The quest for a perfect IDaaS solution

Every discussion about security should start with a discussion about identity and access management. It’s that important, and therefore the quest for a perfect IDaaS solution is a painful but necessary journey. One could of course choose to build their own identity and access management system, but most of the time companies don’t have the necessary time and resources to do that, given the crazy release cycles we’re seeing nowadays. Going towards IDaaS is therefore a natural choice in a lot of circumstances. But do we really have a “perfect for every scenario” IDaaS solution somewhere out there? Let’s see!

The enterprise world

I personally witnessed a profound transformation of the enterprise world, from a setup where almost every enterprise was an isolated island, with all resources provided from inside the company, to a much more flexible, collaborative and scalable setup. This change was driven by two main factors in my opinion:

  1. The explosion of SaaS applications
  2. The more collaborative business model that we have today, where there often are different companies with different expertise working together on a single project, product or service.

Choosing an IDaaS solution for an enterprise is not necessarily easy, since there are a lot of such services out there: Microsoft Azure AD, Okta, Auth0, Ping Federate and many more. However, I think that for enterprises Microsoft Azure AD might be the best solution. First of all because most enterprises still rely on Active Directory, and getting your users synchronized from the local directory to Azure AD is really a piece of cake. Setting up federation using ADFS is also trivial in comparison to similar services, where more steps are required and where things can go real bad real quick.

Second, with Azure AD you mostly get all the features that the other services offer. That’s another interesting point of discussion, since it’s really not possible to find the perfect IDaaS provider only by comparing the features offered by different providers. These features are largely the same, so in the end it comes down to the entire ecosystem and finding the provider that integrates best with the existing IT ecosystem in the company.

In conclusion, I would say that for enterprises that use Active Directory and are looking for an IDaaS solution to have a central control plane for all topics related to identity and access management, Microsoft Azure AD is likely the best fit.

The consumer world

The consumer applications world is totally different. Here you don’t usually have a homogeneous environment that you need to integrate with an IDaaS solution. You’ll most likely need to build such a directory. Further, you’ll never know what devices your users will use, and you basically have a lot less control. However, making your users create a new profile each time is not what consumers want, so you’ll have to rely on third-party identity providers like Facebook, Google, GitHub and so on.

The IDaaS market for the consumer world is also rich, because most of the providers mentioned earlier are fully OpenID Connect and OAuth 2.0 compliant. However, since the consumer world is so different from the enterprise world, the best choice is not necessarily obvious. Microsoft Azure AD B2C could be a choice for those that are familiar with the Microsoft ecosystem. After all, customers like Real Madrid are using it. Still, Azure AD B2C wouldn’t be my first choice for consumer apps. I’ve already written a piece on the challenges I faced working with Azure AD B2C, so please check this article for more insights. Charlie Chen also compared Azure AD B2C to Auth0 and Okta, and you might also want to read that article because there is some really good information in it.

In conclusion, Microsoft Azure AD might not be the optimal choice for an IDaaS solution for consumer applications, due to the fact that it’s difficult to integrate with modern front-end frameworks, the inability to access claims on the id token, and the overall more complicated setup compared with Auth0 or Okta. On the other hand, for small applications Google Firebase might be a good choice, while Auth0 or Okta might be the solutions best suited for consumer applications with more complex IDaaS needs.

What about real multi-tenant applications?

With the explosion of SaaS apps, the concept of multi-tenant applications becomes more important. In fact, almost everybody is talking about multi-tenant applications. Still, in my opinion there is a huge problem in how multi-tenancy is perceived and implemented in SaaS applications. We have a lot of multi-tenant SaaS applications designed for enterprises. We also have a huge amount of SaaS applications designed for consumers. What we really miss is a large number of multi-tenant applications that are designed to be used by both enterprise customers and consumers. These are, in my opinion, the real multi-tenant applications!

Microsoft Azure AD is out of the question here. Such a design is theoretically possible, but you would have to maintain and keep in sync Azure AD, Azure AD B2B and Azure AD B2C. Overall, I think this might be a nightmare. Auth0, on the other hand, is easy to integrate both with enterprise identity providers (like Active Directory, Azure AD and many more) and consumer identity providers (like Facebook, Google and so on). I don’t have a lot of experience with Okta and other IDaaS solutions, but based on reports I’ve read it seems that you can’t connect them to as many IdPs as Auth0. Hence, Auth0 would be, in my opinion, the clear winner in this category.
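As an added example (not code from this post or from any of the vendors named), here is how a “real” multi-tenant app might resolve which tenant a signed-in user belongs to when id tokens can come either from an enterprise IdP (an Azure AD tenant) or a consumer IdP (Google). It assumes the token signature has already been verified by a JWT library against the issuer’s JWKS; the issuer URLs, tenant ids, client id and claim values are constructed for illustration.

```python
import time

# Constructed allowlist of issuers this app trusts and the kind of identity each vouches for.
TRUSTED_ISSUERS = {
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0": "enterprise",
    "https://accounts.google.com": "consumer",
}
# Constructed mapping from an enterprise directory (Azure AD tid claim) to the app's tenant.
ENTERPRISE_TENANTS = {"11111111-2222-3333-4444-555555555555": "contoso"}
CLIENT_ID = "app-client-id"  # assumption: this app's OIDC client id


def resolve_tenant(claims, now=None):
    """Map a signature-verified id_token's claims to (tenant, kind, user_key).

    kind comes from the issuer allowlist, never from the claims themselves, so a
    consumer token carrying a tid claim cannot be promoted into an enterprise tenant.
    """
    now = time.time() if now is None else now
    kind = TRUSTED_ISSUERS.get(claims.get("iss"))
    if kind is None:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("missing subject")
    if kind == "enterprise":
        tid = claims.get("tid")
        # Azure AD v2 issuer URLs embed the tenant id; tid must agree with the issuer.
        if not tid or tid not in claims["iss"] or tid not in ENTERPRISE_TENANTS:
            raise ValueError("enterprise directory not onboarded")
        tenant = ENTERPRISE_TENANTS[tid]
    else:
        tenant = "consumer"
    # Keying users by (issuer, sub) prevents sub collisions between different IdPs.
    return tenant, kind, f"{claims['iss']}#{sub}"


# Constructed sample claim sets (signature verification assumed already done).
AZURE_ISS = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
ENTERPRISE_CLAIMS = {"iss": AZURE_ISS, "aud": CLIENT_ID, "exp": 2000, "sub": "alice-oid",
                     "tid": "11111111-2222-3333-4444-555555555555"}
CONSUMER_CLAIMS = {"iss": "https://accounts.google.com", "aud": [CLIENT_ID], "exp": 2000,
                   "sub": "10769150350006150715113082367"}
# A consumer token that also carries a tid claim must still land in the consumer tenant.
SMUGGLED_CLAIMS = dict(CONSUMER_CLAIMS, tid="11111111-2222-3333-4444-555555555555")
```

The point of the check is that the trust level is decided by which IdP signed the token, not by whatever claims the token happens to carry, which is exactly what gets tricky once one app federates with both enterprise and consumer providers.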

Conclusion

The quest for a perfect IDaaS solution is not easy, and it’s almost clear that you won’t find a solution that perfectly fits all the scenarios you can think of. An IDaaS solution might be perfect for a certain project, product or service, while it might drastically fail in another. From my experience, Microsoft Azure AD is a good fit for enterprise applications, while Firebase, Auth0 and Okta might be better suited for consumer applications. For “real” multi-tenant applications Auth0 is, once again, the best fit.

Disclaimer: I have worked for many years with Azure Active Directory. Auth0 is also a service that I have used several times. I tested Okta occasionally. I didn’t play around with or use other IDaaS solutions, so it might be that there are some solutions that would perform better in some scenarios than the IDaaS providers that I’ve mentioned here. I am not affiliated in any way with Microsoft, Auth0, Google or Okta, and this article only reflects my personal experience. Also, the main idea of this article is not to promote certain products or services, but to underline that each product/service might have strengths and weaknesses that we need to take into consideration when searching for an ideal IDaaS solution to integrate in a certain project.
