Saturday, December 31, 2005


Why Enterprise Architects should pay attention to Identity Management

I was busy googling today in hopes of closing out many of the thoughts I have had in 2005 regarding identity management when I ran across an interesting report from Gartner entitled Should You Leverage Your Existing MOM Infrastructure for Identity Management?, written by Roberta J. Witty, but sadly didn't get the opportunity to actually read it. The main problem is that every single analyst firm that covers the identity management space doesn't practice what it recommends to clients. Hopefully one of their New Year's resolutions will be to address the obvious, in-your-face rants that folks like me have...

Every single analyst firm is in the content management business, yet no one has been able to answer any of my inquiries in any depth about strategies for integrating federated identity into content management systems. Pretty much every analyst firm makes us dumb customers remember yet another ID and password. Why can't analysts simply allow content to be accessed not by handing me an ID, but by letting me trade SAML assertions or by exposing a service interface via SPML?

Dan Blum at the Burton Group has been busy researching all of my other questions, so he has an excuse, but I am not so sure about the other firms I interact with on a daily basis. Maybe before Burton Group's CEO Jamie Lewis creates another blog entry on federated identity, he will not only make his firm eat its own dogfood but also create a first-person case study on it that will be highly credible.

Anyway, let me get back to the Gartner document. She essentially gives away the story ending in the summary and states: Considerable domain-specific knowledge goes into designing an identity management system that makes the "whole" worth a lot more than the "sum of the parts." Buy your identity management product rather than build it yourself.

I am not sure that I agree with this hypothesis in all situations, but I figured there is merit in posting my opinion as well as asking questions of others. Let's start listing them out. The question on Message-Oriented Middleware is good, but it avoided one thing that is rarely discussed in terms of identity, and that is workflow. Pretty much every Fortune 1000 enterprise already has some form of workflow engine in its shop, which is a major component of identity management on the provisioning side. Why would an enterprise want to bring in yet another workflow engine that is relabeled in another context?

As far as message-oriented middleware goes, this implies that there may be services somewhere that I may want to talk to in a provisioning context. I assume that vendors are moving towards supporting SPML, but I have no idea which enterprise application vendors will be adding it to their suites. Could someone provide this information?

Another component would be connectors to directory services. Could someone tell me how many I need? One could logically assume one for each type of application or technology, but if I go down this path, ain't I really just making a bad situation worse? How about telling me that it may be better not to spread provisioning-type services all over my enterprise, and instead recommending that I consolidate identity stores?

If I wanted to consolidate identity stores, wouldn't Active Directory be a great place to do such a thing? What if I could get RACF to trust Active Directory? What if I could make all of my other enterprise applications not understand SPML at all, but instead have them consume XACML from a centralized policy server that binds against Active Directory? Maybe I shouldn't care about SAML at all, even though folks like Pat Patterson believe I should.

Maybe it really does make sense to buy one instead of attempting to piece together all the parts you already own. After all, no one has provided any form of identity management reference architecture, so I can't figure out best practices for putting all the pieces together. Maybe the only thing I object to is the word "buy". Why not use the word "acquire" instead, so that it would include open source product offerings?

Hopefully all of the analyst firms covering the identity management space have included open source products right next to commercial, proprietary, closed-source products. In my brief search in this space I have come across one product that feels like it could be of high quality. Does anyone have thoughts on Diamelle? If someone has a matrix that compares features side by side and can send it to me, it would be greatly appreciated.

Maybe I will install it on one of my lab servers in my basement so that I can familiarize myself with the product and then provide a briefing to Roberta? I have always been curious as to how vendor briefings actually work with analyst firms. Sitting on both sides of the table seems like an opportunity that shouldn't be passed up.

So as not to inject bias into the research community and adopt the practices that I so despise in others, the only fair thing I can conclude is that early next week I will work on establishing a quarterly briefing with any analyst firm that wants to engage in a two-way conversation. Treating all analysts as equals brings integrity to the research provided and sold to vendors.

Maybe clarity around identity will occur when Pat Patterson returns from vacation? He owes me a response to a previous blog entry entitled: Enterprise Perspectives on federated Identity. I hope he or another person from Project Liberty can respond shortly.

Another thing has been bothering me that I would really love for Kim Cameron to provide answers to. He may be able to provide insight that changes not only my thinking on buying an identity management solution but even my thinking about open source equivalents.

In looking at Microsoft documentation, they talk a lot about adding Workflow into the next release of Windows. Likewise, they are expanding the capabilities of the Microsoft Management Console. One could read into these two things and conclude that something very big is going to happen that could become troubling to other vendors in this space.

The Microsoft Management Console is how users are provisioned into Active Directory. If they connect the console to the workflow engine, then requests for user credentials may be routed via workflow. The workflow itself and the policies surrounding the approval process may be stored in group policy objects. If you combine this thought with my thinking on getting RACF to bind to Active Directory, then it gets really interesting. I hate to speculate or even start rumors, but I will defer to Kim to find someone within Microsoft who can point us all straight.

I do have a question for both Kim and Pat, though. I really would like to understand how they both believe the notion of workflow should work in the context of provisioning within a federation.
