Monday, September 04, 2006


What Thought Leaders aren't telling you in the space of Federated Identity...

The conversation about federated identity, and identity management in general, has been cordial amongst many of the thought leaders but is otherwise insufficient for many industry verticals to adopt. Figured I would share why the conversation, as it stands, won't work for my own vertical...

I am hopeful that folks will not just think about federated identity in the context of the functionality that the industry thought leaders provide, but also about where their products may fall down when you try to implement your own strategy for your own business. Anyway, if one or two not only chime in on my comments but the conversation in the blogosphere changes to not only acknowledge these problems but brainstorm solutions to them, I will consider this effort of discussing problems in my own vertical in the public light successful.

If you are new to this topic, please also consider checking out the following bloggers:

Let's start with the basic discussion of identity management within large enterprises. The notion of having a tool to support provisioning/de-provisioning, attestation, etc. in the context of complying with SOX has been talked about to death. What hasn't been discussed is how role-based engineering should occur within the enterprise before that undertaking starts. That part of the conversation assumes that one can simply take the HR / organization chart hierarchy and use it as the model. While this works for most situations, it doesn't account for protection and recertification of applications whose access is team-based rather than hierarchy-based.

There are products that help an enterprise discover better models for roles, including Eurekify and Vaau, but no one has provided guidance on what to do with such a tool, any form of best practices, nor even anti-patterns in terms of role discovery. You may note that you cannot even find a feature comparison between these two vendors from an independent source. One should also ask what interfaces the identity management tools from Sun, Oracle, HP, CA, etc. should expose to the role-based engineering tools so that an enterprise could run what-if scenarios.

In my own travels, I have found that the name Sena Systems comes up a lot in terms of having deep consulting expertise in this space. Other than the large Big Four spinoffs, I have got to think that there are other competent consulting firms with depth in identity management? Do the thought leaders know of any?

There is a connection between provisioning and entitlements that also doesn't seem to be discussed. What is occurring today is that identity management projects are usually run by infrastructure-oriented folks within enterprises who do not have knowledge of how the applications are structured. If an enterprise hopes to have a viable strategy, it needs to separate provisioning of basic identity from the authorization model used within enterprise applications. The best thinking says that authorization models should stay within the domain of the application areas, yet be exposed in a standards-based way. If it isn't done in this manner, the infrastructure folks are headed down a very painful road. Imagine attempting to get the guys in the data center to understand, say, 500 different application authorization models, where zero point zero of them are consistent with each other, in order to do meaningful provisioning. This really does call for a conversation about how SPML and XACML (or something similar) fit together here.

In terms of federated identity, the conversation has not addressed other problem spaces, especially for regulated industries. Within my vertical there is the notion of collusion, which means that companies can't simply start solving business-oriented problems together and deal with the outcome by writing a thoughtful CP/CPS. So the problem with the conversation starts right out of the gate. I think if some of the thought leaders could collaborate with several industry analysts and write a white paper on best practices for community formation, we might see more successes.

The conversations held by many folks, whether from the digital certificates space such as the Pharma guys and their SAFE initiative, or from members of the Liberty Alliance, are still centered around all participants agreeing on one and only one credential. Shouldn't identity be more important than credential discussions? Why can't I have a federation where one member speaks SAML while another speaks WS-Federation?

Role-based engineering isn't limited to the internal workings of the enterprise, but you may be led to that conclusion by the fact that most folks are only doing identity assertions in federations, with very little attribute assertion happening. Even those who are doing attribute assertion are doing it with simple name-value pairs. We know that XACML can fit nicely into SAML 2.0 to exchange deeper role constructs across enterprises, which is vital to our vertical. For example, someone may be licensed to sell a product in one state for a particular line of business but may also be licensed to sell a different product in a different state. We have to respect and, more importantly, consume the external roles that folks play, and those roles don't fit into name-value pairs: flattening them into independent "product" and "state" attributes loses the pairing and grants combinations the person was never licensed for. A conversation on role-based engineering that uses a harder vertical as its example (stop with the simple ones) may be in order.
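The following is an added example, not code from the original post, illustrating the two points above: the identity provider asserts attributes, the application keeps and evaluates its own authorization model, and flat name-value attributes over-grant where structured role values do not. The SAML assertion namespace is the real SAML 2.0 one; the license attribute namespace `urn:example:insurance:license`, the attribute names and the sample licenses are constructed for illustration, and the two `decide_*` functions stand in for the application-owned policy engine (the role an XACML PDP would play), not a real XACML implementation.

```python
"""Flat name-value attributes vs. structured role values in a SAML 2.0
AttributeStatement. Added example; the namespace urn:example:... and the
sample licenses are constructed, not from any real federation."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # real SAML 2.0 assertion namespace
LIC = "urn:example:insurance:license"            # hypothetical attribute namespace
ET.register_namespace("saml", SAML)
ET.register_namespace("lic", LIC)

# Constructed sample: the agent holds two distinct licenses. Note that
# term-life/NJ and auto/NY are NOT licensed combinations.
LICENSES = [
    {"product": "term-life", "state": "NY", "lob": "life"},
    {"product": "auto", "state": "NJ", "lob": "property-casualty"},
]


def flat_statement(licenses):
    """IdP side, common practice: one multi-valued attribute per field.
    The binding between product and state is lost on the wire."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for field in ("product", "state"):
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=f"{LIC}:{field}")
        for lic in licenses:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = lic[field]
    return stmt


def structured_statement(licenses):
    """IdP side, structured: each license is one AttributeValue carrying an
    XML element, so product, state and line of business travel together."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=f"{LIC}:license")
    for lic in licenses:
        val = ET.SubElement(attr, f"{{{SAML}}}AttributeValue")
        ET.SubElement(val, f"{{{LIC}}}License", attrib=lic)
    return stmt


def roundtrip(stmt):
    """Serialize and re-parse, as the statement arrives at the relying party."""
    return ET.fromstring(ET.tostring(stmt))


def decide_flat(stmt, product, state):
    """Application-side policy over flat attributes. All it can ask is whether
    each value appears somewhere, so it matches any product with any state."""
    values = {}
    for attr in stmt.findall(f"{{{SAML}}}Attribute"):
        field = attr.get("Name").rsplit(":", 1)[1]
        values[field] = {v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")}
    return product in values.get("product", set()) and state in values.get("state", set())


def decide_structured(stmt, product, state):
    """Application-side policy over structured values: the pairing survived
    the wire, so only an actual license matches."""
    return any(
        lic.get("product") == product and lic.get("state") == state
        for lic in stmt.iter(f"{{{LIC}}}License")
    )


def demo():
    """Return {(product, state): (flat decision, structured decision)}."""
    flat = roundtrip(flat_statement(LICENSES))
    structured = roundtrip(structured_statement(LICENSES))
    cases = [("term-life", "NY"), ("auto", "NJ"), ("term-life", "NJ"), ("auto", "NY")]
    return {c: (decide_flat(flat, *c), decide_structured(structured, *c)) for c in cases}


if __name__ == "__main__":
    for case, (flat_ok, structured_ok) in demo().items():
        print(f"{case}: flat={flat_ok} structured={structured_ok}")
```

Run it and the two unlicensed combinations come back permitted under the flat encoding and denied under the structured one; the decision logic never left the application, and the infrastructure side only had to carry the assertion, which is the division of labour argued for above.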

My final rant (at least for today) is aimed at Dick Hardt of SXIP. It is a wonderful thing to push approaches that put consumers in the middle instead of us large enterprises. Other than adopting your tools and the protocols they implement, how about telling us enterprise folks what other things we need to consider...
