Open Standards by Themselves Do Not Save You from Vendor Lock-in

Ishara Karunarathna
Published in The Startup
4 min read · Jun 22, 2020

In the Identity and Access Management (IAM) domain, open standards have become foundational. Every established IAM vendor advertises its support for, and compliance with, open standards. But because open standards are a commodity, nobody gains a competitive advantage merely by implementing them, so the vendors are in a continuous race either to contribute new standards or to be the first to implement existing ones.

Customers, on the other hand, have to plan for the divorce before the marriage, driven by the fear of vendor lock-in. During the evaluation phase we assess how easily the product could be replaced, alongside criteria such as the ability to implement our use cases, price and performance. Here, without any debate, open standards help. For example, if you want to implement SSO using OpenID Connect, you can check the OIDC certification page [1], pick a few certified IAM vendors such as Auth0, ForgeRock, Ping Identity or WSO2 Identity Server, and any of them will fit the use case. The same client application can then work with all of these products by changing only its configuration. Likewise, for an identity provisioning use case you can pick from the SCIM-compatible implementations listed in [2].

This is not limited to IAM; think about your mobile phone. You no longer worry about the charger, because you can use any USB-C cable, even the one that came with a MacBook Pro (let's forget about the iPhone for now). This is the beauty of open standards: they make integration easy and reduce vendor lock-in. For more on the benefits of open standards, see [3].

So, are you going to say that open standards make you free from vendor lock-in?

Hmm... where is the phone you bought a few years ago, and how do you charge it? Probably with a micro-USB cable, because that was the popular standard at the time. Open standards continue to evolve over time, so migrating or changing vendors after a few years is still challenging: the version of the standard you integrated against may no longer be the one the market supports.

Consider again the OIDC login use case from the vendor evaluation phase. There we probably used the standard request and response formats exactly as specified, and the ID token returned in the OIDC response is a JWT carrying the standard set of basic claims (issuer, subject, audience, expiry and so on). If that were all an application needed, we could claim that open standards keep you from locking in to the selected vendor.

In reality, that is rarely the case. Even with the standard OIDC flow you will usually need a different claim set, driven by business needs (group memberships, department codes, tenant identifiers and the like). Obtaining these claims often means not just changing configuration but extending the core product, and the underlying information may be stored in a vendor-specific schema. The moment your application reads those claims by their vendor-specific names, it is coupled to that vendor even though the login flow itself is standard. This is a simple example of how IAM use cases go beyond basic open-standards-based integration.
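One practical way to limit that coupling is to keep the standard claims and the vendor-specific claims apart in the application, with a single mapping table per issuer. The Python below is an added example, not code from this article or from any of the vendors it names. The two issuers, their claim names, the audience and the shared secret are all constructed; HS256 is used only so the example runs offline with the standard library, whereas real providers sign ID tokens with asymmetric keys published through their JWKS endpoint, which you would verify with a proper JOSE library.

```python
import base64
import hashlib
import hmac
import json

# Claims defined by OpenID Connect Core 1.0 for the ID token. These are the portable part.
STANDARD_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "acr", "amr", "azp"}

# Vendor-specific claim names keyed by issuer, mapped to the application's internal schema.
# Both issuers and all claim names here are constructed for this example. On a vendor change
# this table is what you edit; the code that consumes the internal claims does not move.
CLAIM_MAPS = {
    "https://idp-a.example.com": {
        "groups": "https://idp-a.example.com/groups",  # namespaced custom claim
        "dept": "dept_code",
    },
    "https://idp-b.example.com": {
        "groups": "roles",
        "dept": "department",
    },
}

APP_AUDIENCE = "my-app"                      # constructed client_id
NOW = 1_700_000_000                          # fixed clock so the example is deterministic
SECRET = b"constructed-shared-secret"        # HS256 stand-in for a real provider's RS256 key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an ID token the way a test issuer would (HS256 so the example runs offline)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, expected_aud: str, now: int) -> dict:
    """Check signature, pinned alg, known issuer, audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in CLAIM_MAPS:
        raise ValueError("unknown issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def normalize(claims: dict) -> tuple:
    """Split verified claims into the standard (portable) set and the internal schema."""
    mapping = CLAIM_MAPS[claims["iss"]]
    standard = {k: v for k, v in claims.items() if k in STANDARD_CLAIMS}
    internal = {}
    for internal_name, vendor_name in mapping.items():
        if vendor_name not in claims:
            # Fail closed: a missing authorization claim must not silently become "no groups".
            raise KeyError(f"{claims['iss']} did not issue {vendor_name!r} (needed for {internal_name!r})")
        internal[internal_name] = claims[vendor_name]
    return standard, internal


def demo() -> dict:
    """Two constructed tokens for the same user from two issuers; internal claims keyed by issuer."""
    base = {"sub": "user-42", "aud": APP_AUDIENCE, "iat": NOW, "exp": NOW + 300}
    tokens = [
        sign_hs256({**base, "iss": "https://idp-a.example.com",
                    "https://idp-a.example.com/groups": ["admins"], "dept_code": "R&D"}, SECRET),
        sign_hs256({**base, "iss": "https://idp-b.example.com",
                    "roles": ["admins"], "department": "R&D"}, SECRET),
    ]
    results = {}
    for token in tokens:
        claims = verify_hs256(token, SECRET, APP_AUDIENCE, NOW)
        _, internal = normalize(claims)
        results[claims["iss"]] = internal
    return results


if __name__ == "__main__":
    for issuer, internal in demo().items():
        print(issuer, "->", internal)
```

Both tokens yield the same internal claims even though the vendors name them differently; swapping vendors means adding one entry to `CLAIM_MAPS` rather than touching every authorization check. Note that the mapping only covers claim names: if the new vendor cannot produce the same values (say, it has no notion of a department), the migration problem the article describes is still there, and `normalize` fails closed rather than granting access on an empty claim.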

As the CEO of Microsoft, Satya Nadella, put it: “Every company is a software company. You have to start thinking and operating like a digital company. It’s no longer just about procuring one solution and deploying one. It’s not about one simple software solution. It’s really you yourself thinking of your own future as a digital company.”

Open standards are the foundation, but open standards alone do not free you from vendor lock-in. Therefore, here are a few other things you need to consider.

Ownership and knowledge of the extensions

More often than not you will extend the core capabilities of the product to cater to unique business needs. If you clearly understand and own these extensions (the source, the build, the documentation and the reasons behind them), you can move away at any point and re-implement the same behaviour in a new system. Most vendors keep this knowledge within their own team, and that locks you into the platform even though you rely on open standards.

Know the product implementation inside out

Beyond the IAM integration point, there is a lot to do inside the product to complete a use case: different authentication mechanisms are configured, authorization policies may be engaged, approval processes and provisioning mechanisms are used, and the deployment has to be done in a specific way to achieve a specific use case. If the system is alien to you as a customer, it is very hard to move away or migrate. So make sure your internal development team has expertise in the product you are using. They need not master every corner of a third-party product, but they should at least be familiar with the flows you actually use.

Open Standards + Open Source

As discussed, open standards alone may not free you from vendor lock-in, but open standards plus open source can. Open standards lay the foundation, and open source gives you all the insight you need into the vendor you have selected, including the extensions and the storage schema behind the standard interfaces, which eventually frees you from vendor lock-in. Want to learn more about open source IAM? Check out my blog post debunking popular myths about open source IAM.

[1] https://openid.net/certification/

[2] http://www.simplecloud.info/#Implementations2

[3] https://open-stand.org/5-reasons-open-standards-are-essential-to-application-development/
