…with tag team partners STS for SAML and the VDS (Virtual Directory Server) for LDAP?
So I’ve taken Jackson’s advice and have been reading Microsoft’s “Guide to Claims-Based Identity and Access Control”. While most of it has been things I’ve heard before, the formulation of the ideas the way Microsoft wants to present them to their favorite audience, developers, is very interesting.
The thing that caught my eye and inspired a whole lot of conversation, lightbulbs for me and this post was a quote very early on:
“ADFS has a rule engine that makes it easy to extract LDAP attributes from the user’s record in Active Directory and its cousin, Lightweight Directory Services. ADFS also allows you to add rules that include arbitrary SQL statements so that you can extract user data out of your own custom SQL database. You can extend ADFS to add other stores. This is useful because, in many companies, a user’s identity is often fragmented. ADFS hides this fragmentation. Your claims-based applications won’t break if you decide to move data around between stores.” (from page 6)
Described like this, the STS sounds a heck of a lot like a VDS. So I asked many of the Quest big brains what they thought of the quote and what the quote made me think. I was quickly told that this was silly since the models for an STS and VDS are so different. Some of their points were:
- The STS is a push model, where users show up at the application with claims ready; the VDS is a pull model, where the application needs to go get the information.
- The VDS approach is about applications using data from multiple sources without modifying the application, while the ADFS + WIF approach is about teaching the application to consume claims natively by modifying it.
- The STS and SAML approach wraps the claims, the identity data, into the authentication operation, while the VDS approach simply exposes a service for the application to use through the application’s own operations.
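To make the push/pull contrast concrete, here is an added example (mine, not the author’s, and not ADFS or any VDS product code) that simulates both models over the same two fragmented stores the quote describes: an AD/LDAP-style record and a custom SQL table. The claim rules, the HMAC signing key, the user "alice" and all the attribute data are constructed for the demonstration; a real STS would sign a SAML assertion with an X.509 key rather than an HMAC. The point it shows is that the STS aggregates the claims once at authentication time and pushes a signed bundle to the application, while the virtual directory answers each attribute query on demand, and that in both cases adding or moving a store means editing a rule, not the application.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed sample data standing in for two fragmented identity stores:
# an AD/LDAP-style record and a custom SQL table of application roles.
AD_STORE = {
    "alice": {"mail": "alice@example.test", "department": "Finance"},
}

def build_sql_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_roles (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO app_roles VALUES (?, ?)",
                     [("alice", "approver"), ("alice", "viewer")])
    return conn

SQL_STORE = build_sql_store()

# Claim rules in the spirit of the ADFS rule engine: each rule turns one
# store lookup into claim types. Adding a store means adding a rule here,
# not touching the application.
def rule_ldap_attributes(user):
    rec = AD_STORE.get(user, {})
    return {"email": rec.get("mail"), "department": rec.get("department")}

def rule_sql_roles(user):
    rows = SQL_STORE.execute(
        "SELECT role FROM app_roles WHERE username = ? ORDER BY role", (user,)
    ).fetchall()
    return {"role": [r[0] for r in rows]}

CLAIM_RULES = [rule_ldap_attributes, rule_sql_roles]

def gather_claims(user):
    """Shared by both models: run every rule and merge the results."""
    claims = {"sub": user}
    for rule in CLAIM_RULES:
        claims.update(rule(user))
    return claims

# --- Push model: the STS issues a signed token; the app never queries a store ---
STS_KEY = b"demo-sts-signing-key"  # constructed; a real STS signs with an X.509 key

def sts_issue_token(user, key=STS_KEY):
    body = base64.urlsafe_b64encode(
        json.dumps(gather_claims(user), sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def app_consume_token(token, key=STS_KEY):
    """Claims-aware application: verify the issuer's signature, then trust
    the claims as presented. Tampered tokens are rejected."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("token signature check failed")
    return json.loads(base64.urlsafe_b64decode(body))

# --- Pull model: a virtual directory answers attribute queries on demand ---
class VirtualDirectory:
    def search(self, user, attributes):
        """Fan out to the backing stores per query; return only what was asked for."""
        merged = gather_claims(user)
        return {a: merged.get(a) for a in attributes}

def tamper(token):
    """Change the department inside the token body without re-signing it."""
    body, sig = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["department"] = "Executive"
    forged = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{forged}.{sig}"

if __name__ == "__main__":
    token = sts_issue_token("alice")
    print("pushed claims:", app_consume_token(token))
    print("pulled attrs:", VirtualDirectory().search("alice", ["email", "role"]))
    try:
        app_consume_token(tamper(token))
    except ValueError as e:
        print("tampered token rejected:", e)
```

The security-relevant difference is where trust is anchored. In the push model the application trusts nothing but the issuer’s signature over the claims, so a user who edits the bundle in transit is caught by `app_consume_token`. In the pull model the application trusts its connection to the directory service and whatever access controls sit in front of it, and the freshness of the data is whatever the directory returns at query time rather than whatever was true when the token was minted.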
Somewhere in the midst of this discussion, a big gear clicked into place. I saw something I bet many, many have seen before – but it was new to me. Microsoft and Oracle were really going head to head in identity for applications. Yes, I know it’s hard to believe that Microsoft and Oracle would compete. But that does seem to be what’s happening. You see, the VDS had always been in this spot on my mental whiteboard between the applications and the multiple sources of identity data as an abstraction layer. The STS was somewhere on that mental whiteboard, but it wasn’t there. Now I’d been clearly shown that it could be moved in front of the VDS, or even be moved to replace the VDS. Of course, much depends on the use cases. The STS can’t really do everything the VDS does and vice versa. But I think it’s fair to say that Oracle is betting on people like me who see with an application architect’s eye and try to make the current generation of revenue generating applications do their work better and faster. Microsoft is betting on its excellent developer community and credibility to propel the next generation of all applications into a claims based, STS dependent world.
That battle would seem to pit SAML and LDAP against each other, each with one of the largest tech giants in its corner. In reality, I doubt it will be anything so dramatic. But before this conversation, I didn’t even see the potential for that battle. It’s amazing how many latent hostilities to some approaches seem clear to me now. I don’t even think some of the people who were hostile realized why. But there are deep mechanisms at work in the respective communities involved that are forming opinions that will likely solidify into “Linux vs Windows Server” style opinion wars soon enough. Here I thought all this good will about interoperability in identity could last forever. Silly me.
Since there is so much to say about Gartner IAM Summit 2009, I wanted to break it up a bit. The first thing I wanted to do was get the vendor stuff out of the way. When I get to the topical stuff I’m sure some vendors will be involved, but there is much to say about what happened in exhibition hall.
Possibly the most talked about thing on the floor was the size comparison of the Oracle and Sun booths. Oracle had the biggest possible booth and, predictably, Sun had the very smallest. Sun was literally on the far wall alongside niche players and new entrants. Of course this just makes sense, but everyone was talking about it. I should have taken pictures. To add to this drama, the announcement about the EU’s objections to the merger was made while we were at the show and that just set people off talking about it all again after the booth comparison finally died down. The most sensible thoughts were all centered around the wisdom that it would be years before anything really happened to Sun’s IAM offerings. In fact, Gartner even said as much during the session about the magic quadrant. Yet many people were convinced, all wisdom aside, that this merger was going to be about Oracle raking Sun customers over the coals.
Aside from the Oracle and Sun drama, the show floor was not too exciting. Gartner always has a way of making sure their clients know the show is all about them – this time was no exception. All the booths were in the basement. That said, they only served lunch and drinks by the booths, so there was a captive audience at times. It seemed to me, watching the other attendees, that most folks didn’t really spend a lot of time talking to vendors. From my place in the center of the floor at the Quest booth, I could see pretty much everything. There were only 6 hours of booth time, and I’d say only half of that was really about vendor time (the other half was eating time). The people who came to our booth were either interested in something very specific, or on a mission to talk to everyone a bit and get the lay of the land.
The busiest booth seemed to be Aveksa’s. Sailpoint and Cyber-Ark got some good traffic, too. No surprises there. They are all in the sweet spots of their fields. The only booths I couldn’t see were Oracle and Novell. Of course, those were the biggest booths and they were right at the entrance of the floor. I’m assuming they got some good traffic just because of that.
It seemed to me the best user/vendor interactions were side meetings, which there were tons of, and the use cases that the vendors sponsored. That’s one of the very cool things about Gartner’s shows. The user is in the focus and everything is designed to make sure that it stays that way.
Next post in a few days (or sooner) and it will concentrate on what I took away from the sessions.