17 Sep, 2020 | 3 min read

Open Standards Alone Do Not Save You From Vendor Lock-In

  • Ishara Karunarathna
  • Associate Technical Lead - WSO2

Photo by Henk Mohabier from Pexels

In the identity and access management (IAM) domain, open standards have become foundational. Look at any IAM vendor and you will find open standards, and compatibility with them, featured prominently. Since open standards are a commodity, no one gains a competitive advantage just by implementing them. This is why all vendors are in a continuous race to contribute new standards or to implement existing ones.

Then there's vendor lock-in. In the evaluation phase, we assess how easily the product could be replaced, alongside other criteria such as the capability to implement our use cases, price, performance, etc. Without any debate, open standards help in this process. For example, if you want to implement single sign-on (SSO) using OpenID Connect (OIDC), you can simply check the OIDC-compliant IAM vendors on the OpenID certification page and select a few of them. Auth0, ForgeRock, Ping Identity, and WSO2 Identity Server will all fit the use case, and the same client application can work with any of these products once its configuration is changed. Similarly, if you want to implement an identity provisioning use case, you can pick one of the implementations compatible with the System for Cross-domain Identity Management (SCIM) specification.

This is not limited to IAM; just think about your mobile phone. You may not worry about the charger simply because you can use any USB-C charging cable, even the one that came with a MacBook Pro. This is the beauty of open standards: they make integration easy and avoid vendor lock-in. (There is more to say about the benefits of open standards, covered in a separate article.) But are you going to say that open standards make you free from vendor lock-in? Where is the mobile phone you bought a few years back, and how do you charge it? You probably use a micro-USB charging cable, because that is what was popular at the time. Open standards continue to evolve over time, which makes migration, or changing vendors after a few years, challenging.

Additionally, if we think about the OIDC login use case tried in the vendor evaluation phase, we were probably using the standard request and response formats as they are. The OIDC response also gives you an ID token (a JWT) carrying the basic set of user claims. If that were all, we could claim that open standards keep you from being locked in to the selected vendor. In reality, this is not the case. Most of the time, even if you use the standard OIDC flow, you will need a different claim set based on the business need. To get those claims, you may have to change configurations and extend the core product's capabilities, and you may have stored this information under a different schema. This is a simple example of how IAM use cases go beyond basic open standards-based integration.

The CEO of Microsoft, Satya Nadella, once said: “Every company is a software company. You have to start thinking and operating like a digital company. It’s no longer just about procuring one solution and deploying one. It’s not about one simple software solution. It’s really you yourself thinking of your own future as a digital company.”

Open standards are the foundation, but open standards alone do not make you free from vendor lock-in. Here are a few other things you need to consider.

Ownership and Knowledge of Extensions

Most often you will extend the core capabilities of the product to cater to unique business needs. If you clearly understand and own these extensions, you can move away at any point and implement the same in a new system. Many vendors keep this knowledge within their own team, and that locks you into their platform even if you rely on open standards.

Understand the Product Implementation Thoroughly

Beyond IAM integration, there is a lot you have to do in the product to complete a use case. Different authentication mechanisms are configured, authorization policies may be engaged, and approval processes and provisioning mechanisms will be used. Deployment has to be done in a specific way to achieve a specific use case. If the system is alien to you as a customer, it will be challenging to move away or migrate. Hence make sure your internal development team are experts in the product you are using. You may not need to know the complete third-party product, but it is always best to familiarize yourself with the flows that you are using.

Open Standards + Open Source

Open standards alone may not give you freedom from vendor lock-in, but open standards and open source together can. Open standards lay the foundation, and open source gives you the insight you need into the product you have selected, which eventually makes you free from vendor lock-in. Want to learn more about open source IAM? Check out my blog on debunking popular myths on open source IAM. You can also learn more about WSO2 Identity Server.