Monday, January 05, 2009


Microsoft, Open Source and SPML

A while back, Jackson Shaw blogged on wiring up SPML to Active Directory. I am curious why Microsoft identity bloggers such as Mike Jones, Curt Devlin and others haven't noodled on why SPML isn't a core component of Active Directory...

Matt Flynn believes that SaaS vendors should support SPML and calls out SAP while ignoring vendors such as salesforce.com. Anyway, there are some special considerations when using SPML with a multi-tenancy application that should be discussed.

So, if I decide to put ActiveRoles, Oracle or Sun IDM in front of salesforce.com, I could support adding and removing users via a standards-based web services interface, but how do I define rules within these products that govern who is authorized to provision/deprovision and in what context?

For example, if I want to provision a user to salesforce.com, how do I "scope" the message such that the definition and fidelity of roles as I define them within my enterprise aligns with the outside world's definition? Does Gerry Gebel, Bob Blakely or others from Burton Group ever talk about how roles should work across enterprises?

Putting on my OWASP hat for a minute, I would also need to think that there is an entitlements problem in multi-tenant applications. It would be bad form if I could deprovision James Governor of Redmonk simply by sending a message to a SPML gateway. Ever notice that the documentation for these solutions doesn't necessarily account for entitlements?
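To make the two gaps above concrete (who may provision into which tenant, and how an enterprise's role names get translated into the application's own), here is an added example of the checks a multi-tenant SPML gateway would have to do before honouring a request. This is my own illustration, not code from any of the products or vendors named in this post. It assumes a hypothetical entitlement table (which calling provisioning system owns which tenant, keyed by the SPML `targetID`) and a hypothetical per-tenant role map; SPML defines neither, which is the point. The request messages are constructed and simplified (a `psoID` under `deleteRequest`/`addRequest`, with the enterprise's role carried in SPML's open-content `data` element under a made-up namespace), and the `(status, reason)` pairs are my own shorthand rather than SPML's response schema.

```python
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
EXAMPLE_NS = "urn:example:provisioning"   # constructed namespace for the role payload
NS = {"spml": SPML_NS, "ex": EXAMPLE_NS}


class SpmlGateway:
    """Toy provisioning endpoint in front of a multi-tenant SaaS application.

    entitlements: caller -> set of tenants (SPML targetIDs) it may manage (hypothetical)
    role_map:     tenant -> {enterprise role name -> application profile} (hypothetical)
    directory:    tenant -> {user id -> application profile} (constructed sample data)
    """

    def __init__(self, entitlements, role_map, directory=None):
        self.entitlements = entitlements
        self.role_map = role_map
        self.directory = directory if directory is not None else {}

    def _pso(self, xml_text, expected):
        """Return (root, user id, tenant) from a request, or raise ValueError."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SPML_NS}}}{expected}":
            raise ValueError("malformedRequest")
        pso = root.find("spml:psoID", NS)
        if pso is None or not pso.get("ID") or not pso.get("targetID"):
            raise ValueError("malformedRequest")
        return root, pso.get("ID"), pso.get("targetID")

    def _entitled(self, caller, tenant):
        return tenant in self.entitlements.get(caller, set())

    def delete(self, caller, xml_text):
        """Handle a deleteRequest on behalf of `caller`.

        The tenant entitlement check runs before the existence check, so a
        request aimed at another tenant learns nothing about which IDs exist there.
        """
        try:
            _, user_id, tenant = self._pso(xml_text, "deleteRequest")
        except (ET.ParseError, ValueError):
            return ("failure", "malformedRequest")
        if not self._entitled(caller, tenant):
            return ("failure", "notEntitled")
        users = self.directory.get(tenant, {})
        if user_id not in users:
            return ("failure", "noSuchIdentifier")
        del users[user_id]
        return ("success", None)

    def add(self, caller, xml_text):
        """Handle an addRequest whose <data> carries the enterprise's role name.

        The role is translated through the tenant's own map; a role the tenant
        never agreed on is refused rather than passed through verbatim.
        """
        try:
            root, user_id, tenant = self._pso(xml_text, "addRequest")
        except (ET.ParseError, ValueError):
            return ("failure", "malformedRequest")
        if not self._entitled(caller, tenant):
            return ("failure", "notEntitled")
        role = root.findtext("spml:data/ex:role", namespaces=NS)
        profile = self.role_map.get(tenant, {}).get(role)
        if profile is None:
            return ("failure", "unknownRole")
        users = self.directory.setdefault(tenant, {})
        if user_id in users:
            return ("failure", "alreadyExists")
        users[user_id] = profile
        return ("success", profile)


def spml_request(kind, request_id, user_id, tenant, role=None):
    """Build a constructed, simplified SPML request document (escaping handled by ElementTree)."""
    root = ET.Element(f"{{{SPML_NS}}}{kind}", requestID=request_id)
    ET.SubElement(root, f"{{{SPML_NS}}}psoID", ID=user_id, targetID=tenant)
    if role is not None:
        data = ET.SubElement(root, f"{{{SPML_NS}}}data")
        ET.SubElement(data, f"{{{EXAMPLE_NS}}}role").text = role
    return ET.tostring(root, encoding="unicode")


def build_demo_gateway():
    """Constructed sample: two enterprises' IdM systems, each owning one tenant."""
    return SpmlGateway(
        entitlements={"enterprise-a-idm": {"tenant-a"},
                      "enterprise-b-idm": {"tenant-b"}},
        role_map={"tenant-a": {"Sales Manager": "Sales Mgr Profile"},
                  "tenant-b": {"Analyst": "Standard User"}},
        directory={"tenant-a": {"alice": "Sales Mgr Profile"},
                   "tenant-b": {"james": "Standard User"}},
    )


if __name__ == "__main__":
    gw = build_demo_gateway()
    # Enterprise A's IdM tries to deprovision a user who belongs to tenant B: refused.
    print(gw.delete("enterprise-a-idm", spml_request("deleteRequest", "r1", "james", "tenant-b")))
    # Tenant B's own provisioning system is entitled to do so.
    print(gw.delete("enterprise-b-idm", spml_request("deleteRequest", "r2", "james", "tenant-b")))
    # A role tenant A never mapped is refused instead of being passed through.
    print(gw.add("enterprise-a-idm", spml_request("addRequest", "r3", "bob", "tenant-a", "CFO")))
```

The ordering of the checks is the design point: the gateway decides whether the caller is entitled to the target tenant at all before it looks at the user, so the answer to a cross-tenant request is the same whether or not the named identity exists, and the role map keeps the enterprise's own role vocabulary from leaking straight into the application's profile assignments.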

If salesforce.com allows an outside party to provision and de-provision identity, doesn't this raise many of the same issues as the discussion around federated identity? Should the Liberty Alliance have special guidance around SPML?
