Too Many Identity Standards
October 10, 2007 - 1:44pm — bex
Nishant Kaushik has another good post on Identity management... this time talking more about Identity as a service. People should make it brain dead easy for developers to integrate enterprise identity management into their applications, regardless of which system you use. He also linked to his presentation. I liked it a lot... I think it's a great idea... but something about it gave me a chuckle.
At present, there are at least nine identity "standards": CardSpace, LDAP, OpenID, SXIP, SAML, SPML, WS-*, XACML, XDAS... not to mention basic username/password authentication, custom modules, and proprietary systems like SiteMinder. And even the most commonly used standards are a pain to develop with.
The solution -- which I fully support -- appears to be to wrap all the "standards" in a functional, proprietary API. Then you only need to know one API, and have one repository, for all your identity management needs.
Makes you wonder why people bother to call them "standard," doesn't it?
I remember three years ago at Stellent, Sam White was so fed up with so many security standards, he sketched out a version of the Content Server that did nothing but authentication and authorization services. A bit ahead of its time, because it took till now for the market to beg for something like this.
Anyway, good luck to Nishant...
UPDATE: Gerald Beuchelt is upset because my list above isn't exhaustive, it mixes pure identity protocols with partial ones, and that I dared to include SXIP. Then he misquotes me. I told him to chill. Although I do empathize that he's frustrated... many of us are.
standards
hmm... while everything you list is a "standard" of some sort, they aren't really competing, most are complementary. CardSpace and OpenID are similar as are SAML and some parts of WS-I. Sxip is a server based on the OpenID model, while LDAP is a directory access protocol (and could be used by all of the above). Likewise, XACML is a language for exchanging data and could be used within a CardSpace/OpenID environment (or not).
Oh, and we've had authentication servers for a whole lot longer than 3 years...
-dave
cool...
so, 3 years ago, which SOA-based authentication servers worked with more than 5 "standards"? Any available today with an easy-to-use API?
Also, the fact that these standards are "complementary" instead of "competing" actually makes the problem worse for the application developer. Instead of 10 possible options, you have several hundred combinations...
I look forward to what Oracle spits out there...
Oracle Spits Out...
Ya, when they produce the 10th, additionally complementary standard that should be pretty cool.
What makes you think they will do anything better? Is that insider-insight?
authentication services
>>so, 3 years ago, which SOA-based authentication servers
Oh, so now it's "SOA-based" authentication servers? Wake up to the real world, where "SOA" is just another buzz phrase for the stuff we've been implementing over at least the past 20 years...
nuts to buzzwords
>> Oh, so now it's "SOA-based" authentication servers? Wake up to the real world, where "SOA" is just another buzz phrase for the stuff we've been implementing over at least the past 20 years...
hehehe... yeah, but now there's a name for it! I should be less buzzwordy: I'm looking for something that had the following features:
1) loose coupling between connector and auth server
2) simple API with an open communication protocol (like very basic XML over HTTPS)
3) no tight data binding (i.e., response as text or XML that can be easily transformed)
4) coarse-grained transactions to get ALL auth data in one swoop (no multiple round-trips EVER)
5) support for a wide range of auth tokens (NTLM, pure Kerberos, cookies)
6) ability to sync or federate with multiple repositories in multiple ways
7) not a PITA to set up, configure, or manage
The last one is where a lot of systems fail...
nope! just bias...
What I see is a lot of people coming out with better and better "standards," that try to be clever and solve every problem under their sun. What is rare is to find somebody who cares about the effort on developers -- except perhaps Microsoft. That's what this blog post from Oracle says to me...
If your security system is difficult to configure, then you probably don't have security. I don't care about standards; I care if something is secure, easy to maintain, easy to add new features, and easy to develop against.
An über wrapper for all (known) security protocols, offered as a service, seems to fit that bill. Forget asking the standards bodies to agree on a way to cooperate... just do it. If an eleventh protocol comes along, you can upgrade your "security server", and (hopefully) not need to tweak much existing code to gain the benefits.
That's a good goal, in my mind.
Take a Look At The openLiberty IGF Project
I invite you to take a look at the openLiberty IGF project. We're working on a multi-protocol API that does a lot of what everybody is talking about.
I'd love to get more input on what developers really want to have and what they define as success.
Check it out at:
http://www.openliberty.org/wiki/index.php/IGF_Introduction
Re: IGF Project
Joy. Homework. ;-)
I like this page: http://www.openliberty.org/wiki/index.php/Existing_Identity_Systems
I had only heard of about four of those open source projects... do you really plan to support ALL of them? I like that it uses CARML: that's simple and easy, and not significantly more bloated than other XML schemas...
It looks like you won't have any code to download for a while... the architectural diagrams are helpful, but kinda high-level. Any preliminary specs, or should I play the waiting game?
From my perspective, I'd like to be able to set up a federated system close to my application, in order to speed up the round-trip auth calls. I'd also like to be able to "tweak" the data in the federated system, so I can map a poorly designed general schema to one more specific to my app. I know that makes governance difficult, but it's better that such rules be in an official "user repository" than in my app. Then I'd like a quick and easy API that gets me a list of all "groups" or "roles" for an entity in one single call.
If it's all that, AND easy to maintain, you've got a fan.
Yup. What you are looking
Yup. What you are looking for is exactly what we are after.
You are correct, there is no code to download yet. What we're trying to do is a parallel standards-development and open-source approach. Rather than Oracle just writing a bunch of stuff and giving it to y'all, we would like to develop this in the "open". It clearly needs broad input and shouldn't be owned by any particular vendor.
I should also point out that we expect to start building on a lot of the Higgins code base and in particular the Identity Attribute Service. We're going to take that implementation and further abstract client applications - the goal is 100% abstraction (well as close as we can get)!
http://wiki.eclipse.org/Bandit_STS/IdP_Deployment
This will really get things going quickly at least as far as Java goes. I'm hopeful we'll also recruit open source implementations of IGF in other languages and platforms.
Cheers.
My reply ...
I replied to your comment - overall, I do sympathize with your desire for the identity uber-API, but I think that it will always be an insular solution.
Peace...