Archive

Posts Tagged ‘adfs’

ghosts of the interscaler directory at #cat10; let’s do it!

There were a lot of points at Catalyst 2010 where Kim Cameron’s Interscaler, Federated Directory and Identity Schema came up in my mind, though went unmentioned by the speakers. I know I wasn’t alone, either. It was there like a ghost in every discussion. When Anil John spoke about Background Attribute Exchange (BAE), one of the first questions was about how to ensure schemas would be in sync. When Nishant Kaushik spoke about federated provisioning, again questions had everyone talking about how directories would be able to rely on attributes being “exchangeable” across domains. And when the folks from GM gave their talk the second or third question was about how they decided what attributes would be included in their avatar identities and which would not.

How does this move forward? I get dizzy when I look at all the standards bodies around identity. I’ve got a lot of energy to offer around this and don’t know where to push it. It’s not about a product or a vendor. I’d like to see this be an industry thing that everyone can benefit from.

Advertisements

#TEC2010 thoughts

Last week was #TEC2010. It was my second year at the event, and I was again stunned by the unique vibe it has. Since TEC is focused on education for the folks in the trenches of managing directories, the crowd is markedly different from many other events I attend. There were some senior management types around, mostly owing to the Microsoft centered nature of the event and their shops being very heavily Microsoft focused. The vast majority were people who architect, deploy and maintain directories, though. And it was far from just Microsoft directories. I heard every type of directory mentioned by the folks in the crowds, from RACF to Novell.

One of the main highlights for me was Conrad Bayer‘s keynote about Active Directory and the future of identity services at Microsoft. It was very refreshing to hear someone from the top of the technology food chain at Microsoft saying a lot of things that have been true for a while. Conrad directly acknowledged the breakdown in the concept of using structured hierarchy to represent the relationships between identities and organizations in today’s world. He also gave a nod to the difficulties there are with peer-to-peer federation approaches, though he said ease of use should mitigate that, which I do not agree with. He also pointed out the competitive advantage Microsoft sees in RMS when compared to other identity vendors. I found that odd, but very interesting. Lastly he called out that most clients he speaks with thinks that identity is one of the last things they would move to the cloud, which is something I hear a lot as well.

The other session I enjoyed very much was Brian Puhl‘s. Brian is from Microsoft’s own MSIT division and is in charge of identity services. As he put it, his job is “dog fooding” – using what Microsoft makes for Microsoft’s benefit. Likely the most notable thing about the entire presentation and discussion that followed to me was that the word authorization was in the title and never once did the term XACML make its way into the chatter. At points I got the feeling there was some very complicated mental gymnastics going on to avoid the idea that policy expression needs a platform and protocol. At one point Brian said point-blank “my hosting provider needs to give me a mechanism to express the complexity and facets of my required policies”. I almost coughed out “XACML”, but held it back. Two observation Brian made that struck me as totally true were that trust (and policy) often boils down to contracts and that key management is every bit as important and encryption itself. These are two lessons that only someone who has had to wrestle with lawyers or exotic devices’ key renewal protocols would be able to offer.

By far, the best part of the conference was speaking to the hundreds of fellow attendees – and this year I was thankfully just an attendee so I had no booth duty to distract from the fun. I had conversations with the world’s largest banks, small law firms, government affiliated agencies who remained nameless and everything in between. Every one of them had backlogs of issues they were looking to get ideas on, and the peer level advice flying around was worth it’s weight in platinum. If only there was a good way to bottle that – that would be something we could all use.

SAML vs LDAP to the death?

April 8, 2010 3 comments

…with tag team partners STS for SAML and the VDS (Virtual Directory Server) for LDAP?

So I’ve taken Jackson‘s advice and have been reading Microsoft’s “Guide to Claims-Based Identity and Access Control”. While most of it has been things I’ve heard before, the formulation of the ideas the way Microsoft wants to present them to their favorite audience, developers, is very interesting.

The thing that caught my eye and inspired a whole lot of conversation, lightbulbs for me and this post was a quote very early on:

“ADFS has a rule engine that makes it easy to extract LDAP attributes from the user’s record in Active Directory and its cousin, Lightweight Directory Services. ADFS also allows you to add rules that include arbitrary SQL statements so that you can extract user data out of your own custom SQL database. You can extend ADFS to add other stores. This is useful because, in many companies, a user’s identity is often fragmented. ADFS hides this fragmentation. Your claims-based applications won’t break if you decide to move data around between stores.” (from page 6)

Described like this, the STS sounds a heck of a lot like a VDS. So I asked many of the Quest big brains what they thought of the quote and what the quote made me think. I was quickly told that this was silly since the models for an STS and VDS are so different. Some of their points were:

  • STS is a push model where users show up at the applications with claims ready and VDS is a pull model where the application needs to go get the information
  • The VDS approach is about applications using data from multiple sources without modifying the application while the ADFS + WIF approach is about teaching the application to consume claims natively by modifying it
  • The STS and SAML approaches wraps the claims, the identity data, into the authentication operation while the VDS approach simply exposes a service for the application to use through the applications operations.

Somewhere in the midst of this discussion, a big gear clicked into place. I saw something I bet many, many have seen before – but it was new to me. Microsoft and Oracle were really going head to head in identity for applications. Yes, I know it’s hard to believe that Microsoft and Oracle would compete. But that does seem to be what’s happening. You see, the VDS had always been in this spot on my mental whiteboard between the applications and the multiple sources of identity data as an abstraction layer. The STS was somewhere on that mental whiteboard, but it wasn’t there. Now I’d been clearly shown that it could be moved in front of the VDS, or even be moved to replace the VDS. Of course, much depends on the use cases. The STS can’t really do everything the VDS does and vice versa. But I think it’s fair to say that Oracle is betting on people like me who see with an application architect’s eye and try to make the current generation of revenue generating applications do their work better and faster. Microsoft is betting on it’s excellent developer community and credibility to propel the next generation of all applications into a claims based, STS dependent world.

That battle would seem to pit SAML and LDAP against each other, each with one of the largest tech giants in it’s corner. In reality, I doubt it will be anything so dramatic. But before this conversation, I didn’t even see the potential for that battle. It’s amazing how many latent hostilities to some approaches seem clear to me now. I don’t even think some of the people who were hostile realized why. But there are deep mechanisms at work in the respective communities involved that are forming opinions that will likely solidify into “Linux vs Windows Server” style opinion wars soon enough. Here I thought all this good will about interoperability in identity could last forever. Silly me.

Federated identity graphic (SAML, OpenID, WS-*, more…)

January 26, 2010 Leave a comment

I’ve got an idea in my head I can’t shake. I’d like to make a picture that will display as simply as possibly the whole landscape of “federation”. Right away, it runs into problems because that world does not adequately capture the space anymore. The term federated identity seems better. Every major identity project I’ve come upon in the last 6 months has had a “federation” component. Some are looking to ease bringing in new users via M&A. Some are thinking about people visiting their public websites. The only thing they all seem to have in common is they are all very confused about their options. The confusion is not surprising. There are so many options. Many of the Microsoft centered clients that Quest sees on a regular basis are thinking about ADFS and Geneva (most still call the whole Microsoft next generation federated identity Geneva even thought they are aware it has it’s new official set of names). Everyone is talking about SAML and many about OpenID. So my thought was to make a picture to use as a discussion tool. Love to get thoughts here or at @jonathansander. My first, rough attempt is here:

%d bloggers like this: