Finally getting around to participating in the latest stream of blog postings following up the "meta-directory is dead" and "daddy, does Active Directory grow on trees?" discussions...
Now you just have to wait until Ian boils this down to a single sentence again and Dave Kearns finds me secretly agreeing with Kim Cameron on something and the discussion will have come full circle. :-)
James McGovern - July 13
James wants to know 5 things (paraphrasing and with my replies embedded):
1. Why shouldn't we all just put our identity eggs in Microsoft's basket since everyone already has some Microsoft?
[CLAYTON] If you consider that most companies also have Oracle databases and most of the information you'll be needing for fine grain entitlements (meaning the stuff beyond username/password) is stored there, shouldn't this question be why you're not putting your eggs in an Oracle basket?
[CLAYTON] Or better, yet, most of you are using some form of Oracle application (HR? CRM?) to master things like reporting structures, department-based groups, cost centers, who's purchased what product, and so forth. If we're going to pick de-facto standards based on existing deployments, why stop at the directory niche? This information is all coming online with web services and ultimately via identity services.
[CLAYTON] I'm using these examples to demonstrate that very little reusable enterprise information outside of username, email, and some groups are mastered in Active Directory. Sure, some people do use it for more, but it can't be counted on...
2. Are current provisioning products too dependent on central sources?
[CLAYTON] Not to my knowledge. I think it's the opposite. They assume that you don't have a central source...at least ours does.
3. Should virtual directory technology be embedded in new software or stand-alone?
[CLAYTON] We're doing both. We know that nobody will rewrite the old stuff, which needs to work in new identity environments. We also know that some vendors will just never get identity. On the other hand, with Oracle products the push is definitely to at least include a base level of virtualization to improve open-ness.
4. The ideal solution is for people to just write better apps and avoid using virtual directory.
[CLAYTON] Agree. I'd like my car to stop using gas, too. :-) Until that date when every app gets there, we've got virtual directory. We'll continue to publish our own best practices and tools via Liberty Alliance's IGF project and enable our own applications to take advantage of mixed environments.
5. Why aren't more people talking about CARML?
[CLAYTON] There's not been the kind of controversy that sometimes keeps things in the headlines. Quiet progress, if you will. VERY good and impressive progress, though. I think you'll start hearing more about this, though hard to tell if some of the more system-management focused vendors you mentioned will be at the forefront here. After all, most of them don't even have (or understand) virtual directory yet...
Jackson Shaw - July 15
I'll visit some of Jackson's other comments in another post, but wanted to address this part, which goes with James' question #5 above:
What's CARML? Can someone explain it to me? Certainly, until Gartner says it's important I won't be thinking about it... ;)
I'm very glad that Jackson puts his full and total faith in Gartner, because as we all know, the latest Identity Management Magic Quadrants look something like this:
Oracle -> Leader
Everyone Else -> Not So Much
Forester is pretty much in the same boat. So I guess you can all just make those checks payable to Oracle. :-) Joking aside, while I love a nice roll up, especially when they're in my favor, the truth is that things aren't always what they seem.
As I said, I'll drill into his specific comments in my next post.
Jeff Bohren - July 21
I'm in pretty awesome agreement with Jeff that the problem is in the apps that are out there today being account-centric vs. identity centric. Not to mention his experience with Active Directory deployments:
To answer the rhetorical question, the vast majority of AD deployments are not intended as identity stores (at least from my experience). In most enterprises AD is used to manage and control user access to Windows workstations, the intranet, email, and enterprise web applications. AD is not usually intended as a central repository of identity, although it often becomes that with varying degrees of success.
Of course, the hard question is how do you solve it, eh?
A few commendable vendors such as SAP support SAML, but it’s a very small list. Support for external identity services or other identity standards such as SPML and XACML is nearly non-existent.
Wow. Those are the most glowing words I've ever heard about SAP's efforts in the identity realm -- ever. Certainly not the kind of words I'm used to hearing from analysts. :-)
SPML certainly isn't a cure-all. XACML helps and we've got a strong product and even better strategy in this area, but it comes down to application adoption. This is certainly why we're building key integration with fine grain authorization into the platform stack as much as in stand-alone products.