It was interesting to see the amount of discussion going on around the topic of Identity Services. At DIDW, there were a number of different sessions that looked at different parts of the Identity Services challenge. Kim Cameron talked about claims-based identity transactions in his keynote. All the different discussions on Liberty's Identity Assurance Framework were trying to deal with improvements needed in the authentication service. Some of the necessary standards discussions came up in the session on "Bootstrapping Identity Protocols". And of course Jamie Lewis talked about it in his keynote.

At OpenWorld I once again took on the task of trying to illuminate the masses on identity services. It isn't a topic that usually gets a lot of interest at OpenWorld, since the attendees are mostly interested in figuring out real world implementation issues. So the sessions most attended were the ones that looked at best practices and customer case studies. Also, being scheduled for the first session of the day at 9am didn't help drive up my attendance numbers.

But I did get a pretty decent crowd, all things considered, and got some good questions and very good feedback and validation on the content of my presentation. I did try to spice it up by throwing in a bit of humor centered around "The Love Guru" (since identity services is all about achieving identity nirvana); not sure if that helped or hurt. I wanted to post the presentation here for all of you, but OOW presentations are paid content controlled by Oracle, so I can't. But I will be adapting that presentation for some talks I am giving to customers on the topic of Identity Services, and I will post that presentation, along with a discussion of how my architecture has evolved, in an upcoming blog post.

October is looking to be just as busy. Of course there is all the usual stuff going on at Oracle. Tomorrow I'll be doing a quick dash across the border and back for the second all-day workshop of the ISWG. Then later this month I will be heading to Europe, where I will be meeting with some customers and attending Burton's European edition of the Catalyst Conference. I will be part of a panel that includes other ISWG members from TD Bank, BT, Credit Suisse, IBM, Sun, Novell and, of course, Burton that will be talking about Identity Services and presenting some of the work we have done in the working group. Catalyst Europe is in Prague, which is a city I absolutely love, so I am pretty excited about that too. Should be a fun month.

Oracle's big shindig is the place to come to if you want to find out about all that is going on in the world of Oracle. And this year is no different. The conference is bigger than ever (I hear upwards of 43,000 will be attending), and there will be some big announcements at the keynotes. Oracle Identity Management will be well covered at the show, both on the demogrounds and in the many sessions, where IdM got its own track.

Not surprisingly, I will be speaking on the topic of Identity Services. My 3rd session on the topic continues the discussion I started 2 years ago in a session on application-centric identity management. If you are going to be at OpenWorld, then definitely come check out my session, as I delve into the practicalities of building an Identity Services Platform for your enterprise.

Session ID: S298923
Session Title: Building an Identity Services Layer with Oracle Identity Management
Venue: Marriott
Room: Golden Gate C3
Date: Wednesday, 24th September 2008
Start Time: 09:00 am

During the session, I will present how one can go about deploying identity management in a way that enables the development of identity-enabled applications. I will also discuss some of the things I have learnt from participating in Burton Group's Identity Services Working Group, my many conversations with the identirati at Catalyst and DIDW this year, and from my continued involvement in Project Fusion, which lays down the architecture for the next generation enterprise application. Unfortunately I drew the short straw and got the 9am shift, so there are sure to be people who won't make it as they recover from their shenanigans the previous night. Hopefully I will still be on East Coast time, and sufficiently caffeinated :-)

And as always, I will be twittering my observations from OpenWorld in real-time, so be sure to follow me for the latest. I hear there will be a number of interesting announcements.

See you in San Francisco.

I felt a little bit like the blind men examining the elephant, except that I could see a little bit. So while everything being talked about looked and felt like different things addressing unique problems, I could also see a little of how they interconnect and relate as part of a larger, more cohesive whole. This was especially true of the sessions on the Identity Assurance Framework, Identity Protocols, Identity Services and VRM, and my conversations with Kim Cameron, Doc Searls and Bob Blakely, among others.

The remainder of my week is being spent at Oracle HQ, so I will be pretty busy in meetings. I will therefore post more detailed thoughts on specific topics that came up in the sessions at a later time. In the meantime, you can check out the real-time stream of consciousness thoughts I had at DIDW by clicking this link to read my Twitter posts from the conference.

Also, I will be connecting with a number of folks who are coming out to DIDW, both one-on-one and in some interesting group settings. Matt Flynn has organized a blogger meet, which I look forward to, since my attempt at a Tweetup sort of fell flat. Should be interesting. Again, grab me if you see me at the opening reception or at the demogrounds, or while I am rushing from one session to another, if you want to chat.

