An interesting conversation is taking place within the blogsphere about meta-directories, with Dave Kearns and Kim Cameron on both sides of the argument. This was all inspired by a blog entry on the 4th of March from Jackson Shaw called “You won’t have to kick me around anymore!”. That musing was about HP’s retreat from the identity management market, but makes a statement about meta-directory technology:

Let’s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind.

I started in this area in 1993 and some of the same architectures are still out there.

The certainly struck a chord with me when I read it. Dave Kearns picked up the topic in his newsletter when he wrote about Optimal IDM, the new virtual directory kid on the block, and made the case that meta-directories have “finally given way to the virtual directory”. Kim Cameron picked up Dave’s entry and disagreed. Up to now, this has lead to an interesting ping-pong of opinions between Dave and Kim, which has not exactly been easy to follow, not just because new contributions are being made on a daily basis up to now, and also because Kim uses the term “meta-directory” to mean something different than what Dave (and myself included) understand. I am going to take this opportunity to jump into the commotion as well, knife not freshly sharpened, but armour freshly polished!

First of all, to clarify what “meta-directory” means (at least, to me!). I am thinking about “Via” (Kim’s baby, the product that Microsoft acquired in 1999 together with Kim’s company, Zoomit). I’m also thinking about Novell Dir-XML, Siemens DirXmetahub and the Critical Path Meta-Directory Server. Old products, created many years ago. You don’t really see much happening with this technology any more, because it has its share of problems, and unless assisted with other technologies, does not fit well into today’s much more dynamic identity and access models. The only exception to that is probably MIIS, but I’ll get to that in a minute.

The old traditional “meta-directory” technology works by creating one big “centralised directory” (or “metaverse” as it’s known in MS-speak), pulling data from everywhere into that centralised directory and then pushing data out into all directions either. This approach is usually not a good fit by itself, because it has several significant shortcomings. I would not go as far as call the technology “dead” (it’s impossible to ignore the many MIIS installations out there), but I’ll call it something else: “quaint”. Now that word has several meanings according to the dictionary, but I sure don’t mean “marked by skillful design, beauty or elegance”!!!

Microsoft has made an investment into that technology by rewriting MIIS pretty much from scratch. And Siemens to this date probably has the most comprehensive and advanced meta-directory implementation with its DirXmetahub component that is part of its Dir-X offering. Nevertheless, meta-directories are arguably still around mostly because Microsoft forces this technology onto its customers for what I think are political reasons: Several people working for Microsoft in the field have told me that it was in Microsoft’s interest to have Active Directory as a central component, and believe it against Microsoft’s interest to have a “filtered access”, such as a virtual directory in front of AD, abstracting information away from what should be the authoritative source. I never really understood this fear, but recently it seems that this brick wall may be slowly starting to crumble (see below).

Some experts in the field still obstinately (in my opinion) push meta-directory technology as the only way to integrate multiple sources of identity information. I think this is very short-sighted. This might have been true in the last century, which is not even that far ago. But in a truly dynamic environment, meta-directory technology and a “synchronisation-only” approach just tends to get into the way. Likewise, the idea that virtual directories by themselves could solve all integration issues is wrong. It’s never been only one or the other, unless you had a specific problem to solve. It’s not synchronisation or virtualisation. You need both, at least if you are in a dynamic identity environment, or have a vision to get there.

So what is the solution for the future? Some people believe that virtual directories will eventually fully supplant meta-directories. Coming from the virtual directory world myself (I worked for Symlabs before joining Kuppinger Cole), I never truly believed that - at least not the virtual directories that were around at that time. Virtual directories and meta-directories could co-exist, and the combination of both had in the past shown great benefits. Think of it as the screwdriver vs. the hammer. Sure, with some brute force you might argue that you can use a hammer to put a screw in, and with some agility you might use a screwdriver to hammer in a nail. But you’re likely to damage something in the way, or at best, not be very practical about it.

I think the future is definitely in the convergence of traditional directory servers, virtual directories and synchronisation solutions to provide rock-solid dynamic directory infrastructure. To a certain extent we can already see this. Maxware (before getting acquired by SAP) and Radiant Logic have already released early, basic versions of synchronisation solutions that harness the power of virtualisation and combine synchronisation with dynamic, abstracted multiple views of data, rather than the static meta-directory approach.

In the future I believe we will see “super-directories” that combine traditional data storage with LDAP access, virtual views and synchronisation features. Some of the players in this space are gearing up to do this already. As synchronisation is usually well-established technology by most of the large players in the identity management space, the missing part is currently still virtualisation, and especially the integration of virtualisation and synchronisation.

Sun and the OpenLDAP foundation, for example, have already added some basic virtualisation features to their directory servers. Oracle has acquired OctetString a while back, and has arguably the most complete, all-around implementation of directory services, synchronisation and virtualisation. Novell, IBM and Microsoft are still lagging behind in this space, with some of the “old guard” defiantly resisting directory virtualisation and hanging on to last century’s belief that synchronisation can solve everything. But there are signs that this resistance is crumbling. It better be. Recently, at DEC2008, Microsoft’s Stuart Kwan presented Microsoft’s vision of a truly dynamic identity infrastructure based on an “identity bus”, where applications could plug in, and “transformers allow us to fold, spindle and mutilate the data in any way we want” - changing internal claims into any other format required by applications. Surely virtualisation is not the only piece that is needed to fulfill such vision, but it is an important (and still missing!) piece. Kim Cameron has not been known to be a big fan of virtual directories - and he still shows some scepticism for the “virtual only” approach, but seems to be warming to virtualisation in combination with synchronisation in one of his recent postings:

So we are led to the conclusion that we need a spectrum of synchronization and remote access capabilities. We should be able to use policy to define what information is stored where, and how to get to information that is not stored locally - e.g., combine metadirectory and virtual directory functionality.

