Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Today we'll wrap up our current discussion of federated provisioning. That's easy, because there really is no such thing today. But there might be if reason prevails. Let me tell you about it.
We've seen that SAML (Security Assertion Markup Language), a workhorse of federation technologies, and SPML (Service Provisioning Markup Language), the language of provisioning, don't work together at all. Both, however, do the jobs they were designed to do, so many are reluctant to make radical changes to either or both in order to accommodate the federated provisioning process.
Some have suggested that XACML (eXtensible Access Control Markup Language) might be the answer. But it not only suffers from the same problem as SPML (no interaction with SAML); it also suffers from an amorphousness as it tries to be all things to all services and apps. It does not in any way improve on the SPML situation.
But there is a possibility lurking in a committee at the Liberty Alliance.
The Identity Governance Framework (IGF) was launched just over 2 years ago by Oracle, and was turned over to the Liberty Alliance in 2007. The basic work has been done; all that remains is adoption – and use – by identity providers and application/service vendors.
If, like many, you’re still a bit fuzzy on IGF, here’s a reminder:
“The Identity Governance Framework (IGF) is designed to allow: (1) application developers to build applications that access identity-related data from a wide range of sources, (2) administrators and deployers to define, enforce, and audit policies concerning the use of identity-related data. IGF has four components: (a) identity attribute service, a service that supports access to many different identity sources and enforces administrative policy, (b) CARML: declarative syntax using which clients may specify their attribute requirements, (c) AAPML: declarative syntax which enables providers of identity-related data to express policy on the usage of information, and (d) multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes.”
This is what is needed, not only for federated provisioning but to ensure that applications and services are identity-aware and, beyond that, identity-driven. It offers the promise of identity-based security, identity-based preferences, data portability, cross-silo authorization and much more.
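To make the four IGF components concrete, here is an added illustration (not code from the column, from Oracle or from the Liberty Alliance, and not the real CARML or AAPML syntax): a consuming application declares the attributes it needs and the purpose it needs them for (the role CARML plays), a provider publishes per-attribute usage rules (the role AAPML plays), and an attribute service in the middle enforces those rules and records an audit entry for every decision. All names, attribute values and purposes are constructed for the example.

```python
"""Toy model of the IGF split between a client's declared attribute needs
(CARML's role) and a provider's usage policy (AAPML's role), with an
attribute service that enforces the policy and keeps an audit trail.
Constructed illustration only; the real CARML/AAPML are XML-based."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeRequirement:
    """What a consuming application declares it needs (CARML's role)."""
    name: str
    purpose: str            # why the client wants it, e.g. "provisioning"
    required: bool = True   # refuse to proceed if this cannot be released


@dataclass(frozen=True)
class UsageRule:
    """A provider's condition on releasing one attribute (AAPML's role)."""
    name: str
    allowed_purposes: frozenset
    allowed_clients: frozenset   # empty set means any client may ask


@dataclass
class AuditEntry:
    client: str
    attribute: str
    purpose: str
    decision: str
    reason: str


class AttributeService:
    """Enforces provider usage rules; the only path to identity data."""

    def __init__(self, rules, store):
        self._rules = {r.name: r for r in rules}
        self._store = store          # {subject: {attribute: value}}
        self.audit = []

    def _decide(self, client, req):
        rule = self._rules.get(req.name)
        if rule is None:
            return "deny", "no usage policy published for attribute"
        if rule.allowed_clients and client not in rule.allowed_clients:
            return "deny", "client not authorised by provider policy"
        if req.purpose not in rule.allowed_purposes:
            return "deny", f"purpose {req.purpose!r} not permitted"
        return "permit", "matches provider policy"

    def fetch(self, client, subject, requirements):
        """Return only the attributes policy permits; log every decision."""
        released, missing_required = {}, []
        for req in requirements:
            decision, reason = self._decide(client, req)
            self.audit.append(AuditEntry(client, req.name, req.purpose, decision, reason))
            if decision == "permit" and req.name in self._store.get(subject, {}):
                released[req.name] = self._store[subject][req.name]
            elif req.required:
                missing_required.append(req.name)
        if missing_required:
            raise PermissionError(f"required attributes not releasable: {missing_required}")
        return released


# Constructed provider policy: which purposes and clients may see each attribute.
PROVIDER_RULES = [
    UsageRule("email", frozenset({"provisioning", "notification"}), frozenset()),
    UsageRule("department", frozenset({"provisioning"}), frozenset({"hr-provisioner"})),
    UsageRule("ssn", frozenset({"payroll"}), frozenset({"payroll-app"})),
]

# Constructed identity store for one subject.
IDENTITY_STORE = {
    "alice": {"email": "alice@example.test", "department": "Finance", "ssn": "000-00-0000"},
}


def provision_alice():
    """A provisioning client asks for three attributes; policy releases two."""
    svc = AttributeService(PROVIDER_RULES, IDENTITY_STORE)
    needs = [AttributeRequirement("email", "provisioning"),
             AttributeRequirement("department", "provisioning"),
             AttributeRequirement("ssn", "provisioning", required=False)]
    released = svc.fetch("hr-provisioner", "alice", needs)
    return released, [(e.attribute, e.decision) for e in svc.audit]


def marketing_attempt():
    """A client asks for a required attribute for a purpose the provider never allowed."""
    svc = AttributeService(PROVIDER_RULES, IDENTITY_STORE)
    needs = [AttributeRequirement("email", "marketing")]
    try:
        svc.fetch("newsletter-app", "alice", needs)
    except PermissionError as exc:
        return str(exc), svc.audit[-1].reason
    return None


if __name__ == "__main__":
    print(provision_alice())
    print(marketing_attempt())
```

The point the model makes is the one the column draws from IGF: the application never reads the directory directly, its needs and the provider's constraints are both declared up front, and the audit list is what lets an administrator verify afterwards that policy, not application code, decided what was released.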
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (5)
You're way off on XACML/SAML, Dave!
By metadaddy on February 27, 2009, 7:57 pm
The interaction between XACML and SAML has been defined for years! See my blog post: XACML and SAML - a Match Made in... 2005.
Federation = Authentication as a Service
By Anonymous on March 13, 2009, 2:03 am
The Oracle Identity Governance Framework (IGF) seems almost right, but the processes may not be. IGF 1 should be read as "externalise the authentication", or to...
Great Article
By Pakistan travel on April 21, 2009, 2:46 am
Your article is very nice and informative.
Informative article.
By Los angeles on May 12, 2009, 5:11 am
Informative article.
Nice article
By Disneyland on July 3, 2009, 1:58 am
Nice article