When SAAS apps exchange customer data should they use OAUTH, Open ID, or other (SAML) protocols to access the data

Session Topic: When SaaS apps exchange data, what protocol should they use? OpenID, OAuth, SAML? What are the best practices? (T4H)

Convener: Jeff Collins

Notes-taker(s): Jeff Collins

Tags for the session - technology discussed/ideas considered:

OAuth Backplane OpenID IdP RP

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Saas apps providers are exchanging data on behalf of customers at an increasing rate.

Vendors like sf.com, google, intuit, ms, freshbooks are creating ecosystems of apps

For small businesses who buy a set of apps, how do they make sense of the identity problems among apps – where each app may have a different subset of employees registered

What is the role of oauth? It’s the best way to use identity so that data is transferred safely with standard protocol.

What is the identity of the unattended oauth access token between the offerings? Could be a “user” in the source app, a “user” in the destination app, or a “robot account”? What is most appropriate – from a security perspective, and from an auditing example?

When a 3rd party data integrator tool (Pervasive, Boomi, etc.) is used to transfer data between applications, what standards govern how the data integrator stores credentials? What’s a standard policy for how those tokens are granted and managed? Seems like oAuth can support most of the use cases.

What about when SaaS apps have dataintegration technology between them with data flowing in both directions? There’s a mutual sharing of oAuth tokens in the integration. Should we have a different standard for this kind of mutual authentication? Especially since from the user perspective, it may be important for them to turn off the open connection once and not from multiple points. For example – is there such a thing as an oauth access token that represents authentication to more than one service at a time? Yes – maybe there is a need for something there.

What kind of standard could work for this? Open question.