Continuing something I started as an experiment at Burton Catalyst, I will be twittering extensively during the conference, sharing what I am hearing, my thoughts and the experiences of DIDW (provided I can snag a power outlet and/or AT&T 3G can avoid going down again). Be sure to follow me at http://www.twitter.com/NishantK if you are interested in my perspective on the proceedings.

Dave postulates that the solution is based in the idea of Digital Personas. If I am reading his thesis correctly, he basically says that a person (an entity) can keep his online transactions un-linkable by using different personas (as represented by different information cards) that are kept separate and distinct at the source (namely the user and his IdP). In this way, common identifiers are avoided (not sure about that, since the most common identifier - an email address - is likely the same across most, if not all, of your personas), and so correlation reports cannot be built that harvest and mine data.

While Dave is clearly working with the constraint of what is possible today (both on a technological and legal footing), I think this solution puts too much of a burden on the end-user, since this requires the user to maintain multiple personas across the various applications he interacts with. In other words, even if the persona I want to present (PII attributes, credit cards, etc) to two different applications is exactly the same, I would need to create two different personas (in effect duplicates) if I want to make sure that there is no linkability. One can see the potential for persona explosion.

This is like saying that a user (who is extremely paranoid and wants no one building a consumer profile by looking at his purchase history) should maintain a different credit card (in effect tens or a few hundred) for every merchant he interacts with. That is comletely impractical. But just like there is no recourse today for consumers in this arena (the SSN, home address information, etc that every credit card record has enables complete linking, and results in the massive databases that telemarketers thrive and live on), it seems that there are no legal and technological solutions enabling the consumer to use the same persona while guaranteeing non-linkability. It's an interesting problem that I think needs to be addressed by the identity community, because if it isn't, linking of our online identities will happen (whether we want it or not), because the burden of maintaining multiple personas is just too much work, and user habits will prevail (just like it does in the matter of username-passwords).

While DIDW (like any conference) tends to have its share of vendor sales pitches, it is always good for a few sessions to inspire me and give my gray cells something to work on. My biggest problem tends to be figuring out how to divide my time, because unlike Burton Catalyst, where I know which track to just plant myself in, every session on the agenda here is related to identity. Looking at this years agenda, I see some interesting sessions planned.

Oracle will obviously have a big presence there. Besides being a Platinum sponsor, there will be a few folks from Oracle speaking:

• Eric Leach will be talking on "Next Generation Access Management Solutions" [Sept 9 from 12:20 - 1:10pm]
• Phil Hunt will be talking about the Identity Governance Framework [Sept 10 from 3 - 3:50pm]

And some of our customers will be on panels discussing lessons learnt in tackling some thorny identity issues:

• Brenda Hughes from Cisco on "Successful Compliance Deployments" [Sept 10 from 11:25am - 12:15pm]
• Vikas Mahajan from AARP and Divya Sundaram from Motorola on "Successful Virtual Directory Deployments" [Sept 10 from 11:25am - 12:15pm]

(Hmm, too bad both the panels are at the same time)

I know a lot of folks that will be making it out to DIDW, so I look forward to some interesting conversations over food and libations (drinks are always a good way to get the tongues wagging). An attempt I made on Twitter at organizing a tweetup at DIDW didn't really take off, probably because it was too early for people's plans to be made. But if you are going to be there, let me know and I would love to meet up. And I will be spending some time at the demogrounds earning my keep, so stop by if you just want to have a chat.

1. What are the strategic advantages of becoming an IdP?
2. As a consumer or RP, how do I know if an IdP is reliable?

I don't think I can authoritatively answer these, but I do have some thoughts. And keep in mind that these points apply to any IdP-RP based technology, not just OpenID (think of Facebook Connect opening itself up to be an IdP to other applications).

What are the strategic advantages of becoming an IdP?

Well, for one, you get all the marketing buzz associated with doing something with an emerging, potentially game-changing standard. And marketing buzz is always good, especially when you can get it relatively easily (as Johannes points out).

Secondly, being an IdP allows you to hold onto the all-important identity data that is the fuel of any IdP. This is tied to the continuing value associated with "owning the identity silo". And it gives you a way to even expand that identity database, since you (presumably) have other websites (RPs) redirecting new users wishing to use their services to your sign-up page.

Also, it would appear that becoming an IdP gets you a pass on having to become an RP. The large identity stores to join the foundation board, can all say they did something with OpenID, without having to tackle the difficult and (probably from their point of view) less desirable task of opening their systems up to rely on other parties as RPs.

As a consumer or RP, how do I know if an IdP is reliable?

