Separating Authentication and Authorization


Yesterday I was talking to Kelly Flanagan, BYU's CIO, about the OpenID-enabled wiki we have for the Internet Identity Workshop. I'd love to see BYU put an OpenID server on top of their directory. That way I could easily have my students authenticating on my wikis and blogs. Of course, BYU has all kinds of APIs for doing this, but to use them I'd have to work in certain development environments, get permission, and so on. Solutions like OpenID are much more loosely coupled.

Our discussion ultimately got down to the distinction between authentication and authorization. OpenID is a pure authentication system. It doesn't even support attributes in the spec (although they could be published at the OpenID URL). The problem is that most enterprise systems conflate authentication and authorization--probably because authorization is what most people are ultimately after. As a result, most commercial access management systems are mostly about authorization and do authentication as an afterthought.

This morning I was talking to Andre Durrand, CEO of Ping Identity (disclaimer: I'm on their advisory board). We got into the same discussion. Authentication is underrated. What's more, you get some great benefits from the separation. One of the most important is being able to control access based on the type of authentication used. If authentication and authorization are integrated, you can't easily offer simple services to folks who authenticated with OpenID or LID and higher-risk services only to folks who authenticated with multi-factor authentication--unless the integrated system happens to support all of those methods. When the two are separate, the authorization policy only has to know how strongly the subject was authenticated, not which product did it.
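Here is what that separation looks like in code. This is an added example, not code from this post or from any product it mentions: the authentication side produces a principal that records who was authenticated, by what method, how strongly, and when; the authorization side decides from that record and a policy that names a minimum assurance level per resource, so a weak method (OpenID or LID) can still reach the wiki while grade data demands multi-factor, and an admin area additionally demands a fresh multi-factor login. The resource paths, the policy rules, the three assurance levels and the demo clock are all assumptions made for illustration.

```python
"""Authentication and authorization as two separable steps.

Added example, not code from the post or from any product it names.
The resource paths, policy rules and assurance levels are assumptions
chosen to illustrate the point, not a real BYU or Ping Identity config.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from fnmatch import fnmatch
from typing import List, Optional


class Assurance(IntEnum):
    """How strongly the authentication event vouches for the subject.
    Ordered so that a stronger method satisfies a weaker requirement."""
    SINGLE_SIGN_ON = 1  # OpenID or LID: a remote provider vouched for a URL
    PASSWORD = 2        # password checked against the local directory
    MULTI_FACTOR = 3    # password plus a second factor


@dataclass(frozen=True)
class Principal:
    """Everything the authentication step hands to authorization:
    who, by which method, how strongly, and when. No permissions here."""
    subject: str
    method: str
    assurance: Assurance
    authenticated_at: datetime


# --- Authentication side: every method yields the same Principal shape. ---
# The verification itself (checking the OpenID assertion, checking the OTP)
# is out of scope here; these run only after it has succeeded.

def principal_from_openid(claimed_id: str, at: datetime) -> Principal:
    return Principal(claimed_id, "openid", Assurance.SINGLE_SIGN_ON, at)


def principal_from_mfa(username: str, at: datetime) -> Principal:
    return Principal(username, "mfa", Assurance.MULTI_FACTOR, at)


# --- Authorization side: rules name a minimum assurance, not a product. ---

@dataclass(frozen=True)
class Rule:
    pattern: str                         # glob over the resource path
    min_assurance: Assurance
    max_age: Optional[timedelta] = None  # freshness requirement, if any


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    step_up_to: Optional[Assurance] = None  # hint: re-authenticate at this level


# Constructed policy: the first matching rule wins, so specific paths come first.
POLICY: List[Rule] = [
    Rule("/wiki/admin/*", Assurance.MULTI_FACTOR, max_age=timedelta(minutes=15)),
    Rule("/grades/*", Assurance.MULTI_FACTOR),
    Rule("/wiki/*", Assurance.SINGLE_SIGN_ON),
    Rule("/blog/comments/*", Assurance.SINGLE_SIGN_ON),
]


def authorize(p: Principal, resource: str, policy: List[Rule] = POLICY,
              now: Optional[datetime] = None) -> Decision:
    """Decide purely from the Principal and the policy. Swapping the
    authenticator (OpenID today, something else tomorrow) never touches this."""
    now = now or datetime.now(timezone.utc)
    for rule in policy:
        if not fnmatch(resource, rule.pattern):
            continue
        if p.assurance < rule.min_assurance:
            return Decision(False,
                            f"{resource} needs {rule.min_assurance.name}; "
                            f"{p.subject} used {p.method} ({p.assurance.name})",
                            step_up_to=rule.min_assurance)
        if rule.max_age is not None and now - p.authenticated_at > rule.max_age:
            return Decision(False,
                            f"{resource} needs authentication fresher than {rule.max_age}",
                            step_up_to=rule.min_assurance)
        return Decision(True, f"{resource}: {p.method} satisfies {rule.min_assurance.name}")
    return Decision(False, f"no rule covers {resource}")  # default deny


# Fixed clock so the example is reproducible.
DEMO_NOW = datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc)
AN_HOUR_AGO = DEMO_NOW - timedelta(hours=1)

if __name__ == "__main__":
    student = principal_from_openid("http://student.example.org/", DEMO_NOW)
    faculty = principal_from_mfa("faculty01", AN_HOUR_AGO)
    for who, res in [(student, "/wiki/IIW2006"), (student, "/grades/cs462"),
                     (faculty, "/grades/cs462"), (faculty, "/wiki/admin/users")]:
        d = authorize(who, res, now=DEMO_NOW)
        print("ALLOW" if d.allowed else "DENY ", d.reason,
              f"(step up to {d.step_up_to.name})" if d.step_up_to else "")
```

The `step_up_to` hint is the practical payoff: because the policy reasons about assurance rather than about a specific product, the application can send an OpenID-authenticated user through a stronger login when they first touch a higher-risk resource, instead of forcing everyone through the strongest method up front. Note also that the policy ends in a default deny, and that a stale multi-factor login fails the admin rule even though its assurance level is high enough.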

The reality is that most people use access management systems like SiteMinder as authentication systems, since many applications have authorization built in. So, ironically, while access management systems focus 80% of their functionality on authorization, most of their users are ignoring it. By separating authentication from authorization, you can buy the right amount of what you need and even swap them out independently of each other as your needs change.