Nishant Kaushik wrote a post entitled "Is AD really the dominant Identity Store out there?". Of course, I will attempt to provide additional perspective...
Let's analyze Nishant's post:
Obviously our opinions are shaped by our experiences. My experiences, coming from the provisioning world, would be different from James or Jackson's. In a lot of the projects we were involved in, AD was a downstream repository, a target of the provisioning system and not the source of identity data. That was usually an HR system or, more often, a Sun directory. Most of the time, the provisioning system would push the bare minimum attributes to AD to enable the Windows environment to work.
Nishant, let's consider for a moment that we both agree that every Fortune 500 enterprise has Active Directory (Sun is the oddball) in production. Can we also acknowledge that those not in the Fortune 500, like the medical practice down the street from my house filled with twenty doctors, also have Active Directory but probably don't have a provisioning system? The ecosystem is made up of more than just large enterprisey customers who purchase Sun directories and store on Sun servers. If we look at the numbers holistically, we can probably conclude that Active Directory outside of the Fortune 500 is even more pervasive than what you have outlined.
Again, when James asks about practical futures, my hope is that the future eliminates all such arguments about directories and metadirectories by having applications code against Identity Services APIs, like the IGF APIs or the Higgins IdAS APIs. James asked what we at Oracle are doing to help application developers. Clayton mentioned our work on the IGF, and the APIs that are being defined as part of it that eliminate the need for application developers to have to worry about LDAP, instead providing simple APIs that use a provider model to get the data from where it needs to.
Education isn't just making APIs available but requires actually interfacing with developers. If I were to compare/contrast Microsoft to Oracle, I would say that Oracle's model of interaction tends to be with Architects in large enterprises and the CIO while Microsoft does the CIO, the architects and holds lots of developer forums where they teach developers how to write code. On our side of town, we have a Microsoft Developer Evangelist who rocks. His name is Allan De Costa Pinto, whose sole job it is to interact with developers and teach them how to write better code. He travels from enterprise to enterprise at no charge and with no goal of selling (at least directly). Will Oracle create an equivalent?
And I have joined the Burton Group's Identity Services Working Group (now that it is open to vendors), where I hope to work with the community to help advance the concepts and reality of Identity Services. Hopefully, soon, this will be a question that nobody will need to ask any more.
Burton Group is one of my most favored analyst firms, yet when I read about this notion in this context, I am unimpressed. The ability of an identity product manager to join a group with other identity product managers isn't that interesting. Consider that if I want to know about security products, I can call up Bob Blakley, Gerry Gebel, etc. But what happens if I want to understand which ECM products, whether it be Documentum, Alfresco or Nuxeo, implement modern identity? Would those analysts have a clue? I don't want to hear just about identity products and APIs, I do want to hear how they are going to be baked into BPM, ECM, ESB, CRM, ERP above and beyond what Oracle shares.
By the way, why is it that architectural purists don't ask when Microsoft will make it possible for Windows environments to work against any directory and not just AD, but Oracle Applications must support directories other than OID?
I think the answer to this question is simple in that the answer is not driven by purity but the odds are very likely that they are driven by economics. Nishant, if I had a scenario where I wanted to put five million users into Active Directory (let's assume that only 10 people will be concurrent) what would the costs be? If I had decided to put this into a Postgres database and put Oracle Virtual Directory on top, what would the costs be? If I decided to use Sun One Directory, what would the costs be? Nishant, it would be interesting if you used list prices for each and shared your perspective as to total cost of ownership...
In the end, both Microsoft and Oracle are wrong to push proprietary stores into deployments, contributing to the mess we have.
It is good to see transparency of response and at some level Kim Cameron has admitted the same, but what I don't understand is whether Oracle believes that putting support for Information Cards within enterprise applications repeats the same form of coupling that occurred with LDAP?