The European Identity Conference 2008 closed its doors last Friday, and for me it has been a fantastic event in all aspects. Obviously you should take my comments with a grain of salt as I am working for Kuppinger Cole and am therefore part of the organising team. However, I have never before attended a conference that combined such a breadth of topics, number and quality of speakers and depth. Many conferences are either at the “C*O level” or pure “geek conferences”. At the former, the geeks still intermingle since they are brought to the event to do exactly that, or to showcase their solutions. At the latter, it’s mostly tech-talk, pure and deep. EIC 2008 covered the whole range and therefore appealed to everyone as well as offering unique opportunities to learn more about the topics from other points of view.

The agenda was packed, and including BoFs (bird of feather sessions) many days went straight from 7 in the morning to 7 in the evening. I was actually surprised that so many people actually showed up at 7 AM for the integrated breakfast + BoF sessions. And yes - unfortunately having many tracks going on in parallel can be frustrating for those who are interested in multiple topics at once. But I think the track organisation has been done pretty well after a lot of fine-tuning, and besides - we’d all love to meet for two weeks, but nobody in charge would sign off on the travel request!

The identity federation track that I moderated was packed to the brim. Good to know - we definitely need a larger room for next time! Some people were standing, and we had to open the windows. Conor Cahill kicked off the track to give a overview of the technology within the area. He had a lot of ground to cover, and since the agenda was packed, I joked that he had agreed to speak faster in order to keep the presentation to 30 minutes. In fact that’s exactly what he did - finishing with still 5 minutes left for questions. He just emailed me his presentation and it will go online tomorrow to join all the other presentations already downloadable (those who attended the conference will have received the link). We followed with an experts panel discussing the current state of federation technology and where it’s likely to go, and where new technologies such as information cards will fit in. After that we had two user presentations: Anton Shmagin from the United Nations talked about a unique multi-technology and multi-protocol federated circle of trust in three months and how the organisational, political and of course technical challenges were solved. After that, Brian Puhl spoke about Identity Federation tales from the trenches at Microsoft. Brian is a real barnstormer and his presentations are excellent, funny, insightful and offer many nuggets of information that you wouldn’t get anywhere else. He is in Microsoft’s IT department, and in charge of Microsoft’s internal Active Directory systems. He uses the term “dogfooding” to describe what he is often asked to do - use beta versions coming from devlopment and putting them to production use in such a large environment - and then putting out the fires. I’m sure he has many of the developers’mobile phone numbers on speed dial! After the user presentation we had a vendor panel, which gave everybody the chance to exchange jabs and score points, as well as explain their specific vision and value-add. And we could have gone on, but there were only three hours for the track - hardly enough to “cover it all”. Several presentations on federation were also to be found on some of the other tracks and workshops and usually very well attended - an indicator on how important the topic is.

Conferences give a unique opportunity to meet up with peers, and for me this has been the perfect opportunity to network with users, customers, vendors and experts in the field. One of my personal highlights has been a 45 minute talk with Dave Kearns, Kim Cameron, Jackson Shaw and Dave Olds where we discussed the future “identity bus” concept that Microsoft’s Stuart Kwan introduced at the Directory Expert Conference in March. Following that announcement there’s been quite a bit of speculation of what such an “identity bus” might look like, and what it would replace. In my opinion, this “identity bus” would be the future fundament of identity management, like today’s directory services. Our discussion has been videotaped, and our camera man Bernd almost broke down after carrying that heavy camera on his shoulder once the interview was over.

Joerg also sent me out with Bernd the camera man to do several video interviews with some of the important players in the space. These interviews are currently being converted into streamable format and will be posted on this site “real soon now” (TM). Watch this space

An interesting conversation is taking place within the blogsphere about meta-directories, with Dave Kearns and Kim Cameron on both sides of the argument. This was all inspired by a blog entry on the 4th of March from Jackson Shaw called “You won’t have to kick me around anymore!”. That musing was about HP’s retreat from the identity management market, but makes a statement about meta-directory technology:

Let’s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind.

I started in this area in 1993 and some of the same architectures are still out there.

The certainly struck a chord with me when I read it. Dave Kearns picked up the topic in his newsletter when he wrote about Optimal IDM, the new virtual directory kid on the block, and made the case that meta-directories have “finally given way to the virtual directory”. Kim Cameron picked up Dave’s entry and disagreed. Up to now, this has lead to an interesting ping-pong of opinions between Dave and Kim, which has not exactly been easy to follow, not just because new contributions are being made on a daily basis up to now, and also because Kim uses the term “meta-directory” to mean something different than what Dave (and myself included) understand. I am going to take this opportunity to jump into the commotion as well, knife not freshly sharpened, but armour freshly polished!

First of all, to clarify what “meta-directory” means (at least, to me!). I am thinking about “Via” (Kim’s baby, the product that Microsoft acquired in 1999 together with Kim’s company, Zoomit). I’m also thinking about Novell Dir-XML, Siemens DirXmetahub and the Critical Path Meta-Directory Server. Old products, created many years ago. You don’t really see much happening with this technology any more, because it has its share of problems, and unless assisted with other technologies, does not fit well into today’s much more dynamic identity and access models. The only exception to that is probably MIIS, but I’ll get to that in a minute.

The old traditional “meta-directory” technology works by creating one big “centralised directory” (or “metaverse” as it’s known in MS-speak), pulling data from everywhere into that centralised directory and then pushing data out into all directions either. This approach is usually not a good fit by itself, because it has several significant shortcomings. I would not go as far as call the technology “dead” (it’s impossible to ignore the many MIIS installations out there), but I’ll call it something else: “quaint”. Now that word has several meanings according to the dictionary, but I sure don’t mean “marked by skillful design, beauty or elegance”!!!

Microsoft has made an investment into that technology by rewriting MIIS pretty much from scratch. And Siemens to this date probably has the most comprehensive and advanced meta-directory implementation with its DirXmetahub component that is part of its Dir-X offering. Nevertheless, meta-directories are arguably still around mostly because Microsoft forces this technology onto its customers for what I think are political reasons: Several people working for Microsoft in the field have told me that it was in Microsoft’s interest to have Active Directory as a central component, and believe it against Microsoft’s interest to have a “filtered access”, such as a virtual directory in front of AD, abstracting information away from what should be the authoritative source. I never really understood this fear, but recently it seems that this brick wall may be slowly starting to crumble (see below).

Some experts in the field still obstinately (in my opinion) push meta-directory technology as the only way to integrate multiple sources of identity information. I think this is very short-sighted. This might have been true in the last century, which is not even that far ago. But in a truly dynamic environment, meta-directory technology and a “synchronisation-only” approach just tends to get into the way. Likewise, the idea that virtual directories by themselves could solve all integration issues is wrong. It’s never been only one or the other, unless you had a specific problem to solve. It’s not synchronisation or virtualisation. You need both, at least if you are in a dynamic identity environment, or have a vision to get there.

So what is the solution for the future? Some people believe that virtual directories will eventually fully supplant meta-directories. Coming from the virtual directory world myself (I worked for Symlabs before joining Kuppinger Cole), I never truly believed that - at least not the virtual directories that were around at that time. Virtual directories and meta-directories could co-exist, and the combination of both had in the past shown great benefits. Think of it as the screwdriver vs. the hammer. Sure, with some brute force you might argue that you can use a hammer to put a screw in, and with some agility you might use a screwdriver to hammer in a nail. But you’re likely to damage something in the way, or at best, not be very practical about it.

I think the future is definitely in the convergence of traditional directory servers, virtual directories and synchronisation solutions to provide rock-solid dynamic directory infrastructure. To a certain extent we can already see this. Maxware (before getting acquired by SAP) and Radiant Logic have already released early, basic versions of synchronisation solutions that harness the power of virtualisation and combine synchronisation with dynamic, abstracted multiple views of data, rather than the static meta-directory approach.

In the future I believe we will see “super-directories” that combine traditional data storage with LDAP access, virtual views and synchronisation features. Some of the players in this space are gearing up to do this already. As synchronisation is usually well-established technology by most of the large players in the identity management space, the missing part is currently still virtualisation, and especially the integration of virtualisation and synchronisation.

Sun and the OpenLDAP foundation, for example, have already added some basic virtualisation features to their directory servers. Oracle has acquired OctetString a while back, and has arguably the most complete, all-around implementation of directory services, synchronisation and virtualisation. Novell, IBM and Microsoft are still lagging behind in this space, with some of the “old guard” defiantly resisting directory virtualisation and hanging on to last century’s belief that synchronisation can solve everything. But there are signs that this resistance is crumbling. It better be. Recently, at DEC2008, Microsoft’s Stuart Kwan presented Microsoft’s vision of a truly dynamic identity infrastructure based on an “identity bus”, where applications could plug in, and “transformers allow us to fold, spindle and mutilate the data in any way we want” - changing internal claims into any other format required by applications. Surely virtualisation is not the only piece that is needed to fulfill such vision, but it is an important (and still missing!) piece. Kim Cameron has not been known to be a big fan of virtual directories - and he still shows some scepticism for the “virtual only” approach, but seems to be warming to virtualisation in combination with synchronisation in one of his recent postings:

So we are led to the conclusion that we need a spectrum of synchronization and remote access capabilities. We should be able to use policy to define what information is stored where, and how to get to information that is not stored locally - e.g., combine metadirectory and virtual directory functionality.

I pretty much agree with Dave and Jackson in that traditional meta-directory technology just doesn’t cut it anymore, at least by itself, and is at best “quaint”. I very much agree with Kim in what I think is his vision of a future “super directory service” that integrates synchronisation and virtualisation with traditional directory services. Where I completely have to disagree with Kim however, is his use of the term “meta-directory” for this new type of “super-directory” technology. OK, I agree that “super directory” sounds a bit tawdry. A better term should be found. But c’mon Kim, “meta-directory” is sooooo… 20th century

Yesterday, the news hit the wire that Ping Identity had acquired the Sxip Access product line. I’ve written an article on the topic here (you may need to register, but it’s free). When I heard the news, I immediately wrote to Andre and Dick asking them for some more info. Andre got back to me pretty much straight away (thanks, Andre!).

I was curious about the acquisition of the product line - and not the whole company. Many times in this space, whole companies are bought, especially when they are the size of Sxip. Andre confirmed that this had been Ping’s original intent - to acquire Sxip entirely. Ping had been interested mainly in the Sxip Access product line. Dick apparently wanted to keep the company Sxip and Sxipper, and knowing that Ping did not really have a major interest in Sxipper, the deal was for Sxip Access, and not for the whole company.

Since these were the “crown jewels” of Sxip, I am very, very curious what Dick Hardt is up to now. I’ve sent him a couple of emails, but I’m sure that I’m not the only one… I can guess what his Inbox looks like, so it’ll probably take him a bit to get back to me. So for now I can only guess! According to the Sxip press release, the company will now focus on consumer solutions, such as Sxipper. However, Sxipper was basically a freebie. Sxip is a commercial company, and needs to make money. Sxip can make revenue from future versions of Sxipper either through paid support, or by having a “light” and a “commercial” version. Or maybe Sxip will focus more on the consulting side.

I admit, I’m speculating. But I’m sure Dick is up to something, and as soon as I find out, I’ll let you know!

