How a universal directory might work

A worldwide, distributed, replicated virtualized directory system would be useful for provisioning across boundaries
Security: Identity Management Alert, by Dave Kearns, Network World, 03/04/2009

Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.


Provisioning across organizational boundaries using either traditional technologies or those associated with federation has been our subject the past few issues. In the last newsletter, the subject of a universal directory was mentioned. Today let's see how that might work.

Traditional provisioning techniques rely on a centralized data store of identity information, either a core directory service used as a metadirectory or a virtualized directory system. There's no reason why a worldwide, distributed, replicated virtualized directory system shouldn't be useful for provisioning across boundaries.

We noted a few weeks ago the adoption of the Identity Governance Framework (IGF) as a way for applications and identity stores to talk to each other. It’s a good starting point for identifying a schema for a worldwide directory service (WWDS). The folks who originally developed the IGF at Oracle could tweak it, with the help of their colleagues in the virtual directory department (formerly OctetString), so that it is easier to work with.

As much as I’d like to, though, I can’t recommend that Oracle provide the base directory service: that’s too much control in one company’s hands, and it would make it harder for others (IBM, Sun, Microsoft, et al.) to adopt the scheme.

Instead, I’d suggest that Radiant Logic’s RadiantOne server and Context server make the ideal candidate to provide the WWDS. The added bonus of the Context server is that it lets every organization see the WWDS as a part of its own tree, which should mean that most current LDAP tools would continue to work as before, a major plus when seeking adoption of a new technology.
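To make the two ideas above concrete (a virtualized directory as the provisioning data store, and a remote worldwide tree appearing as a branch of each organization's own LDAP tree), here is a small added example. It is not Radiant Logic's or Network World's code: it is a toy virtual directory that mounts a constructed remote suffix (`c=wwds`) under a local branch (`ou=wwds,dc=example,dc=com`) and rewrites DNs in both directions, so a lookup written against the local namespace resolves to the remote entry. All suffixes, entries and store contents are constructed for illustration; the one defensive point shown is that a remote backend is only trusted for entries under the suffix it was mounted for, so it cannot inject entries into the local tree.

```python
# Added example (not Radiant Logic's or Network World's code): a toy virtual
# directory that mounts a remote "worldwide directory" suffix under a branch of
# the local LDAP tree, so DNs in the local namespace resolve to remote entries.
# Suffixes, entries and store contents below are constructed for illustration.

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case, single commas, no padding.
    Naive on purpose: escaped commas and multi-valued RDNs are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or is a descendant of it (checked on an RDN boundary)."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)

# Constructed local directory: the organisation's own tree.
LOCAL_SUFFIX = "dc=example,dc=com"
LOCAL_STORE = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "mail": ["alice@example.com"]},
}

# Constructed remote store standing in for the hypothetical worldwide directory (WWDS).
WWDS_SUFFIX = "c=wwds"
WWDS_STORE = {
    "o=partnerco,c=wwds": {"objectClass": ["organization"]},
    "uid=bob,o=partnerco,c=wwds": {"uid": ["bob"], "mail": ["bob@partnerco.example"]},
    # An entry outside the mounted suffix: a misbehaving backend that returns it
    # must not be able to plant entries in the local tree.
    "uid=mallory,dc=example,dc=com": {"uid": ["mallory"], "mail": ["mallory@evil.example"]},
}

class VirtualDirectory:
    """Presents a local store plus a remote store (mounted at mount_rdn) as one tree."""

    def __init__(self, local_suffix, local_store, mount_rdn, remote_suffix, remote_store):
        self.local_suffix = normalize_dn(local_suffix)
        self.local = {normalize_dn(k): v for k, v in local_store.items()}
        self.mount_point = normalize_dn(f"{mount_rdn},{local_suffix}")
        self.remote_suffix = normalize_dn(remote_suffix)
        # Glue entry so the mount point itself is visible to tree-walking clients.
        self.local.setdefault(self.mount_point, {"objectClass": ["organizationalUnit"]})
        # Trust boundary: keep only remote entries that really live under the remote suffix.
        self.remote = {normalize_dn(k): v for k, v in remote_store.items()
                       if is_under(k, remote_suffix)}

    def to_remote_dn(self, local_dn):
        """Map a DN under the mount point to the backend's naming; None if not under it."""
        dn = normalize_dn(local_dn)
        if dn == self.mount_point:
            return self.remote_suffix
        if dn.endswith("," + self.mount_point):
            return dn[: -len(self.mount_point)] + self.remote_suffix
        return None

    def to_local_dn(self, remote_dn):
        """Map a backend DN (already known to be under remote_suffix) into the local tree."""
        dn = normalize_dn(remote_dn)
        if dn == self.remote_suffix:
            return self.mount_point
        return dn[: -len(self.remote_suffix)] + self.mount_point

    def lookup(self, dn):
        """Resolve one DN: local entries win, then the mounted remote tree."""
        key = normalize_dn(dn)
        if key in self.local:
            return self.local[key]
        remote = self.to_remote_dn(key)
        return None if remote is None else self.remote.get(remote)

    def search(self, base, attr, value):
        """Subtree search: (local_dn, entry) pairs where entry[attr] contains value."""
        hits = []
        for dn, entry in self.local.items():
            if is_under(dn, base) and value in entry.get(attr, []):
                hits.append((dn, entry))
        for dn, entry in self.remote.items():
            ldn = self.to_local_dn(dn)
            if is_under(ldn, base) and value in entry.get(attr, []):
                hits.append((ldn, entry))
        return hits

if __name__ == "__main__":
    vd = VirtualDirectory(LOCAL_SUFFIX, LOCAL_STORE, "ou=wwds", WWDS_SUFFIX, WWDS_STORE)
    # A partner's entry, addressed entirely in the local namespace.
    print(vd.lookup("uid=bob,o=partnerco,ou=wwds,dc=example,dc=com"))
    # The out-of-suffix entry the remote side tried to return is not visible.
    print(vd.lookup("uid=mallory,dc=example,dc=com"))
    for dn, _ in vd.search("dc=example,dc=com", "uid", "bob"):
        print(dn)
```

The point to take from it is that existing LDAP clients only ever see local-style DNs; the rewriting and the suffix check happen in the virtual layer, which is why the mount approach keeps current tools working without exposing the local tree to whatever the remote backend chooses to return.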

This would take some work, but it would also solve a number of problems, federated/external provisioning being only one of them. I’d sure like to see someone step up and take the lead.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.

Comments (2)
The church of X.500...
By Anonymous on March 4, 2009, 10:47 am
Dave, posted a response to your article here: http://jacksonshaw.blogspot.com/2009/03/please-please-stop-bus.html Best, Jackson


From Static Directories to Context Servers
By Anonymous on March 6, 2009, 7:09 pm
Thanks, Dave, for the kind words about Radiant Logic, and for raising the topic of a "universal directory." This is an important and complex subject, one that's...
