Posted on August 18, 2011 by Marc Boorshtein
Questions to ask when considering what authentication to integrate into your application (Part 2)
In my last blog post I covered some basic terminology used when looking at authentication and identity federation. In this installment I'll talk about some of the questions to ask when considering what authentication to integrate into your application.
Question 1 : Are there any regulations I need to meet?
Are there requirements from auditors, or based on the sensitivity of the information in the application? This is often the case in the Federal Government, where Smart Card authentication using SSL certificates is required, or with sensitive information where 2 factors of authentication are needed. Determining what kind of authentication is required is rarely a cut-and-dried decision, since there is rarely a document or policy that says “your app must be 2 factor”. Instead it's usually a risk-based decision, where the risk of loss and penalties is weighed against implementation cost and usability.
This is an important question when considering federation protocols as well. Some protocols, like SAML2, have built-in ways to tell you, as the SP, how the user authenticated. This way you can restrict access based not just on who the user is but also on how they authenticated.
Question 2 : Who's using this application?
Different user populations are often tied to different authentication and federation protocols. If your application is targeted at the B2C market and you are looking to use social networking logins, you'll be looking at OAuth. If your application is used by enterprise users, you'll be looking at SAML2.
If your users are part of a specific community, you should find out if there is an Identity as a Service (IdaaS) provider for it. For instance, if you are building an application for supply chain management, there might already be an IdaaS provider in your industry. Integrating with one of these providers can vastly simplify your deployment.
Question 3 : Where is user data stored?
The flip side of any authentication process is user data. I might have validated that you are who you say you are, but what do I need to know about you? What department are you in? What groups do you have access to? Most authentication and federation systems can push user data as part of the authentication process, but applications generally aren't written to read it from that exchange. Most applications require user data to be in either a directory or a database.
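The two SAML2 points above, the SP learning how the user authenticated (Question 1) and user data pushed with the authentication (Question 3), as an added example that is not code from the original post. The assertion, the attribute names and the policy are constructed for illustration, and it is assumed that a SAML library has already verified the assertion's signature, issuer, audience and validity window before this code runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard SAML2 authentication-context class URIs (SAML 2.0 authn-context spec).
PASSWORD_TLS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SMARTCARD_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
X509_CERT = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"

# Constructed sample assertion. The <ds:Signature> is omitted: this code assumes
# a SAML library has already verified the signature, issuer, audience and time
# conditions before the assertion reaches these policy checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>payroll-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def authn_context(assertion_xml):
    """Return the AuthnContextClassRef the IdP reported, or None if there is none."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None

def attributes(assertion_xml):
    """Map each Attribute Name to its list of values; this is the 'user data'
    (department, groups) an IdP can push along with the authentication."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}

def access_allowed(assertion_xml, accepted_classes):
    """Grant access only if the reported context is one the resource accepts.
    A missing or unrecognised context denies: never default to allow."""
    ctx = authn_context(assertion_xml)
    return ctx is not None and ctx in accepted_classes

if __name__ == "__main__":
    print(access_allowed(SAMPLE_ASSERTION, {SMARTCARD_PKI, X509_CERT}))  # False: password only
```

A resource that regulation says needs a smart card would pass `{SMARTCARD_PKI, X509_CERT}` as the accepted set, while a low-risk page could accept `PASSWORD_TLS` as well; the attribute map is what you would load into the directory or database the application actually reads.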
While there are many more questions to ask during an implementation, these three are the ones I ask first and are generally a good start. In the last installment of this series, I'll talk about Web Access Managers and whether you should deploy one.