Update

Dick just got back to me and did confirm that in fact he is up to something:

Subject: Re: So what are you up to now?
From:    "Dick Hardt" <dick@sxip.com>
Date:    Wed, March 12, 2008 4:38 pm
To:      "Felix Gaehtgens" <fg@kuppingercole.com>
--------------------------------------------------------------------------

Hi Felix

We are looking at a number of revenue streams from Sxipper including a
PRO version. Right now we are focused on building a great product
that provides value to users and that they will trust. We have a 2.0
release that is imminent.


I will be curiously awaiting what Sxip is going to be cooking next and report in due time. Good luck, Dick (although I don’t think you’ll need it because you seem to be on the right track)!

WEDNESDAY, March 5th. Chicago, seems a tad warmer, but still too cold for my taste!

The last day of the conference was a short one for me - I had to leave around 11:30 to catch my plane. I had a nice long chat with Dieter Schuller from Radiant Logic, who brought me up to par with their vision and technology. In my previous job Dieter and I were competitors, so we had a lot in common and of course knew each others products, but I got a much deeper understanding on Radiant Logic’s vision and approach to virtual directories. As I am currently writing Kuppinger Cole’s technology report on virtual directories (due before the European Identity Congress in April), this came in very handy. DEC 2008 has been an intense, and immensely rewarding experience, and my head is spinning! This has been my first, and certainly won’t be my last!

TUESDAY, March 4th. Chicago, back to freezing temperatures.

Microsoft’s Stuart Kwan kicked off the second day with his keynote address where he spoke about an “identity bus”, where off-the shelf applications can plug in for all their authentication and access control needs. It was exciting to hear this from Microsoft. The concept is actually not even that new - Phil Windley wrote about this in his book “Digital Identity. But it’s great to see that Microsoft seems fully committed to (several selected) open standards (most of them likely to start with the letters W and S) and interoperability, and assuming that this stays that way, I agree with Stuart that “it does not seem as far off as you might think”. His vision is that claims, or “assertions” in SAML-speak, are the core of identity data within the bus that can be transformed into different formats depending on application needs. Somehow I had a quick excursion down memory lane during the end of the presentation to a place in time a few years ago when I was briefly involved in a project for a large service provider who had deployed two web application environments. One of them was called the “Microsoft Environment” and the other one was called the “Open Environment”. I remember that they had quite a challenge getting identity management to work across both environments at that time. So in future, that unnamed company will just have one “Open environment” that includes all the Microsoft web applications as well.

Later on in the exhibition area I took a closer look at the latest virtual directory server product that had just been announced a day previously by a company called “Optimal IDM”. I was given a comprehensive tour by chief software architect Nada Dickerson who graciously let me monopolise her for an extended period (I couldn’t help it, coming from the virtual directory space, this really peaked my interest). Optimal IDM has deployed identity management solutions over several years and has run into the same types of issues over and over again, which led them to develop their virtual directory product. The product is specialised to handle three specific “modes”. The first mode is called “Union Mode” and aggregates unique entries from multiple containers into a virtual consolidated view. The other two modes are variants of this, and add join rules. Object Precedence Mode can be used to specify which back-end has the precedence when the same object exists in multiple back-ends. Attribute Precedence Mode can additionally join attributes from the same object in multiple backends so that the returned object contains data from all objects of the same name. This is essential the “shadow joiner” or “data augmentation” feature found in competing products. Optimal IDM has developed their virtual directory product entirely with .NET technology and believes this to be a competitive advantage over other virtual directories.

Even before the conference, I had already earmarked the slot at 11 AM for Pamela Dingle’s presentation entitled “Hanging Out in the CardSpace Kitchen”. I hadn’t met Pamela before, but read some of her excellent material on the subject. It turned out exactly as I had hoped - an excellent, educational and lively presentation from *the* authority on CardSpace (apart from Microsoft’s Kim Cameron, of course). She also made the connection clear between Microsoft’s implementation, Project Bandit and Project Higgins. Microsoft’s Brian Puhl chimed in at the end to give an excellent scenario on how CardSpace can be used to work around some tricky legal issues in federated environments.

