From SAML to CAEP: Charting the Evolution of Identity Frameworks

Why authorization is moving beyond static rules to dynamic, centralized access security

March 29, 2024
Follow us on

Our own CTO Atul Tulshibagwale recently joined the Identity Heroes podcast to discuss the evolution of identity frameworks and how to protect identities and data without slowing down business.

From pioneering the early days of SAML to inventing and publishing CAEP, Atul has a unique perspective on minimizing breach impact and data exfiltration through novel approaches to authorization. In this blog post, you’ll learn how identity frameworks and architecture have changed over the last 25 years — and the best approach for today’s authorization security needs.

In the beginning… there were Federated Identities and SAML

The federation servers and federated identities we take for granted weren’t always a given. In the early 2000s, Atul and fellow identity architects spent years promoting the idea of certificate-based user authentication. Using certificates on servers instead of on every user’s computer seemed far more practical. This realization gave birth to federated identity and the development of Security Assertion Markup Language (SAML), meeting the industry’s need for single sign-on using a cohesive, standards-based approach to identities.

SAML allowed for seamless, secure interoperability for identity information across various organizational domains, but it wasn’t embraced overnight. The notion of identities in one system accessing data in another was greeted with skepticism by many security leaders. But they couldn’t deny SAML’s potential to enable SSO capabilities across multiple systems for better integrated digital experiences. The concept first took off in the benefits space, where SAML enabled employees to access their 401(k) and insurance info without having to re-authenticate multiple times.

Static access reveals security limitations

While SAML streamlined the authentication process, its constraints for authorization use cases became apparent. Attributes, for example, added more context about the issuing party but lacked fine-grained authorization capabilities.

The traditional role-based access controls (RBAC) and access control lists (ACLs) cannot flexibly or dynamically represent the complex relationships that define real-world authorization policies. With RBAC, a misinterpretation between the role’s use in a particular application versus how it was actually defined creates policy violations. Creating multiple roles to compensate for this disconnect leads to permissions sprawl that’s impossible to manage. These common scenarios translate to static authorization struggling to scale alongside growing enterprise systems and user bases.

Over time, privileges assigned through roles often become misaligned with employees’ job functions. Manual reviews of access entitlements cannot detect these discrepancies promptly or reliably, leaving openings for unauthorized access.

The shift from static access to dynamic, centralized authorization

In the last few years, ID practitioners across industries have started openly acknowledging these shortcomings. With cyber attacks becoming more sophisticated, identity architects searched for authorization solutions as responsive and adaptive as the digital threats themselves.

The desire to externalize authorization decisions from individual applications and services drove the development of communication standards between identity providers and relying parties like OAuth 2.0 as well as OpenID Connect (OIDC). These frameworks enabled slightly more fine-grained access control, enhancing user experience without sacrificing security. Still, OIDC and OAuth 2.0 didn’t consider the context of why, when, and for how long users could access data. If a highly privileged identity was compromised, the blast radius of a breach could be significant.

In the beginning of 2019, Atul defined a mechanism called Continuous Access Evaluation Protocol (CAEP) to illustrate how limited authorization could be achieved by conveying updated attributes and contextual data between disconnected systems in real-time. CAEP (now called Continuous Access Evaluation Profile) addressed a critical authorization gap, and it started gaining traction at Google (Atul’s employer at the time) and Microsoft. Apple and Okta now support CAEP. At a recent Gartner IAM Summit in London, eight implementing organizations demonstrated their CAEP interoperability to showcase their enhanced security in front of potential customers and users.

While CAEP is still in its early stages, it’s clearly gaining steam. Luckily, organizations wanting to adopt CAEP will only need to augment — not completely replace — their identity tech stacks.

How to adopt a hybrid authorization model that reduces risk

Access security is never a one-size-fits-all approach, and CAEP is designed to co-exist with numerous identity frameworks. Atul recommends a hybrid approach to combine the strengths of tools like ACLs and RBAC along with CAEP.

Critical systems like your cloud infrastructure, for instance, will likely always have a small number of users on an ACL. RBAC will continue to provide birthright access to systems like Workday, where nothing more sophisticated is needed. Combining these traditional access controls with dynamic, centralized access can protect sensitive resources from data breaches while supporting dynamic business processes.

To start integrating CAEP into your authorization framework, make these small but crucial adjustments to your authorization criteria:

  • Evaluate vendors and prioritize those supporting open standards like CAEP for real-time authorization synchronization, or consider tools like CAEP Hub that adapt your existing tech stack to conform to CAEP
  • Consider centralized, graph-based access solutions that can ingest existing business systems data for flexible policy representation
  • Prioritize authorization maturity in roadmaps and see it as equally important to authentication capabilities
  • Show your technology organization and company leadership that authorization approaches must evolve to manage growing cyber threats proactively - along with the risks of maintaining status quo

At SGNL, we’ve built a dynamic, automated authorization platform that fully supports CAEP. Since frameworks alone can’t meet every use case, SGNL takes a hybrid approach by ingesting existing business data into a high-performance graph. This approach eliminates static rules and expresses authorization policies in language and terminologies that technical employees and business leaders alike can understand.

Check out the full episode for more on Atul’s insights into identity security.

Best practices and the latest security trends delivered to your inbox