Publication represents over 6 years of work from tens of companies
Today, the OpenID Foundation announced the approval and publication of the final specifications for the Shared Signals Framework (SSF), the Continuous Access Evaluation Profile (CAEP), and Risk Information Sharing and Coordination (RISC). This represents an important industry milestone in achieving continuous identity security.
SSF: The Shared Signals Framework provides a robust mechanism for asynchronous delivery of security event tokens (SETs). It also provides mechanisms for SET transmitters and receivers to negotiate event types, delivery mechanisms, and subjects, as well as to manage and verify the streams.
CAEP: The Continuous Access Evaluation Profile specification defines specific event types (i.e. types of SETs) that are useful in communicating changes to the live sessions that logged-in users have with the services they use. These events are sent and received using SSF.
RISC: The Risk Information Sharing and Coordination specification defines specific event types that are useful in communicating account security changes between services that share users. These events are sent and received using SSF.
Before CAEP was envisioned in a blog published by Google in February 2019, services that logged users in using a federated identity token had no way of learning about changes at the identity provider. To remedy this situation, they used one of three mechanisms:
CAEP (along with SSF) creates an asynchronous mechanism for such session changes to be communicated, not just between an identity provider and a service provider, but also between various other services that can impact the session state:
With CAEP, all parties that share the same user can communicate these changes asynchronously. This now makes continuous identity security possible because any change that impacts a user’s session anywhere can be instantaneously communicated to every system that needs to know about it.
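As an added illustration of the SET delivery described above (this is example code, not SGNL's or the OpenID Foundation's), the transmitter below emits an HS256-signed SET carrying a CAEP session-revoked event, and the receiver verifies it before acting on it. The shared key, issuer, audience, subject e-mail and jti values are constructed; the SET layout follows RFC 8417 and the CAEP session-revoked event type, and the HMAC key is a stand-in for the asymmetric key a real transmitter would publish.

```python
import base64, hashlib, hmac, json

# CAEP event type URI for a revoked session.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_session_revoked_set(key: bytes, issuer: str, audience: str,
                              email: str, jti: str, now: int) -> str:
    """Transmitter side: emit an HS256-signed SET carrying one CAEP event."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}  # 'typ' per RFC 8417
    payload = {
        "iss": issuer, "aud": audience, "iat": now, "jti": jti,
        "sub_id": {"format": "email", "email": email},  # RFC 9493 subject identifier
        "events": {SESSION_REVOKED: {
            "event_timestamp": now,
            "reason_admin": {"en": "Session revoked by administrator"},
        }},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def receive_set(key: bytes, token: str, issuer: str, audience: str, seen_jti: set) -> dict:
    """Receiver side: verify the SET and return its claims, or raise ValueError."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("not a SET or unexpected alg")  # refuse alg confusion / plain JWTs
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("events"), dict) or not claims["events"]:
        raise ValueError("SET must carry at least one event")
    if claims.get("jti") in seen_jti:
        raise ValueError("replayed SET")  # jti dedupe protects against re-delivery
    seen_jti.add(claims["jti"])
    return claims
```

Only after receive_set returns should the service look up the subject's sessions and terminate them; every rejection path above is worth logging, since a stream of bad signatures or replays is itself a signal.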
SGNL CTO, Atul Tulshibagwale, invented CAEP when he worked at Google. He has been a co-chair of the Shared Signals Working Group (SSWG) in the OpenID Foundation since the informal CAEP working group merged with the OpenID RISC working group to form the SSWG. Under his leadership and evangelism, SSF and CAEP have been adopted by leading companies including Apple, IBM, Jamf, Okta, Omnissa, SGNL and others. SGNL also operates the caep.dev website that offers resources for developers to test their CAEP implementations and to learn about these protocols.