I remembered Dave Kearns mentioning in one of his posts from way back when that when Pamela Dingle presented on CardSpace at one of the Digital ID World conferences, she had Microsoft employees clamoring to ask questions. Well they didn’t do this time, but I certainly did. I met Pamela again that night in Centrify’s hospitality suite at a virtual bowling tournament on a Wii. Both Pamela and I were new to the Wii and immediately noticed that it even offers its own variety of “InfoCards” in the way of avatars (pictures) of the participants that our host configured for us.

Another highlight was the BoF (birds of a feather session) on ADFS that I attended. Stuart Kwan and Brian Puhl were there as well, and shared some interesting details on why we actually need to use claims and can’t just instead stick additional identity information in a Kerberos token (some applications would just choke on that), as well as throw around some ideas on how home realm discovery could be used in an environment where multiple federation protocols are used. Then suddenly we were all deep into CardSpace again. Stuart also offered a very interesting opinion how internal security tokens might look like in a hypothetical, futuristic Windows version. Unfortunately I had to run out because I had an appointment, but I think the BoF ran well over its allocated time - definitely another DEC highlight.

Against good judgement and to the bewilderment of my bowling buddies at the Centrify hospitality suite, I decided to forego the invitation to Oxford Computer Group’s party featuring a band called “Hairbanger’s Ball” and instead head off to early retirement for the day. In hindsight this was not the smartest thing to do, because it must have been a real blast, and overall the particular session in the morning that I wanted to attend was cancelled. Well, I’ll know better next time!

MONDAY, March 3rd, Chicago (surprisingly warm).

I’ve already reported from the pre-conference workshop last Sunday that gave a very good introduction to Identity Lifecycle Manager 2 and Certificate Lifecycle Manager, and Microsoft’s Joe Long kicked off DEC 2008 with his keynote session presenting Microsoft’s vision on Identity Management, and how Active Directory will evolve to meet those needs in the future. Apart from being a good summary on what I had already heard a day before, it highlighted Active Directory being in the centre of Microsoft’s Identity Management ecosystem, surrounded by four cornerstones: Identity Lifecycle Management (ILM), Strong authentication (i.e. smart cards and CLM), data protection (Rights Management) and federation (ADFS). The idea is certainly going in the right direction. It is certain however, that Microsoft leaves many opportunities to be filled by partners that can harness the framework and complement it by filling in the gaps. No surprise of course, that some of these partners were present at DEC, showing off their latest wares.

As expected, many of the sponsors used the opportunity at DEC to announce availability of new products and releases. Netpro, the organisers of the event, went even further and “pre-announced” (announced that they will announce?) an upcoming new release to its ChangeAuditor product, a leader in the Windows auditing space. The upcoming 4.5 release is to feature a new SQL Server module and comprehensive Exchange auditing, including permission change and non-owner mailbox alerting. As companies in this space continuously strive to catch up with the ever-increasing demands of audits, this helps Netpro maintain a competitive edge in the space, as was explained to me by Brad Hibbert, who kindly took the time to brief me on Netpro’s plans. Brad also mentioned that Netpro will release a free tool built on top of Netpro’s SOA architecture that will integrate and extend the native Users and Computers interface. According to Brad, this AD Management tool will add business rules, workflow, and task automation to the ADUC interface. It help tighten security and instill better Idm practices into AD management, without requiring people to change how they manage AD today. The first release is planned to ship in May. Later this year a subsequent release will also provide a web console for AD management with these same capabilities.

Netpro is also planning a script management solution in Q3. This will allow organizations to integrate their custom scripts and batch jobs into an management console that will provide distribution, scheduling, security delegation, auditing and performance statistics. Over time NetPro will also publish its SDK such that other vendors and integrators will be able to extend the architecture to write and snap in additional management tools and utilities. This will make it much easier for many organisations to manage custom tools, scripts and batch jobs written for the purpose of administrating and automating the identity management infrastructure, and definitely tickled my interest. I shall be following up with Brad and share some further insight.

