The Schwartz Cloud Report

Ping to Offer Federated ID Management in the Cloud

While software-as-a-service applications such as Cisco WebEx, Google Apps, Microsoft Office 365 and Salesforce.com, among others, are becoming a popular way of letting organizations deliver apps to their employees, they come with an added level of baggage: managing user authentication.

Every SaaS-based app has its own login and authentication mechanism, meaning users have to separately sign into those systems. Likewise, IT has no central means of managing that authentication when an employee joins or leaves a company (or has a change in role). While directories such as Microsoft's Active Directory have helped provide single sign-on to enterprise apps, third parties such as Ping Identity, Okta and Symplified offer tools that provide connectivity to apps not accessible via AD, including SaaS-based apps. But those are expensive and complex, hence typically used by large enterprises.

Ping Identity this week said it will start offering a service in April called PingOne that will provide an alternative and/or adjunct to PingFederate, the company's premises-based identity management platform. PingOne itself is SaaS-based; it will run in a cloud developed by Ping and deployed on the Amazon Web Services EC2 service.

In effect, PingOne, which will start at $5,000 and cost $5 per user per month, will provide single sign-on to enterprise systems and SaaS-based apps alike via Active Directory or an organization's preferred LDAP-based authentication platform. Ping claims it has 800 customers using its flagship PingFederate software, 90 percent of which are large enterprises.

But smaller and mid-sized enterprises, though they typically run Active Directory, are reluctant to deploy additional software to add federated identity management, and in fact many have passed on Microsoft's own free add-on, Active Directory Federation Services (ADFS).

With PingOne, customers won't need to install any software other than an agent in Active Directory that connects it to the cloud-based PingOne. "With that one connection to the switch you can now reach all your different SaaS vendors or applications providers," said Jonathan Buckley, VP of Ping's On-Demand Business. "This changes federation, which has been a one-to-one to one networking game."

By moving federated identity management to the cloud, organizations don't need administrators who are knowledgeable about authentication protocols like OAuth, OpenID and SAML, Buckley added. "The tools are designed with a junior to mid level IT manager in mind," he said.

Ping is not the first vendor to bring federated identity management to the cloud: Covisint offers a vertical industry portal that provides single sign-on, as do Symplified and Okta. But Buckley said Ping is trying to bring federated identity management to the masses.

"The model they are pursuing is a very horizontal version of what a number of folks have done in a more vertical space with more limited circles of trust," said Forrester Research analyst Eve Maler. "I think they are trying to build an ecosystem that is global and that could be interesting if they attract the right players on the identity-producing side and the identity-consuming side, namely a lot of SaaS services."

Another effect of these cloud-based identity management services is their potential to lessen the dependence on Active Directory, said Gartner analyst Mark Diodati. PingOne promises to make that happen via its implementation of directory synchronization, Diodati said.

PingOne monitors an enterprise's Active Directory for changes and replicates any it detects to PingOne. Specifically, if someone adds a user to an LDAP group, moves that user to a new organizational unit or assigns the user a specific attribute, that change will automatically replicate to PingOne.
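Directory synchronization of the kind described above, shown as an added example that is not Ping's code: two constructed Active Directory snapshots are diffed by objectGUID, so that a group membership change, an OU move or an attribute change becomes a sync event, and removals are ordered first so that revoking access never waits behind provisioning. The snapshots, GUIDs and DNs are constructed placeholders, not live LDAP data.

```python
"""Change detection for a directory sync agent (added example, not Ping's code).
Keying on objectGUID means an OU move (a DN change) is reported as a move
rather than as a delete plus an add, so the user's cloud identity is preserved."""

REMOVALS = ("delete", "group_remove")  # applied first: revocation must not wait


def diff_directory(before, after):
    """Return sync events as tuples, removals ordered before everything else."""
    events = []
    for guid in sorted(before.keys() - after.keys()):       # object gone: deprovision
        events.append(("delete", guid, before[guid]["dn"]))
    for guid in sorted(after.keys() - before.keys()):       # new object: provision
        entry = after[guid]
        events.append(("add", guid, entry["dn"]))
        for group in sorted(entry["memberOf"]):
            events.append(("group_add", guid, group))
    for guid in sorted(before.keys() & after.keys()):       # same object, maybe changed
        old, new = before[guid], after[guid]
        if old["dn"] != new["dn"]:                          # moved to another OU or renamed
            events.append(("move", guid, old["dn"], new["dn"]))
        for group in sorted(old["memberOf"] - new["memberOf"]):
            events.append(("group_remove", guid, group))
        for group in sorted(new["memberOf"] - old["memberOf"]):
            events.append(("group_add", guid, group))
        for attr in sorted((old.keys() | new.keys()) - {"dn", "memberOf"}):
            if old.get(attr) != new.get(attr):
                events.append(("attr", guid, attr, old.get(attr), new.get(attr)))
    # sort is stable, so removals move to the front and the rest keep their order
    events.sort(key=lambda e: 0 if e[0] in REMOVALS else 1)
    return events


def _user(dn, groups, **attrs):
    return {"dn": dn, "memberOf": set(groups), **attrs}


# Constructed snapshots keyed by objectGUID (placeholder values, not real GUIDs).
GROUPS = "OU=Groups,DC=example,DC=com"
BEFORE = {
    "guid-alice": _user("CN=Alice,OU=Sales,DC=example,DC=com", [f"CN=Sales,{GROUPS}"], title="Rep"),
    "guid-bob":   _user("CN=Bob,OU=Sales,DC=example,DC=com", [f"CN=Sales,{GROUPS}"], title="Rep"),
    "guid-carol": _user("CN=Carol,OU=IT,DC=example,DC=com", [f"CN=IT,{GROUPS}", f"CN=Admins,{GROUPS}"], title="Admin"),
}
AFTER = {
    "guid-alice": _user("CN=Alice,OU=Marketing,DC=example,DC=com", [f"CN=Marketing,{GROUPS}"], title="Manager"),
    "guid-carol": _user("CN=Carol,OU=IT,DC=example,DC=com", [f"CN=IT,{GROUPS}"], title="Admin"),
    "guid-dave":  _user("CN=Dave,OU=Sales,DC=example,DC=com", [f"CN=Sales,{GROUPS}"], title="Rep"),
}

if __name__ == "__main__":
    for event in diff_directory(BEFORE, AFTER):
        print(event)
```

Running the block prints Bob's deprovisioning and the two group removals before Dave's provisioning, Alice's move, her new group and her title change.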

"The ability to do that directory synchronization, getting identities into the hosted part of it, and also the single sign-on, are extremely difficult to do without on-premises components to pull it off," Diodati said.

Ping stresses that passwords and authentication data are not stored in the cloud. But it stands to reason many companies will have to balance the appeal of simplifying authentication and management of access rights to multiple SaaS-based apps with the novelty of extending that function into the cloud. Do you think customers will be reluctant to move federated identity management to the cloud or will they relish the simplification and cost reduction it promises? Drop me a line at [email protected].

Posted by Jeffrey Schwartz on March 21, 2012