You don't. That is probably the chief reason why RP adoption is not taking off. As even Scott Kveton over at the OpenID foundation has said:

OpenID has two challenges it faces to increase adoption and use; security and usability

This isn't much of an issue now since the RPs that openly support OpenID (pardon the pun) don't have major security requirements. And the ones that need a little more reliability are going the restricted OpenID Provider route ("log in with your Yahoo ID").

Without the security thing figured out, its going to be hard to figure out whether an IdP is reliable or not (whether you're an RP looking for an IdP to rely on, or a consumer looking to sign up for an OpenID somewhere). Hopefully something like the Identity Assurance Framework will emerge as a way to properly advertise the level of security and reliability a particular IdP provides.

In the same post, Scott says:

security and usability will be key drivers to OpenID adoption moving forward

They'll be more than just drivers. Solving those issues will break the dam that is currently holding widespread adoption back.

Gartner has released their latest Magic Quadrant on User Provisioning. It's good to see that we have built on our previous success to emerge as one of the best (if not the best) in the Provisioning industry. I can remember the days at Thor when we would have given up our firstborns to achieve something even close to this kind of recognition.

Good to see that all the hard work at making Oracle Identity Manager easier to use, configure and manage is starting to show dividends. Gartner specifically recognized some of the key improvements we made to the product in the last release: our new Graphical Workflow Designer, the new Connector Installation Wizard, and improvements to our Generic Technology Connector and Reconciliation Manager.

The report also gives props to our strategy of Service-Oriented Security, which is laying the foundation for an identity services based deployment of identity management. The report does seems to assume that our Application-Centric concept is different from SOS, and that we have moved away from it. The truth is that SOS is simply an expansion of our earlier Application-Centric vision, which looks to make it easier for identity-enabled applications to be built by using identity constructs made available in the development environment.

Gartner makes note of the strong competition we will continue to face from Sun, IBM, Novell and a slew of other products. And there is no dearth of recent articles noting the continuing troubles enterprises face in provisioning deployments. So while it feels good to be at the top of the pile, there is still a lot of work to do as we try to keep the momentum going.

You can check out a copy of the report, compliments of Oracle, here.

Coincidentally, the version we are developing internally is code-named IDx (According to Kim, Microsoft's internal name for Zermatt used to be IDFX). The first version is being built as the underlying platform for Fusion Applications. But my main job on this project is to make sure that it does not end up as an Oracle proprietary framework, and can become a true development platform on which anyone can build identity-enabled applications, running on top of any identity management provider (MS, Oracle, Sun, etc.).

That is a challenging task, and requires a strong standard API as an abstraction between the application and the identity management providers supporting it. One of my hopes for the Burton Groups Identity Services Working Group is that they will help us ratify what this standard interaction needs to be (of course, we are planning on contributing in a major way to the definition of these APIs, and have been working hard on some aspects of these as part of the IGF initiative). Hopefully, we can do the right thing, and justify Pamela's optimism for the future.

Zermatt allows applications to incorporate a claims-based identity model for authentication and authorization. The claims-based model is one that I brought up in my talk at DIDW almost one year ago. Microsoft has published a whitepaper in conjunction with the Beta release, and I'll be taking a look at it to learn and to contrast it with our approach. I'll talk about my thoughts on Zermatt in the upcoming weeks.

The new feed URL is: http://feeds.feedburner.com/TalkingIdentity

Seems like some feed readers don't provide a way to simply update a feed url. You have to unsubscribe from the old and re-subscribe to the new url, unless you want to keep getting duplicate feeds :-)

Thanks again for reading. I'll try to keep it interesting.

The latest to suffer an identity theft breach - the innovative CLEAR system that speeds frequent travelers through airport security by collecting personal data, doing an extensive background check and issuing smart cards. Stolen from a "locked" room in San Francisco  airport was a laptop with the data for 33,000 travelers.

This line from the slashdot report was priceless:

The company has now decided that it might be a good idea to encrypt the data in their systems.

Thanks to oracletechnet for bringing this to my attention.

The post is grossly inaccurate on several counts. For one, Oracle IdM wouldn't be experiencing the phenomenal growth it is if we were giving away the software for free (a dirty word in many quarters). Paul also says "Every day of every week we go head-to-head with Oracle and we never  loose technically". Really, never? That's a bit of an overstatement, isn't it? I have personally been involved in quite a few deals where we (as Thor and later Oracle) won the technical evaluation. And Sun was always part of the competition. Paul thinks that "when it comes to Identity Management they (Oracle) certainly have an advantage in that they own the back-end". If owning the back-end were such an advantage, Microsoft would rule the roost because of AD (uh oh, I'm not starting that whole fracas again), and we would have won no deals as Thor.