I’ve also taken a closer look at Centrify, after my colleague Martin told me to check them out, and he was right: I was positively impressed after talking to David McNeely, Centrify’s director of product management. He told me how Centrify’s DirectControl product seamlessly integrates Unix, Linux, Mac, Java and web platforms with Microsoft Active Directory. The product goes so far as to extend group policy objects onto those other platforms and allow for delegated administration. Another feature is zoning, which is used for two things: identity mapping from AD to the target system (so that my account “felix” on AD could, for example, be mapped to my Linux account “felixg” on the Linux development system, and to my accont “fga” on the production Solaris servers). Zones can also be used to manage granular access permission on specific sets of machines (like the “sudo” command on many UNIX machines). A second product, DirectAudit, can provide a complete log of everything that a user does on a system - up to the point of being able to replay an individual session like a VCR. Although I can understand the requirement for such a detailed audit on a highly sensitive system, I actually found it kind of scary from an old system administrator’s point of view.

Monday was also the day of the Directory & Identity Experts Panel Discussion, in which I had the privilege of joining Joe Long and Robert DeLuca from Microsoft, Kevin Kampman from the Burton Group, Gil Kirkpatrick from netpro, Laura DiDio from the Yankee Group and Christopher Voce from Forrester. Joshua Hoffman from TechNet magazine chaired the panel and opened up with a few questions before opening the flood gates to the audience. Joe was definitely in the front line of fire, being barraged with many questions with regards to when Microsoft would finally support SAML 2, SPML, virtual directories and other things that Microsoft doesn’t really seem to want to get its hands dirty with, at least at this time. I certainly felt sympathy, but he did a good job of defending Microsoft’s position. I got my share of questions as well. I have to admit that I was a bit nervous in the beginning, and in hindsight might have done a bit better with the first question about where I see OpenID in two years. But I think I did a pretty good job on the other questions of whether LDAP will be replaced by something else, and what needs to be done in order to enable applications for federation. After the expert panel, many lively discussions in the hospitality suites, and their aftermath! A perfect first conference day, and I collapsed happily into federated DreamSpace.

It’s been an exciting last week starting off with DEC 2008 in Chicago, and ending with a roller coaster ride into JFK Saturday evening, on the way back to Europe. DEC, as always, is packed with interesting presentations from the best technology experts all around the topic of directories and identity management in the Microsoft technology space. Virtually all of the latest knowledge is packed into three full days, which sometimes unfortunately means that you have to make a very difficult choice of choosing which presentation to go to when some really interesting ones take place at the same time. But that’s unavoidable, unless of course DEC was to be stretched out over two weeks - and I wouldn’t want to know what corporate travel departments would think about that! Luckily, rumour has it that slides to all of the sessions are available for those that went to the conference.

Unfortunately the WLAN card in my (almost) brand new HP collapsed and steadily refused service afterwards, so I was relegated back to the world of wireless-less Internetworking, which proved a challenge due to the business center closing at 7 and the wired connection in my room without a link. Now as I have got it fixed (thanks, HP!) I’m back in business, so here are my two other reports from DEC 2008!

I am at Netpro’s Directory Expert Conference in Chicago this week, and very excited to be here! I’m keeping my eyes and ears wide open for the latest tech and trends around Microsoft AD and Identity Management, and also participating at an experts panel this afternoon. Knowing that DEC is an action-packed event, I came a day early, and it was well worth it. Sunday’s ramp-up to DEC 2008 was a pre-conference workshop on Microsoft Identity Lifecycle Manager (ILM) 2 beta, Certificate Lifecycle Manager (CLM), Active Directory Federation Services (ADFS) and Active Directory Rights Management Service (ADRMS). It was a hands-on lab experience given by David Lundell from the Oxford Computer Group, who did a brilliant job putting it together.

