<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talking Identity &#124; Nishant Kaushik&#039;s Look at the World of Identity Management &#187; Provisioning</title>
	<atom:link href="http://blog.talkingidentity.com/tag/provisioning/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.talkingidentity.com</link>
	<description>An Architect&#039;s Quest to make sense of the world of Identity and Access Management</description>
	<lastBuildDate>Thu, 22 Dec 2011 21:56:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The Purpose Driven IAM Life</title>
		<link>http://blog.talkingidentity.com/2011/08/the-purpose-driven-iam-life.html</link>
		<comments>http://blog.talkingidentity.com/2011/08/the-purpose-driven-iam-life.html#comments</comments>
		<pubDate>Mon, 01 Aug 2011 15:44:40 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Access Governance]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Identity Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=1304</guid>
		<description><![CDATA[[Cross-posted from the Identropy blog, where I will be contributing some posts from now on] Another Catalyst conference (now Gartner Catalyst) has come to an end with the former Burton Group analysts challenging us once more to do better as an industry. It&#8217;s an unfortunate reality that cost overruns, unrealized benefits and missed objectives still [...]]]></description>
			<content:encoded><![CDATA[<p>[Cross-posted from the <a href="http://bit.ly/riJ1sM" target="_blank">Identropy blog</a>, where I will be contributing some posts from now on]</p>
<p>Another <strong>Catalyst conference</strong> (now Gartner Catalyst) has come to an end with the former Burton Group analysts challenging us once more to do better as an industry. It&#8217;s an unfortunate reality that cost overruns, unrealized benefits and missed objectives still plague most customers of identity management solutions. While there are still things we need to do on the technology side of the equation (most notably, moving towards a pull-based identity architecture in our application and platform layers), there is much more we can do in a more immediate fashion on the business and deployment side of identity management. And since any new proposal must be accompanied by an appropriate buzzword, here&#8217;s the one I took away from Catalyst &#8211; <strong>fit-for-purpose</strong> (<a href="http://bit.ly/rhFnxD" target="_blank">putting $1</a> in the Bob Blakley piggybank).</p>
<p>For a while now, it&#8217;s been fashionable to bash provisioning. But to me, this was always misguided anger. Yes, it&#8217;s true that many provisioning projects suffer from missed deadlines and budget woes. But that was never because of the technology, which did exactly what it was supposed to (though there is still <a href="http://bit.ly/h6JhYi">much we can do</a> to improve its maturity and stability). It was always because of the way it was sold, deployed and mismanaged. How often did we hear massive provisioning projects being drafted to achieve regulatory compliance, only to find out that it wasn&#8217;t a sufficient control? How many connector development projects were defined to automate provisioning to many hundreds of targets, without any ROI calculations ever being done to determine its value to the business (though its value to the implementing SI was all too obvious)?</p>
<div id="attachment_1305" class="wp-caption aligncenter" style="width: 510px"><a href="http://blog.talkingidentity.com/wp-content/uploads/2011/08/software-engineering-explained.png" target="_blank"><img class="size-full wp-image-1305" title="software-engineering-explained - 500W" src="http://blog.talkingidentity.com/wp-content/uploads/2011/08/software-engineering-explained-500W.png" alt="Look Familiar" width="500" height="375" /></a><p class="wp-caption-text">Look Familiar</p></div>
<p>The angst has gone so far as to create a whole new market &#8211; <strong>Identity &amp; Access Governance</strong> (IAG) &#8211; and marketing terms like &#8220;next generation provisioning&#8221;. But there is nothing revolutionary (or even evolutionary) about the model of automating provisioning to your most sensitive and/or high volume targets, while only setting up approval workflows and manual provisioning for the rest. You could do this with <strong>Thor&#8217;s Xellerate</strong> provisioning product (now <em>Oracle Identity Manager</em>) back in 2003, when we created full fledged functionality for manual provisioning that included email notifications and a provisioning task list (with detailed data and instructions) for your IT admins. Through all the noise and FUD, what is actually coming to the fore is the deeper and more relevant concept of understanding exactly what your use cases are for your IAM deployment, and focusing the features, design and deployment on meeting those use cases.</p>
