How to create a Governable Identity Model- Paul Fremantle, Enterprise Features

I constantly see and hear about examples of identity and security issues that come are due to poor governance. For example, I have come across companies where ex-employees still have their Salesforce accounts six months after they’ve left. At other times, there is a simple black-and-white access control model: either the employee has full access or no access. If that sounds too simple to be true, think about the system that caused the Wikileaks problem!

There are two prime causes for this. First, there are too many identities. Each of us knows we have tens if not hundreds of identities on different systems, and there is no overall control of those identities. Second, there are too many places where permissions are checked—or not checked. On the whole, we rely on each application to implement permissions, and there is a huge lack of consistency between these systems.

One approach to solving this would be to apply a manual governance process: setting up many policies and procedures around each system to ensure the right thing happens. Unfortunately this kind of governance model is very human-intensive and error prone.

Ideally we want to automate the governance model, so that the minimum human effort leads to the greatest amount of security. There are two key technologies that can help here:


The Security Assertion Markup Language v2 (SAML2) is a standard for XML-based identity tokens. These tokens give us two big benefits: single-sign on and federated identity. SAML2 can help unify as many systems as possible around a single identity. For example, you can configure Salesforce to accept SAML2 tokens from your internal identity model. Any time you lose employees and remove them from your LDAP system, they are automatically shut out of Salesforce. This is an example of federating the identity from your internal model into Salesforce. Single-sign-on also helps your users because it makes life quicker, easier and simpler.

How does SAML2 do this? The key benefit of SAML2 is that the user authenticates to a single “identity server.” Then this server creates a token, which is trusted for a limited time by the target. The token can contain a variety of information (“claims”). These claims then can be used as part of any authorization process. For example, a claim could assert that the user is logging in from a secure network.


The XML Access Control Markup Language (XACML) does for authorization what SAML2 does for authentication. It allows a single policy based model for who can access which resources. XACML is very powerful too. It can work in conjunction with SAML2 to create very rich security models. For example, you can allow different access to users who are logged into a secure computer on a secure network as opposed to users coming via their laptop from Starbucks.

XACML does this by being able to capture complex “entitlement” logic into the Policy. The Policy is an XML file that can be stored in a smart registry. For example a policy might state that user Paul may access a salary update process between 9AM and 5PM GMT if Paul is in the role of manager.

In order to put these technologies into a governance perspective, it is useful to use an analogy. One of the strongest ways that companies have managed governance in the application world is through the use of an enterprise service bus (ESB). There are a few key approaches that make this work:

  • Using policy and metadata instead of code.
  • Putting central logs in place.
  • Moving towards a canonical model and transforming legacy systems into that.

It turns out we can learn exactly the same lessons for identity.

  • Using XACML to have a consistent model and way of defining authorization and entitlement using policies instead of hard-coding them into applications.
  • Using common auditing across your policy enforcement points (PEPs) to ensure a single central audit log.
  • Using SAML2 as a canonical model for identity and bridging that into legacy systems as much as possible.

With this kind of model, governance becomes much more simple and automated. Removing a user’s login permission can remove the login from everything. Authorization can be based on policies, which can be managed using processes. Even remote systems like Salesforce will still be included in the audit because, when a user signs in via SAML2, the SAML2 token server will create an audit event.

Of course SAML2 and XACML are not the only technologies that help with identity governance. In particular OpenID and OAuth are complementary technologies that are supported by a number of websites and Web-based systems like Liferay and Drupal. Unfortunately to cover all these technologies in detail would end up in a whole book!

Good governance is hard. It’s usually painful, but fundamentally it is the key to strong security. The key, in my opinion, to getting great governance is to use the right tools and techniques to automate governance as much as possible. SAML2, XACML and the associated technologies are a great start doing this.

About The Author: Paul Fremantle is CTO and co-founder of WSO2, a company focused on providing lean, open source enterprise middleware. WSO2 participates in many open standards organizations including OASIS and the OpenID Foundation. WSO2 offers an identity solution that supports identity governance using SAML2 and XACML.