Anil John
Making Digital Services Secure and Trustworthy

Anil John

Purity and Pragmatism in Standards Profile Compliance

 Tweet  Share  Share  Comment  Print  Email

Profiles of standards allow for interoperability and standards based implementation across disparate systems. As such, they are critical from an enterprise perspective to ensure that investments and choices made regarding technical infrastructure are not vendor specific, and the conformance to a profile can be independently verified to ensure interoperability. I've written about this before, but in this blog post, wanted to focus a bit more on the choices available to relying parties when it comes to conforming to identity federation protocol profiles.

My perspective is shaped by the needs of relying parties, so what I am focused on is the CSP-RP Interface as shown in the graphic above. Typically an organization requires that its applications, which are in the relying party role, only communicate using a specific protocol profile. Provided that the protocol profile chosen is flexible and full featured, this choice allows the organization to leverage existing expertise in implementation, makes testing and verification consistent, and reduces the cost of integration.

But in this scenario, how does an organization take advantage of new protocols? Couple of options are:

  1. Directly support additional protocol profiles at the RP. While this is a valid approach, it negates many of the benefits of supporting a single last mile integration profile. In addition, it requires the organization to develop and maintain multiple protocol profiles. But at the same time, if the number of RPs in the enterprise is low and there is in house technical expertise to understand and implement, some organizations may find this to be a viable option.
  2. Use a "broker-in-the-middle" approach to normalize multiple CSP supported protocols to a single RP supported protocol profile. A broker typically acts as an RP to the actual CSP, and as a CSP to the actual RP. As such, the point of integration with the real RP can always be profile compliant. In addition to the infrastructure and O&M costs of the broker, there is also the requirement that the broker be a trusted entity and has been designed (and independently verified) to support the profile requirements of the RP.

Any additional options that folks are currently using?

RELATED INFO


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone