SaaS Framework

Named the Interoperability Profile for Secure Identity in the Enterprise (IPSIE), the concept is of an open standard which provides a framework for SaaS companies to enhance the end-to-end security of their products across every touchpoint of their technology stack.

Announcing it in October 2024, Okta CEO and co-founder Todd McKinnon said there is a “need [for] massive standardisation” and “move to a world where every app, every device, every workload all speak a common language”.

McKinnon said that by adopting IPSIE, users will get complete visibility into their identity environment and the threat surface, and they can provide access to the right applications at the right time and take real-time actions in response to threats.

Okta’s announcement stated that the point of IPSIE is to “foster a more open, consistent, flexible SaaS ecosystem by empowering organisations to adhere to a higher level of security, more seamlessly and efficiently integrating among tech stacks”.

This open standard will provide the framework for any enterprise application to be discoverable and governable. By adopting IPSIE, users will be able to gain complete visibility across the identity threat surface, enable consistent security outcomes across SaaS applications, and build secure-by-default SaaS applications more seamlessly and efficiently.

On that final point, Okta states that any app built to the IPSIE standard adheres to a higher level of security by ensuring that it can be governed, have entitlements managed, can support multi-factor authentication and posture management, as well as feature real-time Universal Logout.

Joining the cause

So far, 50 enterprise SaaS applications have joined the cause and integrated with IPSIE – including Google, Microsoft Office 365, Slack and Salesforce – to support modern identity best practices aimed at enhancing security and reducing operational burden.

Harish Peri, senior vice-president of product marketing at Okta, tells Computer Weekly that IPSIE is a way to ensure that every app and API conforms to a standard whereby its identity can be secure: “We are leading the way with the OpenID foundation, and we’re part of the working group for the creation of IPSIE interoperably profiled for secure identity of the enterprise.”

Far from working alone, Okta has enlisted members of the OpenID Foundation to create the IPSIE Working Group, which will develop profiles of existing specifications with a primary goal of achieving interoperability between independent implementations.

Gail Hodges, executive director of the OpenID Foundation, says that while the development of the IPSIE was initially getting off the ground in this first year, she felt the concept was “great”, adding: “I’m really encouraged as the foundation is moving more and more towards lining up specifications; like a lot of our work internally, they’re intended to kind of sync up with each other so that you could layer specifications on top of each other.

“I see the work of IPSIE and a group of subject matter experts looking to do exactly that – line up the specifications together. So there’s even more consistency in how those specifications are configured, so there will be even greater benefits of interoperability and security associated with deploying a more complex stack. I think it’s fantastic.”

Shiv Ramji, president of customer identity cloud at Okta, says the ultimate ambition with IPSIE is to “make it easy for customers to choose the right default path, which is to be secure, and I think they’ll do that if the value is clear to them, and, over time, it will be”.

The concept of IPSIE from Okta is to gain industry-wide adoption, but Ramji was keen to make the point that Okta is “one participant”, and if every participant adopts the standards, “we will deliver better security outcomes for the entire software as a service ecosystem”.

Universal Logout

One factor Ramji stressed is the support for Universal Logout. Okta describes this as a concept where you can terminate users’ sessions, and their tokens, for supported apps when your identity threat protection identifies a risk change.

Specifically, a user session is the time during which a user is authenticated and authorised to access apps secured by Okta, while an app session refers to sessions that an app generates to allow users to access the app’s resources. Universal Logout can be configured to terminate a users’ sessions in generic Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) apps.

Stephen McDermid, EMEA chief security officer at Okta, says the concept of Universal Logout will help to mitigate and minimise risks, “so that you’re not waiting for your SOC or your SIEM solution to respond in real time”.

He adds: “I think the fact that there’s talk about the risks that IPSIE is trying to address reassures me that we’re going in the right direction for us – and for other vendors as well. The more vendors we can get to agree to it, the better the solution becomes.”

This is why SaaS companies are integrating Okta’s software development kit, Ramji says, with companies now adopting this, “we’re changing the type of integrations that we do with these SaaS applications because we can do signal sharing”.

Integrations and other users

In terms of integrations, Ramji says there were more than 150 in April 2025, and users “are asking us what are the ways they can support the adoption of these standards”. Out of those 150 integrations, is this something that the customer can implement on their own, rather than waiting for Salesforce, for example, to do it, for them?

Ramji says if a user is using Auth0 today, they can switch IPSIE and Universal Login on and go into their Okta dashboard to enable the Universal Logout cable. “They have to enable it to opt in, as it’s an opt-in mechanism,” he says.

“It’s easy to turn it on. As we roll this out initially, a lot of this will be opt-in, and then over time we can look at ways to make that easier, or maybe look at other options, but for now, it’ll be opt-in.We don’t want behaviours in companies where their applications where users are being logged out without working it out, so this is a deliberate thing that they need to roll out.”

Peri says Okta’s largest existing customers asked, “How soon can you get all of our apps IPSIE-fied?”, and levels of IPSIE are being defined, but he adds that this is not an Okta-driven initiative or about asserting dominance, but “about doing the right thing for the industry, as the more people that are in it, the better is for everybody”.

Industry adoption?

So, how well will IPSIE be adopted? Computer Weekly contacted a number of other authentication suppliers to find out.

Chris Anderson, duo product CTO at Cisco, confirms that the firm had joined the IPSIE Working Group, which aims to develop profiles of existing specifications and achieve interoperability between independent implementations, stating: “While it’s still early days, we believe that interoperability across standards is key to greater success in identity security.”

Andras Cser, vice-president and principal analyst at Forrester, says that standards that anyone can implement, proposed by one supplier, generally “do not fare very well”, but with the backing of the working group and OpenID Foundation, could work out well.

He points at the example set by the FIDO Alliance, which “started out as a bunch of vendors coming together”. However, Cser believes that if IPSIE could follow FIDO’s lead, then it has a chance to work.

“The use case behind FIDO was a lot smaller than IPSIE, it was just authentication and second factor and biometrics, that was the design and try not to boil the ocean,” he says. “Single sign on, logout and token verification are largely resolved by SAML and OpenID, and there’s a scanner for those things.

“There’s also a very concrete and distinct use case behind sharing risk signals – there’s a new login from a new IP address, from a new device and that makes a lot of sense.”

He claims that single sign on, token revocation and logout have been resolved, while user lifecycle management, and while other areas are being addressed further down the line. He adds that IPSIE is trying to resolve things, “30% of which are not solvable in the security domain only, 60% are addressed by other standards, and 10% is the key part of what IPSIE is trying to do”.

Less than a year since its announcement, the conversations around IPSIE suggest it will take a long time to gain full traction and industry adoption, but there is persistent positivity on the side of Okta, its main supplier driver: the criticism comes from it being too broad and “putting everything in the kitchen sink”. Time will tell, but all revolutions need to start somewhere.