Virtual, Meta, and Identity Buses -- Oh My!
By Clayton on Apr 15, 2008
Wow. Lots of good discussion lately on both the identity services topic as well as general directory services (meta, virtual, and the like).
I'll start with Jeff Bohren's AD as the elephant in the room post.
I agree with Jeff that Active Directory is almost always a source for internal user information. I also agree that LDAP is everywhere (having written a book on LDAP and one of the early Perl interfaces to it along-side Netscape, I MAY be biased on this point).
What I think his post misses is the fact that most LDAP access in most applications is poorly written, even when using ADSI or ADO to talk natively to Active Directory. I can't count the number of virtual directory deployments that we've sold to help customers in environments that were nearly 100% Microsoft (ADO/ADSI-enabled apps talking to Microsoft AD). Many of these deployments were to get around bad schema assumptions, others were to get around topology issues or forest boundary issues.
While we sell virtual directory technology, we hate making our customers pay money to solve such tactical issues. We want to be layering on higher-order value.
So when Phil Hunt or others talk about the Liberty IGF project, what they're really saying is that we want a better way to give application developers a way to code something in a way they understand and can do well rather than a native access protocol that requires specialization. So while LDAP isn't going away and everything from virtual directories to identity buses will need to support native access over LDAP to be successful, not looking at what developers are learning and using every day would be a mistake.
Keep in mind that developers must integrate with a LOT of technologies to build an enterprise application or portal. For example, a portal may be integrating with HR, CRM, and ERP systems. That integration is increasingly happening via web services. Giving these developers a mandate to use a completely different type of technology to integrate identity will only make identity more specialized and less standardized and understood over time. That is a recipe for disaster.
And as for Active Directory itself being the center of the universe? Hardly. While it may be the center for usernames, emails, and passwords of internal users for most enterprises, it is not as popular for extranets and Internet facing users.
As for Kim Cameron's post on second generation meta-directory and the identity bus, he knows better than me what the original ZoomIt product was capable of (and oddly enough, I've heard enough rants in the past from Phil Hunt about how much he loved that product that I'm inclined to agree that it could in fact, do these things).
Here are Kim's three key requirements for an identity bus:
By "next generation application" I mean applications based on web service protocols. Our directories need to integrate completely into the web services fabric, and application developers must to be able to interact with them without knowing LDAP.
Developers and users need places they can go to query for "core attributes". They must be able to use those attributes to "locate" object metadata. Having done so, applications need to be able to understand what the known information content of the object is, and how they can reach it.
Applications need to be able to register the information fields they can serve up.
His first point is exactly the same as my point above. LDAP is great. LDAP is ubiquitous. LDAP is not, however, the future of identity access.
On the second point, that place today can be a directory, database, web service, or just about anything else -- and usually more than one of these. The big issue for developers and IT organizations is that it's hard to predict where this data will live by the time an app goes into production, so some abstraction service must exist. I'll disagree with Kim here and say that real virtual directories do an EXCELLENT job at navigating these complexities by giving application developers a sort-of identity dial-tone. Make one call and get your full identity. We even have people who do this over web services rather than web services for some applications, but there needs to be more standardization here.
On the final point, I'll go further. It's a two-way street. Applications need to register their identity needs and repositories need a way to have their available attributes (and policies on those attributes) discoverable. Only then will supply and demand be accurately mapped, allowing services (whether based on IGF or an identity bus model) to thrive.