‘As-a-service’ is probably the second most commonly used term in enterprise IT nowadays, behind only the ever popular ‘cloud’ buzzword. We’ve all heard of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) amongst others, but Identity-as-a-Service is a term that is mused around my office more often than not. This is certainly a growing space, with familiar names such as Microsoft, IBM and Oracle in it, but those companies are not the ones gaining traction; that would be OneLogin, Auth0 and the market leader, Okta (Gartner, Aug 2019 and Forrester Q2 2019). Up until recently, I’ve only heard it mentioned as a security product, but can it do more?

So what is IDaaS? Good question! I struggled to describe it in a single sentence, so I did what every good geek does: go to the people in the know.

IDaaS is cloud-based authentication built and operated by a third-party provider.

Okta | https://www.okta.com/identity-101/idaas/

Identity as a service (IDaaS) is a SaaS-based IAM offering that allows organizations to use single sign-on (SSO using SAML or OIDC), authentication and access controls to provide secure access to their growing number of software and SaaS applications.

Ping Identity | https://www.pingidentity.com/en/resources/client-library/articles/identity-as-a-service-idaas.html

Traditionally, enterprise IT teams have used one tool, and one tool only, to control their identities: Active Directory (AD), and more recently, for those who have clung onto the Microsoft toolset, Azure AD. But as toolsets move away from the datacenter and desktop apps, and into the cloud and web-based applications, how relevant is AD, and what, if anything, does IDaaS offer that AD can’t?

The best way of looking at this is to take the basic feature set that AD offers and compare it with a typical IDaaS offering.

Feature                     | Active Directory  | IDaaS
User Directory              | Yes               | Yes
Computer Directory          | Yes               | Via third-party integration
LDAP (v2/v3)                | Yes               | Yes
OS Types                    | Windows only      | Windows / macOS / iOS / Android
Single Sign-On              | No                | Yes
Thick-client authentication | Yes               | No
Web app authentication      | Vendor dependent  | Yes, via SAML / OAuth
Group Policies              | Yes               | No

Active Directory, despite its age and lack of development, still holds a lot of value at scale, especially for enterprises that rely heavily on legacy thick-client applications. But as you move towards SaaS-delivered applications such as Office365, Salesforce and Workday, integration with AD becomes cumbersome: you have to use tools such as ADFS, which lack the intelligence you see in the leaders of the IDaaS space.

For the ‘Microsoft houses’, in other words businesses that are ingrained in the Microsoft ecosystem, the obvious solution is AzureAD, especially if Office365 is your collaboration suite of choice. For most businesses, AzureAD does the job perfectly, and Microsoft have come on leaps and bounds in recent years to make the transition from standalone on-premise AD to a hybrid solution. From experience, however, there are significant technical challenges to getting it to work seamlessly: it is reliant on Microsoft’s ‘scheduled’ tasks kicking in, not to mention the confusion around which licence package or module is required to enable features such as conditional access or a fully featured MFA solution.

Enterprises that maybe aren’t fully Microsoft, or prefer to adopt a layered approach to product choice and security, may look elsewhere to those market leaders: the Oktas, Pings and OneLogins of the world. For them, the ability to onboard user directories from Active Directory, Google, etc. is critical, and typically I’ve found their tools are superb, replicating new AD users, field changes or accounts instantly. Once this integration is in place, it’s a matter of adding some of your web apps, configuring SAML or OAuth, and away you go.

From personal experience, once you’ve onboarded an application, controlling access to that application is highly customisable. Controls can be based on user, originating IP address, browser or, in some circumstances, even device, prompting for other factors of authentication such as push notifications or additional security questions.

Some of the vendors, Okta being one of them, are now even starting to develop integrations into HR systems such as Workday for data mastering.

Take a minute to think how powerful that has the potential to be from an employee lifecycle perspective: onboarding and offboarding of users could be fully automated, without an IT staff member needing to get involved.

Essentially, the HR system acts as the data master for employees. When a change is made to a user, such as a name change, a new member of staff or someone leaving the business, it instantly sends that data on to the IDaaS, which in turn updates the third-party directories (AD, Google, etc.) or applications (Office365, Salesforce, etc.) downstream. This isn’t possible for everything; it relies on functions such as SCIM or an API to allow that provisioning, but it’s slowly becoming more commonplace with apps such as Workspace One, Lucidchart, Dropbox and Slack, amongst others.
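To make that downstream flow concrete, here is an added example (not code from the post or from any vendor) that models HR-mastered joiner, name-change and leaver events being translated by the IDaaS into SCIM 2.0 user operations against a SaaS app. The ScimApp class and the HR event format are constructed for the illustration; a real IDaaS would make HTTPS calls to the app’s SCIM endpoint instead.

```python
# Added example: HR-mastered joiner/mover/leaver events pushed downstream as
# SCIM 2.0 user operations. ScimApp is a constructed in-memory stand-in for a
# SCIM-enabled SaaS app's /Users endpoint (the real thing would be over HTTPS).
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimApp:
    """Minimal in-memory stand-in for a downstream app's SCIM 2.0 /Users."""
    def __init__(self):
        self.users = {}  # SCIM id -> user resource

    def post_user(self, resource):  # POST /Users: create a new user
        uid = str(uuid.uuid4())
        self.users[uid] = {"id": uid, "active": True, **resource}
        return self.users[uid]

    def patch_user(self, uid, patch_op):  # PATCH /Users/{id}: partial update
        for op in patch_op["Operations"]:
            if op["op"].lower() == "replace":
                self._set_path(self.users[uid], op["path"], op["value"])
        return self.users[uid]

    @staticmethod
    def _set_path(resource, path, value):  # "name.familyName" -> nested key
        keys = path.split(".")
        target = resource
        for key in keys[:-1]:
            target = target.setdefault(key, {})
        target[keys[-1]] = value

def sync_hr_event(app, index, event):
    """Translate one HR event into SCIM calls; index maps HR ids -> SCIM ids."""
    emp = event["employee_id"]
    if event["type"] == "hire":  # joiner: provision the account
        user = app.post_user({"schemas": [SCIM_USER_SCHEMA], "externalId": emp,
                              "userName": event["email"],
                              "name": {"givenName": event["given"],
                                       "familyName": event["family"]}})
        index[emp] = user["id"]
    elif event["type"] == "name_change":  # mover: patch only the changed field
        user = app.patch_user(index[emp], {"schemas": [SCIM_PATCH_SCHEMA], "Operations": [
            {"op": "replace", "path": "name.familyName", "value": event["family"]}]})
    elif event["type"] == "leaver":  # offboarding: deactivate, keep record for audit
        user = app.patch_user(index[emp], {"schemas": [SCIM_PATCH_SCHEMA], "Operations": [
            {"op": "replace", "path": "active", "value": False}]})
    else:
        raise ValueError(f"unknown HR event type: {event['type']}")
    return user
```

The leaver path deliberately sets active to false rather than deleting the resource, so the app keeps an auditable record while access is cut off the moment HR records the departure.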

Going back to the original question: is IDaaS more than just a security tool? Well yes, I think it is. The process automation that can be achieved by implementing these tools in an enterprise with thousands of employees is priceless. Another question I’ve been asking myself, though, is whether IDaaS is one of those must-have purchases for a business nowadays. That all depends on your business strategy and roadmap. Are you planning on using more SaaS going forward? How do you plan to secure access to it? Is there a requirement within your business to automate onboarding and offboarding of your employees? Do you have lots of domains and struggle to manage them? All of these are great use cases for pretty much all of the IDaaS vendors, but just remember: this is a toolset that is in its infancy and is heavily reliant on the developers of your apps complying with standards such as SAML and SCIM to really extract the value out of it. It is something that is well worth keeping your eye on.