Federated provisioning could exist

If reason prevails federated provisioning could become a reality

Security Identity Management Alert By Dave Kearns, Network World
February 25, 2009 12:01 AM ET

Today we'll wrap up our current discussion of federated provisioning. That's easy, because there really is no such thing today. But there might be if reason prevails. Let me tell you about it.

We’ve seen that SAML (Security Assertion Markup Language), a workhorse of federation technologies, and SPML (Service Provisioning Markup Language), the language of provisioning, don’t work together at all. Both, however, do the jobs they were designed to do, so few are willing to make radical changes to either or both in order to accommodate the federated provisioning process.

Some have suggested that XACML (eXtensible Access Control Markup Language) might be the answer. But it not only suffers from the same problem as SPML (no interaction with SAML), it also suffers from a certain amorphousness as it tries to be all things to all services and apps. It does not in any way improve on the SPML situation.

But there is a possibility lurking in a committee at the Liberty Alliance.

The Identity Governance Framework (IGF) was launched just over two years ago by Oracle and was turned over to the Liberty Alliance in 2007. The basic work has been done; all that remains is adoption – and use – by identity providers and application/service vendors.

If, like many, you’re still a bit fuzzy on IGF, here’s a reminder:

“The Identity Governance Framework (IGF) is designed to allow: (1) application developers to build applications that access identity-related data from a wide range of sources, (2) administrators and deployers to define, enforce, and audit policies concerning the use of identity-related data. IGF has four components: (a) identity attribute service, a service that supports access to many different identity sources and enforces administrative policy, (b) CARML: declarative syntax using which clients may specify their attribute requirements, (c) AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information, and (d) multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes.”

This is what is needed not only for federated provisioning, but also to ensure that applications and services are identity-aware and, beyond that, identity-driven. It offers the promise of identity-based security, identity-based preferences, data portability, cross-silo authorization and much more.

So what does IGF need to go forward?

It needs active support from the major players. It needs Sun, IBM, Microsoft and others to include a CARML (or CARML-like) language in their programming environments (Java, C#, the .NET framework, and so on). It also needs them to use this language in their own applications and services and to encourage its use by third-party developers.

The technology landscape is littered with concepts, protocols, and tools which showed much promise but were never adopted – for one reason or another, but usually for the NIH (Not Invented Here) reason. It’s time to forget parochial interests and band together behind good technology that will help everybody.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.