Microsoft’s vision is to have Directory Services in the centre of a comprehensive infrastructure that supports Identity Lifecycle Management, Strong Authentication, information protection and federation. Harnessing the tools presented in this workshop, one can see where this is going. Although some of the components (specifically ILM 2) are still in beta and not expected to be released until the “second half of 2008”, the picture may still be a bit rough and blurred, but one can see that it will be quite a beautiful one, once completed.

I was particularly impressed by Certificate Lifecycle Manager (CLM), an add-on to ILM that facilitates string authentication, specifically in the area of smart cards. It seems that Microsoft has managed to add significant value to an area that is often notoriously difficult for many enterprises to implement. Starting with an abstraction layer to the underlying card’s hardware stack to a comprehensive lifecycle implementation, CLM supports the full work-flow of the whole lifecycle of issuance, PIN reset, revocation and retirement. Self service is of course part of the offering and is streamlined for efficient and secure management from initial issuance to retirement and secure recycling. Just like the Dot Net Factory, Microsoft is harnessing the new Windows Workflow Foundation for all of its workflow management. For data flow, uses its MIIS meta-directory technology.

Just before the session closed, Microsoft’s Bobby Gill gave us a “sneak peak” of some additional features of ILM 2 beta 3 “hot off the disk” that he compiled a few hours ago. It is obvious that many significant enhancements are still being made, and Microsoft is very actively involved with its beta partners to collect their feedback and make improvements before the official ILM 2 is released.

Back to keeping my eyes and ears open, and I shall be back soon with some more news from DEC 2008!

Over the last few weeks, the Liberty Alliance’s IGF caught my attention several times. Fulup Ar Foll and Jason Baragry, both working for Sun Microsystems wrote a paper called “Next Generation of Digital Identity”. About a month ago, HP’s Marco Casassa Mont and Oracle’s Phil Hunt published an article in “Sarbanes-Oxley Compliance Journal” entitled “Identity Governance Framework”. I’ve been wanting to blog about this for several weeks, but kept putting it off. Last week I had the fortune to be briefed by Prateek Mishra, Oracle’s Director of Security Standards, who explained in detail what the IGF was about and clarified some of the questions I still had.

In late 2006, several companies got together and created the Identity Governance Framework (IGF), an initiative of the Liberty alliance. Originally driven by Oracle, other companies in the space quickly joined the effort. The purpose of the IGF is to provide an open architecture that addresses governance of identity related information. This architecture is meant to bridge the gap between regulatory requirements and the lower-level protocols and architecture.

What does this mean and why is it so important? I like examples to understand things, so let’s start with a few of them. For a starter, many enterprises still have private identity data stored in many different data stores. Even though the trend is to minimise the number of “data silos” (places where identity data is stored), the reality is still that data can be found in many places. This creates a problem in our globalising society, where the HR department might be run in one country, and the support desk in another, and a myriad of services being outsourced yet to other locations. How can one ensure that the flow of data is controlled in such a way to ensure that all privacy laws are being complied with? Another example could be a federated environment of several suppliers working together in order to process an order. The order is received by company A, which then sends out several orders for parts to companies B1, B2 and B3, who then ship everything to company C that assembles everything and uses company D to ship out the finalised order to the customer.

In both cases, identity data is transferred and processed. How can the inherent risks associated with the creation, copying, maintenance and use of this data be mitigated? Who has access to what data for which purpose, and under what conditions? Ideally, policies on data usage are created by sources (attribute authorities) and consumers (attribute authorities) of identity data. These policies can then then be used for the implementation and auditing of governance. In other words: if you know what the rules are, express them in a policy, and make sure your policy is watertight when the next audit comes.

