Saturday, December 09, 2006
More Thoughts on Federated Authorization
The integrity and openness of Sun employees such as Pat Patterson is something that other software vendors should aspire to. In a recent blog entry on Federated Authorization he provides a scenario as to how it may conceptually work, but also how Sun uses it for their own benefit. He also mentions the SAML standard, how the SAML 2.0 profile supports XACML 2.0, and the simple fact that he is not aware of any commercial products that actually implement it. Maybe this is an opportunity for Sun to show some industry leadership by helping to converge authentication and authorization in a standards-based way. Hopefully, industry analysts that cover this space are listening.
I wonder what the folks from Sun think of Rajiv Gupta's (CEO of Securent) comments on the conversation around identity management. I would be happy if Pat also responded to him and hopefully engaged in a meaningful dialog in the blogosphere that we could all observe. Anyway, I am of the belief that there are other scenarios in terms of federated authorization that should be discussed, and therefore let's jump into some additional examples...
Let's say that I am an employee of the insurance giant AIG and Hank Greenberg just hired me to be King of IT and wants me to address some of the security problems that are frequently mentioned by our customers. There are two customers in particular whom we really want to focus our efforts on: Marsh and Aon, where I want to expose my systems to them via both portals and service-oriented ways. Of course I would love to declare not only support for identity via SAML and WS-Federation, but would also like to make the authorization models consistent between them. I would like to say that regardless of whether you use a portal or a web service, if you are from Marsh and you have been authorized by Marsh to perform quotes (more on this later), then both my Portal and ESB will behave exactly the same from a security perspective.
The notion of performing quotes in this scenario goes beyond simple name-value pair constructs and needs to take into consideration business information only known by Marsh. Since the law requires that the individual performing the quote have a license, I minimally need to understand this. I also understand that each and every state has its own licensing procedure and that every individual may not be licensed by every state. I also understand that even if I am licensed on a state-by-state basis, a state may still restrict me from selling certain products. So, I may be licensed to sell personal insurance (e.g. Auto and Homeowners) in the State of Kentucky, while in the state of Kansas I may not be allowed to sell this but can sell Life insurance.
So now that we have the business scenario out of the way, let's ask ourselves some questions:
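To make the quoting rule concrete, here is an added attribute-based policy decision point for the scenario above. It is example code written for this post, not code from Sun, Securent or any product, and the partner names, attribute shapes and licence pairs are all constructed. The partner (Marsh) asserts which (state, product line) pairs a user is licensed for, the way attribute statements would travel in a SAML assertion; AIG's side keeps a single `decide` function that the portal and the ESB would both call, so the two enforcement points cannot drift apart. Each decision also returns the reason and the asserting issuer, which is the record you would need to attest later that only licensed individuals issued quotes.

```python
"""Attribute-based decision point for the federated quoting scenario.

Hypothetical example: the decision logic, attribute names and partner
identifiers here are constructed for illustration and are not part of
any real product or standard profile.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Partners whose attribute assertions we trust (constructed sample values).
TRUSTED_ISSUERS = {"idp.marsh.example", "idp.aon.example"}


@dataclass(frozen=True)
class SubjectAttributes:
    """What the partner's identity provider asserts about a user."""
    issuer: str                                  # who vouches for the attributes
    user_id: str
    licenses: FrozenSet[Tuple[str, str]]         # (state, product_line) pairs


@dataclass(frozen=True)
class Request:
    """What an enforcement point (portal or ESB) asks about."""
    action: str                                  # e.g. "quote"
    product_line: str                            # e.g. "personal", "life"
    state: str                                   # two-letter state code


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    issuer: str                                  # kept for the audit trail


def decide(subject: SubjectAttributes, request: Request) -> Decision:
    """Deny by default; permit only when every rule is satisfied."""
    # Rule 1: attributes must come from a partner we actually federate with.
    if subject.issuer not in TRUSTED_ISSUERS:
        return Decision(False, "untrusted issuer", subject.issuer)
    # Rule 2: this policy governs quoting only; anything else is denied here.
    if request.action != "quote":
        return Decision(False, "action not covered by policy", subject.issuer)
    # Rule 3: the licence must match both the state and the product line,
    # because a state licence may exclude some product lines.
    if (request.state, request.product_line) in subject.licenses:
        return Decision(True, "licensed for product line in state", subject.issuer)
    return Decision(False, "no licence for this product line in this state",
                    subject.issuer)


def sample_subject() -> SubjectAttributes:
    """Constructed assertion matching the post's example: personal lines in
    Kentucky, life insurance (but not personal lines) in Kansas."""
    return SubjectAttributes(
        issuer="idp.marsh.example",
        user_id="alice",
        licenses=frozenset({("KY", "personal"), ("KS", "life")}),
    )


if __name__ == "__main__":
    alice = sample_subject()
    for req in (Request("quote", "personal", "KY"),
                Request("quote", "personal", "KS"),
                Request("quote", "life", "KS"),
                Request("bind", "life", "KS")):
        d = decide(alice, req)
        print(f"{req.action} {req.product_line}/{req.state}: "
              f"{'PERMIT' if d.permit else 'DENY'} ({d.reason}, via {d.issuer})")
```

The portal and the ESB would each build a `Request` from their own context and call `decide`; because neither embeds its own copy of the rules, a licence change asserted by Marsh changes behaviour in both channels at once.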
- From the enforcement point perspective, should the ESB also understand SAML/XACML? If so, should vendors such as Sun, Sonic, CapeClear, ServiceMix, Iona and others start incorporating the notion of policy enforcement points into their products?
- From an identity management perspective, I use one of the premier identity management platforms, which is great for provisioning and workflow. If I want to use WS-Federation and desire to keep attributes in ADAM, should all identity management platforms support it?
- Identity management as discussed to date has been about centralized provisioning and workflow, but not necessarily about understanding the authorization model of hundreds of enterprise applications. Should I stick with SAML for authentication at this point while requiring my partners to expose SPML interfaces in a federated way? If so, do products come with built-in support for SPML? How would workflow work in a federated scenario?
- Identity management platforms have been sold to help enterprises comply with SOX and have built-in attestation features. What if I exposed SPML, Marsh's system had the ability to call it from their own identity management system, and I stored the result in ADAM so that both my portal and ESB can access a centralized directory service, yet I still needed to know for compliance reasons that only licensed folks are issuing quotes to my system? How can I reuse the notion of attestation in a federated way?
Anyway, are these scenarios by any means a complete listing of what would truly add value to an enterprise, move identity management out of the compliance space into the business enablement space, and provide real business value? In a future blog entry, I will expand upon the enterprise perspective by also incorporating consumer-oriented requirements not yet discussed, in hopes that I could get folks at Microsoft to incorporate some of the thinking into Cardspace 2.0. It would be great to get Shekhar Jha, Johannes Ernst, Ash Motiwala, Bob Blakley, Chad Brown, Chris Ceppi, Dick Hardt, Jeff Katz, John Madelin, Justin Peavey and Josh Bregman to jump in with their thoughts on this important topic.
Anyway, I am glad that we are not only talking about successes but are able to openly reflect on where we need to go in the future and are game to tune accordingly. Hopefully, this posting will not result in a one-off response, but rather a larger dialog can occur.