With salesforce.com announcing its entrance into the identity market, we thought it would be valuable to review this step from all three perspectives it entangles - security as tied to identity - Steve Wilson’s realm; CRM as salesforce.com is a CRM provider - Bruce Daley’s area; and lastly PaaS as covered by Holger Mueller.
What’s News?
After the announcement of Salesforce Identity Connect at Dreamforce 2012, a significant beta phase followed, and the services were made available on the 15th of October. With that, Salesforce.com enters the IAM market and is the first enterprise application vendor to do so - though you may equally see this as a natural extension of its force.com PaaS platform.
The offering supports all the usual standards with SAML, OAuth, OpenID Connect and SCIM. Moreover, it's one of the first offerings to bridge a single sign on solution across traditional enterprise applications (e.g. Salesforce.com's own applications), productivity applications (e.g. Dropbox) and social sites (e.g. Facebook). Equally, it offers sign in services for cloud, mobile and even on premise web applications. Not surprisingly, Salesforce.com has bundled the identity offering with its social platform Chatter to add further value to the offering.
Capabilities like freezing the account of a terminated employee will certainly be welcomed by customers, and with multi factor authentication, the service is up to speed security standards wise.
The Identity & Privacy Angle - Steve Wilson
Chuck Mortimore, Salesforce Identity’s VP for Product Management states their ambition to “[extend] user identities beyond the traditional firewall and into the cloud, providing a clear path for CIOs to embrace the cloud as the identity platform of the future”.
The problem they’re solving has been called “herding apps”. The enterprise application environment is getting more and more heterogeneous, in terms of both functionality and platforms. CIOs and CTOs are supporting diverse workforces undertaking ever more complex tasks on phones, tablets, laptops and desktops (still!), with software in the cloud and on-prem. Not to mention BYO Devices! Enterprise software is all over the place: metaphorically and literally!
Logon and access management have become nightmares for users and administrators alike. And IT executives dread that they are compounding the problems every time they introduce a new app or a platform. But how can they not?
Salesforce’s ambition is to tame this wilderness with a uniform interoperable identity layer. Salesforce Identity sees the company become the hub to join all on-prem, mobile and cloud apps, through Single Sign On (SSO), Identity and Access Management (IDAM), directory integration and unified privileges administration. They are not alone and they’re not the first with this kind of vision, but they have the platform to make it happen seamlessly. Too often, Identity Management overdoes identity. It’s really just a means to an end: it’s just the way we index users and match their rights to an enterprise’s resources. Identity management technology must not inadvertently get in the way of how we know and show who people are.
The strengths and attractions of Salesforce Identity are clear. It’s a thoroughly standards-based approach, with deep integration to Salesforce’s apps and platform, and great developer support for third party software enablement. There are comprehensive dashboards and administrator consoles for managing accounts across the enterprise. And Salesforce Identity leverages the familiarity, robustness and above all the regular pricing models of their Platform-as-a-Service.
I myself remain sceptical about “Identity-as-a-Service”. Can we have “Logon aaS”? Sure. “Privileges Admin aaS”? Absolutely, but these are not such sexy ideas. Everyone uses “identity” in their marketing but we need to remember identity is really about business relationships, and it’s fiendishly difficult to serve up from a third party or an infrastructure (see “The Consumerization of Identity”).
While Salesforce too talks about “Identity-as-a-Service”, I’m happy that their approach puts identity in its proper place: ultimately, it is special to the enterprise.
The Salesforce Identity platform means that whatever the enterprise treats as representative of its users’ identities, those relationships remain sovereign, and become manageable uniformly and extensibly. And because the Salesforce platform is already in the plumbing of so many enterprises, it is a formidable offering.
The CRM Angle - Bruce Daley
The message is simple, the meaning is clear. Adding identity management to Salesforce’s Force.com platform helps system administrators today, but will have its greatest implications for CRM in the distant
The message from Salesforce is simple: identity management is associated with single sign on. Many internal help desks receive a majority of their calls from users who have forgotten their passwords and need help signing in. Having a single sign on reduces this burden (although it will never eliminate it) and identity management stands behind it.
Eventually though identity management drives the adoption of a multi-tenancy “universal customer master”: the most authoritative record of a person’s name, address, phone number, birthdate, and other basic identifying information. Right now, Salesforce has most of our contact information stored hundreds of times by different sales people. Since the company has a multi-tenancy data model, in theory everyone could use the same record. What has held this back has been determining who owns the master record. With a single sign on, an individual can own his or her own customer master and be responsible for authenticating and validating the personal information it represents. Of course it will take many years to achieve this, but once it does much of the labor of maintaining a CRM system will be eliminated and the meaning of that is clear.
The PaaS Angle - Holger Mueller
User onboarding remains one of the often overlooked tasks that get added at the last minute before go-live when building custom applications. Sitting on a PaaS platform like force.com that takes care of this right from the start is of significant value.
And there are two dimensions to that value proposition - one for using force.com as the directory platform, the second one for using a force.com application as a client to an outside directory service. The latter makes it easy for a custom application on force.com not to have to worry about the creation, maintenance and synchronization of users. The former scenario creates direct value for a new force.com application - as it now can be the source of truth and the directory for further platforms. We expect many force.com ISVs to be excited about this new capability.
Under the hood salesforce.com uses its own services for its own services and platforms, but has also signed an OEM agreement with ForgeRock for added capabilities. One of the key ones is that Salesforce Identity Connect can also be used on premise - both for syncing with Active Directory and as an SSO solution for web-based but locally running applications.
Salesforce.com’s move will be noted in the venerable IAM market - both by the traditional vendors CA, IBM and Oracle, as well as the newer vendors like Okta, OneLogin and Ping. It will be interesting to see if other enterprise vendors like SAP or Workday may make a foray into identity too.
Our POV
A good move by Salesforce.com adding more value to its platform and creating a certain level of stickiness as user administration does - no matter if in the cloud or on premise. Special kudos for doing this move supporting standards and thus allowing good co-existence with other products - moving the focus to value for the end user and not lock in by the vendor, which is something we otherwise still see too often.
Now it will be back to customer and vendor adoption to determine success.