LAS VEGAS, NV/IDENTIVERSE - May 28, 2023 - The OpenID Foundation AuthZEN Working Group announced today that leading authorization vendors successfully achieved conformance with the AuthZEN request/response protocol, a significant step in bringing interoperability and standardization to the authorization market. The industry leaders include 3Edges, Aserto, Axiomatics, Cerbos, Permit.io, Rock Solid Knowledge, SGNL.ai, Strata Identity and Thales, demonstrating their commitment to documenting common authorization patterns, defining standard mechanisms for communication between authorization components, and recommending best practices for developing secure applications.

Established through the OpenID Foundation, the AuthZEN Working Group’s focus is to tackle the complexities of authorization, to promote decoupling and externalizing authorization logic from applications, and to simplify the implementation of a robust authorization layer that can be edited and audited with ease within diverse application environments. With members from leading authorization vendors, the group aims to unify and standardize the way authorization decisions are enforced across varying platforms, with an initial focus on a specification that ensures interoperability and integration between policy enforcement points and decision points. This initiative draws on the expertise of leading companies in the security and authorization space, fostering a collaborative approach to enhancing the scalability and security of access control systems.

The AuthZEN Working Group is currently focused on three key areas to improve interoperability:

1. Defining a standard for the communication flow between policy enforcement points and policy decision engines.
2. Creating a standard for communicating access policies to policy decision points.
3. Identifying and documenting common usage patterns and recommended best practices.

The working group recently completed successful interoperability testing, which included a defined interop scenario in the form of a Todo application. Participating companies including 3Edges, Aserto, Axiomatics, Cerbos, Permit.io, Rock Solid Knowledge, SGNL.ai, Strata Identity and Thales achieved success in this testing.

The AuthZEN Working Group is open to all organizations committed to the goal of improving interoperability and standardization in authorization. For more information, visit https://openid.net/wg/authzen/ and https://authzen-interop.net/.

Quotes:

Gail Hodges, executive director for OpenID Foundation

"As more and more players offer externalized authorization, it is critical that we ensure safe and secure patterns across implementations. The OpenID Foundation led the standardization of authentication protocols with OpenID Connect and now, 10 years later, we are proud to host the AuthZEN working group as they seek to do the same for authorization."

Derek Small, co-founder and president for 3Edges

"The OpenID AuthZEN Working Group is tackling authorization challenges faced by organizations of every nature and size. Dynamic authorization is cataloging the rich authorization patterns that support authorization decisions between organizations and varying platforms. As this Working Group continues its mission to address interoperability and standards in support of authorization policies of today and those of the future, 3Edges remains committed to supporting the critical workings of the AuthZEN Working Group and to supporting this interop at Identiverse 2024.”

Omri Gazitt, co-founder and CEO for Aserto

"Interoperable authentication is mostly a solved problem, thanks to standards such as SAML and OpenID Connect. But we haven’t yet had our “OIDC moment” in the authorization space. The OpenID AuthZEN Working Group is the definitive effort to get us there, and Aserto is proud to be among the first vendors to adopt it."

David Brossard, chief technology officer (CTO) for Axiomatics

"Put simply, the goal here is to become the OAuth of authorization. We’ve taken the lessons learned from the past 15 years working to implement authorization for our customers along with the standardization efforts within OASIS XACML to produce an even simpler, more lightweight PEP-PDP protocol. Axiomatics is proud to support the work to facilitate integration between applications and externalized authorization services, raising the quality and security of authorization."

Alex Olivier, co-founder and chief product officer (CPO) for Cerbos

"Cerbos is a proud contributor and early adopter of the OpenID AuthZEN specification enabling external authorization portability. This standardization effort provides software builders with the confidence to adopt a more secure and scalable access control layer in their applications."

Or Weis, CEO for Permit.io

“Enterprises spend months and sometimes years struggling to apply authorization to their applications. Reinventing wheels due to the lack of standards in the space. At Permit.io, we’re excited to be early backers of the AuthZEN standard and its promise to unify simplicity across the landscape.”

Andrew Clymer, co-founder for Rock Solid Knowledge

"With many years of experience building single sign-on (SSO) solutions based on open standards, we are proud to support the AuthZEN Working Group in delivering open standards for authorization. As an early adopter of the draft standard, we are excited to make our .NET authorization engine, Enforcer, accessible to heterogeneous environments."

Atul Tulshibagwale, chief technology officer (CTO) for SGNL.ai

“The AuthZEN standard will be critical to achieving externalized management of authorization. SGNL is proud to have initiated standardization activity by contributing the first draft spec and is happy to participate in the interoperability event.”

Gerry Gebel, vice president of product and standards for Strata Identity

"Interoperability is a core capability needed for enterprises to securely deploy authorization services in complex environments comprised of systems from multiple vendors. Strata is honored to support the demo with the Hexa Policy Orchestration’s integration with Open Policy Agent (OPA). Identiverse is the logical place for this first interoperability demonstration to occur since the AuthZEN working group was founded based on meetings held at this event."

Bertrand Tavernier, vice president/chief technical officer for Thales (secure communication and information systems)

“Thanks to the support of the OpenID AuthZEN Working Group and leveraging our long-standing experience with the OASIS XACML standard, we were glad to demonstrate the capability of our AuthzForce solution to combine XACML policy expressiveness and versatility with the new, ultra-lightweight AuthZEN authorization API for the great benefit of customers, especially in edge computing environments.”

About the OpenID Foundation and the AuthZEN Working Group

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate.

The AuthZEN WorkingGroup is part of the OpenID Foundation and is focused on providing standard mechanisms, protocols, and formats to communicate authorization-related information between components within one organization or across organizations. The group's mission is to improve the deployment capabilities, scalability, and interoperability of dynamic, fine-grained authorization schemes to better meet the needs of modern information security best practices.