Category Archives: Provisioning

FIM there, done that

Posted on March 3, 2010 | Leave a comment

Microsoft has finally released FIM (formerly ILM and MIIS).  While it’s good to see this finally out the door, Microsoft has made a decision that I believe will severely hinder adoption. The system requirements include:

  • Windows Server 2008 64-bit or Windows Server 2008 R2 Standard, Enterprise or Datacenter Editions
  • SQL Server 2008 64-bit Standard or Enterprise Editions SP 1 or later

Unfortunately far too many enterprises are still unwilling to move to Windows 2008, much less 64 bit Windows 2008. So many of the enterprises will have to budget moving to 64 bit Windows and SQL Server 2008 as part of their evaluation of whether to start an IdM project.

And for the life of me I can’t see any technical reason for this limitation.

→ Leave a comment

Posted in Identity, Identity Management, Provisioning

Tagged , , , , ,

Pulling LDAP

Posted on February 24, 2010 | 6 Comments

Mark Diodati sums up the recent SPML threads here. But one questions that needs to be answered, if not SPML then what? One alternative that has been put forward by Mark Diodati, Mark Wilcox, and others is the LDAP (or DSML) pull model of provisioning.

This model is to expose your user accounts via LDAP using a Virtual Directory (VD) instance exposed to your service provider. The service provider would periodically make calls to the VD to look for account CRUD operations.

There are several compelling advantages to this model;

  • LDAP is already a standard protocol
  • There are defacto standard schemas (the most common of which is the standard AD account)
  • This is really just an extension of a model that has already been embraced in the enterprise (look at how many apps can be AD enabled)

Could that be it? Is the solution to service provider provisioning really this simple? No, at least not without SAML. While this model shows promise there is a problem; passwords. If your enterprise is not ready to use SAML to authenticate to your service provider, then you are left with two choices; both unpleasant.

First you could just punt on passwords and force your users to manage their passwords on their own. This is no worse than the situation without any provisioning, but certainly not where you could be if you used a provisioning solution to push the passwords out to the service provider as needed.

The second is to expose your password hashes via your VD. If your service provider supports the same salting and hashing algorithms, then the passwords could be synchronized by copying the hash across. In fact the recent version of the Google apps dir sync utility claims to be able to do just that.

But think about this for a moment. If you do that then the service provider knows the clear text password to log into your network for every one of your users that actually uses the service. After all, the user has to provide the clear text password to the service provider’s login page to generate the hash value to compare to the hash you sent them. If that’s the same as the hash value in AD, then the service provider knows your AD password by definition.

Do you trust Google with the clear text AD passwords? I’m not picking on Google; there simply aren’t any service providers I would trust with that information.

Another alternative I have heard is that the service provider’s login page would make an LDAP bind call back to the VD with the supplied password to do the authentication. Again, that gives the service provider a clear text version of your AD password.

Are you sure you really want to do that?

But if your enterprise and your service provider can implement SAML, then the LDAP pull model looks a lot more compelling. I would be curious to hear from anyone that has implemented this or is thinking of implementing it. And if anyone is using the password hash sync approach, I would be interested in hearing about as well.

→ 6 Comments

Posted in AD, Authentication, Google, Identity, Password Management, Provisioning, SAML, SPML, Standards, Virtual Directory

Tagged , , , , ,

Whither SPML or wither SPML?

Posted on February 12, 2010 | 5 Comments

Whither SPML or wither SPML? This is the question Mark Diodati asks in his post SPML on Life Support. Ingrid Melve and Nishant Kaushik have follow ups here and here.

The problem with SPML still the same more than 10 years after the effort was started. Right now the choice is between home grown provisioning or bringing in a provisioning vendor. In the latter case the provisioning vendors are forced to absorb the pain of integrating to all the disparate provisioning targets (a pain I know all too well). Since the provisioning vendors make it all work, the customers don’t force the enterprise system vendors to add SPML interfaces.

Note that Nishant has this to say about Oracle:

Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported. But it desperately needs some energy to be put behind it. And it needs to adapt to these new architectures, new use cases and the ecology of standards that is far out-pacing it. I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.

Great, I would love to see that happen. But Oracle has been involved in SPML from the beginning, but do you know what they haven’t done? Added an SPML service to to support the provisioning of Oracle DB accounts. Neither has IBM, Sun, or Microsoft with respect to their own DB products, even though they have all had involvement in the SPML standard over the years. It’s the same when you look at directories, email systems, etc.

We can talk about the standards or “pull models” all we want, but it takes two to Tango. Until the enterprise systems support a common interface of some kind, provisioning will still be as problematic as it was 10 years ago.

→ 5 Comments

Posted in Identity, Identity Management, Provisioning, SPML, Standards

Tagged , , ,

SPML, SAML, OAUTH, and Impedance Mismatch

Posted on December 3, 2009 | Leave a comment

Nishant Kaushik posits an interesting question; can OAUTH fill the provisioning role in Just-in-time federated provisioning. Mark Wilcox follows up here and here.