<p>The most successful IAM projects have always done exactly this, with plans that classified their applications into tiers corresponding to the controls they wanted to put in place, creating role management projects that emphasized defining only the higher value business roles instead of trying to blanket everyone in the enterprise, and finding the right blend of automated controls, manual decision-making and oversight mechanisms. The defining characteristic in these projects was always an attitude of rational, measured response to the risk involved &#8211; in other words, an emphasis on making sure that any solution rolled out was fit-for-purpose.</p>
<p>This is the philosophical approach to IAM that attracted me to <strong>Identropy</strong>, where it exists both in the advisory and implementation aspect of our business, and in our approach to designing <strong>SCUID Lifecycle</strong>. Lifecycle is not meant to be all things to all people. It&#8217;s meant to be exactly what is needed for the majority of customers out there. We&#8217;ve used our years (decades?) of expertise in this space to come up with just that measured set of features and use cases, and will continue to refine them in conjunction with our customers. That is the part that excites me most about this new journey I&#8217;ve started. And I&#8217;m glad that Lori, Bob and the rest of the Catalyst gang validated our core belief for us.</p>
<div class="wp-caption aligncenter" style="width: 510px"><img title="Identropy Crew" src="http://farm7.static.flickr.com/6016/5988930837_1f66805b73.jpg" alt="These Guys Are Here To Help" width="500" height="375" /><p class="wp-caption-text">These Guys Are Here To Help</p></div>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/access-governance" rel="tag">Access Governance</a>, <a href="http://blog.talkingidentity.com/tag/best-practices" rel="tag">Best Practices</a>, <a href="http://blog.talkingidentity.com/tag/identity-governance" rel="tag">Identity Governance</a>, <a href="http://blog.talkingidentity.com/tag/identity-management" rel="tag">Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2011/08/the-purpose-driven-iam-life.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>And Now For Something Completely Different</title>
		<link>http://blog.talkingidentity.com/2011/07/and-now-for-something-completely-different.html</link>
		<comments>http://blog.talkingidentity.com/2011/07/and-now-for-something-completely-different.html#comments</comments>
		<pubDate>Mon, 25 Jul 2011 06:31:00 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[CIS11]]></category>
		<category><![CDATA[CIS2011]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Cloud Identity Summit]]></category>
		<category><![CDATA[Federated Provisioning]]></category>
		<category><![CDATA[JIT Provisioning]]></category>
		<category><![CDATA[Just-In-Time Provisioning]]></category>
		<category><![CDATA[Monty Python]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=1293</guid>
		<description><![CDATA[At the Cloud Identity Summit last week, one thing was patently obvious &#8211; the agenda was filled with super interesting talks from very talented speakers. So given that I was talking about the riveting (not!) topic of user provisioning, I knew I had to pique people&#8217;s curiosity to draw them in. To that end, I [...]]]></description>
			<content:encoded><![CDATA[<p>At the <a href="http://bit.ly/n0zeMP" target="_blank"><strong>Cloud Identity Summit</strong></a> last week, one thing was patently obvious &#8211; the agenda was filled with super interesting talks from very talented speakers. So given that I was talking about the riveting (<em>not!</em>) topic of <strong>user provisioning</strong>, I knew I had to pique people&#8217;s curiosity to draw them in. To that end, I enlisted the help (so to speak) of those most curious of entertainers, the incomparable <strong>Monty Python</strong>, in a talk entitled &#8220;<em>And Now For Something Completely Different &#8211; Identity Provisioning and the Cloud</em>&#8221;. You can check out the slides and recording below.</p>
<p>[SlideShare presentation: and-now-for-something-completely-different (id 8666165, user NishantKaushik)]</p>
<p>The central idea of the presentation was that the cloud has caused the seemingly well-understood, albeit reviled, discipline of user provisioning to splinter (<em>SPLITTER!</em>) into 3 different factions &#8211; the <strong>Traditionalists</strong>, the <strong>Progressives</strong> and the <strong>New Age Thinkers</strong>. You&#8217;ll have to listen to my talk to understand it in more detail, but the reviews of my talk on Twitter seemed to be &#8220;<a href="http://bit.ly/rrkJBB" target="_blank">certified fresh</a>&#8221;. While Ian Glazer <a href="http://bit.ly/oGnAGl" target="_blank">pondered</a>:</p>
