Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

• In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
• Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Tags: Identity Analytics, Identity Governance, OpenSSO, Oracle Access Manager, Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Directory Server, Sun Identity Management, Sun Identity Manager, Sun Role Manager

It took so long, I think of lot of people thought this day was just a mirage. And unfortunately, the delay has cost us (in the identity management team) the opportunity to work with some great folks like Eve Maler and Pat Patterson. But now it is done, and the real work can begin as we start to lay out exactly how the IAM suites of the two companies – arguably the best in the business – will come together. It isn’t going to be easy, and our emphasis on our customers means that it can’t be quick, but the result should be great. In the Oracle+Sun strategy update this morning, Thomas Kurian gave the following overview on the Identity Management product strategy:

• Oracle Identity Management Suite continues as the strategic family of products, but Oracle will continue to invest in and share technology between Sun and Oracle products
• Both Oracle Internet Directory (OID) and Sun Directory Server will be supported, with common LDAP administration through our DS Management tools. Oracle will continue to maintain OpenDS
• Sun Role Manager will become Oracle Identity Analytics, the strategic identity analytics tool
• Oracle Identity Manager, Oracle Access Manager, Oracle Virtual Directory, Oracle Entitlements Server and Oracle Identity Federation continue as Oracle’s strategic products for their respective areas, with technology incorporated from Sun
• Oracle will invest in Sun Identity Manager and integrate it with Oracle Identity Manager
• Oracle will also invest in Sun OpenSSO and integrate it with OAM

Of course, the devil is in the details, and I expect that the coming weeks and months are going to be a little crazy as those details are laid bare. Planning has been going on for a while, and now those plans can finally be communicated and the ramifications thrashed out. That should provide a fair amount of fodder for discussion in the blogosphere and twittersphere (so stay tuned). I’ll try to provide some information here as and when it can be made public.

And a warm welcome to all my new colleagues from Sun. Buckle in for what should be a very interesting ride. I’ll be at Oracle HQ in a couple of weeks to participate in some of the planning and discussions that will be happening. So if you will be around, then lets meet up.

Tags: Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Identity Management, Sun Role Manager

Gartner has released their latest Magic Quadrant on User Provisioning. It’s good to see that we have built on our previous success to emerge as one of the best (if not the best) in the Provisioning industry. I can remember the days at Thor when we would have given up our firstborns to achieve something even close to this kind of recognition.

Good to see that all the hard work at making Oracle Identity Manager easier to use, configure and manage is starting to show dividends. Gartner specifically recognized some of the key improvements we made to the product in the last release: our new Graphical Workflow Designer, the new Connector Installation Wizard, and improvements to our Generic Technology Connector and Reconciliation Manager.

The report also gives props to our strategy of Service-Oriented Security, which is laying the foundation for an identity services based deployment of identity management. The report does seems to assume that our Application-Centric concept is different from SOS, and that we have moved away from it. The truth is that SOS is simply an expansion of our earlier Application-Centric vision, which looks to make it easier for identity-enabled applications to be built by using identity constructs made available in the development environment.

Gartner makes note of the strong competition we will continue to face from Sun, IBM, Novell and a slew of other products. And there is no dearth of recent articles noting the continuing troubles enterprises face in provisioning deployments. So while it feels good to be at the top of the pile, there is still a lot of work to do as we try to keep the momentum going.

You can check out a copy of the report, compliments of Oracle, here.

Tags: Gartner Magic Quadrant, Oracle Identity Manager, Provisioning

The post is grossly inaccurate on several counts. For one, Oracle IdM wouldn’t be experiencing the phenomenal growth it is if we were giving away the software for free (a dirty word in many quarters). Paul also says “Every day of every week we go head-to-head with Oracle and we never  loose technically”. Really, never? That’s a bit of an overstatement, isn’t it? I have personally been involved in quite a few deals where we (as Thor and later Oracle) won the technical evaluation. And Sun was always part of the competition. Paul thinks that “when it comes to Identity Management they (Oracle) certainly have an advantage in that they own the back-end”. If owning the back-end were such an advantage, Microsoft would rule the roost because of AD (uh oh, I’m not starting that whole fracas again), and we would have won no deals as Thor.

