messy space dotted with ratholes and littered with acronyms: SAML, SCIM, OIDC, OAuth, JIT, API, GAM, SOC2, and, of course, WTF! Companies need a single source of truth for identities and a place that handles their lifecycle from birth to death. They get this through identity management.
It’s a giant pain.
Every company starts its journey across that landscape toward Identity Management Nirvana in the same way. They start with accidental admins and as they grow they move toward Total Identity Management Automation, an imaginary destination where all things identity Just Work™.
The goal of automation is to simplify the work needed to connect multiple identities to multiple services. This includes:
- Creating. How are identities brought into existence?
- Provisioning. How does each service know the details about the user, such as the name, role, email, etc?
- Authenticating. How does a user prove they are who they say they are?
- Authorizing. How does the service know the user is allowed access to a resource?
- Deprovisioning. How does the service know the user should be removed?
- Updating. How does the service know that something about the user has changed?
- Retiring. When an identity is no longer used, it’s retired. (For compliance purposes, this is not always possible. For that, we need archiving – keeping an identity’s history and resources, but no longer allowing new use of the identity.)
YeshID exists to make this journey easier. We’ve created a map based on the experiences of the explorers we’ve talked to and our own experience as a fast-growing startup with big ambitions. If you want to be able to create, provision, authenticate, authorize, deprovision, update, and retire users in different applications in the simplest, cheapest, and most operationally efficient way, you need to know where you are and where you’re going.
We are partnering with companies that value operational ease and security. If you’re a candidate, you probably don’t have time to read the rest of this blog – tl;dr – sign up for YeshID’s beta.
But if you can put down one of the balls you’re juggling for a bit (don’t drop it, please!) let me describe the adoption journey.
Make it fast! Make it easy! I have a business to run.
This is the starting point. Manual application management seems straightforward for startups. They have a small number of employees and a few apps. Accidental admins are able to manage everything from memory while juggling other balls. It’s simple and easy. And cheap! (Or so it seems.)
Enter Google Workspace as your first identity platform – and email service. It uses OpenID and OpenID Connect (OIDC). The “Login with Google” button simplifies sign-up, sign-in, and authentication. And it improves security. It also provides a centralized view: administrators can use the Google Admin console to control certain users’ app access, device access, and more.
Administrators still have to log in to each application for provisioning, setting permissions, and deprovisioning.
Memory Fades Away: time to adopt process & documentation.
As a startup grows, personal memory is no longer sufficient. The more employees and applications there are, the harder it is to keep track of who has access to what. It’s time to start embracing the power of documentation to streamline identity and application management.
Companies we’ve talked to have used spreadsheets, docs, Confluence, or Notion. They complement these systems with ticketing systems like JIRA, GitHub, or Slack. The process is documented, and the ticketing system helps ensure that each administrator handles what needs handling. In theory, users submit requests through the ticketing system. But informality and the need for speed in small companies mean that many requests bypass the documented process. Users go directly to an admin by email, Slack, or hallway conversation.
APIs and GAM are cheaper IdP options
Woah! That’s a lot of acronyms. Let me break it down.
So if you’re a technical company, engineering usually ends up responsible for provisioning. And they want to build products, not be IT. They discover that most SaaS services have APIs that they can use to automate the job. And it’s free. So they start playing around with simple scripts and automation. Google Apps Manager (GAM) is free and can be used to provision the Google side of the house. And free API access to your SaaS apps covers the rest. WIN!
Although there are some good options for normalizing read-only access to SaaS applications (like Steampipe, an open-source solution), there is no open-source normalization of APIs for write access. This means developers have to custom-write onboarding and offboarding scripts, and oftentimes different groups just handle access permissions by hand because they are too complicated to program (think permissions in SFDC for a sales engineer who covers the TOLA region but does backup for APJ sales).
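What one of those custom onboarding/offboarding scripts boils down to, for the lifecycle steps listed earlier (create, update, deprovision, retire rather than delete): an added example, not YeshID’s code or any vendor’s API. It assumes the directory is the source of truth and the app speaks SCIM 2.0 (the `/Users` paths and schema URNs are from the SCIM specs); `Employee`, `reconcile`, and the in-memory `app_users` dict are constructed for the example, and it only builds the requests rather than sending them.

```python
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

@dataclass
class Employee:
    user_name: str      # login / email: the join key across systems
    display_name: str
    title: str
    employed: bool      # False once HR has offboarded the person

def to_scim(emp: Employee) -> dict:
    """Desired SCIM 2.0 User representation of a directory record."""
    return {"schemas": [SCIM_USER], "userName": emp.user_name,
            "displayName": emp.display_name, "title": emp.title,
            "active": emp.employed}

def deactivate(user_name: str) -> tuple:
    """Retire rather than delete: keeps history for audit, blocks new use."""
    return ("PATCH", f"/Users/{user_name}",
            {"schemas": [SCIM_PATCH],
             "Operations": [{"op": "replace", "path": "active", "value": False}]})

def reconcile(directory: list, app_users: dict) -> list:
    """Return the ordered SCIM requests that bring app_users in line with directory.

    directory: source-of-truth Employee records (e.g. exported from Workspace/HR).
    app_users: userName -> SCIM User dict as the SaaS app currently holds it.
    """
    ops, seen = [], set()
    for emp in directory:
        seen.add(emp.user_name)
        desired, current = to_scim(emp), app_users.get(emp.user_name)
        if current is None:
            if emp.employed:                 # create, but never for a leaver
                ops.append(("POST", "/Users", desired))
        elif not emp.employed:
            if current.get("active", True):  # deprovision only once
                ops.append(deactivate(emp.user_name))
        else:
            changed = [k for k in ("displayName", "title", "active")
                       if current.get(k) != desired[k]]
            if changed:                      # update only what drifted
                ops.append(("PATCH", f"/Users/{emp.user_name}",
                            {"schemas": [SCIM_PATCH],
                             "Operations": [{"op": "replace", "path": k,
                                             "value": desired[k]} for k in changed]}))
    # Accounts the app knows but the directory does not: orphans left by an
    # admin creating users by hand. Retire them instead of silently keeping them.
    for name, current in app_users.items():
        if name not in seen and current.get("active", True):
            ops.append(deactivate(name))
    return ops
```

Running `reconcile` on every sync is what turns the "who has access to what" question into a diff you can review before it is applied.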
IdP enablement of the SAML and SCIM tax
More acronyms. In theory, nirvana is the stage where we can automate all things identity (at least sort of) using Security Assertion Markup Language (SAML to its friends). SAML defines an interface through which an identity provider passes a user’s authentication and attributes to a service. System for Cross-domain Identity Management (SCIM) was introduced to automate the account lifecycle tasks listed above, provisioning and deprovisioning in particular.
Now keep in mind, SAML and SCIM enabled by third-party IdPs are not cheap. First, you have to subscribe to an Identity Provider that has created a lot of SAML integrations (no one wants to write their own). Next, you need to figure out from that documentation that you sort of kept (or look at QuickBooks on who you are paying) what applications you are managing. You then need to identify which SaaS applications use SAML integration and sign up for the SAML-enabled tier, which often means 2x cost per seat. No biggie. Or is it? If you’re still a startup, you need to keep costs down, and this doesn’t do that.
However, it does make repeat provisioning, deprovisioning, auditing, etc. a lot easier. And that really might be worth the cost for the time you save once you are a big company.
I’ll say it again. The digital identity landscape is a messy space dotted with ratholes and littered with acronyms. If you’ve gotten this far, you know a lot of them: SAML, SCIM, OIDC, OAuth, JIT, API, GAM, SOC2, and WTF! If you value operational ease and security and you managed to find the time to read this blog (or at least skim through it or – let’s get real – skip to the end), you can sign up for our Beta!
Let’s make identity better.