SaaS and Federated Provisioning


Some quick thoughts on the idea of just-in-time (JIT) provisioning of users based on the combined use of SAML and SPML between an organization and the SaaS vendor / service provider (also called federated provisioning), which has recently been discussed in a variety of forums, including Network World and the Burton Group.

From a practical point of view, SAML/SPML-enabled JIT provisioning (or federated provisioning) is still in the category of ‘science project’ – theoretically possible, but currently an unrealistic approach in actual live customer environments. Based on our discussions in the industry, SaaS vendor support for SAML has been modest at best and for SPML even less so, and without vendor implementation the approach doesn’t even get to square one. While we’re fully supportive here at Conformity of SAML/SPML and the need for a more standards-based approach to user authentication and authorization across SaaS applications, we also recognize that customers need to address the SaaS provisioning problem today, which means working with the proprietary APIs and connectors that do exist.

Even in a theoretical world of fully SPML-enabled SaaS providers (if and when that day arrives), the fundamental challenge of attribute mapping will remain (as noted by Mark Diodati at the Burton Group). Each application will continue to have its own individual set of user attributes that will have to be mapped back to the internal schema of the requesting provisioning service, which is certainly a non-trivial exercise.

There are also a variety of business considerations the JIT model needs to account for that at worst could ‘break’ the model, and at the very minimum create significant impediments to actually implementing it. The vagaries of vendor licensing models, customer provisioning workflows and processes, and role and permission change management are just a few of the considerations that need to be taken into account.

Stay tuned as we’ll soon have much more to say about SaaS, provisioning and user management…