Sun has always been our strongest competition in the provisioning space (back since they were just Waveset), and it was always a healthy competition, which is why such a post surprises me. They have a very good product, just like a few other vendors, and each product brings something different to the table, which means that the customers that bought them usually did so because they were a better fit for their needs.

Being big bad Oracle can be an asset in some deals, but it can also be a disadvantage. On a few occasions I have tasted the bitter pill of not getting the deal despite the evaluation win for business/political reasons, a reality that every company has to deal with no matter how big or small they are. But by and large. most enterprises work very hard to try and make the right choice of vendor based on who solves their problems, not backroom politics or a difference in dollar amount. IdM is just too complex to cripple yourself further with bad decisions made for petty reasons. Oracle, Sun and every other IdM vendor is competing in a congested market where the winning formula is value proposition and customer satisfaction. Boutique vendors wouldn’t survive, even thrive, in this market if that were not the case. HP would not have exited the market if this wasn’t true.

But the post did remind me of something that I do want to touch on, and would definitely play to Oracle’s position in the space – the many customers that are looking for deeper integration between ERP and IdM. I’ll touch on this in a later post.

Tags: Oracle Identity Management, Oracle Identity Manager, Provisioning, Sun Identity Management

But I couldn’t keep myself from commenting on the most recent wave of acquisitions in the identity space. Both have some interesting consequences for the identity management market.

IBM acquires Encentuate
First up is the acquisition of Encentuate, a provider of enterprise single sign-on (E-SSO) and strong authentication technology, by IBM (see the press release here). The big effect of this acquisition will be on customers who bought IBM’s current offering in the eSSO space – IBM ITAM ESSO (that mouthful stands for IBM Tivoli Access Manager for Enterprise Single Sign-On). That product was based on an OEM of Passlogix’s v-GO product suite. Obviously IBM cannot have two products in their stable doing the same thing, so the logical assumption is that over the next release or two, ITAM ESSO will shift from being based on the Passlogix technology to the Encentuate technology.

You can read the views of some folks on the acquisition here, here and here. I found Ian Yip’s reaction most interesting, especially since he used to work at IBM. He pulled no punches in telling customers of ITAM ESSO what to expect, saying that in the future they will be forced into an upgrade that isn’t really an upgrade:

“What marketing won’t say is that the “upgrade” from 6.0 (based on Passlogix) to 7.0 (based on Encentuate) is essentialy a rip and replace. There is no seamless upgrade. Sure, they’ll probably offer some tools to “help”, but the upgrade process will need professional services either from IBM Software Services or IBM Business Consulting Services because the single sign on templates will be completely different between the Passlogix and Encentuate products.”

Ian thinks that IBM ITAM ESSO customers are the losers in the deal (along with Passlogix, who suddenly lost a revenue stream). However, it doesn’t really have to be that way. Passlogix is also the OEM component in Oracle’s E-SSO offering,
Oracle Enterprise Single Sign-On Suite (something that Ian believes raised IBM’s ire). So there is another option available to ITAM ESSO customers – instead of doing a rip and replace of ITAM ESSO with the next version of ITAM ESSO, do an upgrade of ITAM ESSO to Oracle eSSO Suite. Being based on the same product, the shift is sure to be so much smoother. And you get the added benefit of direct integration with Oracle Identity Manager, through the Oracle eSSO-Provisioning Gateway that Oracle ships.

Of course this sounds self-serving, and a bit simplistic, but it is also quite logical, and likely to be an approach that could save many an enterprise many a headache.

And IBM’s move certainly serves as validation of the maturity and viability of E-SSO as a technology.

Microsoft acquires Credentica
Next is the acquisition of Credentica by Microsoft. Credentica’s U-Prove technology attempts to tighten up the security of identity transactions by decoupling the parties involved in a manner that prevents transmission and use of extraneous data, without sacrificing authenticity of everything involved in the transaction. It uses PKI technology to secure the authentication and identity data flow between an Identity Provider (Issuer) and a Service Provider (Verifier) in a user-centric manner. The big claim of the technology is the ability to enforce minimal disclosure of identity data (also referred to as “zero-knowledge” proofs for privacy).

In layman’s terms, the U-Prove technology claims to provide people a way to disclose personal information in a manner that does not threaten their privacy, or expose them to identity theft. It also limits the disclosure of information to unintended parties, preventing accounts from being linked across different service providers. Kim Cameron does an excellent job of explaining (and making a case for) all this on his blog.

