
June 2008 Archives

June 9, 2008

Some Answers To Questions On Building Identity Enabled Applications

James McGovern asked more questions including this.

"- Virtual Directories: What role should a virtual directory play in an
Identity metasystem? Should virtual directory be a standalone product
in the new world or simply be a feature of an STS? If an enterprise
were savage in consolidating all directory information into Active
Directory, why would I still need virtualization?"

[MEW] I think my answers from our last exchange answer this question.

Now for the rest of the questions:

"Protocols: Nowadays, the folks over at the Burton Group such as Bob
Blakely, Dan Blum and Gerry Gebel have put together the most wonderful
XACML interoperability events. The question that isn't addressed is if
I am building an enterprise application from scratch, should I be
XACML-enabled, think about integrating with STS, stick to traditional
LDAP invocation or something else?"

[MEW] Most enterprise architects are familiar with how to abstract security using features that range from official standards like JAAS to de-facto standards like Apache modules to various application frameworks (including .NET and ACEGI) that facilitate this. The next step is to encourage implementers of such entities to support XACML. Oracle (and BEA) have demonstrated XACML support and we're building support for it into our future products.

"Entitlements: One missing component of the discussion is
authorization and there is somewhat too much focus on identity.
Consider the scenario where if you were to ask my boss if I am still an
employee, he would say yes as he hasn't fired me yet. Likewise, if you
ask him what are all of the wonderful things I can access within the
enterprise, he would say that he has no freakin clue, but as soon as
you figure it out, please let him know. Honestly, even in my role,
there are probably things that I can do but shouldn't otherwise have
access to. So, the question becomes how come the identity conversation
hasn't talked about any constructs around attestation and authorization?"
[MEW] Oracle Role Manager is explicitly designed to help solve the problem of determining what enterprise roles there are, translating those into IT roles which then result in system privileges. It then integrates with a provisioning system (like Oracle Identity Manager) so that access is maintained based on hire/termination/change-of-enterprise-role status. Additionally Oracle Adaptive Access Manager (OAAM) provides a risk-based access control solution that can authorize actions based on your context and environment (e.g. you normally only try to move money between 7-9pm EST from IP address 192.168.1.55, but if suddenly a request to do this arrives at 5am from an IP in outer Elbonia, it can take a wide range of actions such as requiring you to call a phone number and answer security questions to help verify it's you).

"Workflow: Have you ever attempted to leave a comment on Kim Cameron's
blog? You will be annoyed with the registration/workflow aspects. The
question this raises in my mind is what identity standards should exist
for workflow? There are merits in this scenario for integrating with
the OASIS SPML standard, but I can equally see value in considering
BPEL as well."
[MEW] I don't think this is a standards problem as much as a usability problem. For example, compare mobile web life before the iPhone to after the iPhone. Prior to the iPhone, the mobile web was usable but painful because of multiple clicks. One of the really great things about the iPhone/iPod Touch is not that it has Safari (though it helps) but being able to put commonly used Web apps within reach of a single click (which happens to be a touch). Both systems use the same core standards (HTML and hyperlinks); one is just more usable than the other. Personally, I think SPML or BPEL is fine, but they are really focused on what happens after you hit the Submit button. The UI component of the workflow is going to be driven by other standards (for example, in the 11g SOA TP4 preview we can convert BPEL Human Workflow tasks to ADF Task Flows, which makes it easier for a usability guru to work their magic).

"Education: Right now the conversation regarding identity is in
the land of geeks and those who are motivated to read specifications.
There is a crowd of folks who need things distilled, the Reader's Digest
version if you will. Traditionally, this role is served by industry
analysts such as Gartner and Forrester. What would it take for these
guys to get off their butts and start publishing more thoughtful
information in this space?"
[MEW] Nobody wants to read specs. I've probably read more identity specs than almost anyone on the planet and I hate reading them. This is why we at Oracle are focused on application-centric security and security as a service. Developers and applications should just be able to depend on calling an API or service & have it "Do the Right Thing".

"Conferences: When do folks think that the conversation about
identity will occur at other than identity/security conferences? For
example, wouldn't it have been wonderful if Billy Cripe, Craig Randall and Laurence Hart were all talking about the identity metasystem in the context of ECM?"
[MEW] Why would they want to talk about identity at their conference? After all, I bet they don't talk about any other core service component at their conferences either - when was the last time they talked about DNS? It's just not something they want to care about and frankly, they shouldn't have to care about it. This is the core of the Oracle Security As A Service concept: developers learn to leverage identity as a service and use proper API calls (e.g. the biz dude says "only managers can access this document", so the developer makes a standard API call that leverages a policy service that in effect says "if (userIsInRole("manager")) { fetchDoc(x) }"). Then applications won't be maintaining their own identity information and there won't be any need to wonder why ECM conferences don't talk about identity.
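The split the answer above describes, the application making one authorization call and a separate policy service holding the business rule, as an added example that is not code from the original post or from any Oracle product. The policy rules, document classifications and function names are constructed for illustration.

```python
# Added example: a minimal externalized authorization service.
# The application (policy enforcement point) asks the policy decision
# point with a (subject, action, resource) request and enforces the
# answer; it never encodes "manager" logic itself. All names are constructed.
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Resource:
    doc_id: str
    classification: str  # constructed attribute, e.g. "internal" or "confidential"


# Rules owned by the business side, changeable without touching the app.
# Each rule: (action, resource classification, roles permitted).
POLICY = [
    ("read", "internal", {"employee", "manager"}),
    ("read", "confidential", {"manager"}),
    ("delete", "confidential", {"manager"}),
]


def decide(subject: Subject, action: str, resource: Resource) -> str:
    """Policy decision point: deny by default, first applicable rule wins."""
    for rule_action, classification, roles in POLICY:
        if rule_action == action and classification == resource.classification:
            return "Permit" if subject.roles & roles else "Deny"
    return "Deny"  # no applicable rule means no access


DOCS = {"hr-42": Resource("hr-42", "confidential"),
        "memo-1": Resource("memo-1", "internal")}


def fetch_doc(subject: Subject, doc_id: str) -> str:
    """Policy enforcement point: the only authorization code in the app is this call."""
    resource = DOCS[doc_id]
    if decide(subject, "read", resource) != "Permit":
        raise PermissionError(f"{subject.name} may not read {doc_id}")
    return f"<contents of {doc_id}>"


if __name__ == "__main__":
    print(fetch_doc(Subject("alice", frozenset({"employee", "manager"})), "hr-42"))
```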

June 16, 2008

OVD FAQ Now In Metalink

One of our tasks for the past fiscal year (Oracle FY is from June until May) was to work on getting my internal FAQ into Metalink.

That project is now complete. Many thanks to Irina in support who took care of the conversion.

Note.566569.1 -- FAQ - OVD Performance, Load-Balancing and Scalability

Note.565523.1 -- FAQ - Join Adapters

Note.577982.1 -- FAQ - OVD with Enterprise User Security

Note.577977.1 -- FAQ - Plug-In Documentation

Note.567775.1 -- FAQ - Monitoring OVD

Note.566566.1 -- FAQ - Database Adapters

Note.580444.1 -- FAQ - Oracle Access Manager

Note.580442.1 -- FAQ - Data Transformation

Note.580440.1 -- FAQ - OVD Training

Note.602230.1 -- FAQ - Miscellaneous (lots of stuff here; FYI, still waiting on Metalink to make it available)

Note.554126.1 -- FAQ - Application Integrations


Publishing this to Metalink makes it accessible to a wider audience. We did debate putting it elsewhere, like the Oracle Wiki or OTN, but decided on Metalink because that is the one spot still accessed most frequently by customers, partners, support and sales when looking for information on Oracle software.

It also makes it easier for development, myself and support to update these documents (and the other nearly 100 OVD-related notes).




June 20, 2008

Y'All Come Back Soon

Oracle blogs will be migrating to a new platform. And this is going to take a couple of weeks.

But all of the content (except for the comments) should make the migration.

Looking forward to a new and improved system.





June 29, 2008

Identity Bus - Persistent-Search 2.0

A few weeks ago - Dave Kearns wrote a piece revisiting an earlier discussion between him, Kim Cameron of Microsoft and our own Clayton Donley.

The initial question from Kim Cameron was:
--
"Sometimes an application needs to do complex searches involving information 'mastered' in multiple locations. I'll make up a very simple 'two location' example to demonstrate the issue:

'What purchases of computers were made by employees who have been at the company for less than two years?'

Here we have to query 'all the purchases of computers' from the purchasing system, and 'all employees hired within the last two years' from the HR system, and find the intersection."

--

Clayton's final summary was:

--

"The real solution here is a combination of virtualization with more standardized publish/subscribe for delivery of changes. This gets us away from this ad-hoc change discovery that makes meta-directories miserable, while ensuring that the data gets where it needs to go for transactions within an application."

--

Dave was a bit shocked at Clayton's reply since to him it sounded like a cache and that is not something we normally advocate with the virtual directory.

Except that what Clayton is talking about is a bit different.

What we are working on enabling is to allow client applications to register their queries with the virtual directory in a way that lets them get the responses in a manner different from simple client/server. For example, they could issue a command to OVD that allowed OVD to put the responses onto an Enterprise Service Bus. Applications that were interested in the result of this query could then attach themselves to the bus and see the results. Furthermore, OVD could even be monitoring the HR system so that when new employees met the criteria, it could add the new results to the bus.

The benefit is that the applications that truly need to know this can simply listen for these updates. This is easier than, say, some type of central service that must know how to write to each type of application in the organizational environment.
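The registered-query idea described above, worked through on Kim Cameron's two-location example, as an added sketch that is not OVD code or anything from the original post. The HR and purchasing records, the bus, the field names and the "now" date are all constructed for illustration.

```python
# Added example: a client registers a query once; the "virtual directory"
# joins HR and purchasing data, publishes the initial matches on a bus,
# and re-evaluates on each HR change so only new matches are published.
# All data and names here are constructed.
from datetime import date

TODAY = date(2008, 6, 29)                       # constructed "now"
TWO_YEARS_AGO = TODAY.replace(year=TODAY.year - 2)

HR = {"u1": {"hired": date(2007, 1, 15)},      # recent hire
      "u2": {"hired": date(2001, 3, 2)}}       # long-time employee
PURCHASES = [{"buyer": "u1", "item": "computer"},
             {"buyer": "u2", "item": "computer"},
             {"buyer": "u3", "item": "computer"},   # buyer not yet in HR
             {"buyer": "u1", "item": "chair"}]


class Bus:
    """Stand-in for an ESB topic: every subscriber receives each published result."""
    def __init__(self):
        self.subscribers, self.log = [], []

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def publish(self, msg):
        self.log.append(msg)
        for callback in self.subscribers:
            callback(msg)


def recent_computer_buyers(hr, purchases):
    """The query: computer purchases made by employees hired less than two years ago."""
    return {p["buyer"] for p in purchases
            if p["item"] == "computer"
            and p["buyer"] in hr and hr[p["buyer"]]["hired"] > TWO_YEARS_AGO}


class RegisteredQuery:
    def __init__(self, bus, hr, purchases):
        self.bus, self.hr, self.purchases, self.seen = bus, hr, purchases, set()
        self.refresh()                          # publish the initial result set

    def refresh(self):
        for buyer in sorted(recent_computer_buyers(self.hr, self.purchases) - self.seen):
            self.seen.add(buyer)
            self.bus.publish({"match": buyer})

    def on_hr_change(self, uid, record):
        """Change notification from HR: re-evaluate and publish only the delta."""
        self.hr[uid] = record
        self.refresh()


if __name__ == "__main__":
    bus = Bus()
    bus.subscribe(print)
    q = RegisteredQuery(bus, dict(HR), list(PURCHASES))
    q.on_hr_change("u3", {"hired": TODAY})     # new hire now satisfies the query
```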

It would be the further blending of identity services with SOA which is where the modern enterprise is going.

And to be candid, you could do most of (if not all of) this today; it would just require more manual work than we would like.

About June 2008

This page contains all entries posted to Virtual Identity Dialogue in June 2008. They are listed from oldest to newest.
