Salesforce.com Challenges Active Directory with Single Sign-On Service
Salesforce.com's storied strategy of displacing premise-based apps with Software as a Service (SaaS) went deeper this week with the company's release of Salesforce Identity. The single sign on service aims to displace traditional software like Active Directory as the central repository for user authentication.
The company's new Salesforce Identity service extends beyond traditional enterprise directories like Active Directory by connecting employees, customers and business partners to any application, device or service, said Chuck Mortimore, Salesforce.com's vice president of product management, identity and security. In addition, ISVs and customers can white-label that single sign-on service into their applications.
Salesforce Identity is not the first SaaS single sign-on offering. A number of third parties, including Centrify, Okta, Ping Identity, SailPoint, Symplified and quite a handful of other players, now offer single sign-on services. I noted late last year that identity management as a service would be a key area of expansion in 2013.
Indeed, Microsoft this year brought Active Directory to the cloud with Windows Azure Active Directory, which Microsoft said at June's TechEd has processed 265 billion authentication requests from around the world. In addition, Brad Anderson, corporate VP of the Microsoft Windows Server and System Center group services, said that Windows Azure Active Directory processed more than 1 million authentication requests in a period of two minutes, or 9,000 per second.
Salesforce Identity supports all the key authentication standards, including OAuth, System for Cross-domain Identity Management (SCIM), Security Assertion Markup Language (SAML) and OpenID Connect, which allows IT to synchronize directories ranging from Facebook, PayPal, Amazon and Google to Active Directory.
"You can leverage your existing Active Directory, automatically synchronize users between the two, drive authorization out of existing Active Directory Groups and have those drive profiles and permissions and authorizations to any application brokered to the Salesforce Identity platform," Mortimore explained.
Mortimore avoided saying whether Salesforce is gunning to displace traditional authentication systems such as Active Directory, but reading between the lines, that appears to be the goal.
"The identity marketplace is going through a transition," he said. "The old mechanisms of dealing with identity are not really working for the new use cases in front of customers. You see all sorts of different organizations and identity management organizations trying to deal with this reality. Your LDAP directory isn't necessarily going to be the path forward for all of these applications that are no longer inside your firewall."
In addition to applications, Mortimore explained traditional directories were designed to manage identities of employees, while now IT must address identity management of customers and partners and attributes on devices not owned by the enterprise.
"I see solutions like Salesforce Identity initially interacting with existing on-premises directories, but providing a new cloud-based native identity store option for 'long-tail' external identities such as employees of small partners," said Forrester analyst Eve Maler.
Salesforce's move into the identity management space has been long anticipated. The company announced plans for Salesforce Identity at its annual Dreamforce conference last year. Salesforce has also played a key role in several of the standards committees. Gartner analyst Ian Glazer said IT is demanding identity and access management services interwoven with their SaaS-based applications. Salesforce has added identity management services across its entire platform, including Force.com, he noted.
"This announcement represents a fundamental change in the IAM [identity and access management] market in which non-traditional identity companies such as Salesforce are aggressively entering the market with hopes of major disruption," Glazer said. Yet despite that goal, Glazer doesn't see organizations displacing Active Directory with Salesforce Identity.
"I definitely see organizations using Salesforce Identity (or its competitors), but not with the express goal of replacing AD [Active Directory]," Glazer said. "As enterprise computing moves more toward mobile and cloud computing, the value of AD is diminished. As an enterprise directory, AD will remain [in] usage and meaningful, but the locus of control will shift away from AD and it will likely not be the default source of authentication and authorization services in a post-PC world."
KuppingerCole analyst Mike Small noted in a blog post Tuesday that Salesforce.com has long offered an identity service in its traditional CRM and related offerings. Small pointed out that Salesforce Identity includes an extensible cloud directory and the optional Salesforce Identity Connect module, built on ForgeRock's Open Identity Stack, which bridges between existing on-premise directories and Salesforce Identity. Another appealing capability, Small noted, is that Salesforce Identity's monitoring and reporting capabilities let organizations create user activity and compliance reports.
"Through this platform -- Salesforce.com [is] seeking to change the way in which identities are managed by organizations," Small noted. "To alter the perspective away from one focused on internal IT systems and users to an outward-looking one focused on customers and partners whilst retaining internal control: integrating enterprise identity with CRM."
How will the release of Salesforce Identity change the way you manage access to your applications?
Posted by Jeffrey Schwartz on 10/18/2013 at 1:57 PM