Sun has always been our strongest competition in the provisioning space (back since they were just Waveset), and it was always a healthy competition, which is why such a post surprises me. They have a very good product, just like a few other vendors, and each product brings something different to the table, which means that the customers that bought them usually did so because they were a better fit for their needs.

Being big bad Oracle can be an asset in some deals, but it can also be a disadvantage. On a few occasions I have tasted the bitter pill of not getting the deal despite the evaluation win for business/political reasons, a reality that every company has to deal with no matter how big or small they are. But by and large. most enterprises work very hard to try and make the right choice of vendor based on who solves their problems, not backroom politics or a difference in dollar amount. IdM is just too complex to cripple yourself further with bad decisions made for petty reasons. Oracle, Sun and every other IdM vendor is competing in a congested market where the winning formula is value proposition and customer satisfaction. Boutique vendors wouldn't survive, even thrive, in this market if that were not the case. HP would not have exited the market if this wasn't true.

But the post did remind me of something that I do want to touch on, and would definitely play to Oracle's position in the space - the many customers that are looking for deeper integration between ERP and IdM. I'll touch on this in a later post.

Now, in his post, Johannes points out the reality of OpenID adoption - that it is a classic chicken-and-egg problem. As he points out, becoming an OpenID Provider is quite easy and relatively harmless (though reliability concerns do enter the picture), and mainly strategic in nature. On the other hand, becoming an OpenID RP has many more considerations and is far more operational, and therefore risky, in nature. By the very necessity of its invention, OpenID has to achieve critical mass in certain classes of IdP before it can be poked and tested to make sure that it is safe and reliable enough to support RPs. The adoption curve for any technology usually follows this kind of path, and so it is with OpenID. Today the RPs are mostly blog commenting systems and simpler, less sensitive services. Tomorrow, you could be using OpenID to authenticate to your online banking account. But there is a lot to be solved and proven along the path from point A to point B.

So if this path is exactly as it should be, what is there to be concerned about? Well, I guess I should have been more explicit in my last post. The thing that worries me is that the thinking seems to be that there is a lot more value in "owning the silo" -  in other words, being an IdP than an RP. So even if the OpenID industry does all the right things, will we ever get to the point where the number of OpenIDs a person has is a manageable number (the true intent of OpenID)? The way that the heavy hitters are rolling out their OpenID Providers leads me to wonder if the "exclusive" arrangements that are starting to pop up in RPs are going to become the norm, forcing users to maintain OpenIDs with a large number of Providers.

Obviously John Q. Public knows little, if anything, about OpenID. So expecting them to understand the message "Log in with your OpenID" on a website is irrational. The solution right now seems to have become websites displaying the message "Log in with your Yahoo ID" (which behind the scenes converts it into the requisite OpenID). This is a neat trick, but creates exclusive IdP-RP relationships that (in some sense) violate the spirit of OpenID. And given that these same heavy hitters now own many of the web properties that I would expect to be RPs (why is FlickR an IdP and not an RP?) makes me wonder if true OpenID adoption is getting pushed out by a few years, effectively postponing the work that needs to be done to make the OpenID system more robust in nature.

Maybe I'm being too pessimistic about all this. But as of today, I have accounts in about 60 different places that I actively use, and only 3 of them are an OpenID RP. I want to move on to the next level, and am wondering what needs to happen to precipitate that.

Pam's definition about why Enterprises should invest in identity is not new, nor has it never been said before. But it seems like periodically, people need to reiterate the message to remind people that they should keep their eye on the ball. Too many times, the people going into identity projects do so because of a corporate mandate, with little understanding of why exactly they need to do it, or what the needs are that they are trying to address.

But I don't quite share Pam's pessimism expressed in the second half of her post. When she asks

The really interesting question will be whether or not the big vendors will ever start enabling truly integrated provisioning and SSO support for the full range of their products. 

I think she asks a question that many have been asking, and some of us are starting to work on. The key word here is "work", because the vision for standardized identity services is still just that - a vision. Reality is that there are a number of enterprises out there that are implementing identity services strategies on their own, but there is no concrete way for COTS and SaaS applications to rely on identity services for these critical functions. Even Oracle's work in this area (which I have been blogging about for a while) is proprietary at this point, and very much driven by the vision for Fusion Applications that is articulated in Pamela's hope for stack offerings with an "integral adherence to an identity vision, instead of bolted-on adherence". This is one of the main reasons why I have joined the Identity Services Working Group that the Burton Group is running, to work with the community on defining the missing pieces that can make identity services a cohesive solution that all applications can be built on.