I pretty much agree with Dave and Jackson in that traditional meta-directory technology just doesn’t cut it anymore, at least by itself, and is at best “quaint”. I very much agree with Kim in what I think is his vision of a future “super directory service” that integrates synchronisation and virtualisation with traditional directory services. Where I completely have to disagree with Kim however, is his use of the term “meta-directory” for this new type of “super-directory” technology. OK, I agree that “super directory” sounds a bit tawdry. A better term should be found. But c’mon Kim, “meta-directory” is sooooo… 20th century

TUESDAY, March 4th. Chicago, back to freezing temperatures.

Microsoft’s Stuart Kwan kicked off the second day with his keynote address where he spoke about an “identity bus”, where off-the shelf applications can plug in for all their authentication and access control needs. It was exciting to hear this from Microsoft. The concept is actually not even that new - Phil Windley wrote about this in his book “Digital Identity. But it’s great to see that Microsoft seems fully committed to (several selected) open standards (most of them likely to start with the letters W and S) and interoperability, and assuming that this stays that way, I agree with Stuart that “it does not seem as far off as you might think”. His vision is that claims, or “assertions” in SAML-speak, are the core of identity data within the bus that can be transformed into different formats depending on application needs. Somehow I had a quick excursion down memory lane during the end of the presentation to a place in time a few years ago when I was briefly involved in a project for a large service provider who had deployed two web application environments. One of them was called the “Microsoft Environment” and the other one was called the “Open Environment”. I remember that they had quite a challenge getting identity management to work across both environments at that time. So in future, that unnamed company will just have one “Open environment” that includes all the Microsoft web applications as well.

Later on in the exhibition area I took a closer look at the latest virtual directory server product that had just been announced a day previously by a company called “Optimal IDM”. I was given a comprehensive tour by chief software architect Nada Dickerson who graciously let me monopolise her for an extended period (I couldn’t help it, coming from the virtual directory space, this really peaked my interest). Optimal IDM has deployed identity management solutions over several years and has run into the same types of issues over and over again, which led them to develop their virtual directory product. The product is specialised to handle three specific “modes”. The first mode is called “Union Mode” and aggregates unique entries from multiple containers into a virtual consolidated view. The other two modes are variants of this, and add join rules. Object Precedence Mode can be used to specify which back-end has the precedence when the same object exists in multiple back-ends. Attribute Precedence Mode can additionally join attributes from the same object in multiple backends so that the returned object contains data from all objects of the same name. This is essential the “shadow joiner” or “data augmentation” feature found in competing products. Optimal IDM has developed their virtual directory product entirely with .NET technology and believes this to be a competitive advantage over other virtual directories.

Even before the conference, I had already earmarked the slot at 11 AM for Pamela Dingle’s presentation entitled “Hanging Out in the CardSpace Kitchen”. I hadn’t met Pamela before, but read some of her excellent material on the subject. It turned out exactly as I had hoped - an excellent, educational and lively presentation from *the* authority on CardSpace (apart from Microsoft’s Kim Cameron, of course). She also made the connection clear between Microsoft’s implementation, Project Bandit and Project Higgins. Microsoft’s Brian Puhl chimed in at the end to give an excellent scenario on how CardSpace can be used to work around some tricky legal issues in federated environments.

I remembered Dave Kearns mentioning in one of his posts from way back when that when Pamela Dingle presented on CardSpace at one of the Digital ID World conferences, she had Microsoft employees clamoring to ask questions. Well they didn’t do this time, but I certainly did. I met Pamela again that night in Centrify’s hospitality suite at a virtual bowling tournament on a Wii. Both Pamela and I were new to the Wii and immediately noticed that it even offers its own variety of “InfoCards” in the way of avatars (pictures) of the participants that our host configured for us.

Another highlight was the BoF (birds of a feather session) on ADFS that I attended. Stuart Kwan and Brian Puhl were there as well, and shared some interesting details on why we actually need to use claims and can’t just instead stick additional identity information in a Kerberos token (some applications would just choke on that), as well as throw around some ideas on how home realm discovery could be used in an environment where multiple federation protocols are used. Then suddenly we were all deep into CardSpace again. Stuart also offered a very interesting opinion how internal security tokens might look like in a hypothetical, futuristic Windows version. Unfortunately I had to run out because I had an appointment, but I think the BoF ran well over its allocated time - definitely another DEC highlight.

Against good judgement and to the bewilderment of my bowling buddies at the Centrify hospitality suite, I decided to forego the invitation to Oxford Computer Group’s party featuring a band called “Hairbanger’s Ball” and instead head off to early retirement for the day. In hindsight this was not the smartest thing to do, because it must have been a real blast, and overall the particular session in the morning that I wanted to attend was cancelled. Well, I’ll know better next time!