
June 2007 Archives

June 1, 2007

Microsoft making moves to make internet identity a reality

I'm back at work after some much needed R&R, and as always it seems like I missed quite a bit while I was gone. The timing of my vacation meant that I missed last month's IIW conference, where one of the main events was to be an identity card interoperability test involving Microsoft, Novell and others involved in the development of identity frameworks. I also missed an announcement from Microsoft regarding four open-source projects it is starting that enable developers on other platforms to adopt its CardSpace technology (read the NetworkWorld article here). The projects provide implementations of the CardSpace identity selector technology for Java, Ruby on Rails, PHP and C.

This move, combined with Microsoft's contribution of the CardSpace technology to the open-source community via OSP (Open Specification Promise) license, underscores their commitment to making the identity metasystem a reality. Interoperability of identity systems is a key requirement to making an internet identity layer a reality, and these two pieces of news show that we are moving closer to a day when we can take our identity with us to different websites, rather than having a different identity for each website.

June 5, 2007

Understanding OIM's Generic Technology Connector

Anyone who has implemented any kind of provisioning solution knows that the most difficult part of deploying a solution is creating the connectors - those components that allow the provisioning system to integrate with the managed target systems. Oracle sells a number of application-specific connectors for OIM that are designed for target systems such as MS Active Directory and PeopleSoft User Management. These connectors are built on the specific APIs that the target system exposes, supporting deep integration and a rich set of provisioning operations.

However, for applications that are not supported out of the box, or custom applications that customers have built themselves, building a connector can be an arduous task. It takes planning and resources (both in time and manpower). Quite often, APIs are simply not available for building a good connector. And the number of applications in an enterprise that need to be managed can prove overwhelming to a small IdM team.

Introducing the Generic Technology Connector
This is where the Generic Technology Connector steps in. Introduced in OIM 9.0.3, the name is actually a misnomer. The GTC is really a wizard that provides an alternative connector development environment to rapidly create all the necessary functional components that make up a target system connector in OIM. Its power comes from the way it leverages standardized mechanisms and tools instead of application-specific APIs. The GTC framework also eschews the more powerful, but complex, process-based connector approach for a far simpler dataflow-based connector approach.


The GTC is one part of a three pronged comprehensive integration offering (see diagram above). The GTC allows customers to easily build connectors for target systems that support standard integration mechanisms like flat-file imports via FTP, or SPML-based provisioning over Web Services. Target systems that do not need complicated provisioning process flows can be quickly brought under management in OIM, dramatically reducing the deployment timelines. While a GTC-based connector does not have all the rich capabilities an API-based application-specific connector has, the fact is that for most applications the deeper integration capabilities are not needed.

Architecture of a GTC-based Connector
The following diagram shows the component-level architecture of a connector (supporting both provisioning and reconciliation) built using the GTC.


The GTC framework provides basic building blocks that are used to rapidly assemble a custom connector. The architecture shows the dependence of the GTC framework on the data migration aspect of the connector. The building blocks are:

  • Reconciliation
    • Reconciliation Transport Provider: This provider is responsible for moving the reconciled data from the target system into OIM.
    • Reconciliation Format Provider: This provider parses the message received from the target system (that contains the reconciled data) into a data structure that can be understood by OIM's reconciliation engine.
    • Validation Provider: This provider validates any data received before passing it on to OIM's reconciliation engine.
  • Provisioning
    • Provisioning Format Provider: This provider converts OIM provisioning data into a format that is supported by the target system.
    • Provisioning Transport Provider: This provider carries the provisioning message received from the Provisioning Format Provider to the target system.
The term Provider is pretty ubiquitous in the above architecture, and represents one of the fundamental features of the GTC framework. OIM administrators can add to the building blocks that make up the GTC framework simply by defining and dropping in new providers supporting additional technologies/mechanisms. The Transport Providers support standard communication protocols like HTTP, SMTP, FTP and Web Services. Format Providers support generic message formats such as CSV, SPML and LDIF.

The GTC Framework builds on top of the existing connector framework in OIM, leveraging all of its existing capabilities (auditing, security, export/import capability, etc.).
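As an added illustration (not Oracle's code and not the GTC API; every class and function name here is hypothetical), the following Python models the provider chain described above for both dataflows: a CSV Format Provider and a Validation Provider feeding a stand-in reconciliation engine, and an LDIF Format Provider handing its message to a Transport Provider. The sample export is constructed.

```python
import csv
import io
import re

# Constructed sample: a flat-file user export from the target system, as a
# Reconciliation Transport Provider (e.g. an FTP pull) would deliver it.
SAMPLE_EXPORT = """\
userid,email,status
jdoe,jdoe@example.com,active
asmith,not-an-email,active
,orphan@example.com,disabled
bjones,bjones@example.com,locked
"""
VALID_STATUSES = frozenset({"active", "disabled", "locked"})

class InMemoryTransportProvider:
    """Hypothetical Transport Provider for both directions: fetch() hands the
    reconciliation payload to OIM, send() records outbound provisioning messages."""
    def __init__(self, payload=""):
        self.payload = payload
        self.sent = []

    def fetch(self):
        return self.payload

    def send(self, message):
        self.sent.append(message)

class CsvFormatProvider:
    """Reconciliation Format Provider: parses the raw CSV message into records."""
    def parse(self, raw):
        return list(csv.DictReader(io.StringIO(raw)))

class ValidationProvider:
    """Validation Provider: checks each record before the recon engine sees it."""
    EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

    def __init__(self, required):
        self.required = required

    def validate(self, rec):
        errors = [f"missing {f}" for f in self.required if not rec.get(f)]
        if rec.get("email") and not self.EMAIL.match(rec["email"]):
            errors.append("malformed email")
        if rec.get("status") not in VALID_STATUSES:
            errors.append(f"unknown status {rec.get('status')!r}")
        return errors

class ReconciliationEngine:
    """Stand-in for OIM's reconciliation engine: accepted accounts keyed by userid."""
    def __init__(self):
        self.accounts = {}
        self.rejected = []  # (record, errors) pairs held back by validation

def run_reconciliation(transport, fmt, validator, engine):
    """Reconciliation dataflow: Transport -> Format -> Validation -> engine."""
    for rec in fmt.parse(transport.fetch()):
        errors = validator.validate(rec)
        if errors:
            engine.rejected.append((rec, errors))
        else:
            engine.accounts[rec["userid"]] = rec
    return engine

class LdifProvisioningFormatProvider:
    """Provisioning Format Provider: renders OIM provisioning data as an LDIF add."""
    def __init__(self, base_dn):
        self.base_dn = base_dn

    def format(self, user):
        lines = [f"dn: uid={user['uid']},{self.base_dn}", "changetype: add"]
        lines += [f"{attr}: {value}" for attr, value in user.items()]
        return "\n".join(lines) + "\n"

def provision_account(user, fmt, transport):
    """Provisioning dataflow: Format Provider -> Transport Provider -> target."""
    message = fmt.format(user)
    transport.send(message)
    return message
```

Swapping in a different Format or Transport class is all that is needed to change the mechanism, which is the pluggable-provider idea the GTC is built around.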

Developer Experience
A major feature of the GTC is the improved developer experience. The GTC employs a web-based point-and-click graphical wizard that clearly shows the user the data flows they are defining within the connector. It stores all the configuration information regarding the connector in metadata, so that it can reload the GTC view of the connector and enable ongoing maintenance of the connector in the same graphical environment. Since the GTC builds the connector using the standard connector framework behind the scenes, the developer is actually free to go into the standard OIM development environment and make further modifications to the generated connector. However, once the GTC-based connector has been "customized" in this manner, it can no longer be maintained using the GTC.

For more information, visit the page for Oracle Identity Manager at oracle.com/identity.

June 7, 2007

The first Internet Identity Provider for Social Networks?

I received this newswire story about a new company called safeTspace that claims to provide the kind of identity and age verification service that I blogged about a few weeks ago. Aimed at social-networking sites like MySpace, it combines an in-person registration process with biometric authentication to offer an unprecedented level of security for users. The mission statement looked promising:

The company's proprietary technology keeps unwanted adults out of social-networking sites by verifying each user's identity with fingerprint technology backed by in-person registration. In addition to identity and age verification, the safeTspace process obtains parental consent for users under 18 years old. The technology protects the child - and not the computer - allowing them to log on and be protected at any computer.

Very Interesting!
Intrigued, I headed over to their website to find out more. In their initial rollout, safeTspace is only dealing with social-networking sites for children, so it essentially is trying to ensure that you know who is an adult and who is a child (and not an adult posing as a child), thereby restricting access to child-only services and chat rooms. The verification process essentially involves an adult parent going online, creating an account with all their personal information (name, DOB, gender, address, ...) and providing the information of their children that they want to register. They will receive an invitation letter that the child takes to school along with one form of identification. The child's identity is verified and they have their fingerprint taken by a safeTspace representative (usually a safeTspace certified teacher), and their account is activated. From that point on, they can access child-friendly social-networking sites by first logging into safeTspace using their account id, password and fingerprint. The site then sends them to the unlocked member site. The safeTspace website optimistically says:

The only hardware required is a low-cost fingerprint ID reader. Registered children simply login to safeTspace by entering their ID, password and fingerprint. Once there, they can access a wide variety of child-only content and chat, IM and explore with complete freedom.

My Thoughts
This is obviously one of the first attempts to create a sort of internet identity provider, even if it seems to operate on the Web SSO principle more than the identity-as-a-service principle.

It incorporates one of the key elements to making identity verification possible. It uses an in-person process, which is the only way to truly verify someone's identity (never ask a computer to do a human's job). It also brings in a ubiquitous institution - schools - into the process (in my post on identity verification I had singled out banks as the institution of choice).

The biggest hole seems to be its reliance on biometric authentication. While this ensures that an adult will not log in with a child's account (actually, I think determined people will find a way around that, but it's better than nothing), it imposes a burden that I don't think the user community is ready for. Social networking sites today have tens of millions of users, know no global boundaries, are accessed on all manner of devices (cellphones, communicators, public internet terminals) and are free. None of which jibes with fingerprint-based authentication.
  • First off, I don't see schools in developing countries (some of which have the most active children's communities) being able to get online with this program soon.
  • Those same children may not be able to afford the fingerprint reader this scheme needs. The site FAQ states: the cost will depend on the content provider providing the technology, but the general price is around $30 per year - less than the cost of one cup of premium coffee a month. Yeah, here in the US maybe, but in China, India or Thailand?
  • Also, how this is supposed to work when kids are increasingly using cellphones to blog, photoblog, chat, IM and twitter on social-networking sites leaves a gaping hole in the story. The FAQ does state that the technology works with mobile devices, but offers no specifics.

It's an interesting challenge. Technologies like CardSpace and OpenID promise user-centric identity selectors, but impose no requirements on authentication done to get access to the Identity Cards. Security is only as strong as the weakest link, and the reliance on a PIN to access an Identity Card seems to be the weak link. I for one will be interested in seeing how safeTspace does in the market. What do you think?

June 14, 2007

Update: Generic Technology Connector Links

Jason Sears posted a comment regarding the lack of information about the Generic Technology Connector I discussed in a previous post. Since this is a fairly new feature of the product, the public information available is somewhat limited. Below are the links I have found that can provide you some information.

June 18, 2007

Are you a Catalyst?

That catchy slogan can only mean one thing - it's time for the annual Catalyst Conference (US edition), hosted by the Burton Group. Running from June 25-29 in San Francisco, the event will once again aim to stir things up by bringing together people in a forum where debates will rage and ideas will fly. One of the main conferences for all things identity, this year's sessions seem to bring into focus 3 main topics that are heating up the identity discussion - interoperability of identity systems, the identity services needed to enable this, and the shift to fine-grained authorization.

As always, I look forward to seeing how the discussion has evolved. Role management, for instance, was a hot topic last year when everyone seemed to be embarking on a role management project. This year we are seeing the area of entitlement management starting to merge with role management as one of the original A's of identity management - Authorization - is redefined. And as enterprises are getting more comfortable with the idea of SOA, the need for a well-defined identity services infrastructure is emerging rapidly. As I have mentioned in this blog a number of times before, Oracle's own Fusion initiative views this as a key element in the definition of the next generation applications architecture. Oracle's own Thomas Kurian will be giving a talk on the integration of IdM with Business Applications on Thursday (June 28). And Phil Hunt, one of the architects of Oracle's proposed Identity Governance Framework, will be participating in a panel discussion on identity services.

And the burning question as always: what will Mike Neuenschwander do next?

So head out to San Francisco to catch up on what's going on in the world of identity. It's a little like attending a crash course - a lot to absorb, but a great way to catch up on everything. If you will be there, drop me a line. The hospitality suites are always fun and a good place to chat (Oracle will be hosting theirs on Wednesday). See you there.

June 19, 2007

Can Project Concordia guide us out of the morass?

On Lost, one of my favorite shows on TV, the lead character is fond of saying "Live Together, Die Alone". So much so that on one of the more recent episodes, one of the other characters told him "If you say that one more time, I'm gonna kill you" (I may be paraphrasing a bit).

That is probably how a lot of us in the identity community feel about the topic of interoperability. We have been talking about interoperability for so long, and have seen so many efforts come and go, that we may be feeling a bit jaded despite knowing how crucial it is to the survival of all that we have worked for. However, this year has seen some promising developments that again give us hope. Microsoft announcing the interoperability of CardSpace with OpenID at the RSA Conference was one such development. And more recently, I have come to learn of the Concordia Project, launched by members of the Liberty Alliance.

From their website you get a sense of what they are trying to accomplish:

"The Concordia project is a global initiative designed to drive interoperability across identity protocols in use today. It does this by soliciting and defining real-world use cases and requirements for the usage of multiple identity protocols together in various deployment scenarios, and encouraging and facilitating the creation of protocol solutions in the appropriate "homes" for those technologies."

Reading more on their wiki, it sounds like a big requirements gathering exercise aimed at documenting real problems that cannot be solved unless protocol interoperability exists. These requirements can then be fed to the appropriate technical group for resolution. The hope is that by focusing on requirement gathering, they can gather good data independent of vendor or protocol bias. Going back to basics is often a good way of avoiding the issues that plagued earlier attempts. Eric Norlin also points out that it is significant that this is the first organization focused on protocol interoperability that Microsoft will be an active participant in.

To take advantage of next week's Catalyst Conference, the Liberty Alliance is co-sponsoring the Concordia Workshop on June 26 at the San Francisco Hilton (where Catalyst will take place). The workshop will try to define and understand deployer needs with regards to interoperability and harmonization of different identity standards and protocols, through presentations by AOL, Boeing, GM, the Government of British Columbia and the US GSA. Sounds like an interesting opportunity to hear what some of the active consumers of identity technology are trying to do. I will definitely be checking it out to understand more and figure out how the project may be helpful to us as we define the ISF.

Attendance at the workshop is free; you can register and review the agenda at the workshop registration page.

June 21, 2007

The Simple Things Seldom Are

It's amazing how often we (and by "we" I mean those of us who deal with the high flying world of identity management) get brought back to earth by the reality of everyday life. Usually, this happens when someone asks such a simple and obvious question that we wonder how we overlooked it in the first place.

A while back, I was pulled out of the world of identity services, Open ID, protocols and exotic role structures by a simple request posed by a prospective customer. In evaluating our product, they were wondering (quite innocently) if there was any way to improve the rate of identity on-boarding and ongoing reconciliation by a factor of 10.

"A factor of 10", we mused? Why? Obviously everyone wants fast performance, but this is taking things to a whole new level. As an engineering organization, we have already put in a fair amount of time optimizing the behavior of the product to make it work as efficiently as possible, bringing performance to a level that matches the benchmark requirements of our (fairly large and sophisticated) customer base. On top of that, we have tools and best practices to help customers create solutions that fit their needs. Despite all of these, we were not going to meet their requirements.

A little work helped us identify the solution to their problem (it was based on a divide-and-conquer approach of data segmentation and parallel scheduled jobs). So we were able to achieve the required throughput. But it required some fancy footwork and fancier system configuration.

And just this week, I heard the same requirement again. Except that this time, the required factor was 100. It made me think "The more things change, the more they stay the same". For all the fancy capabilities we are trying to add on to our product lines, we just can't afford to ignore the fundamentals.

Yesterday I read a post by Mark Dixon talking about China Mobile. The statistics are incredible:

  • 327 million subscribers
  • 5.28 million subscribers added in May alone.

The implications are pretty clear. For identity services to become a reality, IdM products (like ours) need to scale up tremendously, without sacrificing all the bells and whistles that have been added (for auditing, role management, automated provisioning and compliance, among other things). As technologies like Open ID and CardSpace move us closer to the day of a single internet identity (one hopes), the applications that rely on the identity services to make all this possible are going to demand better functionality without any sacrifice in performance.

This will require work at every level of the stack - the data store, the application container, the IdM service provider, the identity frameworks and the applications themselves. Oracle is working hard on all of these. But for all that, I look at some of the efforts underway (like in the Higgins project) and some of the technology protocols (like XACML) and wonder: Are we really ready for something like this?

What do you think?

June 27, 2007

Project Concordia Has Its Work Cut Out For It

I attended the Project Concordia workshop yesterday, ahead of the Catalyst conference. I mentioned the project in a blog post last week; it has the worthy goal of trying to initiate efforts that make sense of the competing standards and methodologies that exist in the identity world. I found myself enjoying the kind of lively discussion that makes you glad to be part of such a dynamic community. Built around 5 use case presentations given by organizations deploying identity solutions today, the goal of the workshop was to identify the protocol interoperability challenges that these implementations are facing and what needs to be done to solve them.

The use cases presented by AOL, Boeing, Govt. of British Columbia, GM and US-GSA were quite detailed and very articulate with regards to the challenges being faced in their deployments. Since the discussion was one of standards and protocols, the discussions focused primarily on the authentication and federation pieces in the identity management puzzle (as those standards are the most evolved in the identity space).

Some common themes emerged in the discussions:

  • Usability of the authentication process was identified as an area that is greatly lacking, and potentially needs some work by the standards bodies. The whole idea is to make the life of the end-user easier. Users shouldn't have to worry about which credential they need to use, but should still have a choice of which credential they want to use.
  • Seemingly at opposite ends of the spectrum, incorporation of the device into the authentication process (reliance on OS authentication) and independence from the device (for portability of identity across laptops, cellphones and kiosks) were identified as being key requirements.
  • Setting up federations still requires too much investment and time, preventing it from being a scalable solution to the single identity problem.
  • In the context of single sign-on across web applications, the topics of session timeouts and global logout generated much discussion.
  • Standards are being unevenly implemented by vendors. All cover the basic aspects of the spec, but none implement the whole spec, usually falling short on edge features, which causes confusion, surprises and incompatibility.
  • Everyone agreed that the non-technology aspects of federation are more complex than the technical aspects.

The AOL use case was very interesting as it was the only one that was purely in the consumer space, and discussed the role their OpenID strategy plays in it. The others had more of an enterprise feel to them. At the same time, enterprises like Boeing and GM stated that they were actively trying to figure out where OpenID would fit into their business model. GM and Boeing both spoke to the issues of deploying federation with thousands of partners, and for a mobile workforce in manufacturing environments where issues of presence and entitlement management are key. The Govt. of British Columbia presented an interesting challenge of creating a federation with both large and small "organizations", where organization is a loose term that not only covers businesses but also small proprietorships like doctors' offices, where the opportunity to deploy complex software does not exist.

The use case presentations engendered some lively discussions that were both entertaining and thought-provoking. Mike Beach of Boeing (never one to shy away from creating controversy) questioned the need for interoperability, postulating that maybe convergence of the standards is better. That is the essence of the challenge that Project Concordia faces - how to come up with an elegant, usable solution out of the morass of standards that different interests have thrown into the ring.

June 28, 2007

Catalyst Conf. Notes: Burton takes "Control"

After a day and a half, I can safely say that Catalyst is living up to its reputation of being on the cutting edge of identity trends and issues. After a typically boisterous start to the conference on Wednesday, where Mike Neuenschwander set the tone by introducing a superhero called "Captain Controls", the conference settled into its usual mix of tactical evaluation and prognostication on possible futures and architectures. Meetings forced me to miss a few more sessions than I would have liked, but I still managed to get enough of a taste for the discussions taking place.

Application-Centric IdM Goes Mainstream
One of the cool things for Oracle is that Burton has actually identified "Application-Centric Identity Management" as a legitimate methodology in the identity management space (in contrast to System Management methodologies). I have been blogging about this for a while now, as this is the main philosophy at Oracle. Of course, the reason for the elevation from buzzword to legitimate methodology is the wave of application vendors like Oracle, Microsoft and SAP that are entrenched in IAM now, and are working towards the creation of identity as a well-defined aspect of application development in their own applications and in the development environments they provide. This was reflected today when they took the stage in succession to explain their vision and strategy in the IAM space.

Federation Evolving
One of the interesting themes of the first day sessions was an exploration of the relationship between federation and user-centric technologies (like OpenID), and their impact on both consumer and enterprise environments. After starting with a hard look at how traditionally understood federation is doing, the discussion transitioned to the state of progress in user-centric identity technologies (through a characteristically entertaining presentation by Dick Hardt). Burton made the point that loosely coupled identity provider and relying party networks, connected via user-centric technologies like CardSpace and OpenID could change the way enterprises handle the problems that today rely on legally and procedurally heavy federation mechanisms.

The Theme For This Year: Identity Controls
Mike Neuenschwander did not disappoint the crowds yesterday with a hugely entertaining sketch involving Captain Controls, a superhero that I hope will become a recurring character (Go here to see a video of the sketch posted by IdentityWoman Kaliya Hamlin).
[Image: Captain Controls challenges Mike]
And while it was entertaining, it beautifully illustrated the emergence of the latest buzzword in identity management - Identity Controls. Briefly introduced on Wednesday, the topic was thoroughly explored on Thursday through sessions that took on the emerging technologies in Enterprise Role Management, Entitlement Management (aka Authorization Services) and Identity Audit, a group that Burton refers to by the acronym PPM (Policy and Privilege Management). It represents the next step in the continuous evolution of IAM from an IT concern to a Business concern, and reflects the growing importance of IAM in the area of corporate risk management and governance.

Microsoft and Oracle Get It; SAP Not So Much
The message of Identity Controls was further consolidated in the following presentations by Microsoft, SAP and Oracle. These sessions were revealing in that they showed the maturity of Microsoft and Oracle in the IAM space, while SAP is still trying to catch up. I'm sure this will be dismissed as a biased opinion, but my (some would say surprising) admiration of Microsoft's new IAM philosophy will hopefully negate that. From the tone and content of the sessions, you could see that there is a huge gap between the deep understanding of IAM that Oracle and Microsoft have, and the early stages SAP finds itself in. SAP did get the GRC market going through the Virsa acquisition and integration, but they only recently seem to have realized the importance of identity in the controls business. It was illuminating that while the Microsoft and Oracle presentations both went into great detail about their vision for identity as an integral component of application architecture, the SAP talk concentrated on what they have learnt from their customers and on touting their recent MaxWare acquisition.

[Image: Thomas Kurian keynote - Oracle SVP Thomas Kurian explains Oracle's Application-Centric IdM]

The second half of the day concentrates on Identity Services, something all of you know I am passionate about and am helping drive within Oracle. Phil Hunt of Oracle will be on a panel discussing the notion of identity as a service. Should be interesting.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle. More...


About June 2007

This page contains all entries posted to Talking Identity in June 2007. They are listed from oldest to newest.
