Category Archives: Identity Management

SPML SIG at Catalyst

Bob Blakley announces here that the Burton Group identity blog has transitioned to individual Gartner blogs. He also announces an SPML SIG at the next two Catalysts.

It’s good to see attention being given to SPML again. But will this translate into real movement to adopt SPML (either 2.0 or a yet-to-be-developed 3.0)? Perhaps, but we may have to take a step backwards in order to move forwards. If work starts on SPML 3.0, that will effectively kill adoption of 2.0. But if 2.0 isn’t being adopted anyway, why not go ahead and do a 3.0?

Interesting times.

SPML 3.0 in 3D!!!

OK, I kid about the 3D, but I am starting to hear from various identity folks that it’s time to start thinking about SPML 3.0. The latest is John Fontana’s post on that here.

While I don’t think that there are any technical reasons SPML 2.0 can’t be used for interoperable provisioning, the market has clearly not embraced it yet. There are some SPML enabled products out there, but not nearly enough to reach the critical mass that is needed.

So would an SPML 3.0 effort succeed where SPML 2.0 has so far not succeeded? I honestly can’t say, but I feel it’s worth giving it a go. The industry really needs this. My employer’s products need it.

Open source C# SPML v2 implementation

Softerra has released an open source C# implementation of SPML V2 (DSML profile). I haven’t had time to play around with it yet, but it looks interesting.

Now what would be really great would be for some developers to take this and create implementations that do useful things. For instance, write a service provider for provisioning and reconciling AD accounts. Or perhaps integrate it with Microsoft FIM.

FIM there, done that

Microsoft has finally released FIM (formerly ILM and MIIS). While it’s good to see this finally out the door, Microsoft has made a decision that I believe will severely hinder adoption. The system requirements include:

  • Windows Server 2008 64-bit or Windows Server 2008 R2 Standard, Enterprise or Datacenter Editions
  • SQL Server 2008 64-bit Standard or Enterprise Editions SP 1 or later

Unfortunately, far too many enterprises are still unwilling to move to Windows Server 2008, much less 64-bit Windows Server 2008. So many enterprises will have to budget for moving to 64-bit Windows and SQL Server 2008 as part of their evaluation of whether to start an IdM project.

And for the life of me I can’t see any technical reason for this limitation.

Identity Apocalypse Now

Jonathan Sander of Quest has this to say about the coming identity apocalypse. Interesting stuff.

This got me thinking about a fascinating aspect of identity management in the ASP (and SaaS) space, and that is the delegated nature of identity. For example, my current employer CareMedic (now part of Ingenix) offers hosted services where authorization decisions are made based on the identity of the user. Since these are medical revenue cycle applications, the authorization decisions are covered by various regulations such as HIPAA.

But here is the interesting part. We don’t really need to verify that the identity we know is actually a specific person. We trust our customers (the health care service providers) to validate that the identities they provide us are properly vetted, and they determine the roles that those identities fulfill.

And this is the fundamental trust issue pertaining to the identity providers that Jonathan Sander discusses. The entity with the financial stake must validate the real person behind the identity.

Whither SPML or wither SPML?

Whither SPML or wither SPML? This is the question Mark Diodati asks in his post SPML on Life Support. Ingrid Melve and Nishant Kaushik have follow ups here and here.

The problem with SPML is still the same more than 10 years after the effort was started. Right now the choice is between home-grown provisioning or bringing in a provisioning vendor. In the latter case the provisioning vendors are forced to absorb the pain of integrating with all the disparate provisioning targets (a pain I know all too well). Since the provisioning vendors make it all work, the customers don’t force the enterprise system vendors to add SPML interfaces.

Note that Nishant has this to say about Oracle:

Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported. But it desperately needs some energy to be put behind it. And it needs to adapt to these new architectures, new use cases and the ecology of standards that is far out-pacing it. I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.

Great, I would love to see that happen. Oracle has been involved in SPML from the beginning, but do you know what they haven’t done? Added an SPML service to support the provisioning of Oracle DB accounts. Neither has IBM, Sun, or Microsoft with respect to their own DB products, even though they have all had involvement in the SPML standard over the years. It’s the same when you look at directories, email systems, etc.

We can talk about the standards or “pull models” all we want, but it takes two to tango. Until the enterprise systems support a common interface of some kind, provisioning will still be as problematic as it was 10 years ago.

Good summary of Sun’s open IdM projects

Luca Mayer has this summary of Sun’s open source IdM projects. I have some experience with OpenSPML (obviously), and I have fiddled with OpenDS. There is some great stuff there.

I hope this all survives the acquisition.

Virtual Directories, O through S

Felix Gaehtgens of Kuppinger Cole has this to say about today’s virtual directory vendors:

As someone actively covering directory services and virtual directories, several innovations have caught my attention. The players within the virtual directory space are (in alphabetical order) Optimal IDM, Oracle, SAP, Radiant Logic, Red Hat, and Symlabs. When it comes to product development and innovation within the last year, you can split those vendors right down the middle. – Optimal IDM, Radiant Logic and Symlabs have been actively developing their product and churning out new features in new versions. The others have not been adding any features, but instead spent time changing logos, product names, default file locations and otherwise integrating the virtual directory products into the respective Oracle/RedHat/SAP identity management ecosystems. In fact, in some of the latter cases I ask myself whether it is likely to expect any virtual directory product innovations anymore.

I couldn’t help but notice that the entire virtual directory space as described by Mr. Gaehtgens spans only five letters of the alphabet (o through s). It doesn’t mean anything, but it’s still odd.

SaaS provisioning

Jackson Shaw makes the point that the last thing most enterprises need to take on is provisioning their SaaS identities when they are still struggling with their internal identities:

We have a standard called “Services Provisioning Markup Language” (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I’ll bet they do not! What do you do then? I’ve met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning – via some hairbrained interface because the vendor doesn’t support SPML – and it only adds to the organization’s identity management complexity.

Of course having an SPML capability in a SaaS is not going to be much help if the enterprise doesn’t have a provisioning system in place with SPML support. SPML support is not widely available in provisioning systems (although there are a few that have it out of the box).

Ashraf Motiwala echoes the point and also notes that enterprises are going to want to leverage not only their internal provisioning systems but also their workflow and role management systems:

Recreating a workflow engine, role management, delegation, etc. in the cloud seems to just create redundancy for these capabilities, especially for organizations that have already dropped a few dollars to deploy an IdM solution on premise. Why would I drop my existing investment here? (Perhaps there is a compelling case, but I just don’t see it.) I would much rather find a solution that proxies the SPML requests from my existing provisioning solution that handles all the complexities (or “hairbrained interfaces”) for the SaaS apps on the backend!

The upshot is that SaaS vendors should be rolling out SPML interfaces to their services. But just like the traditional enterprise software vendors, they most likely won’t do it until the customers demand it. Until it becomes a selection criterion, it probably won’t happen.

Glass half full, and covered with prints

Dave Kearns notes that the city of Bozeman is walking back its requirement that applicants supply user IDs and passwords for all their social networking sites. But then he closes with:

Just one more reason to drop the use of passwords in favor of a biometric authentication. Even Bozeman, I’d hope, wouldn’t ask you to leave your finger on file!

Is the glass half empty or half full? Either way it’s covered with prints, which you should think about before jumping into biometrics. Then watch the MythBusters fool several fingerprint readers with covertly obtained fingerprint samples. After watching that, you will probably start feeling uneasy about fingerprint readers.

And it seems facial recognition systems can be fooled with pictures of the face blown up to full size.

I wouldn’t bet the farm on voice authentication either.