There are many third-party vendors that offer identity services that complement your existing identity store. For example, Ping Identity provides an identity platform that you can integrate with your on-premises directory (such as Active Directory) and your public cloud services (such as Microsoft Azure or Amazon AWS). Third-party identity services can help manage identities both on premises and in the cloud:
- On premises. To work with your existing solutions and help manage identities on premises, identity services often put servers, appliances or services on your internal network. This ensures a seamless integration and provides additional features, such as single sign-on. For example, you might integrate your Active Directory domain with a third-party identity provider and thereby enable certain users to authenticate through the third-party identity provider for SSO.
- Cloud. Organizations that want to take advantage of software-as-a-service (SaaS) and other cloud-based applications also need to manage identities in the cloud. Some of them choose identity federation, federating their on-premises authentication system directly with the cloud providers. There is another option: using a cloud-based identity service, such as Microsoft Azure Active Directory or Amazon AWS Identity and Access Management. Using a cloud-based identity service has several advantages:
  - You get identity management without managing the associated infrastructure.
  - You can start using a cloud-based identity service quickly, typically within a few minutes.
  - Cloud-based identity services are relatively inexpensive.
  - Cloud-based identity services are offered worldwide, often in more places and at a larger scale than most organizations can manage themselves.
  - The cloud provider often offers features not commonly found in on-premises environments. For example, a cloud provider can automatically detect suspicious sign-in attempts, such as those from a different type of operating system than normal or from a different location than usual, because the provider has a large amount of data and can use artificial intelligence to spot suspicious logins.
  - For services in the cloud, authentication is local, which often results in better performance than sending all authentication requests back to an on-premises identity service.
  You also need to be aware of the potential downsides:
  - You lose control of the identity infrastructure. Because identity is a critical foundational service, some high-security organizations have policies that require complete control over the entire identity service. There is a risk in using an identity service in a public cloud, although the public cloud can sometimes be as secure as or more secure than many corporate environments.
  - You might not be able to use only the cloud-based identity service. Many companies have legacy apps and services that require an on-premises identity. Managing both an on-premises identity infrastructure and a cloud-based identity system requires more time and effort than managing an on-premises environment alone.
  - If you want to use all the features of a cloud identity service, the costs rise. On-premises identity infrastructures are not expensive compared to many other foundational services such as storage or networking.
  - There might be a large effort required to use a cloud-based identity service. For example, you need to define new operational processes. You need to capture the auditing and log data and often bring it back to your on-premises environment for analysis. You might have to update, upgrade or deploy new software and services. For example, if you have an existing multi-factor authentication solution, it might not work seamlessly with your cloud-based identity service.
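The suspicious sign-in detection mentioned above (a sign-in from a different operating system or location than the user normally uses) comes down to building a per-user baseline and comparing each new event against it. The script below is an added example, not code from the original text or from any cloud provider: the sign-in records are constructed, the field names are assumed, and the `MIN_BASELINE_EVENTS` threshold is an arbitrary choice.

```python
import json
from collections import defaultdict

# Constructed newline-delimited JSON sign-in records (not real data).
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "alice", "os": "Windows", "country": "US", "result": "success"}
{"ts": "2024-03-01T08:40:53Z", "user": "alice", "os": "Windows", "country": "US", "result": "success"}
{"ts": "2024-03-02T09:01:30Z", "user": "alice", "os": "Windows", "country": "US", "result": "success"}
{"ts": "2024-03-02T09:15:02Z", "user": "bob", "os": "macOS", "country": "DE", "result": "success"}
{"ts": "2024-03-03T07:58:44Z", "user": "bob", "os": "macOS", "country": "DE", "result": "success"}
{"ts": "2024-03-03T08:03:19Z", "user": "alice", "os": "Windows", "country": "US", "result": "success"}
{"ts": "2024-03-04T02:11:07Z", "user": "alice", "os": "Linux", "country": "BR", "result": "success"}
{"ts": "2024-03-04T08:00:41Z", "user": "bob", "os": "macOS", "country": "DE", "result": "success"}
{"ts": "2024-03-04T23:30:00Z", "user": "bob", "os": "iOS", "country": "DE", "result": "success"}
"""

# Number of successful sign-ins a user needs before their profile is trusted
# enough to raise findings (assumed value for the demo).
MIN_BASELINE_EVENTS = 2


def parse_events(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_signins(events):
    """Walk successful sign-ins in time order and flag any whose operating
    system or country has never been seen for that user.

    Returns a list of findings: {"user", "ts", "reasons"}.
    """
    profiles = defaultdict(lambda: {"os": set(), "country": set(), "count": 0})
    findings = []
    # ISO-8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        prof = profiles[ev["user"]]
        reasons = []
        if prof["count"] >= MIN_BASELINE_EVENTS:
            for attr in ("os", "country"):
                if ev[attr] not in prof[attr]:
                    reasons.append(
                        f"{attr} {ev[attr]!r} not in baseline {sorted(prof[attr])}"
                    )
        if reasons:
            findings.append({"user": ev["user"], "ts": ev["ts"], "reasons": reasons})
            # A flagged sign-in is not added to the profile: an unexpected
            # device or location must not become "normal" until reviewed.
            continue
        prof["os"].add(ev["os"])
        prof["country"].add(ev["country"])
        prof["count"] += 1
    return findings


if __name__ == "__main__":
    for f in score_signins(parse_events(SAMPLE_LOG)):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

On the constructed log this flags alice's sign-in from Linux in Brazil and bob's sign-in from iOS. A cloud provider does the same comparison with many more signals (IP reputation, time of day, travel speed between locations) and across its whole customer base, which is why the text notes that such detection is hard to reproduce on premises.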
- Federated. Federation enables your organization to use its existing identities (such as those used to access your internal corporate systems) to access systems and resources outside the company network. For example, if you use a cloud-based HR application on the internet, you can configure federation so that employees sign in to the application with their corporate credentials. You can federate with vendors or partners. Federating between two organizations involves an agreement and software that make your identities portable, so they can be used with whichever organizations you federate with. Federation typically provides the best user experience because users don't have to remember additional passwords or manage additional identities.
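To make the federated sign-in described above concrete, here is an added example (not code from the original text, and not any vendor's implementation) of the two sides of a federation: the corporate identity provider issuing a signed token for an authenticated user, and the cloud HR application validating that token before it maps the subject to a session. The issuer URL, audience URL and signing key are constructed placeholders, and the token is signed with a standard-library HMAC as a stand-in for the asymmetric signatures that SAML and OpenID Connect actually use.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values. Real SAML/OIDC federation uses asymmetric
# signatures (RS256, XML-DSig), so the relying party holds only the IdP's
# public key; HMAC is used here to keep the example stdlib-only.
IDP_SIGNING_KEY = b"demo-only-shared-secret-not-for-production"
IDP_ISSUER = "https://idp.example.corp"          # hypothetical corporate IdP
HR_APP_AUDIENCE = "https://hr.example-saas.com"  # hypothetical cloud HR app


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()


class IdentityProvider:
    """Corporate side: the user has already authenticated against the
    on-premises directory (assumed); issue a short-lived signed token."""

    def __init__(self, issuer: str):
        self.issuer = issuer

    def issue_token(self, subject: str, audience: str, now: int, ttl: int = 300) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl}
        signing_input = (_b64url(json.dumps(header).encode()) + "."
                         + _b64url(json.dumps(claims).encode()))
        return signing_input + "." + _b64url(_sign(signing_input))


class RelyingParty:
    """Cloud application side: it never sees a corporate password, only
    tokens, and accepts them only from the one issuer it federated with."""

    def __init__(self, trusted_issuer: str, own_audience: str):
        self.trusted_issuer = trusted_issuer
        self.own_audience = own_audience

    def validate(self, token: str, now: int) -> str:
        """Return the federated subject, or raise ValueError with the reason."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        signing_input = parts[0] + "." + parts[1]
        try:
            presented = _b64url_decode(parts[2])
        except ValueError:  # binascii.Error is a ValueError subclass
            raise ValueError("malformed signature")
        # Check the signature in constant time before trusting any claim.
        if not hmac.compare_digest(_sign(signing_input), presented):
            raise ValueError("bad signature")
        header = json.loads(_b64url_decode(parts[0]))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(_b64url_decode(parts[1]))
        if claims.get("iss") != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.own_audience:
            raise ValueError("token issued for a different application")
        if now >= claims.get("exp", 0):
            raise ValueError("token expired")
        return claims["sub"]


def try_login(rp: RelyingParty, token: str, now: int) -> str:
    """Wrap validate() so callers get 'ok:<subject>' or 'rejected:<reason>'."""
    try:
        return "ok:" + rp.validate(token, now)
    except ValueError as exc:
        return "rejected:" + str(exc)


def tampered_copy(token: str, new_subject: str) -> str:
    """Produce a token whose subject claim was edited after signing, to show
    that the relying party's signature check rejects modified claims."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    return header_b64 + "." + _b64url(json.dumps(claims).encode()) + "." + sig_b64


if __name__ == "__main__":
    idp = IdentityProvider(IDP_ISSUER)
    hr_app = RelyingParty(IDP_ISSUER, HR_APP_AUDIENCE)
    token = idp.issue_token("alice@example.corp", HR_APP_AUDIENCE, now=1_700_000_000)
    print(try_login(hr_app, token, now=1_700_000_060))
    print(try_login(hr_app, tampered_copy(token, "admin@example.corp"), now=1_700_000_060))
```

The checks are ordered deliberately: signature first, then issuer, audience and expiry. The audience check is what keeps a token issued for one federated application from being replayed at another, and the expiry keeps the window short, which is what lets the user keep a single corporate credential without the cloud application ever storing it.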
Other key facts about third-party identity services include:
- Often, you still need an on-premises directory service.
- Many third-party identity services started off as solutions for web-based applications. They have since expanded to cover other use cases but still can't be used for many day-to-day authentication scenarios. For example, most of them can't authenticate users to their corporate laptops.
- Third-party identity services often offer single sign-on, multi-factor authentication and meta-directory services (pulling data from multiple directories into a single third-party directory).
- Many of the offerings are cloud-based, with a minimal on-premises footprint.
- Third-party identity services typically support SAML, OpenID Connect, WS-Federation, OAuth and WS-Trust.