Everyone is talking about the ability of U-Prove to immediately provide a security layer to Microsoft CardSpace that it previously lacked. The way that managed cards work, the IdP can accumulate knowledge about the user by analysing the card requests it is fulfilling on behalf of the user. Minimal disclosure tokens make it possible to obfuscate the SP interaction, making it impossible for the IdP to understand how the issued cards are being used, thereby rendering it unable to aggregate any information.

To understand more, read this article in eWeek’s Microsoft Watch.

Tags: Access Control Management, Identity 2.0, Information Cards, Oracle Identity Management, Oracle Identity Manager, Personal Identity Management, User-Centric Identity

• Brand new Graphical Workflow Designer
• Major enhancements to the Generic Technology Connector (first introduced in OIM 9.0.3, and discussed here)
• Enhancements to the Attestation Framework
• Enhanced support for Multiple Authorities of Identity Information
• Support for inbound SPML v2.0 provisioning requests (via web services)
• Richer constraints in Password Policies
• New Connector Installation Wizard

The release also includes a number of fixes, enhancements aimed at improving usability and manageability of the product, and greater platform support.

One of the impressions that seem to exist out there is that after acquiring products, Oracle focuses more on integration projects and less on feature development and innovation. That couldn’t be farther from the truth, and hopefully this release will prove that. While there usually is a post-acquisition lull in terms of releases, it is usually to accommodate the cost of assimilating into the machinery of a big company, and the expansion into a global marketplace. This involves improving platform and language coverage, and porting over to the new release processes and standards. And priorities also tend to shift dramatically when you go from being a startup product to one from an established software vendor.

But one thing that the Oracle Identity Management team has been very good at is listening to our customers and the marketplace. Most of the work in release 9.1 has been driven out of recommendations from our Customer Advisory Board and feedback from the marketplace.

In the coming weeks, I will write in greater detail about some of the major additions to the product in release 9.1. If there are specific topics that you would like to know about, send those in to me and I will see what I can do.

Tags: Oracle Identity Management, Oracle Identity Manager, Provisioning

Interestingly, Oracle has pulled ahead of other vendors on “Completeness of Vision“. That is reflective of the strong leadership that exists within Oracle’s identity management group right now. It also reflects a lot of the innovation going into the vision for Fusion architecture and Application-Centric IdM. This is important considering the strong competition we face in the UP market (Novell and Courion just entered the Leaders quadrant in this report with some strong product offerings).

There is no intention within the team to rest on our laurels, and we have some really cool things planned for the Oracle Identity Manager product that will take it to the next level. You will start seeing these over the next few releases, so stay tuned to this blog for more on that.

You can read the report here.

Tags: Application-Centric IdM, Gartner Magic Quadrant, Oracle Identity Management, Oracle Identity Manager, Provisioning

A while back, I was pulled out of the world of identity services, Open ID, protocols and exotic role structures by a simple request posed by a prospective customer. In evaluating our product, they were wondering (quite innocently) if there was any way to improve the rate of identity on-boarding and ongoing reconciliation by a factor of 10.

“A factor of 10″, we mused? Why? Obviously everyone wants fast performance, but this is taking things to a whole new level. As an engineering organization, we have already put in a fair amount of time optimizing the behavior of the product to make it work as efficiently as possible, bringing performance to a level that matches the benchmark requirements of our (fairly large and sophisticated) customer base. On top of that, we have tools and best practices to help customers create solutions that fit their needs. Despite all of these, we were not going to meet their requirements.

A little work helped us identify the solution to their problem (it was based on a divide-and-conquer approach of data segmentation and parallel scheduled jobs). So we were able to achieve the required throughput. But it required some fancy footwork and fancier system configuration.

And just this week, I heard the same requirement again. Except that this time, the required factor was a 100. It made me think “The more things change, the more they stay the same”. For all the fancy capabilities we are trying to add on to our product lines, we just can’t afford to ignore the fundamentals.

Yesterday I read a post by Mark Dixon talking about China Mobile. The statistics are incredible:

• 327 million subscribers
• 5.28 million subscribers added in May alone.

