The End Of The Extranet

So I was out having pasta last Thursday with a buddy of mine... his job is setting up Active Directory Federated Services (ADFS) at Microsoft HQ, and has been for many years... When stuff doesn't work right, he's one of the guys who gets to tweak the system till it does. When things go really wrong, he gets to phone a real live Active Directory developer, shake him out of bed, and see if the developer knows the voodoo incantations to get things working again.

Fun job... and I'm sure a lot of Active Directory admins would give their left arm for his rolodex...

Under the hood, ADFS uses Kerberos (plus voodoo) for authentication, and a SAML token for authorization -- a.k.a. entitlement management... he's helped set up federated access between Microsoft and several partners (such as Intel). He said it's a whole lot easier now than it used to be. It's still far from simple to configure and manage, but setting up certificates is a breeze compared to the early betas.

I told him about my reservations regarding SAML (noted by certain bloggers)... I like the goals and all, but it was so complex I just didn't think it was (yet) worth the well-known maintenance effort. I preferred a "wait and see" approach. If I saw it hit a critical mass, then I'd bite. Then he said, "don't you understand? SAML completely eliminates the concept of the extranet!"

Then it hit home...

I've been doing web content management (WCM) for so long I'm stuck in the internet/intranet/extranet thought mode, and I just assumed that people would keep doing it that way... but a SAML integration would mean that one single logical server could satisfy the security needs for all audiences.

As Alec says: that's the way the internet used to be, and it's about time it went back.

Not that such a pipe dream would necessarily happen... you might currently have dozens of content silos. However, if they are bound to a SAML enabled user repository, you could have no fear allowing access to that content from your extranets. Extracting data from a silo is a whole separate issue, naturally... but at least when you do so, it's secure.

Of course, the extranet as a concept isn't fully eliminated... I'd like my partner Company Foo to see a Company Foo branded site... and my other partner Company Bar to see a Company Bar branded site... but that's more personalization than anything.

Naturally, the devil's in the details. Just because it's possible to do it all with one system, that doesn't mean it'll happen. Setting up flexible personalization, reusable content, and getting everybody to agree on an "Entitlement Management" system won't be a picnic... The three p's always rear their heads: politics, paranoia, and performance. Also, from a security standpoint, some may consider SAML to be brittle and not defensible -- a single point of failure, in other words. Also, it's probably economically infeasible to force everybody onto one logical system... much to the chagrin of IT.

I'm still not sold, but I'm warming up to SAML...

Content silos -- the sworn enemy of enterprise content management -- are perhaps inevitable... because consolidating all that information is a never ending task. Consolidation helps mitigate the negative effects of silos, but even better are tools and systems that make consolidation unnecessary...

comments

How Microsoft IT does...

http://www.microsoft.com/technet/itshowcase/content/msadfs.mspx

Here's how we did the Ecompanystore during Win2k3 R2...

thanks!

That's a great use-case for explaining the cost benefits of federated access...

Of course, the nasty side effect of universal single-sign-on is that phishing and cross-site scripting attacks are easier... I like how myOpenID.com mitigates phishing with the private security image. I think more systems should adopt their approach.

Fighting XSS, however, is a constant battle...