I agree with Mark’s commenter who suggests that a SAML attribute service fills the role just as well. Mark suggests that a SAML attribute query is too difficult to implement in some development environments. But I am not sure that I buy the argument that there are environments where doing the SAML SSO is doable but doing the attribute query isn’t.

Regardless all this got me thinking about impedance matching. When we wear our standards hat, all things are possible. But we need to step back at times and put on our developer hat and think about how are designs are going to be implements. While we could mix SAML and OAUTH to support JIT federated provisioning, implementation now requires tools, libraries, and implementers that can implement both SAML and OAUTH as well as handle the rough edges where the don’t mesh well. That’s an impedance mismatch in my opinion.

→ Leave a comment

Posted in Authentication, Identity, Open Source, OpenID, Provisioning, SAML, SPML, Standards

Tagged , , , , , , ,

SaaS provisioning

Posted on June 30, 2009 | 1 Comment

Jackson Shaw makes the point that the last thing that most enterprises need is to take on is provisioning their SaaS identities when they are still struggling with their internal identities:

We have a standard called “Services Provisioning Markup Language” (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I’ll bet they do not! What do you do then? I’ve met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning – via some hairbrained interface because the vendor doesn’t support SPML – and it only adds to the organization’s identity management complexity.

Of course having an SPML capability in a SaaS is not going to be much help if the enterprise doesn’t have a provisioning system in place with SPML support. SPML support is not widely available in provisioning systems (although there are a few that have it out of the box).

Ashraf Motiwala echoes the point and also points out that enterprise are going to want to leverage not only their internal provisioning systems, but also their workflow and role management systems as well:

Recreating a workflow engine, role management, delegation, etc. in the cloud seems to just create redundancy for these capabilities, especially for organizations that have already dropped a few dollars to deploy an IdM solution on premise. Why would I drop my existing investment here? (Perhaps there is a compelling case, but I just don’t see it.) I would much rather find a solution that proxies the SPML requests from my existing provisioning solution that handles all the complexities (or “hairbrained interfaces”) for the SaaS apps on the backend!

The upshot is that SaaS vendors should be rolling out SPML interfaces to their services. But just like with the traditional enterprise software vendors, they most likely won’t do it until the customers demand it. Until it becomes a selection criteria it probably won’t happen.

→ 1 Comment

Posted in Identity, Identity Management, Provisioning, SaaS, SPML

Tagged , , , ,

Open source IdM connector project

Posted on April 21, 2009 | Leave a comment

Sun (or should I say Oracle now) now has an open source effort for Sun Identity Manager connectors (hat tip to Daniel Raskin). There is even an SPML 2.0 connector listed which is great to see.

This is another shot at the Holy Grail of enterprise management software, getting out of the connector business. It doesn’t matter if you are doing identity management, network management, configuration management, or security management, or systems management, satisfying a never ending customer demand of connectivity to a myriad of systems is a back breaking pain (and expense).

It will be interesting to see how this plays out. There are a lot of Sun IdM enthusiast out there, and many of them are capable of writing connectors. The success of this effort will depend on how many of them are willing to participate in OS projects and more importantly can get their companies buy-in to contribute source code.

→ Leave a comment

Posted in Identity, Identity Management, Open Source, Provisioning

Tagged , , , , ,

It’s not always about you

Posted on February 15, 2009 | Leave a comment

Pat Patterson points out that the Liberty ID-WSF protocol is a nice fit for Federated Provisioning:

Now, in my Liberty-tinged version, when sending a new user to Omega, Acme includes a reference to their Employee Profile (EP) service – essentially the service’s endpoint URL – in the SAML assertion. This endpoint reference serves as both a description of where to find the service and permission for Omega (when sent as part of the signed SAML assertion) to invoke that service.

On receiving the assertion, Omega send a signed request to the EP service, the request containing the SAML assertion it just received. Now, the EP service knows that Omega is entitled to access that employee’s data, since it has a signed SAML assertion, issued by Acme itself, that says exactly that (via the presence of the EP endpoint reference). The EP can return exactly the data required (this will have been configured according to the underlying contract between Acme and Omega).

Now there is absolutely nothing wrong with this scenario. SAML in conjunction with ID-WSF is a very reasonable way for information about You (the person needing to be provisioned) to be conveyed to the service provider. For You, all the bases are covered.

But there is one big problem here. It’s not always about You.

Think about any enterprise application that You use. How much data concerns You and how much data concerns Somebody Else? I am talking about data such as contact lists, workflow approvers, roles, responsibilities, etc. How does all this data about Somebody Else get synchronized in a timely enough fashion to useful to You?