The implications are pretty clear. For identity services to become a reality, IdM products (like ours) need to scale up tremendously, without sacrificing all the bells and whistles that have been added (for auditing, role management, automated provisioning and compliance, among other things). As technologies like Open ID and CardSpace move us closer to the day of a single internet identity (one hopes), the applications that rely on the identity services to make all this possible are going to demand better functionality without any sacrifice in performance.

This will require work at every level of the stack – the data store, the application container, the IdM service provider, the identity frameworks and the applications themselves. Oracle is working hard on all of these. But for all that, I look at some of the efforts underway (like in the Higgins project) and some of the technology protocols (like XACML) and wonder: Are we really ready for something like this?

What do you think?

Tags: Application-Centric IdM, Identity Services, Oracle Identity Management, Oracle Identity Manager, Provisioning

• Oracle Identity Manager 10gR3 Datasheet (PDF)
• Generic Technology Connector Administration Guide (HTML)

Tags: Generic Technology Connector, Oracle Identity Manager, Provisioning

However, for applications that are not supported out of the box, or custom applications that customers have built themselves, building a connector can be an arduous task. It takes planning and resources (both in time and manpower). Quite often, APIs are simply not available for build a good connector. And the number of applications in an enterprise that need to be managed can prove overwhelming to a small IdM team.

Introducing the Generic Technology Connector
This is where the Generic Technology Connector steps in. Introduced in OIM 9.0.3, the name is actually a misnomer. The GTC is really a wizard that provides an alternative connector development environment to rapidly create all the necessary functional components that make up a target system connector in OIM. It’s power comes from the way it leverages standardized mechanisms and tools instead of application specific APIs. The GTC framework also eschews the more powerful, but complex, process-based connector approach for a far simpler dataflow-based connector approach.

The GTC is one part of a three pronged comprehensive integration offering (see diagram above). The GTC allows customers to easily build connectors for target systems that support standard integration mechanisms like flat-file imports via FTP, or SPML-based provisioning over Web Services. Target systems that do not need complicated provisioning process flows can be quickly brought under management in OIM, dramatically reducing the deployment timelines. While a GTC-based connector does not have all the rich capabilities an API-based application-specific connector has, the fact is that for most applications the deeper integration capabilities are not needed.

Architecture of a GTC-based Connector
The following diagram shows the component level architecture of a connector (supporting both provisioning and reconciliation) built using the GTC (click on the image for a larger view).

The GTC framework provides basic building blocks that are used to rapidly assemble a custom connector. The architecture shows the dependence of the GTC framework on the data migration aspect of the connector. The building blocks are:

• Reconciliation
  • Reconciliation Transport Provider: This provider is responsible to moving the reconciled data from the target system into OIM.
  • Reconciliation Format Provider: This provider parses the message received from the target system (that contains the reconciled data) into a data structure that can be understood by OIM’s reconciliation engine.
  • Validation Provider: This provider validates any data received before passing it on to OIM’s reconciliation engine.
• Provisioning
  • Provisioning Format Provider: This provider converts OIM provisioning data into a format that is supported by the target system.
  • Provisioning Transport Provider: This provider carries the provisioning message received from the Provisioning Format Provider to the target system.

The term Provider is pretty ubiquitous in the above architecture, and represents one of the fundamental features of the GTC framework. OIM administrators can add to the building blocks that make up the GTC framework simply by defining and dropping in new providers supporting additional technologies/mechanisms. The Transport Providers support standard communication protocols like HTTP, SMTP, FTP and Web Services. Format Providers support generic message formats such as CSV, SPML and LDIF.

The GTC Framework builds on top of the existing connector framework in OIM, leveraging all of it’s existing capabilities (like auditing, security, export/import capability etc).

Developer Experience
A major feature of the GTC is the improved developer experience. The GTC employs a web-based point-and-click graphical wizard that clearly shows to the user the data flows that they are defining within the connector. It stores in metadata all the configuration information regarding the connector, so that it can reload the GTC view of the connector and enable ongoing maintenence of the connector in the same graphical environment. Since the GTC builds the connector using the standard connector framework behind the scenes, the developer is actually free to go into the standard OIM development environment and make further modifications to the generated connector. However, once the GTC-based connector has been “customized” in this manner, it can no longer be maintained using the GTC.

For more information, visit the page for Oracle Identity Manager at oracle.com/identity.

Tags: Generic Technology Connector, Oracle Identity Manager, Provisioning