No one knows how to make a big proclamation in the identity world like Kim Cameron. His keynote at #eic10, the Kuppinger Cole European Identity Conference for 2010, was no disappointment. Kim reviewed his ideas for the “Federated Interscaler Directory”, which was often misquoted as saying “Interstellar”. The basic idea was to “extend” the current ubiquitous Active Directory platform to hold a more flexible framework for relationship expression, policy enforcement and other elements that directories of today are missing. While adding all that, this new directory platform should also scale, in the sense that it could administer millions of identities, as well as support advanced features like federation, token translation and other things that are clearly becoming part of next gen identity.
On it’s surface, that all sounds nice. But it also sounds dangerous to me. One other theme at #eic10 throughout many talks, and something Kim even said during his, was that we shouldn’t want identity systems to be monolithic (he said so in reference to the ability to federate with other IdP’s outside the directory itself). But the system Kim described and the picture he used to illustrate it looked pretty monolithic to me. A lot of what he described is possible today already with a loose federation of platforms from many vendors and open source projects. You can enforce all the policy you need with a XACML authorization engine and properly tooled interfaces and proxies for applications and providers. You can manipulate schemas and the objects they serve up as needed with virtual directories. If Microsoft were to make AD into one big solution for all that, then the biggest differentiator would be having its monolithic status versus the loose coupling of many other components. I tend to be a fan of loose couplings, but I’ll keep the jury out until I see more from Kim.
One thing that I really liked was Kim’s call for everyone to work together on a common identity schema. It’s not the first time he’s done so. At PDC he made a great presentation that described the same idea in much greater detail [link to the PPTX Powerpoint file from PDC]. A project of this kind, if well done, could solve many, many interoperability and operational challenges in the identity world. So much time is spent now negotiating, either in research or in calls at run time, to figure out what attributes and properties of an identity are available. If there were a completely standard schema and a means to publish it easily, then that goes away.
I’ll have more thoughts from the conference later. For now I’m going to put on my space suit and leave the Microsoft ship and hope Kim hasn’t locked the bay doors when I get back.
…with tag team partners STS for SAML and the VDS (Virtual Directory Server) for LDAP?
So I’ve taken Jackson‘s advice and have been reading Microsoft’s “Guide to Claims-Based Identity and Access Control”. While most of it has been things I’ve heard before, the formulation of the ideas the way Microsoft wants to present them to their favorite audience, developers, is very interesting.
The thing that caught my eye and inspired a whole lot of conversation, lightbulbs for me and this post was a quote very early on:
“ADFS has a rule engine that makes it easy to extract LDAP attributes from the user’s record in Active Directory and its cousin, Lightweight Directory Services. ADFS also allows you to add rules that include arbitrary SQL statements so that you can extract user data out of your own custom SQL database. You can extend ADFS to add other stores. This is useful because, in many companies, a user’s identity is often fragmented. ADFS hides this fragmentation. Your claims-based applications won’t break if you decide to move data around between stores.” (from page 6)
Described like this, the STS sounds a heck of a lot like a VDS. So I asked many of the Quest big brains what they thought of the quote and what the quote made me think. I was quickly told that this was silly since the models for an STS and VDS are so different. Some of their points were:
- STS is a push model where users show up at the applications with claims ready and VDS is a pull model where the application needs to go get the information
- The VDS approach is about applications using data from multiple sources without modifying the application while the ADFS + WIF approach is about teaching the application to consume claims natively by modifying it
- The STS and SAML approaches wraps the claims, the identity data, into the authentication operation while the VDS approach simply exposes a service for the application to use through the applications operations.
Somewhere in the midst of this discussion, a big gear clicked into place. I saw something I bet many, many have seen before – but it was new to me. Microsoft and Oracle were really going head to head in identity for applications. Yes, I know it’s hard to believe that Microsoft and Oracle would compete. But that does seem to be what’s happening. You see, the VDS had always been in this spot on my mental whiteboard between the applications and the multiple sources of identity data as an abstraction layer. The STS was somewhere on that mental whiteboard, but it wasn’t there. Now I’d been clearly shown that it could be moved in front of the VDS, or even be moved to replace the VDS. Of course, much depends on the use cases. The STS can’t really do everything the VDS does and vice versa. But I think it’s fair to say that Oracle is betting on people like me who see with an application architect’s eye and try to make the current generation of revenue generating applications do their work better and faster. Microsoft is betting on it’s excellent developer community and credibility to propel the next generation of all applications into a claims based, STS dependent world.
That battle would seem to pit SAML and LDAP against each other, each with one of the largest tech giants in it’s corner. In reality, I doubt it will be anything so dramatic. But before this conversation, I didn’t even see the potential for that battle. It’s amazing how many latent hostilities to some approaches seem clear to me now. I don’t even think some of the people who were hostile realized why. But there are deep mechanisms at work in the respective communities involved that are forming opinions that will likely solidify into “Linux vs Windows Server” style opinion wars soon enough. Here I thought all this good will about interoperability in identity could last forever. Silly me.
Many are talking about a surprising move by Microsoft, buying Sentillion. The press release doesn’t say it all, that’s for sure. My esteemed colleague, Mr. Shaw, asks some very interesting questions. I think some of the answers are right there in the discussions. More of the tweets I’ve seen so far (as of 2:30pm EST on 12/10/2009) use terms like Microsoft buys a “Healthcare Software” company. And, as @jacksonshaw points out, the acquisition was driven from the haelthcare division at Microsoft. It is entirely possible that the FIM team found out exactly when we did. I doubt this because I’ve always seen Microsoft as being a bit better at internal communications than most vendors their size, but things like that are very common in very large companies.
Also very common in larger firms are duplicate offerings across different business units. And so maybe having more than one provisioning offering is not going to be as painful as it may seem at first blush. After all, how many forms of HR application does Oracle sell right now? And that’s a core piece of corporate plumbing, not just an IT infrastructure component.
I’ve never seen Sentillion outside the healthcare niche, though I’m sure they are to some degree. They always posed the biggest threat when context management (in the CCOW sense) was a big part of the requirements. Most of these healthcare RFPs I’ve seen have been more about context than SSO. So it seems to make sense to me that the healthcare folks at Microsoft would want this in their bag as a way to capture more of their clients’ attention and budget.
My bet is that this is going to stay very healthcare focused – simply due to resources required for transition. Focus is a struggle during any transition. Adding another business unit (IDA) into the mix would be asking for trouble.
And, to finally arrive at the point in the title, the WIF focus has all been on federation. There is a definite tension between ESSO and federation. If you have the problems handled with ESSO, why spend the money and time on getting applications federation ready? So there is likely some tension there that will need some thinking through before making any attempt to glue these offerings together. Though I’d like to be a fly on the wall when someone asks Microsoft if they would support a WIF federation approach or an ESSO approach for a mid sized company if both reps with Sentillion and WIF in their bags are in the same room. That would be a fun few moments of silence…