For instance if John is an approver in a workflow in a hosted application, and John is laid off, how does John get removed as a approver? How does Mary get added in his place? Do all the requests that John need to approve sit in limbo until an administrator manually makes the change? Sadly that’s how it usually handled now.

The SAML/ID-WSF solution is fine for many applications. It just isn’t sufficient for moving many of today’s enterprise applications to a SaaS model.

→ Leave a comment

Posted in Identity, Identity Management, Provisioning, SAML

Tagged , , , ,

Janus versus Vulcan in Federated Provisioning

Posted on February 7, 2009 | 2 Comments

I always thought the Roman God Janus should be the patron deity of security professionals. From the Wiki page on Janus:

In Roman mythology, Janus (or Ianus) was the god of gates, doors, doorways, beginnings and endings. His most prominent remnants in modern culture are his namesakes: the month of January, which begins the new year, and the janitor, who is a caretaker of doors and halls.

Likewise I see Vulcan as the symbol of those toiling in the system integration and provisioning fields. Crafting unsexy and necessary technologies that make disparate IT systems work together. From the Wiki page on Vulcan:

The Romans identified Vulcan with the Greek smith-god Hephaestus, and he became associated like his Greek counterpart with the constructive use of fire in metalworking.

This comparison came to me as I was reading the recent flurry of posts about Federated Provisioning. You can go here to read the latest from Dave Kearns, Pamela Dingle, Ian Glazer, and Nishant Kaushik. These are some really smart people who make some good points, but they are mostly talking past each other. This is a Mars versus Venus kind of debate, only it’s really Janus versus Vulcan.

The federation (Janus) side of the federated provisioning discussion tends to favor the just-in-time-provisioning, minimal disclosure, and privacy aspects of federation. The provisioning (Vulcan) side of the federated provisioning focuses on the total life-cycle of the identities known to both the service provider and consumer.

That’s not to say either is right or wrong. Both have good points. But there are serious holes in the just-in-time provision approach and Pamela’s just-on-usage deprovisioning suggestion. Let me give you an example to illustrate.

Suppose ACME is outsourcing one of its sales application. Now support the SaaS application has a feature that lets you (as a sales manager) assign a sales lead to one of your salesmen. Right off the bat you should see the first problem. How do you get the salesman’s information into the system if he has never performed the federated authentication step (I am intentionally being protocol agnostic here). Clearly ACME must have bulk provisioned all the salesmen to the application when setting up the service.

But what happens when a new salesman is hired? A provisioning process should be in place to provisioning the new salesman to all the SaaS services that need to know about him. But what happens if the new salesman doesn’t work out and is let go? Cleary ACME doesn’t want to him to still show up in the list of people that sales leads could get assigned to. Just-in-time-provisioning and deprovisioning just won’t be sufficient for many applications because the identity information needs to be synchronized before the user performs his first authentication. This can be true of any application where the users interact with each other.

In addition to the data synchronization problems in Federated Provisioning, there is also the auditing issue. How does ACME audit what its salesmen did in the application? Right now there isn’t a standard that covers “Federated Auditing”, but I predict that it is something customers are going to start asking for if the truly embrace SaaS.

I guess you could say I am more Vulcan than Janus.

→ 2 Comments

Posted in Identity, Provisioning, SaaS, SAML, SPML, Standards

Tagged , , , , ,

One more for the deprovisioning files

Posted on January 30, 2009 | Leave a comment

I have heard several analysts recently say that the current business climate makes IdM (or at least provisioning and access control) more important than ever. It would be easy to dismiss this as wishful think until you read something like this:

A former Fannie Mae IT contractor has been indicted for planting a virus that would have nuked the mortgage agency’s computers, caused millions of dollars in damages and even shut down operations. How’d this happen? The contractor was terminated, but his server privileges were not.

That not to say there aren’t disgruntled employees during a normal business cycle. But the more people that are being laid off, the greater the risk.

How many organizations really have a handle on properly turning off the access for all the people they are laying off (especially those in IT)? Of  course if the IdM systems are not out in place during an up business climate it’s going to be much harder to put it in place in a down one.

→ Leave a comment

Posted in Identity Management, Provisioning, Security

Tagged , ,

SPML gateways move forwards

Posted on January 30, 2009 | 4 Comments

Mark Diodati points out this interesting open source SPML gateway. There is an accompanying blog by Jerry Waldorf of Sun that has a lot of background on the project and presents some interesting concepts of things that you could do with an SPML gateway.

This is exactly the kinds of stuff I had hoped to see happen when I started working on SPML. Working at Access360 it was frustrating to see so much time and effort spent writing connectors to all the disparate systems that needed to be provisioned. If only project keychain had existed back then.

Great stuff if you are interested in provisioning.

→ 4 Comments

Posted in Identity, Identity Management, Open Source, Provisioning, SPML, Standards

Tagged , ,