<blockquote><p>This JIT + Pull model that @NishantK proposes in a new age wrapper on a traditional core &#8211; externalized authZ fixes some problems #cis2011</p></blockquote>
<p>I did have Paul Madsen <a href="http://bit.ly/qeovBZ" target="_blank">raving</a>:</p>
<blockquote><p>I declare @nishantk Python theme for #cis2011 prez a success. And am reconciled to seeing it over and over for next 3 years</p></blockquote>
<p>All in all, I think I accomplished my goal of edutaining the folks at CIS on the continued existence of user provisioning, and its future prospects. Because the account CRUD problem will continue to be a weight around the neck of enterprise cloud adoption unless we put in place the right solutions.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/cis11" rel="tag">CIS11</a>, <a href="http://blog.talkingidentity.com/tag/cis2011" rel="tag">CIS2011</a>, <a href="http://blog.talkingidentity.com/tag/cloud-computing" rel="tag">Cloud Computing</a>, <a href="http://blog.talkingidentity.com/tag/cloud-identity-summit" rel="tag">Cloud Identity Summit</a>, <a href="http://blog.talkingidentity.com/tag/federated-provisioning" rel="tag">Federated Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/jit-provisioning" rel="tag">JIT Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/just-in-time-provisioning" rel="tag">Just-In-Time Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/monty-python" rel="tag">Monty Python</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2011/07/and-now-for-something-completely-different.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pushing forward on Standards-based Provisioning</title>
		<link>http://blog.talkingidentity.com/2010/08/pushing-forward-on-standards-based-provisioning.html</link>
		<comments>http://blog.talkingidentity.com/2010/08/pushing-forward-on-standards-based-provisioning.html#comments</comments>
		<pubDate>Tue, 24 Aug 2010 15:57:18 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[Cat10]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SPML]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=1011</guid>
		<description><![CDATA[Lest all the recent posts about &#8220;pull&#8221;-based identity make you think that I have completely forgotten about good old &#8220;push&#8221;-based identity provisioning, here is some news on that. As I have discussed here in the past, SPML has been under a cloud in recent years, with low adoption and a litany of issues being documented. [...]]]></description>
			<content:encoded><![CDATA[<p>Lest all the recent posts about &#8220;pull&#8221;-based identity make you think that I have completely forgotten about good old &#8220;push&#8221;-based identity provisioning, here is some news on that. As <a href="http://bit.ly/a6q8AX">I have discussed here</a> in the past, SPML has been under a cloud in recent years, with low adoption and a litany of issues being documented. At the same time, the need for a standards-based approach has never been clearer. So something needs to be done.</p>
<p>This was the topic of discussion at a SIG on <strong>Standards-based Provisioning</strong> organized by Gartner&#8217;s Mark Diodati at the recent Catalyst conference. The meeting was attended by some really smart folks in the community, and engendered a lively discussion on the future of SPML and the direction it should take. Mark has <a href="http://bit.ly/dDlHhI" target="_blank">published a statement</a> on the Gartner blog network that reflects the outcome of the discussion. Given the recent reboot of the <a href="http://bit.ly/dghWhK" target="_blank">Provisioning Services Technical Committee</a> at OASIS, this is an important document for everyone concerned to read.</p>
<p>One of the most important points raised during the meeting was this:</p>
<blockquote><p>In trying to address every possible use case, interoperable provisioning services leveraging the SPML v2 standard became impractical. Since the approval, few (if any) conformant implementations exist due to the complexity of the v2 standard.</p></blockquote>
<p>The path to success in the standards world is based on a focused approach to solving specific use cases. No standard can be all things to all people, and with provisioning in particular, we need to recognize that there are different approaches that solve the challenge in optimal ways for their use cases (my recent assertion regarding IGF as underlying pull-based provisioning is an example). So there needs to be an effort to continue refinement of SPML 2.0, making it simpler to implement and based on specific use cases that are of interest to the community. If you have such use cases, please consider joining the discussion within the PSTC and submitting them there. There is much that needs to be done.</p>