Exactly this is what the IGF attempts to create: a standardised mechanism for expression and implementation of these policies. The IGF is working on several standards and components to make this happen. One of them is the CARML protocol. It defines application identity requirements, in other words what type of identity information an application needs, and what that application will do with that information. CARML stands for “Client Attribute Request Markup Language”, and yes you’ve guessed right - it’s XML-based. As stated previously, CARML defines what attributes an application wishes to consume, and the privacy rules of the application: Will the data be persisted (stored) by application? If so, how long? What purpose is it used for? Will it be forwarded? When an application is then made available, administrators can review the CARML file for that application, ensure that privacy constraints are being met, and then connect the application to the respective data stores to make the information available.

On the other side of the spectrum there is AAPML, the “Attribute Authority Policy Markup Language” that describes the constraints on the use of the provided identity information - under what conditions specific pieces of identity data is made available to applications, and how this data may be used, and possibly modified. For example: what part of the users data can be modified by the users directly at a self-service portal? Or: under which condition may a marketing application use a users data, and what type of explicit consent needs to be given by the user? AAPML is proposed as a profile of XACML, the “extensible Access Control Markup Language” so that AAPML policies can be consumed directly by a policy enforcement point (PEP) to enforce access over the requests for identity data.

So now you can probably see where this is going. In one side, you have the applications, and CARML that specifies the identity information that they need. On the other hand you have the identity data sources (attribute providers), and the policies under which they make data available. In the middle, an identity service can broker between both sides. This identity service can read the CARML requirements from the applications, and the AAPML policies from the attribute providers, or use an external identity policy engine that enforces the AAPML policies.

So why another set of protocols? Isn’t this already addressed in some other standards? Liberty’s ID-WSF springs to mind, or SAML 2.0’s AttributeQuery, SPML, or even - to a certain extent - WS-Trusts Security Token Service. However, CARML and AAPML bridge a very important gap that is not addressed anywhere else: not how to request and receive attributes, but to express the need and purpose of identity data, and on the other side the allowed use and conditions for its consumption. IGF’s framework conceptually fits seamlessly into architectures harnessing today’s frameworks and picks up where CardSpace, Higgins, Bandit and WS-Trust, leave off.

In my mind, the IGF makes some very important contributions for important issues that have somehow “fallen through the cracks” in the last few years. The IGF’s standards ensure that privacy requirements can be met and audited against, and facilite the secure and controlled exchange if identity data. This has the potential to fuel adoption of technologies such as federated identity, and open up business opportunities that were up to now constrained by uncertainty about privacy or lack of tangible technology in that area. I will definitely keep the IGF on my radar!

Now who says that federated identity can’t be entertaining as well. On January 24th, Sun’s Daniel Raskin, who is involved in Sun’s OpenSSO project, poked a bit of fun at competitor Ping Identity by putting a short videoclip up on his blog which would help “explaining the differences” between Sun and Ping. It didn’t take long for Ping’s crew to respond in kind, promising an “epic battle” in their own video posted on Ping’s blog.

What I quite interesting about these little jabs carried out in good humour were the comments about “federation auto-connect” that Ping announced a few weeks ago in the latest version of PingFederate. The idea of this feature is to make federating between different entities easier by automating the exchange of meta-data. At Symlabs, the company I worked for previously, my then-colleague Sampo Kellomaki had developed the same feature about a year earlier, and had even mentioned it in his presentation at the first European Identity Congress last year. At that time, I must confess that I was unsure this feature’s value in most scenarios - apart from very specific low-risk “open” federations which were already being catered to by OpenID. Charts such as the one featured in this blog entry from Ping still raise a certain scepticism, but maybe that scepticism might prove to be wrong. I am certainly interested in exploring further the value proposition of auto-federation and will make sure to tickle some answers out of the participants in the federated identity track that I’m moderating at our next Conference in April.

As both Sun and Ping will be at the European Identity Conference 2008, we will try to set the stage for an epic battle to be carried out there! And to make it even more interesting, we’ll throw the other contenders into the foray as well!