Today we'll wrap up our current discussion of federated provisioning. That's easy, because there really is no such thing today. But there might be if reason prevails. Let me tell you about it.
We’ve seen that SAML (Security Assertion Markup Language), a workhorse of federation technologies, and SPML (Service Provisioning Markup Language), the language of provisioning, don’t work together at all. Both, however, do the jobs they were designed to do, so few are willing to make radical changes to either or both just to accommodate the federated provisioning process.
Some have suggested that XACML (eXtensible Access Control Markup Language) might be the answer. But it not only suffers from the same problem as SPML (no interaction with SAML), it also suffers from an amorphousness as it tries to be all things to all services and apps. It does not in any way improve on the SPML situation.
But there is a possibility lurking in a committee at the Liberty Alliance.
The Identity Governance Framework (IGF) was launched just over 2 years ago by Oracle, and was turned over to the Liberty Alliance in 2007. The basic work has been done; all that remains is adoption – and use – by identity providers and application/service vendors.
If, like many, you’re still a bit fuzzy on IGF, here’s a reminder:
“The Identity Governance Framework (IGF) is designed to allow: (1) application developers to build applications that access identity-related data from a wide range of sources, (2) administrators and deployers to define, enforce, and audit policies concerning the use of identity-related data. IGF has four components: (a) identity attribute service, a service that supports access to many different identity sources and enforces administrative policy, (b) CARML: declarative syntax with which clients may specify their attribute requirements, (c) AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information, and (d) multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes.”
This is what is needed not only for federated provisioning but also to ensure that applications and services are identity-driven, not merely identity-aware. This offers the promise of identity-based security, identity-based preferences, data portability, cross-silo authorization and so much more.
So what does IGF need to go forward?
It needs active support from the major players. It needs Sun, IBM, Microsoft and others to include a CARML (or CARML-like) language in their programming environments (Java, C#, the .NET framework, and so on). It also needs them to use this language in their own applications and services and to encourage its use by third-party developers.
The technology landscape is littered with concepts, protocols, and tools which showed much promise but were never adopted – for one reason or another, but usually for the NIH (Not Invented Here) reason. It’s time to forget parochial interests and band together behind good technology that will help everybody.
Upcoming event: Tuesday, March 17, 1-2pm EST.
“Roles-Based Access Governance: Methodology and Implementation Guidelines” with Aveksa CTO Deepak Taneja.