<p>And a big thank you to Mark for pulling together the SIG. It was an excellent and timely effort, one that I hope proves instrumental in accomplishing its goal.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/cat10" rel="tag">Cat10</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/spml" rel="tag">SPML</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2010/08/pushing-forward-on-standards-based-provisioning.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond SPML: Access Provisioning in a Services World</title>
		<link>http://blog.talkingidentity.com/2010/07/beyond-spml-access-provisioning-in-a-services-world.html</link>
		<comments>http://blog.talkingidentity.com/2010/07/beyond-spml-access-provisioning-in-a-services-world.html#comments</comments>
		<pubDate>Fri, 30 Jul 2010 19:30:03 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[Cat10]]></category>
		<category><![CDATA[Federated Provisioning]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[SPML]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=977</guid>
		<description><![CDATA[Another Burton Group Catalyst conference has come to a close, and as always it was a treasure trove of stories, ideas and conversations. Which is why it was great to have the uncertainty around the conference laid to rest when it was announced that it will be back next year (July 26-29 in San Diego, [...]]]></description>
			<content:encoded><![CDATA[<p>Another <strong>Burton Group Catalyst</strong> conference has come to a close, and as always it was a treasure trove of stories, ideas and conversations. Which is why it was great to have the uncertainty around the conference laid to rest when it was announced that it will be back next year (July 26-29 in San Diego, mark your calendars). I spent most of my time in the identity management and privacy track, with some forays into social media and cloud tracks. I will try to write up some of the more interesting things I heard over the next few posts, but you can definitely check out <a href="http://bit.ly/aGHded" target="_blank">my tweetstream</a> and the <a href="http://bit.ly/8XXcaZ" target="_blank">conference tweetstream</a> for an unstructured view.</p>
<p>On Wednesday, I gave a talk entitled &#8220;<strong>Beyond SPML: Access Provisioning in a Services World</strong>&#8221; which built on my <a href="http://bit.ly/b4aokt">Gluecon talk</a> and work with Fusion architecture to provide a vision for the future of provisioning. The central thesis is that as we move from <em>Push</em> to <em>Pull</em> models in Identity, provisioning becomes a key component in making sure that policy and process controls are still enforced. But this requires a fundamental evolution in application and middleware architecture towards services-oriented security and externalized identity.</p>
<p>[SlideShare presentation: beyond-spml-access-provisioning-in-a-services-world (id 4873777)]</p>
<p>I was extremely gratified to receive lots of positive validation and feedback about the vision I expressed in my presentation. And it really fit in with the theme flowing through the presentations in the provisioning section, which was focused on moving to a more streamlined, manageable, scalable provisioning future. It also echoed sentiment that provisioning is a multi-faceted problem with different interaction points and flows and will therefore require a combination of standards rather than just one standard. This was really driven home by the extremely interactive SPML SIG meeting that I participated in (organized by Mark Diodati) where there was general agreement that SPML needs to get really focused on specific use cases rather than trying to be all things to all possibilities.</p>
<p>I am looking for input, so check out the deck and leave me comments on this post. I will definitely be building on the ideas in there with our identity management team to move the vision of service-oriented security forward. But for it to be useful, it has to resonate with the IdM and application development communities. And that&#8217;s where we all have to work together in making this a reality.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/cat10" rel="tag">Cat10</a>, <a href="http://blog.talkingidentity.com/tag/federated-provisioning" rel="tag">Federated Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/spml" rel="tag">SPML</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2010/07/beyond-spml-access-provisioning-in-a-services-world.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Time to Catalyse Some Change in Provisioning</title>
