I’m on my annual pilgrimage to the Gartner Catalyst conference in San Diego this week, and obviously one of the topics of interest has been standards. In his ‘Hitchhikers Guide to Identity’ talk (a blatant ripoff of mine!), Patrick talked about Standards being one of the pillars of the emerging Identiverse. And in the always entertaining ‘Identity Standards Smackdown’ that Ian Glazer moderates, SCIM and SAML tied as the “winners” (an obviously rigged result since Pam’s OpenID Connect was clearly superior. I mean, she had robots!).
The Twitter talk regarding SCIM led Rohit Gupta to ask the following question:
It’s a good question. Rohit and I (along with a lot of others) have suffered through the failure of SPML, mainly due to lack of adoption by the application vendors. In a past talk at CIS, I pointed out that one reason I was optimistic about SCIM was that major players from the SaaS community (namely Salesforce and Google) were among those leading the effort on standardizing SCIM. This year at CIS in my ‘Hitchhiker Guide to Identity’ talk (the original and definitive Douglas Adams inspired work!), I did make the remark that 2 years later, the number of implementations in the wild is woefully lacking. So, what will be the driver? Well, ultimately it will be the money.
As was pointed out in the ensuing Twitter chain, SAML did succeed in getting broadly adopted by SaaS vendors due to customer demand. This customer demand emanated from the fact that SaaS vendors realized that in order to move beyond niche plays and make serious inroads into the enterprise market, they would have to play nice with the control mechanisms that enterprises rely on. And as I pointed out in my Hitchhikers talk, this is the exact same reason why SaaS vendors added in AD Synch support. And anyone who has dealt with that, whether on the product side or on the customer side, knows what a pain that is. So these same SaaS vendors would be more than amenable to adding in SCIM support when it picks up some momentum.
But the real push will come from the changing nature of IT and how it is being procured. The way I (and others) see it, enterprises are looking for a practical solution to the scourge of Shadow IT. Trying to fight the Bring Your Own Application/Service trend is a losing battle. And as the old saying goes, “If you can’t beat ’em, join ’em”. The solution to this lies in how the enterprise IAM platforms will support the rapid and on-demand adoption of SaaS. IDaaS platforms like our own SCUID Lifecycle are building into their administration consoles “App Stores”, a catalog of pre-integrated SaaS solutions that a customer can quickly choose from and make available to their end-users with a few clicks, thereby avoiding the run-around business owners give IT. So if a SaaS vendor doesn’t want to lose business in this new model of IT, they are going to have to ensure that they are able to fit into this architecture, which will rely on supporting the modern identity stack (in addition to SAML, zombification notwithstanding). Contrary to what some suggested, I think this will therefore start with the small to mid-size SaaS solutions, not the big ones who can afford to dictate use of their proprietary APIs for a while, till such time as nasty incidents result in the customer support nightmares that often catch the eye of senior management.
And here’s where a critical component comes in. In order for small to mid-size SaaS solutions to do this nicely, it is incumbent on the platforms they are being built on to provide SCIM and other identity protocol support natively, out of the box, as part of the identity services being offered to the application developers. And this brings us back to the notion of Identity APIs offered by IDaaS platforms that need to be part of the emerging Identiverse. So it’s not just up to the SaaS vendors, it’s up to all of us – IAM solutions, IAM customers, application developers and SaaS solutions.
Call it the Circle of (Identity) Life.
[Cross posted to the Identropy blog]