Connecting IdM services to SURFconext


Connecting IdM services to SURFconext

Project: SURFworks
Project year: 2013
Release date:
Version: 1.0

Summary

This research compares the currently available IdMaaS services and assesses the market opportunities for IdMaaS for the Dutch R&E community. We conclude that Dutch Research & Higher Education institutes are generally not ready for a complete cloud offering of IAM services. By and large they lack a clear policy for adopting cloud services and have a reserved position towards IdMaaS due to the sensitive nature of the data involved and their awareness of the need to comply with privacy regulations. Therefore, IdMaaS will not be an alternative to the on-premise IAM services in the Dutch R&E sector in the short term (1-3 years). Nevertheless, IdMaaS is seen as an attractive option for realising additional IAM functions.

This publication is released under the Creative Commons licence Attribution 3.0 Netherlands. More information on the licence can be found at

Colophon

Programme line: SURFworks
Part: SI-SDT
Activity: Connecting Services
Deliverable: Connecting IdMaaS Services
Access rights: Public
External party: m7, Ludo Gorzeman, Peter Jurg, Ton Verschuren

This project was made possible by the support of SURF, the collaborative organisation for higher education institutes and research institutes aimed at breakthrough innovations in ICT. More information on SURF is available on the website.

Matters one should know about Connecting IdM services to SURFconext

Scenario: With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud, being offered by more and more suppliers. This research compares different IdMaaS vendors and assesses the readiness of the community for adopting this new service model for IAM.
What is it?: A comparative study of IdMaaS suppliers and of the readiness of the community for adopting this new service model for IAM.
Whom is it for?: The target audience for this report consists of CIOs, ICT managers, IAM functional application managers, and the members of the SURF Special Interest Group for Identity Management in general.
How does it work?: A shortlist of IdMaaS suppliers was compared on a number of criteria (both functional and non-functional). The findings are presented in this report.
What can one do with it?: Get an overview of the IdMaaS supplier landscape.
More information: Eefje van der Harst (Eefje.vanderHarst@SURFnet.nl)

Contents

1. Background
2. Purpose and target audience
3. Approach for this report
4. Disclaimer
5. Identity and Access Management-as-a-Service
6. Customer perspective
7. Results
8. Conclusions
Annex: Longlist and shortlist of IdMaaS suppliers
Annex: CA Technologies
Annex: Clavid
Annex: CloudID
Annex: Covisint
Annex: iwelcome
Annex: Microsoft
Annex: Okta
Annex: PingOne
Annex: Sailpoint
Annex: Traxion

1. Background

Federated Identity & Access Management is in everyday use for the majority of the research and higher education (R&E) community in the Netherlands. Over one hundred institutes with almost one million users can use over one hundred services through the SURFconext federation, resulting in more than federated logins per day.

SURFconext is a collaboration infrastructure that connects a number of basic building blocks for online collaboration:
- federated authentication and authorisation, so that users can securely access all kinds of available services via the same account that they use at their own institution;
- group management, enabling access to content and functionality (for example for a project team) to be managed centrally. These may be internal groups of the institution or groups from the SURFconext group management application;
- a standard data interface (OpenSocial) for exchanging activities, reports and group information with cloud applications;
- cloud applications of various providers (for example Google Apps, Edugroepen, Sharespace, Liferay Social Office).

SURFconext allows institutions to integrate internal and external online services, thus enabling them to offer users a collaboration environment within which they can access the online services that they require.

Currently, an on-premise Identity & Access Management (IAM) facility, connected to SURFconext, is a common asset in the Dutch R&E community. With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud, being offered by more and more suppliers. Hence the question arose whether this new form of IAM is of interest to the Dutch R&E community and how it relates to SURFconext. Although IAMaaS would be the appropriate abbreviation for IAM-as-a-Service, in this report we use the term IdMaaS (Identity Management-as-a-Service), since this is the common term used these days.

2. Purpose and target audience

Commissioned by SURFnet and in close collaboration with SURFmarket, m7 conducted research into IdMaaS and the readiness of the community for adopting this new service model for IAM. The goal of the research is threefold:
- describe and compare the currently available IdMaaS services;
- assess the market opportunities for IdMaaS for the Dutch R&E community;
- select the most promising top 3 among the IdMaaS vendors and assist SURFmarket in including these vendors in its dynamic procurement system.

The first goal concerns this report. The third goal aims to lower the threshold for both vendor and customer to reach a favourable agreement to procure an IdMaaS service. As a result of this research SURFnet also wants to assess the suitability of IdMaaS for the smaller institutions with little know-how about IAM that are not yet connected to SURFconext: is IdMaaS a suitable solution for this type of organisation to connect to SURFconext as an Identity Provider? The target audience for this report consists of CIOs, ICT managers, IAM functional application managers, and the members of the SURF Special Interest Group for Identity Management in general.

3. Approach for this report

A small number of organisations connected to SURFconext was visited to learn about their interest in and expectations of IdMaaS. On the suggestion of SURFnet and SURFmarket, we interviewed the persons responsible for either ICT or IAM at the following organisations, two academic hospitals and three universities:
- Leids Universitair Medisch Centrum (LUMC);
- VUmc;
- Hogeschool Utrecht;
- Universiteit Maastricht;
- Technische Universiteit Delft.

We discussed their view on cloud computing in general, their current IAM service and the features it lacks, and assessed their willingness to move (part of) their on-premise IAM service to the cloud. In a seminar at the end of November we presented the results of our study and provoked discussion about the usefulness of IdMaaS for the SURF community.

Based upon desk research [1] we compiled a longlist of some twenty IdMaaS vendors (refer to Annex: Longlist and shortlist of IdMaaS suppliers). We studied their websites to find out which IAM functions they provide (refer also to the next chapter for a description of the IdMaaS services) and posed a number of questions about non-functional features. Based upon a number of criteria we compiled a shortlist of ten vendors. Next a questionnaire was sent to these vendors, followed, if we got any response, by a meeting or teleconference to discuss their answers. Finally we filled out a template per vendor (refer to the annexes) and submitted it to them for review. A compilation of our findings is included in the chapter on results.

[1] The Forrester Wave report on Enterprise Cloud Identity And Access Management, Q3 2012, proved an inspiring document for our research.

4. Disclaimer

IdMaaS is a young industry, consisting of well-known players with fully developed IAM suites for on-premise use moving to the cloud, and newcomers deploying in-house developed solutions or combinations of existing solutions (open source and commercial). Hence this report is a snapshot of a rapidly changing vendor landscape, where a first wave of takeovers and mergers is not unlikely.

5. Identity and Access Management-as-a-Service

In the last few years many vendors of IAM suites have decomposed their offering into several smaller modules that each provide a particular IAM service. This trend follows the trend of the last 5-10 years of performing IAM projects step by step. In the last 2 years the decomposition of IAM into several services has led to cloud offerings for some demarcated IAM services; federation, single sign-on and provisioning to public cloud applications, for example, are services that are offered from the cloud. In the last year, however, we see that more sophisticated services, especially self-service, access governance and risk-based access, are also offered from the cloud. In this document we use a decomposition model for IAM that is depicted in Figure 1.

Figure 1: Decomposition of IAM functions

At the bottom of this picture we start with the underlying processes for registration, change and exit of identities, which are already in place in the majority of organisations, Dutch higher education and research included. Therefore, we exclude the registration functionality for staff and students from our comparison, assuming this is already in place as an on-premise process. For smaller organisations looking for a solution to connect to SURFconext as identity provider, however, this functionality would be required as part of the IdMaaS offering. Usually, though, their registration needs will be met by the guest registration functionality of the IdMaaS supplier. In larger organisations guest registration is sometimes a more diffuse process, where different parts of the organisation have their own process for it. So guest registration can often be improved by a central software solution that enforces one way of doing this.

Below we discuss the other services in the picture and their role in IAM. We distinguish services with a history of 10 years or more, which we call classical IAM services, and IAM services that became popular in the last 2-3 years, which we call modern IAM services.

Classical IAM services

Identity Vault / life cycle management
An identity vault is a central user repository that contains the information necessary for account and role provisioning; from here users get their account and basic access rights in different systems. On top of the identity vault the processes for life cycle management can be implemented. These define the existence of accounts and access rights for users depending on the state of their identity. Whether or not to implement a central Identity Vault mostly depends on the number of users and the expected rate of change. Generally it is cost effective to implement a central Identity Vault for a couple of thousand identities.

User provisioning
This service provides the provisioning of account information to all applications and authentication databases (see below) that need a user account in order to provide access to a user.

Role and group assignment
Which systems are appropriate for a user is defined by the roles a person has or the groups a person belongs to. Roles can be job description, department, location or other information, often provided by HR. Groups often have a more ad hoc character, like a project group. Life cycle management also handles changes in roles and groups and translates them into changes in access (if needed). Other approaches to access management, like access request management and identity and access governance, are described below.

Delegated admin
Delegated admin can be used for distributed user account management within an organisation. Admin users can for example create and remove users, change access rights or perform self-service tasks on behalf of users.

Single sign-on (SSO)
Single sign-on is a mechanism that allows the user to log in only once to get access to several services without logging in again. This service is mainly a technical implementation. The biggest challenge is to integrate desktop and web SSO.

Strong authentication
This provides a central service for two-factor authentication, or otherwise stronger authentication methods than username and password, that can be applied to several applications.

Self-service
This is a central service by which end users can change or reset their password and perhaps also change some personal information (this might be viewed as part of delegated admin, with delegation to the users themselves).

Access request management
Besides the information in HR (job description, department, location, etc.), users within an organisation will have specific tasks for which they need specific access. This can be established by so-called access request workflows: line managers and application owners have to approve requests by employees. It is utopian to think that such workflows can be used to manage all access rights in all applications. A lot of rights will still be entered in the applications without any workflow. In that case, Identity & Access Governance (see below) can help.

Reporting and auditing
Reporting and auditing is useful for obtaining insight into access rights, delegated admin activity, self-service activity, provisioning, etc.

Modern IAM services

Federation
Federation can be used to enable web SSO, i.e. SSO for web-based services. It may also serve to let people from another organisation log in to your services with the account from their own organisation, and vice versa.

Identity and Access Governance (IAG)
This is a service that retrieves access rights from several applications, gathers them and presents the consolidated rights for review. Access rights can be labelled as low, medium or high risk, and a manager can get an overview of what type of access their employees have (risk, licence costs, etc.). They can then approve, change or withdraw access rights. With this approach access rights can still be entered in the applications themselves, but managers are alerted when new employees come in or access rights are changed. IAG can also help to detect violations of segregation of duties.

Cloud provisioning
Cloud provisioning is not much different from account and role provisioning, but uses the APIs of cloud providers and open standards to provision and deprovision accounts and roles.

Identity-based device management
Linking device management to identity management ensures that life cycle management is effective for personal devices and enables an organisation to define personal access rights for devices. It may also be used for risk-based access.

Risk-based access
Risk-based access enables organisations to make access decisions based on the behaviour of users. For example, the location of a user should not suddenly change while the user is accessing services, and a user should not access systems at unusual hours.

Social logon
Social logon helps organisations to diminish user account management for individual users: they can log in with a social media account. Since trust and security are not at a high level here, this mechanism is mostly used for providing customers access to (semi-)public information, for example for marketing purposes: an organisation wants to provide information to potential customers and at the same time wants to keep track of the activity and profile of those customers.

Most IdMaaS cloud providers currently focus mainly on the modern IAM services, which form the biggest opportunity as most organisations already have the classical IAM services in place. Most of them are able to offer the classical IAM services from the cloud as well, though. Device management turned out to be an exception: although device management is offered as a cloud service by many service providers, these services are quite often not part of the IdMaaS offering, but available as a separate service from the same supplier or from specialised suppliers.

We will use the picture above in the annexes to this document to indicate which services are offered by the different IdMaaS providers. Furthermore, we will describe how the IdMaaS offering relates to the SURFconext service.

Apart from a functional comparison of the IdMaaS suppliers, we looked at a number of non-functional aspects [2]:
- What privacy (data protection) regulations apply to the IdMaaS service? The EU Directive, the Safe Harbor Principles, or otherwise?
- Will the supplier comply with the International Standard for Assurance Engagements (ISAE) 3402 or the Statement on Standards for Attestation Engagements (SSAE) 16 for their service auditor's statements? [3]

[2] For more information (in Dutch) refer to the checklist for contracts with cloud providers and the best practices on privacy for cloud providers; the latter explains the standards for the certifications mentioned.

[3] ISAE 3402 provides an international assurance standard that allows public accountants (an independent third party) to issue a report, for use by user organisations and their auditors (user auditors), on the controls at a service organisation that are likely to impact or be part of the user organisation's system of internal control over financial reporting. Hence ISAE 3402 provides assurance over outsourced business processes. ISAE 3402 includes the IT environment of the service organisation and its security. SSAE 16 resembles ISAE 3402 and differs only for the specific case of US customers of service organisations; hence it is not relevant for Dutch higher education institutes. Note that ISAE 3402 reports can be of type I or type II, the first being a snapshot, the latter reporting over a longer period with a minimum of 6 months.
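The risk-based access service described above makes access decisions from user behaviour: a location that changes faster than anyone can travel, or a login at an hour the user has never been seen before. The Python example below is added here to make that concrete; it is not code from the report or from any IdMaaS supplier. It scores a login attempt against the same user's earlier logins and maps the score to allow, step-up or deny. The rules, their weights, the decision thresholds, the 900 km/h plausibility limit and the login records are all constructed for the illustration.

```python
"""Risk-based access: score a login against the user's own recent history.

Added illustration of the 'Risk-based access' function (not code from the
report or from any IdMaaS supplier). Rules, weights, thresholds and the
sample login records below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
import math


@dataclass(frozen=True)
class Login:
    user: str
    time: datetime      # UTC
    lat: float
    lon: float
    device_id: str      # e.g. a device cookie or certificate fingerprint


# Assumed plausibility limit: a faster apparent move between two logins is
# treated as an impossible change of location.
MAX_PLAUSIBLE_KMH = 900.0
# Assumed minimum number of earlier logins before 'usual hours' is judged.
MIN_HISTORY_FOR_HOURS_BASELINE = 3


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_login(candidate, history):
    """Return (score, reasons) for one login given the user's earlier logins."""
    prior = [h for h in history if h.user == candidate.user and h.time < candidate.time]
    score, reasons = 0, []
    if not prior:
        return score, reasons           # no baseline yet: nothing to compare with

    # Rule 1: the location should not change faster than anyone can travel.
    last = max(prior, key=lambda h: h.time)
    km = haversine_km(last.lat, last.lon, candidate.lat, candidate.lon)
    hours = (candidate.time - last.time).total_seconds() / 3600   # > 0 by construction
    if km / hours > MAX_PLAUSIBLE_KMH:
        score += 50
        reasons.append(f"implausible travel: {km:.0f} km in {hours:.1f} h")

    # Rule 2: login hour outside the window this user has been seen in before.
    if len(prior) >= MIN_HISTORY_FOR_HOURS_BASELINE:
        seen = sorted({h.time.hour for h in prior})
        if not (seen[0] - 1 <= candidate.time.hour <= seen[-1] + 1):
            score += 20
            reasons.append(f"login at {candidate.time.hour:02d}h, outside usual hours")

    # Rule 3: a device never seen for this user.
    if candidate.device_id not in {h.device_id for h in prior}:
        score += 20
        reasons.append(f"unknown device {candidate.device_id}")
    return score, reasons


def decide(score):
    """Map a risk score to an access decision (thresholds are assumptions)."""
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step-up"                # e.g. require a second factor
    return "allow"


# Constructed history: one student account, always Amsterdam, one laptop.
AMS, NYC = (52.37, 4.90), (40.71, -74.01)
HISTORY = [
    Login("s1234567", datetime(2013, 11, 4, 9, 0), *AMS, "laptop-a"),
    Login("s1234567", datetime(2013, 11, 4, 14, 0), *AMS, "laptop-a"),
    Login("s1234567", datetime(2013, 11, 5, 10, 30), *AMS, "laptop-a"),
    Login("s1234567", datetime(2013, 11, 6, 11, 0), *AMS, "laptop-a"),
]

# Constructed candidate logins to evaluate against that history.
CANDIDATES = {
    "same place, same device": Login("s1234567", datetime(2013, 11, 6, 11, 30), *AMS, "laptop-a"),
    "new york 30 min later":   Login("s1234567", datetime(2013, 11, 6, 11, 30), *NYC, "laptop-a"),
    "night, new device":       Login("s1234567", datetime(2013, 11, 7, 3, 0), *AMS, "phone-x"),
    "new york, new device":    Login("s1234567", datetime(2013, 11, 6, 11, 30), *NYC, "phone-x"),
}


def evaluate_all():
    """Score every candidate; returns {label: (score, decision, reasons)}."""
    results = {}
    for label, cand in CANDIDATES.items():
        score, reasons = score_login(cand, HISTORY)
        results[label] = (score, decide(score), reasons)
    return results


if __name__ == "__main__":
    for label, (score, decision, reasons) in evaluate_all().items():
        print(f"{label:26s} score={score:3d} -> {decision:8s} {'; '.join(reasons)}")
```

The baseline is per user, so a night-shift employee's own history widens the accepted hours instead of generating alerts, which is the point of basing the decision on the user's behaviour rather than on a fixed policy. A real deployment would feed the reasons to the reporting and auditing function and let the step-up decision trigger the strong authentication service.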

- ISO certificate? [4] This ensures that the service is secure and will be audited regularly.
- What SLA is offered? For a service that enables users to log on, good uptime of the service, short response times when a disruption occurs and a globally acceptable performance are important SLA parameters.
- Is data escrow supported? If so, an exit or migration to another supplier will be easier, because such a service can make sure that the customer's data remain available, even if the supplier goes bankrupt or suffers a large calamity.

[4] Though ISAE 3402 covers IT security, it is not very specific about the security measures, and its relevance for IT security depends on the third party who issues the report and on the auditor of the customer who verifies it. ISO is a pragmatic certification that ensures that certain measures are taken and therefore may offer additional assurance.

We did not include the costs of the IdMaaS offerings in our research, but we did ask the vendors for their cost models: on what parameters are their tariffs based? Apart from a one-time set-up fee, the licence costs can be based upon the following parameters:
- number and type (internal or external) of users;
- number of authentications per period of time;
- number of connected cloud applications;
- number of administrators in the cloud platform;
- the two-factor authentication methods used;
- support level.

6. Customer perspective

None of the organisations interviewed has defined a policy for the cloud yet, although some are in the process of defining one. Some collaborate in the SURF Cloud Taskforce, so the topic has their interest. The main reasons for adopting cloud services in general are an improvement of the quality of the services offered, increased agility, and a change from a capital expenditure to an operational expenditure cost model, including reduced manpower for application management and support. But due to the sensitive nature of IAM (accounts, personal data, access to licensed content and services) the migration to a completely cloud-based IAM service is unlikely in the short term.

All organisations claim to hold on to a local registration process for employees and students, a local identity store including lifecycle management, and, due to the sometimes very extensive on-premise application landscape, a mainly local provisioning process. The academic hospitals interviewed even claimed that they cannot move their identity store to the cloud because of the data protection regulations in force. The authors of this report do not think this is true, because IdMaaS can be considered a technical solution for IAM that has to adhere to the same legislation as on-premise IAM.

To summarise the viewpoint of the organisations interviewed: IdMaaS is not considered an alternative for the basic, classical IAM functions. At the seminar, however, the majority of the institutions indicated an interest in IdMaaS because their current on-premise IAM solution is bound for replacement in the near future. Nevertheless, IdMaaS is seen as an attractive option for realising additional IAM functions, such as strong authentication, improved self-service, guest registration (especially in the context of virtual organisations or collaboration teams), provisioning to cloud applications, and possibly, in the longer term, social logon and identity-based (mobile) device management. This was confirmed during the seminar, where two thirds of the attendees showed interest in IdMaaS within a three-year term. On the other hand, a quarter of the audience thinks that IdMaaS may not be a solution for them, because their business processes are not generic enough and they are unwilling or unable to adjust to more generic processes. A remarkable finding was that the modern Identity & Access Governance approach does not have the attention of Dutch Research & Higher Education at the moment, so a cloud offering for this functionality is currently not on their wish list.

7. Results

This chapter contains the results of our research of the IdMaaS vendors on the shortlist. We describe the current state of affairs in the IdMaaS landscape in the context of the Dutch situation. Not all suppliers responded to our questionnaire or to our request to review our findings; where this is the case, it is mentioned in the annex concerned.

The IdMaaS market is young but rapidly developing. During our research we came across several suppliers that were not on our initial longlist. Some suppliers build their offering on their own intellectual property; some use products from the well-known classical IAM vendors. Some suppliers have offered their service for a number of years, but the majority introduced their IdMaaS offering in the last two years. Not surprisingly, the set of IAM functions offered and their maturity vary strongly per supplier. A number of suppliers mainly focus on offering as many out-of-the-box connections to cloud applications as possible, usually presented through a user or admin dashboard: 'choose your cloud application, click and go' is the adage here. Others try to cover as many IAM functions as possible, trying to compete with on-premise IAM suites. Still others offer a wide variety of two-factor authentication options. Whereas the IAM functions offered are easy to find on the suppliers' websites, the non-functionals are harder to obtain. But where an SLA is important for any cloud application ('*-as-a-service'), for IAM a number of specific non-functional requirements are critical, due to the nature of the data concerned.
Here information security standards like ISO 27001 and third-party audit formats like ISAE 3402 and SSAE 16 come in. Together they provide an indication of how safe your users' data and privacy are in the supplier's cloud platform. Of course the suppliers are aware of these issues, and some are in the process of regionalising their cloud (data centres) in order to adhere better to the Dutch and EU data protection regulations.

When it comes to the positioning of the IdMaaS offering with respect to SURFconext, there is a varying degree of overlap in the functions offered. Actually, the majority of IdMaaS suppliers offer technical services that can be used to build a federation like SURFconext. They offer authentication using SAML (and OpenID Connect), web SSO for cloud applications and social logon, just like SURFconext does. However, they only provide technical solutions, whereas SURFconext offers a complete federation, with central facilities that make connecting to a large number of services a breeze and a trust framework that helps to diminish the burden of arranging agreements with many service providers. Using an IdMaaS supplier, institutions will have the technical possibilities of a federation, but will not have the federation itself. In general this makes the IdMaaS services less attractive, because the added value is limited. However, there are still some areas where SURFconext does not offer functionality and IdMaaS providers do. Some examples:
- Two-factor authentication;
- SSO to cloud applications not included in SURFconext;
- Guest registration;
- Device management;
- Provisioning to cloud applications;
- On-premise provisioning, identity vault and SSO.

A general observation across all suppliers is that support for the group API of SURFconext is lacking. The consequence is that group information used in the SURFconext-connected cloud applications will not be available in the cloud applications connected to the IdMaaS supplier's platform. SSO between the supplier's and SURFconext's domains, however, won't be a problem.

One of the non-functional aspects that will be of interest to a prospective customer of an IdMaaS service is the supplier's ability to execute: how many comparable organisations are among the supplier's customers; how easy is it to set up the service and how long does it take for the service to be operational; how well is support organised; is the supplier already active on the Dutch market or not, etc. And with respect to the latter aspect: is the supplier inclined to connect to SURFconext? Note, however, that the ability to execute is beyond the scope of our research, partly due to the lack of response on the subject from a number of vendors.

In the annexes a short description of each supplier and its offering is given. The table below summarises our findings for the functional and non-functional aspects. The table shows that, not surprisingly, federation techniques and SSO are supported by all suppliers. Identity & Access Governance, device management and, to a lesser extent, access request management are still rather rare. Auditing and reporting are generally implemented in a basic form; those suppliers rated mature (blue) for this function usually provide an interface for a Security Information and Event Management system.

A remark about provisioning needs to be made. Although the table shows that user and cloud provisioning are generally well supported, suppliers indicated that in practice provisioning is far from trivial. Some suppliers claim to provide provisioning to cloud applications only if these support standards like SPML and SCIM, for which support in applications is not very common at the moment. And some interpret provisioning as just-in-time provisioning [5], while generally ahead-of-time provisioning [6] is required. For the latter, custom interfaces usually need to be implemented.

Overall, the classical IAM functions show better support than the modern ones. Discussions with suppliers showed that many of them are still developing their solutions and have support for many of the modern IAM functions on their roadmap. On the non-functional side, the fact that not all suppliers indicate that they adhere to the EU privacy regulations shows their sometimes limited interest in the Dutch (European) market. Support for data escrow is provided by the majority of the suppliers, which should ease a (periodic) change of IdMaaS supplier, e.g. after a tender.

The approach taken and the sometimes meagre response from the vendors prevent us from appointing a top 3 of best suppliers. Moreover, the choice of a suitable IdMaaS solution strongly depends on the specific IAM functions required by an organisation.

[5] Just-in-time (JIT) provisioning creates a profile for the user in the application at the time of first login.

[6] Ahead-of-time (AOT) provisioning creates a profile for the user in the application before the first login.
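Footnotes 5 and 6 define the two provisioning models; the difference matters in practice because access rights (a group membership, a shared folder) often have to exist before the user ever logs in, which only ahead-of-time provisioning can deliver. The Python example below is added here to show that difference and is not code from the report or from any supplier. It simulates a cloud application's user store in memory: the AOT path receives a SCIM 2.0 User resource (the core User schema of RFC 7643, which the report names as one of the standards some suppliers require), the JIT path creates the account from the attributes released at first federated login. The identity data, attribute names and group name are constructed.

```python
"""Just-in-time (JIT) versus ahead-of-time (AOT) provisioning.

Added illustration of footnotes 5 and 6 (not code from the report or from
any supplier). A cloud application's user store is simulated in memory. The
AOT path accepts a SCIM 2.0 User resource (RFC 7643 core schema); the JIT
path creates the account from attributes released at first federated login.
All identity data below is constructed.
"""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class CloudApp:
    """Simulated service provider with a SCIM endpoint and a federated login."""

    def __init__(self):
        self.users = {}       # userName -> account attributes
        self.groups = {}      # group name -> set of userNames

    def scim_create_user(self, body):
        """AOT path: handle POST /Users carrying a SCIM User resource (JSON text)."""
        resource = json.loads(body)
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("400: missing core User schema")
        username = resource["userName"]          # the one attribute RFC 7643 requires
        if username in self.users:
            raise ValueError("409: userName already exists")
        self.users[username] = {
            "externalId": resource.get("externalId"),
            "email": resource.get("emails", [{}])[0].get("value"),
            "active": resource.get("active", True),
            "created_by": "aot",
        }
        return username

    def add_to_group(self, group, username):
        """Grant access ahead of first login; only works for an existing account."""
        if username not in self.users:
            raise KeyError(f"{username} has no account yet")
        self.groups.setdefault(group, set()).add(username)

    def federated_login(self, attributes, jit_enabled):
        """Login with the attributes the IdP released (e.g. in a SAML assertion).

        With JIT the account is created on first login; without it a user who
        was not provisioned ahead of time is refused.
        """
        username = attributes["uid"]
        if username not in self.users:
            if not jit_enabled:
                raise PermissionError(f"{username}: no account, provision ahead of time")
            self.users[username] = {
                "externalId": attributes.get("eduPersonPrincipalName"),
                "email": attributes.get("mail"),
                "active": True,
                "created_by": "jit",
            }
        if not self.users[username]["active"]:
            raise PermissionError(f"{username}: account deactivated")
        return username

    def member_of(self, group, username):
        return username in self.groups.get(group, set())


def scim_user_from_identity(identity):
    """Map an identity-vault record to a SCIM User resource (JSON text)."""
    return json.dumps({
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": identity["eppn"],
        "userName": identity["uid"],
        "name": {"givenName": identity["given"], "familyName": identity["sn"]},
        "emails": [{"value": identity["mail"], "primary": True}],
        "active": True,
    })


# Constructed identity as an on-premise identity vault might hold it, and the
# attributes a federated login for the same person would carry.
ALICE = {"uid": "alice", "eppn": "alice@example-university.nl",
         "given": "Alice", "sn": "Example", "mail": "a.example@example-university.nl"}
ALICE_ASSERTION = {"uid": "alice", "eduPersonPrincipalName": ALICE["eppn"], "mail": ALICE["mail"]}


def jit_scenario():
    """JIT only: group access cannot be granted before Alice's first login."""
    app = CloudApp()
    try:
        app.add_to_group("project-team", "alice")
        granted_before_login = True
    except KeyError:
        granted_before_login = False
    user = app.federated_login(ALICE_ASSERTION, jit_enabled=True)
    return granted_before_login, app.users[user]["created_by"], app.member_of("project-team", user)


def aot_scenario():
    """AOT: account created via SCIM, group granted, then login with JIT switched off."""
    app = CloudApp()
    user = app.scim_create_user(scim_user_from_identity(ALICE))
    app.add_to_group("project-team", user)
    app.federated_login(ALICE_ASSERTION, jit_enabled=False)
    return app.users[user]["created_by"], app.member_of("project-team", user)


if __name__ == "__main__":
    print("JIT: granted before login / created by / in group:", jit_scenario())
    print("AOT: created by / in group:", aot_scenario())
```

The AOT path is also the one that supports deprovisioning: an account that exists in the application can be deactivated from the identity vault when the identity's life cycle ends, whereas a JIT-only application only learns about a user when that user shows up.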

Table 1: Comparison of IdMaaS suppliers

[The table itself, with its colour-coded ratings and legend, is not reproduced in this text; only its structure survives.]
Columns (suppliers): Traxion, Sailpoint, Ping, Okta, Microsoft, iwelcome, Covisint, CloudID, Clavid, CA
Rows, Modern IAM: device management, risk-based access, social logon, federation, IAG, cloud provisioning
Rows, Classical IAM: SSO, 2FA, self-service, access request management, reporting & auditing, LCM, user provisioning, roles & groups, DA, guest registration
Rows, Non-functionals: adherence to privacy regulations, third-party audit conformity, ISO, SLA, escrow support

Some more background information:
- All providers offer good functionality for cloud provisioning, federated login and SSO for cloud applications. Additionally they all offer good functionality for on-premise SSO. Clavid is an exception: they only provide authentication, not provisioning.
- Covisint is the most experienced IdMaaS provider, as they were an IdMaaS provider avant la lettre in the automotive industry. Their offering is highly standardised though, so customisations may be expensive. In terms of overall functionality they have the best score.
- Okta and CA seem not very interested in the Dutch educational market; that is what we deduce from the fact that they were not very responsive. Traxion indicated that their focus is not on education anymore.
- For specific types of functionality we would recommend the following suppliers:
  o Two-factor authentication: Clavid and iwelcome.
  o SSO to cloud applications not included in SURFconext: all.
  o Guest registration: Covisint and iwelcome.
  o Device management: Covisint.
  o Provisioning to cloud applications: all but Clavid.
- On-premise provisioning and identity vault are functions that most suppliers do not offer (yet) in a way that can meet the rather complex business rules of the Dutch higher education community, but that appears to be a matter of time. Instead, at the moment, most suppliers do provide simple provisioning tools. If an institution plans to make its provisioning simpler though, most suppliers are able to help out.

15 8. Conclusions Dutch Research & Higher Education institutes are generally not ready for a complete cloud offering of IAM services. By and large they lack a clear policy for adopting cloud services and have a reserved position towards IdMaaS due to the sensitive nature of the data involved and their awareness to comply to privacy regulations. Therefore, IdMaaS will not be an alternative for the on-premise IAM services in the Dutch R&E sector in the short term (1-3 years). For federation and SSO the institutes mainly use SURFconext. SURFconext might also offer strong and step-up authentication in the near future. Thus the overlap between the IAM functions offered by SURFconext and IdMaaS suppliers will likely grow. On the other hand some IdMaaS vendors try to connect as many cloud applications to their platform as possible, whereas SURFconext generally connects (niche) applications for the R&E community. Depending on the need for cloud applications, the SSO domain of the IdMaaS solution may be of interest. On the other hand several cloud IAM providers support the modern IAM functionalities the institutes are looking for. However, the core business of the providers lies mostly in functionality that is offered by SURFconext. Furthermore Dutch cloud IAM providers are inclined to provide additional features outside of the regular cloud spectrum, like guest registration and improved self-service. One of the modern IAM functions, identity-based device management, is rarely part of the IdMaaS offering today. This function is mainly the domain of specialised suppliers. That may change in the near future, though, since this feature is on some IdMaaS suppliers roadmap. Support for the group functions supported by SURFconext seems entirely lacking among the current IdMaaS suppliers. Moreover also within SURFconext not many applications support this yet. On the SURFconext side it would be worth investigating the future of this function. 
The approach taken and the sometimes meagre response from the vendors prevent us from naming a top 3 of best suppliers. Moreover, the choice of a suitable IdMaaS solution strongly depends on the specific IAM functions required by an organisation.

The factors mentioned above make the Dutch R&E market less attractive for the IdMaaS vendors. They could try to target the smaller institutions and sell them the whole IdMaaS package (including the connection to SURFconext as an identity provider), but the volumes will be low.

Dutch R&E institutes adopting IdMaaS must be aware that cost effectiveness will only be achieved if they are willing to adjust (in fact: simplify) their business processes so that the technical implementation becomes less complex. Institutes will probably only do this in the context of a cloud-based strategy, in which on-premise applications are increasingly replaced by cloud-based or SaaS solutions. Such a strategy will eventually take away the necessity for on-premise IAM anyway.

Because IdMaaS is a young and rapidly developing industry, a reiteration of this research in one or two years is recommended. Then the current mismatch between the demand and supply side of IdMaaS for Dutch R&E may be reassessed.

Annex: Longlist and shortlist of IdMaaS suppliers

The following suppliers were included on the longlist and shortlist for this project, based on the criteria below:

Supplier                Shortlist (y/n)   Explanation (if not on shortlist)
Capitar                 n                 Not ready in time for this report
CA Technologies         y
Clavid                  y
CloudID                 y
Covisint                y
Gluu                    n                 Did not satisfy shortlist criteria
iwelcome                y
Lighthousegateway       n                 Did not satisfy shortlist criteria
Microsoft               y
Okta                    y
Ping                    y
Sailpoint               y
Salford Software        n                 Not a general-purpose IdMaaS solution
Simeio                  n                 Did not satisfy shortlist criteria
Symantec                n                 Did not satisfy shortlist criteria
Symplified              n                 Did not satisfy shortlist criteria
Traxion                 y
Vasco Data Security     n                 Not a general-purpose IdMaaS solution
Verizon                 n                 Did not satisfy shortlist criteria

Criteria for the shortlist 7:

Functional criteria:
o Is provisioning supported?
o Is SSO supported, both for on-premise and cloud applications?
o Is strong (two-factor) authentication supported?
o Is guest registration supported?
o Is self-service and access request management supported?
o Is access governance provided?

Non-functional criteria:
o Does the vendor adhere to the EU privacy or Safe Harbor principles?
o Did the vendor respond to our questions?

Applying these criteria resulted in omitting vendors with a single or very few IAM functions. Hence organisations seeking only a very limited set of IAM functions in the cloud should evaluate the IdMaaS landscape based on their own criteria.

7 Note: because there is a federation in place (SURFconext), the list of criteria is not a generally applicable list for IdMaaS, but tailored to the situation in the Netherlands.

Annex: CA Technologies

Supplier

CA Technologies, USA, is a well-known company with a wide range of software and SaaS solutions. Their SiteMinder product was one of the first IAM products.

Review of this annex received: no.

Product: CloudMinder
URL: […]

CloudMinder is, as the name suggests, the SaaS version of CA's existing IAM products like IdentityMinder and SiteMinder. In fact it is a suite of products, just like the on-premise versions. It provides an interface to an on-premise AD or LDAP user store and does provisioning to both on-premise and cloud applications (using SCIM). An overview is given in the picture below.

Figure 2 Overview of CloudMinder

Guest registration is part of the offering, as is role management. A complete set of self-service and delegated administration functions is available, including access request management. SSO includes on-premise and cloud applications. Various two-factor authentication options are offered as part of CloudMinder Advanced Authentication. Social login is supported.

No information about our non-functional requirements could be obtained.

The picture below summarises the main features of CloudMinder:

Figure 3 CA's IdMaaS functional decomposition

Legend (cell colour in the figure / meaning):
o Not known or absent
o Yes or basic functionality
o Mature or advanced functionality

How does it compare to SURFconext?

With its track record in IAM, CA offers a robust and mature cloud-based service that could add value for an organisation in addition to SURFconext.

Annex: Clavid

Supplier

Clavid AG is a privately-owned Swiss company with IAM services based on in-house developed software as its core product. Since 2007 Clavid has run an OpenID identity provider with users from over 50 countries. The company's main focus is on two-factor authentication and SSO.

Review of this annex received: yes.

Product: Clavid
URL: […]

Clavid has run its IdMaaS service since […]. Three operational models are offered: pure cloud, on-premise maintained by Clavid, or on-premise maintained by the customer. For this report we only take the cloud mode into consideration. Their architecture is depicted in the following figure:

Figure 4 Overview of Clavid

Clavid features two main elements: the Internet Identity Provider and Authentication as a Service. The Internet Identity Provider connects to an on-premise user store (AD, LDAP, HR system). It offers provisioning to on-premise but not to cloud applications. Guests can be registered in the Internet Identity Provider. Roles are not supported. Self-service for selection of two-factor methods, login settings, password reset and usage history is supported. Delegated administration is not supported. SSO is one of the main distinctive services of Clavid, covering both on-premise and cloud applications, even with the possibility of protocol translation between e.g. SAML and OAuth.

Two-factor authentication is Clavid's main focus, so an extensive set of protocols, tokens and methods is supported, even SURFnet's tiqr! The required authentication strength (using NIST levels 8) and the corresponding method can be configured per application.

On the non-functional side the following applies to Clavid:
o Clavid runs in a Swiss data center and adheres to the Swiss privacy regulations, which pose fewer restrictions upon data processing than the EU Directive.
o Clavid is certified for ISAE […].
o No SLA details are available.
o Third-party data escrow is supported.

The picture below summarises the main features of Clavid:

Figure 5 Clavid's IdMaaS functional decomposition

Legend (cell colour in the figure / meaning):
o Not known or absent
o Yes or basic functionality
o Mature or advanced functionality

How does it compare to SURFconext?

Clavid's main strength lies in their support for strong authentication, and they are rather unique in the extent of their features. The number of out-of-the-box interfaces with cloud applications is rather limited, but any standards-based application can be coupled rapidly.

Clavid has already realised a (test) connection to SURFconext. A demo showed a federated login with username and password through SURFconext for a test application connected to Clavid's SSO platform, followed by a second-factor authentication through Clavid to gain access to the test application: a nice example of step-up authentication.

8 U.S. National Institute of Standards and Technology. The levels are specified in their standard SP […].
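The step-up flow shown in the demo above (first factor through SURFconext, second factor through the IdMaaS broker, required strength configured per application) is worked out below as an added example; it is not Clavid's or SURFnet's code. The SAML 2.0 authentication context class URIs are the standard ones, but the mapping of those contexts to assurance levels, the per-application policy, the user names and the enrolled factors are all constructed assumptions. The point a practitioner should take from it is the fail-closed handling: an authentication context the broker does not recognise counts as the lowest level, so it can never satisfy a stronger policy by accident.

```python
"""Step-up authentication policy for a federated login, modelled on the
Clavid/SURFconext demo described in the annex.  Constructed example: the
level mapping, application policy and users are assumptions, not vendor data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Standard SAML 2.0 authentication context class URIs.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MOBILE_2FA = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
SMARTCARD_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"

# Assumed mapping from authentication context to an assurance level (1..4).
# Anything unknown is treated as level 1 (fail closed): an unexpected context
# from the first-factor IdP can never satisfy a stronger policy by accident.
CONTEXT_LEVEL: Dict[str, int] = {PASSWORD_PT: 2, MOBILE_2FA: 3, SMARTCARD_PKI: 4}

# Assumed second factors the broker itself can run, keyed by the level each establishes.
LEVEL_FACTOR: Dict[int, str] = {3: MOBILE_2FA, 4: SMARTCARD_PKI}


@dataclass(frozen=True)
class Decision:
    action: str                           # "grant", "step-up" or "deny"
    required_level: int
    current_level: int
    step_up_context: Optional[str] = None  # factor the broker must still obtain


class StepUpBroker:
    """Sits between the application (SP) and the first-factor IdP (SURFconext)."""

    def __init__(self, app_policy: Dict[str, int], enrolled: Dict[str, Set[str]]):
        self.app_policy = app_policy  # application id -> required assurance level
        self.enrolled = enrolled      # user -> second-factor contexts the user enrolled

    def evaluate(self, user: str, app: str, asserted_context: str) -> Decision:
        """Decide on the assertion received from the first-factor IdP."""
        required = self.app_policy.get(app, 1)
        current = CONTEXT_LEVEL.get(asserted_context, 1)
        if current >= required:
            return Decision("grant", required, current)
        # Choose the weakest enrolled factor that still reaches the required level.
        for level in range(required, 5):
            factor = LEVEL_FACTOR.get(level)
            if factor is not None and factor in self.enrolled.get(user, set()):
                return Decision("step-up", required, current, factor)
        return Decision("deny", required, current)

    def finalize(self, user: str, app: str, step_up_context: str, verified: bool) -> Optional[str]:
        """Context to put in the assertion handed to the application once the
        second factor has run, or None if access must be refused."""
        if not verified or step_up_context not in self.enrolled.get(user, set()):
            return None
        if CONTEXT_LEVEL.get(step_up_context, 1) < self.app_policy.get(app, 1):
            return None
        return step_up_context


def short(ctx: str) -> str:
    """Last segment of a context URI, for readable trace lines."""
    return ctx.rsplit(":", 1)[1]


def demo_flow(broker: StepUpBroker, user: str, app: str) -> List[str]:
    """Replay the demo: password login through SURFconext, then step-up if needed."""
    steps = [f"{app} -> broker: AuthnRequest for {user}",
             f"SURFconext -> broker: assertion with {short(PASSWORD_PT)}"]
    decision = broker.evaluate(user, app, PASSWORD_PT)
    if decision.action == "step-up":
        steps.append(f"broker -> user: second factor {short(decision.step_up_context)}")
        # The user is assumed to pass the second factor in this replay.
        ctx = broker.finalize(user, app, decision.step_up_context, verified=True)
        steps.append(f"broker -> {app}: assertion with {short(ctx)}")
    elif decision.action == "grant":
        steps.append(f"broker -> {app}: assertion with {short(PASSWORD_PT)}")
    else:
        steps.append(f"broker -> {app}: access refused "
                     f"(level {decision.current_level} < {decision.required_level})")
    return steps


# Constructed policy and users (not taken from the report).
POLICY = {"wiki": 2, "test-app": 3, "grading": 4}
USERS = {"alice": {MOBILE_2FA}, "bob": set()}

if __name__ == "__main__":
    broker = StepUpBroker(POLICY, USERS)
    for line in demo_flow(broker, "alice", "test-app"):
        print(line)
```

Running the block replays the demo for the constructed user "alice" on "test-app": the password assertion from SURFconext only reaches level 2, the application requires level 3, so the broker runs the enrolled mobile second factor and only then issues the stronger assertion to the application. A user without an enrolled factor of sufficient strength is refused rather than let through on the first factor.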


Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015 Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud

More information

Avoid the Hidden Costs of AD FS with Okta

Avoid the Hidden Costs of AD FS with Okta Okta White paper Avoid the Hidden Costs of AD FS with Okta Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 info@okta.com 1-888-722-7871 wp-adfs-031413 Table of Contents 1 Challenges of

More information

CRM Buyers Guide CRM Buyers Guide

CRM Buyers Guide CRM Buyers Guide CRM Buyers Guide If you have any questions, please call +46 8 59038010 where one of our analysts will be happy to help you understand your options and find a good solution. Introduction CRM solutions provide

More information

Office 365 deploym. ployment checklists. Chapter 27

Office 365 deploym. ployment checklists. Chapter 27 Chapter 27 Office 365 deploym ployment checklists This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of

More information

Advanced Configuration Steps

Advanced Configuration Steps Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings

More information

CA Technologies Strategy and Vision for Cloud Identity and Access Management

CA Technologies Strategy and Vision for Cloud Identity and Access Management WHITE PAPER CLOUD IDENTITY AND ACCESS MANAGEMENT CA TECHNOLOGIES STRATEGY AND VISION FEBRUARY 2013 CA Technologies Strategy and Vision for Cloud Identity and Access Management Sumner Blount Merritt Maxim

More information

TrustedX - PKI Authentication. Whitepaper

TrustedX - PKI Authentication. Whitepaper TrustedX - PKI Authentication Whitepaper CONTENTS Introduction... 3 1... 4 Use Scenarios... 5 Operation... 5 Architecture and Integration... 6 SAML and OAuth 7 RESTful Web Services 8 Monitoring and Auditing...

More information

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 Okta White paper Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 info@okta.com 1-888-722-7871 wp-dint-053013 Table of Contents

More information

SAML Authentication Quick Start Guide

SAML Authentication Quick Start Guide SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.

More information

EXECUTIVE VIEW. Centrify Identity Service. KuppingerCole Report. by Martin Kuppinger January 2015

EXECUTIVE VIEW. Centrify Identity Service. KuppingerCole Report. by Martin Kuppinger January 2015 KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger January 2015 by Martin Kuppinger mk@kuppingercole.com January 2015 Content 1 Introduction... 3 2 Product Description... 4 3 Strengths and Challenges...

More information

Cisco Mobile Collaboration Management Service

Cisco Mobile Collaboration Management Service Cisco Mobile Collaboration Management Service Cisco Collaboration Services Business is increasingly taking place on both personal and company-provided smartphones and tablets. As a result, IT leaders are

More information

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control agility made possible Enterprises Are Leveraging Both On-premise and Off-premise

More information

Microsoft Enterprise Mobility Suite

Microsoft Enterprise Mobility Suite Microsoft Enterprise Mobility Suite Standalone - overview Peter Daalmans http://configmgrblog.com, peter@daalmans.com IT-Concern John Marcum Enterprise Client Management Architect / johnmarcum@outlook.com

More information

CA Federation Manager

CA Federation Manager PRODUCT BRIEF: CA FEDERATION MANAGER CA FEDERATION MANAGER PROVIDES STANDARDS-BASED IDENTITY FEDERATION CAPABILITIES THAT ENABLE THE USERS OF ONE ORGANIZATION TO EASILY AND SECURELY ACCESS THE DATA AND

More information

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation

More information

ADDING STRONGER AUTHENTICATION for VPN Access Control

ADDING STRONGER AUTHENTICATION for VPN Access Control ADDING STRONGER AUTHENTICATION for VPN Access Control Adding Stronger Authentication for VPN Access Control 1 ADDING STRONGER AUTHENTICATION for VPN Access Control A VIRTUAL PRIVATE NETWORK (VPN) allows

More information

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER Total Cost of Ownership Overview vs OneLogin WHITEPAPER Are you really going to double down on machines, software and professional services to extend Active Directory (AD)? Executive Summary Are you planning

More information

Self Service Portal and 2FA User Guide

Self Service Portal and 2FA User Guide Self Service Portal and 2FA User Guide Accessing Symantec Self Service Portal Self Service Portal (SSP) is a web-based application which you can use to register, test, reset, or remove Symantec VIP credentials.

More information

<Insert Picture Here> Oracle Identity And Access Management

<Insert Picture Here> Oracle Identity And Access Management Oracle Identity And Access Management Gautam Gopal, MSIST, CISSP Senior Security Sales Consultant Oracle Public Sector The following is intended to outline our general product direction.

More information

Auth0 SSO Drives B2B Expansion

Auth0 SSO Drives B2B Expansion Auth0 SSO Drives B2B Expansion An Auth0 Customer Case Study auth0.com Setting up our application to integrate with one partner and then having that partner act as a service hub for dozens of identity systems

More information

Single Sign On. SSO & ID Management for Web and Mobile Applications

Single Sign On. SSO & ID Management for Web and Mobile Applications Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Administration guide version 1.0.1 Publication history Date Description Revision 2015.09.24 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

WHITEPAPER. Identity Access Management: Beyond Convenience

WHITEPAPER. Identity Access Management: Beyond Convenience WHITEPAPER Identity Access Management: Beyond Convenience INTRODUCTION Identity and Access Management (IAM) is the official description of the space in which OneLogin operates in but most people who are

More information

Google Apps Deployment Guide

Google Apps Deployment Guide CENTRIFY DEPLOYMENT GUIDE Google Apps Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate

More information

Authentication: Password Madness

Authentication: Password Madness Authentication: Password Madness MSIT 458: Information Security Group Presentation The Locals Password Resets United Airlines = 83,000 employees Over 13,000 password reset requests each month through the

More information