«

»

Adios Active Directory Services

Over the past couple years I had long and passionate discussions on the subject I am discussing in this article. Here is the deal… I believe computer corporate directory services, such as Active Directory, are doomed to extinction. However, before I start discussing my theory I have to say that I know that many will disagree.

 

(1)

The use of open standard for authorization (oAuth) is so common these days that we don’t even takes notice of that anymore. If you are not familiar with oAuth, in simple terms, OAuth is an authentication protocol that allows users to approve an application to act on their behalf without sharing their password.

There are few different open standards like Security Assertion Markup Language (SAML) and OpenID competing in this space, but let’s ignore that and focus on their purpose.

The use of OAuth on the Internet is becoming so common that it is actually starting to blur what service is actually holding the original user identity. As an example, Klout is authenticated using Twitter credentials, but Twitter is authenticated using Google credentials.

 

851562_569606143062000_1511151546_n

6a00d8345203ba69e20120a6f61520970b-800wi

 

(2)

What is starting to become more common these days is the use of corporate active directory credentials to authenticate users via OAuth to Software-as-a-Service (SaaS) applications such as SalesForce, SAP and WorkDay.

Solutions like VMware’s Horizon App Manager and few others on the market are already extending and unifying private and public cloud resources. Essentially, these tools are a service hub extension for corporate Microsoft Active Directory and other directory services that will be used to authenticate users on public and private cloud services.

Microsoft also has already announced that Microsoft Azure will support a federated model where organizations will be able to use internal Active Directory credentials to manage cloud resources.

In the pictures below you see Horizon Workspace and how users may use their corporate credentials to authenticate to multiple cloud services, including personal services like Facebook and LinkedIn.

 

screenshot1

screenshot2

 

(3)

At this point we are just one step away from actually using public credible identity services as a trusted source to allow access to internal corporate systems and resources – and that’s where the discussion starts.

I personally believe that this will happen naturally overtime. Organizations and users will start to accept using their personal credentials, such as Google and LinkedIn to login to corporate SaaS applications. Furthermore I believe that overtime those public trusted identity sources will be providing authentication to corporate internal services like Secure VPNs or File servers.

If you start thinking this way you will start to notice that corporate internal directory services are non-essential services to organizations.

Of course, these opens up a big discussion about security since OAuth makes extensive use of many kinds of tokens (access tokens, refresh tokens, authorization codes), and once a trusted source is compromised a hacker would possibly have access to corporate resources.

We used to the same thing about securing resources on the cloud and despite the discussions organizations are rapidly moving their workloads to the cloud and public cloud services. So, why not outsource security to an organization like Google, Microsoft or RSA through the use of open standard for authorization services?

 

What are your thoughts?

 

This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.

2 comments

1 ping

  1. Steve Tout (@stevetout)

    I’m not sure how an authorization protocol will be the demise of the corporate directory. There are many more objects and schemas used in AD and other directories than user authn/authz attributes and many which do not support OAuth or need federated SSO. 🙂

  2. Andre Leibovici

    Steve,

    That is a good point. We would certainly require applications to stop using AD schema changes and so on. In some ways this is already happening with consumerization and new devices that are coming into the workplace. As an example I use MAC and this is not connected to AD. Also, applications are moving to the cloud and many of them do not utilize AD concepts any longer.

    In the future, only Microsoft applications will make use of AD objects – or maybe even MS apps will forgo that. Simply look at the new Microsoft strategy to manage Windows moving forward, it’s MDM API’s, not AD.

    -Andre

  1. Newsletter: June 21, 2015 | Notes from MWhite

    […] Active Directory Services This is an interesting and thoughtful article from Andre.  I do believe he has a point about how AD might end up being slowly replaced by SaaS […]

Leave a Reply