WatchGuard Blog

(Re)Evaluate Workplace Access and Federation

One of the many difficulties faced by organizations has been how to create portability, reusability, and interoperability of digital identities from the on-premises realm to increasingly web-services-enabled environments. One of the earliest and most widely adopted approaches has been SAML (or Security Assertion Markup Language) and Identity Federation. 

A Brief History of SAML and Identity Federation

In simplest terms, SAML is the interoperability specification and protocols, defined in three roles: 

  1. The Subject (or Principal), a human user such as an employee
  2. The Identity Provider (IdP), a source of user attributes and credential information
  3. The Service Provider (SP), an application, system, or service the user wants to access.  

Identity federation is the notion of portability and reusability of digital identities. The ultimate goal is to enable users of one domain to securely access applications, data, and systems in a seamless way without redundant user management. Just like SAML, Web Services Federation (or WS-Fed) is standardized to ensure there are mechanisms to allow different realms to federate. 

Both SAML and Identity Federation have served an important role in Workforce Access Management, however, neither specify the method of authentication used by the identity provider. 

The Cloud-Era, Developers, and the Missing Identity Layer of the Internet

As developers rapidly began to build on public Cloud infrastructure and mobile platforms, it became clear the complexities of identity federation could be solved without any on-premises realms. Born out of the necessity to create the missing identity layer for Internet scale, the journey of user-centric OpenID began, as did the creation of OAuth – the industry-standard protocol for authorization. OAuth focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and many other connected devices. The advancement of authorization was followed by OpenID Connect. 

A Primer on OpenID Connect

OpenID Connect (OIDC) is a federation protocol built on the OAuth 2.0 framework that enables web services to externalize authentication functions to a third party. It enables clients to corroborate the identity of an end user based on authentications performed by authorization servers, as well as obtain basic profile information about the end user in an interoperable and JSON/RESTful manner.

Why is OpenID Connect (OIDC) important?

  • OIDC enables application owners and developers to authenticate human users across applications and websites without having to create, manage, and maintain identities.
  • With OIDC, you can provide single sign-on (SSO) and use existing enterprise or social accounts to access applications and thereby improve usability, security, and privacy.
  • OIDC provides consent management, support for hybrid and multi-Cloud environments, and also support for more client types than previously developed federation protocols.
  • OIDC improves user experience (UX) through lightweight authentication and authorization, fine-grained consent management, and added verification through MFA methods. 
  • OIDC is a replacement for SAML. 

At WatchGuard, we have been developing our Identity Fabric on WatchGuard Cloud to embrace these new authorization standards and identity federation protocols on our path to AuthPoint 2.0. In the meantime, learn more about How OpenID Connect works.

Want more information on protecting digital identities? Read over our recent blog post: (Re)Imagine Workplace Access Management