
Cloud apps benefit from identity management architecture

Implementing a federated identity management architecture for cloud apps enables flexibility. Learn about the benefits of building a security tier that improves the user experience.

All cloud applications need a secure framework for authenticating users and authorizing their access to the resources behind modern applications. But this can create a challenge for users who already struggle to manage a growing number of passwords and credentials. One of the leading topics at the WSO2Con conference in San Francisco was how enterprises can implement a federated identity management architecture to improve user experience and reduce development time.

Isabelle Mauny, vice president of product management at WSO2, said, "Organizations need to think about implementing a security tier into their architectures to provide flexibility." The security tier can harmonize authentication and authorization across different identity infrastructures. This kind of identity service bus is akin to the traditional enterprise service bus in that it can bring parity to legacy authentication mechanisms, standards-based Lightweight Directory Access Protocol (LDAP) servers, cloud apps like Salesforce, and social media credentials.

One of the key use cases of a centralized security tier is to enable single sign-on across multiple enterprise, partner and cloud services. It also can make it easier to create a cloud gateway to access applications running across multiple back ends so that developers spend less time implementing a new security framework for each service. A federated identity management architecture also unifies the user experience across different channels like Web, mobile apps, voice and social media.

Bridging silos of security

The organic growth of legacy applications and modern cloud apps has opened two main gaps in authentication infrastructure: one in the gatekeepers and one in the data formats. The gatekeeper functionality asserts that a user or app is who it claims to be, based on something it knows (a password), something it is (a biometric) or something it has (physical access to a device). The gatekeeper function can be hosted and managed in a centralized enterprise LDAP service, at a cloud provider like Google or Facebook, or inside individual applications. These "keys" are sometimes combined in multifactor authentication schemes for higher assurance.

The data formats are the ways information about users and their privileges is stored in different systems. There can be variations in how credentials are hashed or encrypted, in the terms used to describe entities like "user" or "userID," and in the attributes and privileges attached to those entities.

The basic idea behind a federated identity management architecture is to create an authentication tier that sits in the middle of multiple authorization infrastructures. This needs to be done in such a way that user credentials are never passed around directly, so that a compromise of one gatekeeper or one downstream service does not expose them to the others. The federated tier lets developers write apps that communicate through a common set of APIs rather than having to master the APIs of the services behind them.

"The federated gateway also needs to be able to transform and translate the data formats," Mauny said. This lets developers refer to entities and their privileges in a consistent format. She recommends that architects think about this process of unifying identity data the way master data management (MDM) is used to clean and enhance data across multiple silos to provide a coherent and accurate system of record. MDM is sometimes combined with other tools and apps to clean bad information or add information from public databases like Hoovers, social media sites and Experian.

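The pattern in the two preceding paragraphs, as an added example that is not code from the original article or from WSO2: a constructed Python federation tier authenticates against two hypothetical gatekeepers (an LDAP-style directory and a social provider's token introspection), translates their differing record vocabularies (uid versus userId, memberOf versus scopes) into one canonical claim set, and issues a short-lived HMAC-signed assertion. The relying app verifies the assertion and never handles the user's password. All user records, tokens and the shared signing key are constructed for the demo, and the assertion format is hand-rolled for clarity; a production tier would use a standard such as SAML or OpenID Connect with asymmetric keys.

```python
"""Minimal federation tier: authenticate once at a gatekeeper, normalize the
identity record, hand downstream apps a signed assertion instead of the password."""
from typing import Optional
import base64
import hashlib
import hmac
import json
import time

# Constructed sample records standing in for an enterprise LDAP directory and a
# social identity provider. Nothing here is real data.
_LDAP_USERS = {
    "alice": {
        "password": "correct horse battery",
        "uid": "alice",
        "memberOf": ["cn=portal-users,ou=groups,dc=example",
                     "cn=admins,ou=groups,dc=example"],
    },
}
_SOCIAL_SESSIONS = {
    "tok-7f3a": {"userId": "1001", "screenName": "bob", "scopes": ["read"]},
}


def ldap_gatekeeper(username: str, password: str) -> Optional[dict]:
    """Stand-in for an LDAP bind; returns the entry (minus the secret) on success."""
    entry = _LDAP_USERS.get(username)
    if entry is None or not hmac.compare_digest(entry["password"].encode(),
                                                 password.encode()):
        return None
    return {k: v for k, v in entry.items() if k != "password"}


def social_gatekeeper(access_token: str) -> Optional[dict]:
    """Stand-in for a social provider's token introspection endpoint."""
    return _SOCIAL_SESSIONS.get(access_token)


GATEKEEPERS = {"ldap": ldap_gatekeeper, "social": social_gatekeeper}


def normalize(provider: str, record: dict) -> dict:
    """Translate each provider's vocabulary into the one schema apps are written against."""
    if provider == "ldap":
        # "cn=admins,ou=groups,dc=example" -> "admins"
        roles = [dn.split(",")[0].split("=", 1)[1] for dn in record["memberOf"]]
        return {"sub": "ldap:" + record["uid"], "roles": roles}
    if provider == "social":
        return {"sub": "social:" + record["userId"], "roles": list(record["scopes"])}
    raise ValueError("unknown provider: " + provider)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: str) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def issue_assertion(key: bytes, claims: dict, ttl: int = 300,
                    now: Optional[float] = None) -> str:
    """Federation tier: sign the normalized claims with a short lifetime."""
    issued = int(time.time() if now is None else now)
    body = dict(claims, iat=issued, exp=issued + ttl)
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    return payload + "." + _sign(key, payload)


def verify_assertion(key: bytes, token: str,
                     now: Optional[float] = None) -> dict:
    """Relying app: constant-time signature check first, then expiry."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(key, payload).encode(), sig.encode()):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(payload))
    if (time.time() if now is None else now) >= claims["exp"]:
        raise PermissionError("assertion expired")
    return claims


def federated_login(key: bytes, provider: str, **credential) -> str:
    """The tier's single login API; the raw credential stops here."""
    record = GATEKEEPERS[provider](**credential)
    if record is None:
        raise PermissionError("authentication failed")
    return issue_assertion(key, normalize(provider, record))


def app_authorize(key: bytes, token: str, required_role: str) -> str:
    """A relying app: it sees only the assertion, never the user's password."""
    claims = verify_assertion(key, token)
    if required_role not in claims["roles"]:
        raise PermissionError(claims["sub"] + " lacks role " + required_role)
    return claims["sub"]


if __name__ == "__main__":
    key = b"demo-shared-secret"  # assumption: one HMAC key shared by tier and app
    token = federated_login(key, "ldap", username="alice",
                            password="correct horse battery")
    print(app_authorize(key, token, "admins"))  # ldap:alice
```

The two things worth noticing are that the password never leaves `federated_login`, so a compromised relying app yields only short-lived assertions, and that `app_authorize` is written once against the canonical `sub`/`roles` claims regardless of which gatekeeper answered.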
Provide a coherent user experience

West Interactive is using a federated identity management architecture to provide a coherent user experience across multiple channels. The company provides customer support services for telcos, cable operators, hospitals and other enterprises. Andrew Bird, senior vice president of product development and engineering at West Interactive, said users are often frustrated that they have to restart an inquiry about a particular problem from scratch when they switch between contacting the company by phone and on the Web.

"Customers need consistency across the board when contacting a vendor," Bird said. He recommends that enterprises use federated security to unify their channels, connecting the information that ties together the business processes in a user's journey toward completing a transaction or resolving a problem.

For example, if someone orders new cable service on the Web, the interactive voice response system should automatically pull up the status of that order when they call in. If a user calls an airline 10 minutes before their plane leaves, the back-end application might present options relating to that flight rather than forcing the user to navigate a standard phone menu tree. Bird said this approach also makes it possible to start building more proactive business processes triggered by things a user says on social media.

Don't reinvent the wheel

The Texas Advanced Computing Center (TACC) provides supercomputing services for tens of thousands of scientists at university and government institutions. Joe Stubbs, software developer and research scientist at TACC, said TACC has implemented eight cloud portals, covering fields such as life sciences, weather and astronomy, that all access the same supercomputers. Over the years, TACC built a separate cloud portal and access infrastructure for each scientific field, which created a lot of work for developers reimplementing all the services behind each portal, including user authentication and authorization.

This also has made life more difficult for the scientific users, who need to create a separate login for each portal they use. Furthermore, TACC has had to manually verify that each user works at the institution they claim, and users cannot share information and data across the separate accounts they hold on the different portals. Stubbs said TACC is now building a cloud authentication service that leverages existing campus login credentials, shared through the InCommon identity federation.

Users will be able to log in with their campus username and password to access any of the TACC portals, which removes the burden of manually verifying that users work at the campus they claim. Stubbs said this approach will make it possible to reuse the same services when rolling out new cloud portals, letting developers spend more time on the differentiating features of those portals rather than reinventing the wheel.
