More on “Geneva” and the Identity Metasystem

12.11.2008 by Felix Gaehtgens

One and a half weeks ago I was speaking in our Webinar about the Identity Metasystem and Microsoft’s implementation of it (codename “Geneva”). The news was still very fresh - I had just been to Microsoft’s Professional Developer’s Conference and scrambled to get the presentation together. We had almost 100 participants, and many questions were being asked. I slightly overshot the one hour reserved for my Webinar, but even after 70 minutes, the majority of the participants were still online. I then started answering some more questions, but there were still too many of them. If you missed the webinar from last week: it is available here.

Tomorrow, the 13th of November, we’re hosting another webinar on the topic, at 10 AM PST/1 PM EST/7 PM CET. I will do this one a bit differently, and allocate at least half of the time for questions.

Some of the questions we had last time were:

This seems ok for Consumers, is it relevant for large enterprises?

Absolutely. The Identity Metasystem has several parts; some of them are more relevant for enterprises and others more relevant to consumers. The parts of the Identity Metasystem that are most relevant to enterprises are the whole concepts around claims, trust agreements, secure token services, and of course WS-*. In “Geneva”, the components would be the Framework and the Server.

What about using Claims on non-Microsoft platforms?

An excellent question, and one that definitely warrants a longer explanation than this one here. I am definitely going to talk about this topic some more tomorrow. Microsoft has now with “Geneva” released the first full implementation of the Identity Metasystem. There is no such complete implementation available for Java or for other non-Microsoft systems, but many parts of it already exist on other systems too.

Let me step back for a minute and state that the “Identity Metasystem” is a “system of systems” - it’s a methodology, and uses many building blocks, such as SAML security tokens, WS-* and public key infrastructure. Many, if not most of these building blocks already exist on other systems. Major vendors such as Oracle, Sun and others offer interoperability with the Identity Metasystem, and some aspects of a development framework (albeit proprietary at this point) in their access management products.

Would you include “Geneva” in an Identity Management architecture today?

I would most definitely plan for it in an architecture, and especially make developers aware of the framework. Keep in mind that “Geneva” is still in beta, and the final release will only be next year. But that doesn’t mean that one should hold off including it in the plans, and preparing for it. In fact, for those who really don’t want to wait, Microsoft has a “Technology Adoption Program” that will support users that want to adopt the technology now. Microsoft’s “Geneva” implementation of the Identity Metasystem is all about managing identity in an easier and safer way. That will be important in the long run not just for cost savings, but also as one of the key elements in the transition of IT departments from a cost centre to a strategic asset. Does the last sentence sound like just another pompous example of lofty analyst-speak? ;-) Think again. The costs of handling identity in today’s enterprise environments are significant. It reminds me of the mid eighties, when most office software (Wordstar, Lotus 1-2-3, and even Microsoft Word in its first incarnations as an MS-DOS program) shipped with one or two floppy disks full of printer drivers. That’s right - different native printer drivers for each program! How much time was invested by every software vendor to enable the same thing (printing) all over again? How much time was saved when operating systems such as MacOS and Windows (and probably others) implemented a “printing framework” that could just be harnessed by whatever programmer wrote applications for that operating system? The identity metasystem is an important piece in the puzzle to make IT easier and more agile. So I couldn’t think of any reasons not to consider the Identity Metasystem, and “Geneva” in a Windows environment. This is all standards-based, interoperable and open!

What is the timeline for “Geneva”?

According to Microsoft, the RTM (final release) will be available in the second half of 2009.

What protocols does “Geneva” use? WS-Trust and SAML 2.0? If both protocols are possible, is claim transformation between those protocols possible?

The current beta release of “Geneva” supports SAML 2.0, but apparently there are some limitations in the beta that will soon be overcome. I need to confirm this, but as far as I remember from PDC, the current beta of “Geneva” Server will work as a SAML 2 IdP (Identity Provider), but not yet as an SP (Service Provider) - but again, this is just a temporary limitation of the beta and SP support should be available soon. Claims transformation is one of the key points of “Geneva” Server, and yes - the transformation between the protocols is definitely one of the uses foreseen.

What about compatibility of Zermatt now, and “Geneva” framework in the future?

A difficult question to answer. Officially, “Geneva” framework is still in beta. “Zermatt” was released several months ago, so it has even matured a bit before “Geneva” was released. This is the first Geneva beta, not yet architecturally or functionally complete, and Microsoft is seeking directional feedback. Microsoft invites developers, architects and other interested parties to learn about the software, experiment in labs, and send feedback. Having said this, from a protocol standpoint there will be compatibility since the protocols are mature. There may of course be some evolution in the “Geneva” framework that may be backward incompatible. My personal guess is that if there are any such changes at all, they’d be minor. However, I think it is likely that the framework will incorporate new functionality. Then again I have no crystal ball, and even if I had, I wouldn’t know how to use it :-)

Please join me for my identity metasystem / Geneva Webinar!

31.10.2008 by Felix Gaehtgens

This has been an intense week at PDC 2008 - the first one ever for me. I’m sure it won’t be my last!

If you’ve followed our Kuppinger Cole news, you may have seen my article about Microsoft’s Geneva announcement. I was very excited about this announcement, because of the importance of the identity metasystem for the future. Microsoft is clearly putting its money where its mouth is and fully jumping onto the bandwagon of a fully interoperable, open claims-based identity metasystem. This is not just interesting if you run Microsoft software. This has a profound and positive impact on our industry as a whole.

I am holding a Webinar today (Friday morning in the Americas = afternoon in Europe, Middle East, Africa) to put all of this into what I think is the proper perspective and to outline why I think this is such a big deal, why this is relevant for you and how you can profit from this. You are all cordially invited!

http://www.kuppingercole.com/events/n40030

It’s the authorisation, stupid!

08.10.2008 by Felix Gaehtgens

As the US presidential election is in full swing, I thought it would be a great time to dust off Bill Clinton’s catchy statement from way back when and seize it for my own agenda. As the industry is increasingly focused on the identity metasystem that will deliver identity to applications, and much attention is given to strong authentication, I believe that authorisation is a very much neglected topic. Very unfortunately so.

It appears as if many of us have just about accepted the fact that authorisation is the domain of applications. Large enterprise software suites typically implement their own security infrastructure. Some others outsource this to the underlying operating system, most notably Microsoft Windows. We seem to be content to deliver identity data into applications, and let them take care of deciding who gets access to what. This I find dangerous, and going down a very wrong path in the long run. Let me explain why.

Doing it over and over again. Is your organisation building custom apps? Every application developer of a custom-built application has to implement access control and authorisation yet again. Most developers are really not that savvy or even passionate about security. After all, software development is mostly about finding new ways to do things, not so much about restricting one to do things (unless you’re writing security software, of course). I find it very scary that in many organisations, access control has been implemented differently many times, by many different teams. How can you be sure that everybody got it right? What’s the sum of all bugs in all of the authorisation code? How much time and money has been spent reinventing and rewriting the same wheel over and over again?

What access management? Controlling access is done in very segregated approaches. It’s not uncommon to find multiple identity “universes” next to each other in isolation. We have managed to apply band-aid to the “identity wound” of having disconnected pieces of identities in different stores through provisioning systems and virtual directories. But the “authorisation wound” is untreated and oozing. Yes, there are a variety of “access managers” and “SOA security” solutions out there. Do they really solve the problem? No, because usually they are too coarsely grained, and therefore only relieve some of the symptoms of weak application security without really curing the underlying problem.

Sleepless nights at audit time? Regulations are getting tougher, and audits are taking much more time and money. Once central security services were in place, their mechanisms would need to be scrutinised just once, and after that it’s just about auditing their use inside the applications. At this time role management software is touted to be the magic bullet, albeit in the form of another band-aid to the “authorisation wound” (as described in the next paragraph).

Incompatible entitlement systems. We are seeing a growth in GRC (Governance, Risk-Management and Compliance) tools that build data warehouses of entitlement information, and then try to make sense of the whole mess. Those entitlements are usually completely different in structure and interpretation, and trying to distill this hodgepodge into higher level business roles is a daunting task that needs continuous readjustments. True, the tools offered by the vendors in this space are getting better and better. But effectively the aim is to bring some order into chaos - to fight the never-ending battle against entropy. On the other hand - just think about it - even if only 50% of the authorisation could be derived from business processes, business roles and other high-level information, that’s already 50% less entitlements that would need to be managed.

Lack of vision and/or willingness of the industry to cooperate. Barring some notable exceptions, the large vendors don’t have a vision for solving authorisation systematically, or are keeping their cards very close to the chest. Oracle is one of the exceptions here, with a mission statement that this is important and needs to be solved. Other vendors have ad-hoc solutions for offering fine-grained authorisation for custom applications, mostly in the form of embeddable entitlement “managers” or agents. Some are having a field day bashing the XACML standard, and whilst they are right in that it does not solve all problems, it certainly addresses quite a few of them. Hey, SAML does not by itself fully secure your web services, but it certainly does its part in the effort. My word processor does not write my reports by itself, but it certainly helps me getting them done.

Service oriented What? In a brave new SOA world, applications are no longer monolithic, but comprised of many services interacting with each other. Identity and access control is an important part of this. Whilst this year has brought us much further in the Identity field with WS-* on the path of becoming mainstream, authorisation is not just a large and ugly pothole on that road, it’s a crater. Unless the industry comes together to adopt an interoperable, standards-based approach to access control,

What now? I may be painting a bleak picture, but it’s not all bad. Several small companies are taking the lead right now to create enterprise-wide access management technology, driven by compliance requirements. Larger vendors are certainly mulling their options. But it’s the time for us in the industry to get cracking, and come up with the methodologies, standards, services, protocols and APIs to solve this once and for all. Until this is done, IT won’t really be dynamic, and many SOA benefits will remain elusive to most of us.


Looking back at DIDW

26.09.2008 by Felix Gaehtgens

Two weeks ago I was at Digital ID World in Anaheim, CA, followed by a briefing in Redmond. My mind is still returning to this action-packed event every once in a while, and I am still trying to make sense of it all. For me the most interesting aspect of DIDW has certainly been to meet face to face with lots of the usual suspects, some people I “know” virtually, but have never met face to face, and some new acquaintances. Over the next few weeks, as my busy research agenda allows, I will write up on some of the cool stuff, new technologies and new evolutions of products that I’ve learned about during those three days.

Just thought I’d just pay tribute to some of my experiences during those three days. For me as well as for many others, DIDW started off with a visit to the new “IDTBD” (ID To Be Determined) initiative that the Liberty Alliance sponsored. Bob Blakeley from the Burton group stood in the middle of a fully crowded room (including people standing outside). After a somewhat tedious roll call where everybody present stated why they actually went to this meeting, the discussion came into full swing. The idea behind the “IDTBD” was to provide an infrastructure framework for projects around identity. Instead of every project getting tied down with bureaucracies, legal agreements and organisational matters, IDTBD would provide support and let participants focus on what they can do best. I thought the idea was pretty good, but not everybody thought the same. As organisational matters like these were not my forte, I disappeared after the break, and when I walked past the open door an hour later, I could see that a very small crowd was still in very animated discussion.

I had my fun with Sun that afternoon, evening and night, and honestly, I had a blast. Sun brought me in twice for their Identity Buzz TV show. Daniel Raskin was my host, and we talked about open source within identity management - the specific nuances and what customers can expect from it. We also talked about one of my favourite topics, the identity bus (I did a round-table at our European Identity conference back in May), and in that one I managed to turn it around and have Daniel add his thoughts to the discussion (later on that week, I had the pleasure of meeting again with Stuart Kwan who explained his vision to me, but more on that later). It was great to meet Daniel, I only had the virtual pleasure up to that point, and can attest that he is at least as cool and knowledgeable in real life as well. I also had some quality time with Pat Patterson, who I’ve met before, but only briefly between doors, and it was good to catch up. Saachin was there as well and turned on several light bulbs in my head when he talked to me about Sun’s 3 month roadmap for deploying Role Manager within an enterprise. My head was spinning a bit after so much information, and I was really grateful when Saachin’s colleague Neil Gandhi patiently spent a good two hours briefing me and walking me through the product in great detail a day later. As my colleague Sebastian Rohr and others noted, Sun certainly made a killing snapping up Vaau earlier this year, and now I can fully appreciate Sebastian’s enthusiasm.

John Barco very cunningly demonstrated a concept that is likely to pop up in the same basket as identity theft: identity exchange. ;-) By wearing Nicholas Crown’s badge around his neck the next day, he had me confused, because I had just met both of them in person for the first time the day before. I had some great discussions with both of them later, especially with Nick, with whom I talked after the Ping Identity party until the not-so-wee-anymore hours. Oh yes, the Ping party. Aren’t they legendary! As this event was held at the “Blues house”, the “house drink” was a blue liqueur. It did not glow in the dark, but turned out to be somewhat of an acquired taste. Andre Durand’s team were busy making sure that everyone held at least one cup in their hands at all times. I decided to be careful with it. At the party I made some great acquaintances, and ran into Doug Anter from Covisint. In a very forward-looking spirit that is common after successive libations in the later evening, we decided to set up a “breakfast briefing” for 9 AM the next morning. This turned out not to be painful at all (perhaps I can attribute this to my special care with the house drink), but on the contrary highly interesting, as I have an article in preparation on Covisint’s offerings on “Identity as a Service (IaaS)”.

In the same area, I was equally impressed with a briefing that I received earlier from Eric Olden who is the founder and CEO of Symplified. Having founded Securant in 1995 (which he later sold to RSA), he well understands the need, but also the entry barrier for small and medium enterprises when it comes to identity and access management. Symplified provides identity and access management as a service in both directions - incoming and outgoing. On the outgoing side, Symplified can connect an enterprise’s users to internal and external SaaS services (such as Salesforce, Workday, ADP, etc.) with single sign-on. On the incoming side, access to resources is controlled through a proxy layer that is either hosted by Symplified itself, or runs inside an organisation in several form factors: appliance or virtual machine. I think there is a photograph of myself wearing a Symplified T-Shirt towards the end of the Ping party.

Another very interesting briefing I received was from AEP Networks’ J. Alan Bird who is extending identity throughout the network with identity-based access control. Their IDpoint solution tags every network packet (actually, the payload within IP packets) from an authenticated client PC with a special token. Specialised identity routers then act like firewalls by checking access against tokens and making access control decisions. A sophisticated auditing and reporting engine is included that can act as a feed to current GRC (Governance, Risk-Management and Compliance) solutions. As identity management has traditionally focused mainly on application security, I think that this pioneering approach offers a significant manageability gain and addresses a previously not well-addressed need for extending GRC towards the network layer. I am convinced that this will become an important topic, especially with investments in strategic GRC projects increasing.

Oracle was a main sponsor at Digital ID World, and many of its brightest minds were roaming around. I was particularly happy to finally meet face to face with Nishant Kaushik whose blog I read regularly and recommend (it’s on my blogroll). Same with Clayton Donley, whom I had already seen previously from far away, but had never had the opportunity to shake hands with. I had a great follow-up discussion with Eric Leach on Oracle’s new access management suite (he had briefed me on it a month before). And of course Phil Hunt, whose efforts around the Identity Governance Framework I wrote about previously. When I finally got to meet Dennis MacNeil in person, he gave me some good advice and helped me understand better how the individual pieces fit into Oracle’s strategy.

Understanding that it is impossible to mention everyone and everything that I met and discovered, it is perhaps worth mentioning what I wish I could have done. The time was limited, and unfortunately the exhibition floor closed very promptly, and I just plainly ran out of time. Matt Flynn was there and I shook his hand but had to run off and couldn’t catch up with him anymore. He will not escape me next time (or rather, I will not escape him) :-) I also ran out of time and couldn’t properly catch up with the folks from Optimal IDM anymore, who briefly told me about the new features added to their virtual directory product. Equally with my old colleagues from Symlabs who would have loved to show me the upcoming full virtual tree feature in the next version of their virtual directory. Charles Andres who is now the head of the Information Card Foundation was all over the place but unfortunately so was I (and at the Information Card Foundation’s booth I ran into Axel Nennker, which was really cool). I did not have time for Sailpoint and Novell unfortunately - although I did have a brief chat with Dale Olds and some of the other “Bandits”, but would have loved to spend more time with his colleagues as well. Next time it will be!

Mini-review of Microsoft “Zermatt”

18.07.2008 by Felix Gaehtgens

I’ve written a short analysis on Microsoft’s new “Zermatt” framework that went up on our website yesterday. For those who have missed the announcement, Zermatt is a new developer framework from Microsoft that makes it easy for developers to work with claims, and is also a foundation for building secure token services (STS). In the analysis, I also included some of my thoughts on the “claims-based model” in general, and specifically about the lack of an authorisation model. I think this is perhaps the largest gap currently for applications using WS-Trust, WS-Federation and the claims-based model, exacerbated by the fact that Microsoft currently provides no vision of how this will eventually be addressed.


RedHat acquires Identyx

19.06.2008 by Felix Gaehtgens

As I write this, Red Hat is announcing the acquisition of Identyx, a software company that specialises in open source identity management software. Identyx sells fully supported versions of Penrose, a virtual directory, and Velo, an open provisioning solution. Both products are based on open source projects hosted at safehaus.org, which was started up by Jim Yang and Alex Karasulu, best known as being a major driver behind the Apache Directory Server project. Identyx’s business model is typical for open source software providers: a stable, official release from Identyx, priced on the basis of a yearly maintenance contract where the price depends on the overall response time and level of service.

Why Red Hat? After all, Red Hat has rarely been mentioned in the identity management area. This is not so much because Red Hat has been inactive - not at all, in fact - but identity management at Red Hat has not been marketed much. But that’s about to change. Red Hat has restructured recently and opened up a new business unit called “Management and Security Products” in February. This business unit will be responsible for the directory and certificate server, IPA and the Identyx products.

Red Hat has been acquiring and building several interesting components in the identity area for a while. Red Hat has also acquired what used to be the Netscape Directory Server and Certificate Server from AOL, who inherited them through the acquisition of Netscape by AOL in 1998. For AOL, these software packages were not any core business and just dawdled on like neglected stepchildren before finally being sold on to RedHat. RedHat has invested in the development of these products and made them available in a supported and a free version under the RedHat and Fedora brands respectively. Although both products are available on multiple UNIX platforms, they have never really been perceived as serious contenders in the identity management space, and have had their success mostly with customers who already had a significant investment in Red Hat’s platform.

Last but not least, Red Hat has funded the FreeIPA (IPA = Identity, Policy and Audit) solution, an integrated security framework currently supporting identity management with plans to add policy management and auditing. This has matured over time, and RedHat will announce the general availability of FreeIPA 1.0 at the RedHat summit that is currently in full swing. Red Hat has plans to tie Identyx into IPA, as there are many cross-over cases, especially in the integration of Active Directory. Red Hat customers see many cases where Active Directory users and Linux policies need to be managed together and will harness the Penrose virtual directory to provide easy integration through virtualisation. Penrose will also continue to be available separately.

So what is Red Hat’s vision, and why the jump into identity management now? The overall vision is similar to that of BMC and Microsoft who see Identity Management as an important cornerstone of IT infrastructure management. Red Hat especially sees demand in cloud computing models, where customers need agility in their environment to create a flexible IT fabric by consuming IT infrastructure as dynamic workload resources. The security models change when resources are constantly moved around. Control mechanisms need to be in place to ensure security. Audit trails need to be created in order to ensure compliance. Red Hat sees identity management and configuration of machines converging through specialised workflows.

Due to the special nature of most identity management projects, an open source approach can be particularly advantageous. This is because extensive customisation and integration is often part of a deployment, and many parts of these customisations are shareable - something that does not typically happen as easily with shrink-wrapped commercial software. However, using open source identity management software has so far been elusive for many enterprises due to a lack of a strong partner. Red Hat’s acquisition of Identyx now allows RedHat to enter the lucrative identity management market with a strong position and a credible offering of products, allowing customers to reap the full benefits of open source identity management by leveraging RedHat’s unique experience and standing in the open source area. Unlike Novell and Sun, who also offer their own branded Linux open source platforms, Red Hat builds completely on open source. The strategy might pay off, but there is a long steep road still ahead for Red Hat. The acquisition of Identyx has just made that road shorter, and is good news for Identyx’s and Red Hat’s existing customers. We at Kuppinger Cole will be analysing Red Hat in much more detail from now on.


BMC drops traditional identity management, focuses on Business Service Automation

25.05.2008 by Felix Gaehtgens

I was at the BMC User World conference in Lisbon last Tuesday, trying to figure out where BMC is going, specifically in the field of identity management. After all, BMC’s presence in that segment has been surprisingly low-key for several months. Last year, BMC was to be found at every major identity-related conference. Jeff Bohren, BMC’s identity guru, was very active in the standardisation efforts around provisioning services and in the identity bloggers’ community, and BMC was marked as one of the larger players in the identity space.

Since then, Jeff Bohren has left BMC to join Sunview Software. What we at Kuppinger Cole noticed here in Europe was that BMC’s complete identity management pre-sales team in the UK and Germany left around that time frame as well. It didn’t take a conspiracy theorist to figure out that something was up. Had BMC decided to follow HP and quietly discontinue its products, or integrate them in a broader environment? That’s what my colleague Martin asked me to find out, and besides, this was in “my turf” - right in Lisbon!

I scheduled a session with BMC’s CTO Tom Bishop and we discussed BMC’s vision and what the outlook for identity management is at BMC.

First of all: BMC is refocusing towards a new strategy around Business Service Management (BSM) and Business Service Automation. Identity plays an important part in a BSM-enabled ecosystem. BSM wasn’t something I was very aware of, but it made a fascinating topic. Therefore, I wanted to share some interesting background information that we received during the keynotes, and especially later in the break-out sessions from Tom himself.

In order to make the case for Business Service Management, an interesting statistic from IDG was presented. With higher complexity of IT systems, the cost of managing these systems also goes up. That should come as no surprise. As virtualisation and SOA become more widely adopted, the number of systems rises even further and complexity increases even more. What does that mean for enterprises? Well, increased server management and administration costs for one, plus additional power and cooling costs (virtualisation obviously helps mitigate the latter two, but again, at the price of more system management overhead). So are IT budgets due to increase? That is the last thing enterprises want to hear! So something’s gotta give, or things need to work more efficiently. Can IT run more efficiently? You bet, says BMC’s Tom Bishop. After all, after making every aspect of a business more efficient by automation, the IT departments are usually the largest places of manual labour to be found in any enterprise. Ironic, isn’t it?

BMC believes that there is a huge potential to automate the way that IT departments are being run, and is implementing its vision of Business Service Automation to offer its customers a complete solution to do just that. Business Service Automation, according to BMC’s vision, provides an integration layer to unify the “patchwork” of existing solutions that revolve around the provisioning of systems and software as well as the compliance with internal IT controls. (BTW, here the words “provisioning” and “compliance” are used outside of the identity management context.) With BMC Atrium technology as a central component, and driven by a change management database (CMDB), service support, assurance and automation are integrated, unified and simplified. This drives down maintenance and systems management costs significantly (once you discount the price to pay for the BMC solution, presumably), and allows an enterprise’s IT landscape to grow whilst keeping the management costs at par.

My head was spinning and I was impressed at the same time. I did manage to regain my composure however and had the opportunity to quiz Tom Bishop directly on the future of identity management in BMC’s overall strategy. What is happening with the product line, and why does it seem that BMC has retreated from that space? Tom mentioned that last year, BMC had several business units, out of which Identity Management was one - complete with a presales team. Now that has been reshuffled however, and BMC sees identity as a piece of the overall Business Service Management strategy, and will therefore continue to integrate its identity management products seamlessly within this structure. However, BMC will cease to push “stand-alone” identity management products as it has done before. Customers can still buy the existing products as stand-alone solution, but BMC will focus on the automation and overall integrated approach to service automation.

I tried to prod a bit to see whether there was any indication that BMC might try to fill some of the previous gaps in its “suite”, such as the missing federation piece. Here both Tom and I were caught in the ambiguity trap that opens when the words “federation”, or even “provisioning”, are used by people of different technology domains. We identity management folks think about something completely different when we mention “federation”. Tom was thinking of how the change database approach could be used in a federated approach to integrate different services. I later tried to find out whether it was necessary to buy BMC’s identity management components to integrate with the Atrium software and the Business Services Management stack that BMC offers. I did not get a clear answer. Apparently the integrated BSM solution is able to detect when new users join and leave the organisation, and automatic provisioning of software and other services can be configured. Nobody could explain to me, however, whether or how this could be integrated with a non-BMC identity management system - although I am sure that this will be possible, given that it may not be palatable for future customers to install yet another identity provisioning system alongside a solution that has already been deployed - especially considering the pain and hard work that goes with deploying such systems!

So at least now it’s official! BMC is no longer a player in the traditional identity management market but is instead transforming its offerings to provide an all-integrated approach to automate IT through business service automation and management. Existing customers are still supported, and the products are maintained, but customers will have to look elsewhere for comprehensive identity management solutions, or at least buy the “missing pieces” from other vendors more active in the “pure” identity management sector.

Posted in Uncategorized |

HP passes the buck to Novell

16.05.2008 by Felix Gaehtgens

Hewlett-Packard, who recently announced that it would all but retreat from the identity management sector as an independent vendor, has just announced a partnership with Novell. That will settle the many speculations in the industry. As HP had made a significant investment into identity management products, someone would surely be picking up the pieces. And the winner is: Novell!

From the announcement that was made to the analyst community and the subsequent press release, it is pretty clear that HP is looking for an elegant way to divest itself of its product line. Of course, HP cannot and will not leave existing customers hanging, so the previous announcement from HP was to “not actively pursue new customers” for its identity management software anymore. That is a polite way of putting it, but the message is clear: those products are no longer actively pursued, and the key employees have long moved on, such as Greg Whitehead, who came to HP from Trustgenix after it was acquired by HP.

If there is any doubt about the future of HP’s product line: Novell is offering a license credit for current HP Identity Center customers, and the press release makes frequent use of the word “migration”.

HP and Novell will now jointly develop tools to help their respective teams migrate customers away from Identity Center and towards the Novell product offering.

The win for Novell is obvious: a strong influx of new accounts, plus a strong partnership with a key systems player that has just a few days ago announced its intentions to strike it big with services as well - acquiring EDS. On the other side, what is the win for HP, apart from an honourable exit from its products? Surely, after the acquisition of EDS a likely theory would be that there may be some good deals in the pipeline for HP’s new upscaled services division, working closer with Novell. But even though this may be the case, it is very unlikely that the EDS deal and the Novell partnership have had any effect on each other, and although Identity Management is a hot and growing space, it is just a fraction of what EDS did for its customers.

What will be interesting to see however is if and how Novell will take over some of HP’s IdM estate, and how this would be integrated within Novell’s solutions. The Trustgenix federation software, just to note one example, was superior technology at the time of acquisition and still presents a formidable stack for the implementation of federation solutions.

A very interesting detail is however not mentioned in the press release: this special partnership is not exclusive at all. This should perhaps be obvious, because HP partners with other companies who also have a significant identity management offering. Curiously, too, the press release was not even published in Germany. Although that may seem like an insignificant detail, it has subtle implications: SAP is very strong in the German Identity Management field through its Netweaver offering, and HP makes a lot of money through its partnership with SAP, and will want to keep its options open.

It will be interesting to see the reaction of HP’s Identity Center customers after this announcement. Some have already moved away from Identity Center, or are in the process of doing so. Novell has a well-rounded offering, but it might not always be the right match for existing HP Identity Center customers. Then again, it is likely that some technology gets transferred or licensed to Novell. For most existing Identity Center customers however this is good news, as it lays out a clear path for transitioning over to a solid product line that is established and actively maintained.

Posted in Uncategorized, hp, novell |

Federation and auto-provisioning

08.05.2008 by Felix Gaehtgens

Ping Identity recently announced the availability of Version 5.1 of Ping Federate in their blog. What caught my attention was that Ping has now also finally added a feature I (and others) call “auto-provisioning” or “federated provisioning”. In federated environments, when users from other entities visit your site and gain access to services, it is often necessary to store some local data about these users on your system. In very simple cases, this could be user profile data, such as the colour of the background, but there could be much more information that would need to be stored.

So does this mean that by deploying federated environments, you are getting back to the “silo problem” where you have fragments of identity data floating around? Does this mean that as a service provider you must now store identity information, and accounts, and deal with everything that comes with it - including compliance with complex intermingled laws and directives? Ugh!

Don’t panic. In most cases you don’t have to - this can usually be avoided through proper design of the federation scenario. So should you avoid storing any data about external users coming into your system from federated identity providers? Well, this would be nice, but is not always practical. So you often end up having to store something about a user that “arrives” at your site from elsewhere through a federation (or your support of user-centric identities).

So here are my recommendations, in no particular order:

  • Create those “user entries” on the fly - when someone “flies into” your site for the first time through a trusted federated link or an OpenID sign-on, create the user entry then automatically - if it’s not already there. Why? Because the alternative would be setting up a synchronisation service, and you really want to avoid that unless you really, really, REALLY have to…
  • Avoid storing “personal” data. This will make you resilient against privacy regulations. OK, or at least not expose you any further to them than you already are :-)
  • In most cases, you already receive some data about the user together with the sign-on token. Try not to store a copy of that data, but instead just keep the data around for the lifetime of the current session. This might not always be practical or even possible. In that case, if you do store it, make sure you update the information when you receive changed data next time in the token.
  • Don’t turn the stored data into a “live account” by giving a user the option to store a local password, unless you really have a good reason to do so! (I am actually wondering what would be a good reason to do this and can’t think of any!) :-)

If you follow these recommendations, then you can rest assured that you are not creating user accounts. Instead, you are creating “profile entries”. These are not to be counted as “accounts” or “identities” when the auditors arrive, because the profile entries themselves don’t carry any entitlement per se - you are not authenticating user entries. You are instead just keeping track of, say, a user’s preferences. That is a completely different type of animal.

Another good reason, especially for the first recommendation is that you’ll be saving yourself a lot of maintenance if you provision “on the fly” as opposed to manage synchronisation links (including the headaches that come with it). Again, the world is not perfect, and you may find yourself with your back to the wall surrounded by synchronisation links that all cry for constant love and tending.
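To make the four recommendations concrete, here is an added example of what “profile entries” provisioned on the fly can look like in code. It is not Ping Federate code and not from the original post; it assumes the sign-on token (SAML assertion or OpenID response) has already been validated by your federation layer and that its claims arrive as a plain dict with the hypothetical keys `issuer`, `subject` and `attributes`. The sample tokens are constructed. The entry is keyed by an opaque hash of issuer and subject, only preference attributes are persisted and refreshed from every new token, personal attributes such as the e-mail address live only for the session, and any attempt to attach a local password is refused, so the entry never becomes an account.

```python
"""Just-in-time ("auto-provisioning") of federated profile entries.

Added example: models the recommendations above, not any vendor's product.
Assumes token validation already happened upstream; `claims` is the
validated content of the token as a dict (hypothetical shape).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import hashlib
import time

# Attributes we are willing to persist between sessions: preferences only,
# nothing that identifies a natural person.
PERSISTED_ATTRS = frozenset({"background_colour", "locale"})

# Attributes that may travel in the token but are kept only for the lifetime
# of the current session and are never written to the profile store.
SESSION_ONLY_ATTRS = frozenset({"email", "display_name"})


class LocalCredentialsNotAllowed(Exception):
    """Raised by any attempt to turn a profile entry into a live account."""


@dataclass
class ProfileEntry:
    key: str          # opaque key derived from (issuer, subject)
    issuer: str       # which trusted identity provider asserted this user
    preferences: Dict[str, str] = field(default_factory=dict)
    created_at: float = 0.0
    last_seen_at: float = 0.0
    # Deliberately no password hash, no roles, no entitlements: the entry
    # only tracks preferences, so it is a profile entry and not an account.


def profile_key(issuer: str, subject: str) -> str:
    """Stable opaque key so the raw NameID / claimed identifier is not stored."""
    return hashlib.sha256(f"{issuer}\x00{subject}".encode("utf-8")).hexdigest()


class FederatedProfileStore:
    """In-memory stand-in for the directory or table holding profile entries."""

    def __init__(self) -> None:
        self._entries: Dict[str, ProfileEntry] = {}

    def provision_from_token(self, claims: Dict, now: Optional[float] = None
                             ) -> Tuple[ProfileEntry, Dict[str, str]]:
        """Create the entry on first arrival, refresh it on every later arrival.

        Returns the stored entry plus the session-scoped attributes the caller
        keeps in the session object and drops when the session ends.
        """
        now = time.time() if now is None else now
        key = profile_key(claims["issuer"], claims["subject"])
        entry = self._entries.get(key)
        if entry is None:  # first visit through the federation: create on the fly
            entry = ProfileEntry(key=key, issuer=claims["issuer"], created_at=now)
            self._entries[key] = entry
        entry.last_seen_at = now
        attrs = claims.get("attributes", {})
        # The persisted copy is overwritten from the fresh token, so changed data
        # from the identity provider never leaves a stale copy behind.
        for name in PERSISTED_ATTRS.intersection(attrs):
            entry.preferences[name] = attrs[name]
        # Personal data stays session-scoped; unknown attributes are dropped.
        session_attrs = {name: attrs[name] for name in SESSION_ONLY_ATTRS.intersection(attrs)}
        return entry, session_attrs

    def set_local_password(self, key: str, password: str) -> None:
        """Profile entries are never authenticated locally; refuse the credential."""
        raise LocalCredentialsNotAllowed("profile entries cannot carry a local password")

    def get(self, key: str) -> Optional[ProfileEntry]:
        return self._entries.get(key)

    def count(self) -> int:
        return len(self._entries)


def persisted_attribute_names(store: FederatedProfileStore) -> Set[str]:
    """For an audit: every attribute name stored across all profile entries."""
    names: Set[str] = set()
    for entry in store._entries.values():
        names.update(entry.preferences)
    return names


def local_password_rejected(store: FederatedProfileStore, key: str) -> bool:
    """True if the store refuses to attach a local password to the entry."""
    try:
        store.set_local_password(key, "irrelevant")
    except LocalCredentialsNotAllowed:
        return True
    return False


# Constructed sample tokens (already validated upstream) for one federated user
# who visits twice; the second visit carries a changed colour and e-mail.
FIRST_VISIT = {
    "issuer": "https://idp.example.org",
    "subject": "urn:example:user:4711",
    "attributes": {"background_colour": "blue", "locale": "de-DE",
                   "email": "user@example.org", "shoe_size": "42"},
}
SECOND_VISIT = {
    "issuer": "https://idp.example.org",
    "subject": "urn:example:user:4711",
    "attributes": {"background_colour": "green", "email": "new@example.org"},
}


def demo() -> Tuple[FederatedProfileStore, ProfileEntry, Dict[str, str], Dict[str, str]]:
    store = FederatedProfileStore()
    _, session1 = store.provision_from_token(FIRST_VISIT, now=1.0)
    entry, session2 = store.provision_from_token(SECOND_VISIT, now=2.0)
    return store, entry, session1, session2


if __name__ == "__main__":
    store, entry, s1, s2 = demo()
    print(store.count(), entry.preferences, s1, s2, persisted_attribute_names(store))
```

The audit helper is the point of the last recommendation: when the auditors arrive, `persisted_attribute_names` shows only preference names, and the entry type has no field for a credential or an entitlement, so there is nothing to count as an account.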

I could go on and on, but instead I’ll refer to the presentation “How to efficiently manage external identities” that my colleague Stefan Rohr and I held at EIC 2008. Hmm. Somehow I can’t find the link to it. I guess that’ll have to be added tomorrow.

Obviously these recommendations come from the use cases that I’ve seen or have even been personally involved in. I’d be really interested in YOUR use cases. Do you agree with my recommendations? Did I perhaps overlook anything, or am I just plainly wrong or “not applicable” in some scenarios? Please let me know by either commenting, or if you prefer, email me.

Identity Bus round-table video online!

06.05.2008 by Felix Gaehtgens

As I already wrote in my last blog, one of my personal highlights at the European Identity Conference was the discussion that I had with Dale Olds, Jackson Shaw, Kim Cameron and Dave Kearns on the concept of the “Identity Bus” of the future. It’s now online! So here you go, enjoy ;-)

We’re obviously just at the very beginning, but hopefully we’ve kicked off a good discussion to be continued via our blogs, papers, etc! I think it is very important that we do this and solve many issues around identity. A new type of identity plumbing, indeed. Let’s keep up the momentum that’s been building over the last few weeks - now is the time to do it :-)

Thanks to my colleagues Bernd and Alexei who’ve been working hard to digitalise and cut the videos that we’ve shot at the European Identity Conference 2008. And of course, a big THANK YOU from my side to Dale, Jackson, Kim and Dave!

Posted in identity bus |
© 2008 Felix Gaehtgens, Kuppinger Cole + Partner