Virtual Directories + Provisioning = No more Metadirectory
By Nishant Kaushik on Mar 21, 2008
There has been an interesting discussion going on regarding the fate of metadirectory technology. Dave Kearns talked about it in his newsletter recently (see: Is the metadirectory dead). In it, he quoted Jackson Shaw, who brought it up as context to HP's recent retrenchment:
"Let's be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead."Kim Cameron questioned this in his response. The flaw in his argument (imo) is in lumping directory and metadirectory technology together. Nobody is saying that the directory is dead. It still is (and will continue to be for the foreseeable future) the best storage mechanism available for identity data. What is being said is that the metadirectory approach of taking directory based storage and adding centralization processes and technology (the synchronization, arbitration and flattening of data inherent to the metadirectory story) doesn't make sense in the brave new world of identity services we are moving towards.
Centralization of data still exists, and will continue to for some time to come. But for a while now, the solution there has been provisioning technology, not metadirectory (see my previous blog post on this topic). Provisioning adds a crucial overlay of policy, controls and process onto the rationalization of identity data (centralization being a byproduct of this).
Where workflow and process are not needed there is no longer a need to centralize, as virtual directory technology provides a scalable, manageable solution far superior to what metadirectory used to provide. Oracle (for one) recognized this a while ago when it bought the technology that became Oracle Virtual Directory.
Virtual directory technology is fast becoming the underpinning of the "identity bus" (as Kim calls it) in an Identity Services based architecture. It provides a services interface that pulls the identity data from where it sits, and transforms it into the claims that the consuming application is interested in. It acts as an abstraction/indirection layer between the identity producer (HR, CRM, Corporate Directory, you name it) and the identity consumer. It also acts as a gatekeeper, ensuring that data use is authorized and policy-compliant. Oracle's efforts at defining the IGF standard is an attempt to add much needed controls into that interaction of producer and consumer, and OVD is on the very frontlines of this effort.
As always, the mantra should always be to choose the right tool that solves you problems. An Enterprise's best bet is to put in place an infrastructure that is a nice blend of provisioning and virtual directory. This infrastructure will continue to evolve as the vision for Application-Centric identity evolves.