		<link>http://blog.talkingidentity.com/2010/07/time-to-catalyse-some-change-in-provisioning.html</link>
		<comments>http://blog.talkingidentity.com/2010/07/time-to-catalyse-some-change-in-provisioning.html#comments</comments>
		<pubDate>Tue, 27 Jul 2010 17:57:43 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Burton Catalyst Conference]]></category>
		<category><![CDATA[BurtonGroupCatalyst10]]></category>
		<category><![CDATA[Cat10]]></category>
		<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=972</guid>
		<description><![CDATA[It&#8217;s Burton Group Catalyst time again, and I will be pushing forward in my quest to advance access provisioning to the next level. I will be giving a talk on &#8220;Beyond SPML: Access Provisioning in a Services World&#8221; tomorrow (Wednesday, July 28 2010) at 11:20 am, part of the &#8220;provisioning needs to change&#8221; block (it [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s Burton Group Catalyst time again, and I will be pushing forward in my quest to advance access provisioning to the next level. I will be giving a talk on &#8220;<strong>Beyond SPML: Access Provisioning in a Services World</strong>&#8221; tomorrow (Wednesday, July 28 2010) at 11:20 am, part of the &#8220;provisioning needs to change&#8221; block (it would seem). I will be building on the ideas I presented at Gluecon and in my ensuing <a href="http://bit.ly/b4aokt">blog series</a>.</p>
<p>Please note that the rooms for the different tracks at Catalyst were switched, with IdPS moving to <strong>Sapphire AB</strong>. So if you were going off the information Oracle sent out, or the Oracle Hospitality Suite invite in your Catalyst registration bag, then please note that my session will not be in Sapphire CD, but will be in Sapphire AB instead.</p>
<p>And be sure to drop by the Oracle Hospitality Suite in <strong>Aqua 308</strong> on Wednesday evening to check out the 11g demos, enjoy some good food and drink, and hang out with some of the cool cats of Oracle Identity Management (and me!).</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/burton-catalyst-conference" rel="tag">Burton Catalyst Conference</a>, <a href="http://blog.talkingidentity.com/tag/burtongroupcatalyst10" rel="tag">BurtonGroupCatalyst10</a>, <a href="http://blog.talkingidentity.com/tag/cat10" rel="tag">Cat10</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2010/07/time-to-catalyse-some-change-in-provisioning.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SPML Under The Spotlight Again?</title>
		<link>http://blog.talkingidentity.com/2010/02/spml-under-the-spotlight-again.html</link>
		<comments>http://blog.talkingidentity.com/2010/02/spml-under-the-spotlight-again.html#comments</comments>
		<pubDate>Thu, 11 Feb 2010 01:57:02 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Identity Services]]></category>
		<category><![CDATA[IdM Standards]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Service-Oriented Security]]></category>
		<category><![CDATA[SPML]]></category>

		<guid isPermaLink="false">http://blog.talkingidentity.com/?p=765</guid>
		<description><![CDATA[Mark Diodati of the Burton Group (that&#8217;s still how I should be referring to them, right?) wrote a post entitled &#8220;SPML Is On Life Support&#8220;. It is a great read, as it captures all the issues that have been plaguing SPML for years now. And the simple fact is that SPML simply has not lived [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-767" title="SPML under the Spotlight" src="http://blog.talkingidentity.com/wp-content/uploads/2010/02/SPML_Spotlight.jpg" alt="SPML_Spotlight" width="200" height="275" />Mark Diodati of the Burton Group (that&#8217;s still how <a href="http://bit.ly/6k9V9C" target="_blank">I should be referring to them</a>, right?) wrote a post entitled &#8220;<a href="http://bit.ly/cJEeaT" target="_blank">SPML Is On Life Support</a>&#8221;. It is a great read, as it captures all the issues that have been plaguing SPML for years now. And the simple fact is that SPML simply has not lived up to the expectations that were placed on it, leading many like me to wonder <a href="http://bit.ly/6qmo52" target="_blank">if alternative approaches are going to emerge</a> and eat its lunch.</p>
<p>But as Mark also points out, &#8220;<em>&#8230;it (or something like it) is desperately needed</em>&#8221;. Because access provisioning is still the most complicated engagement in any identity management project, and the biggest complexity currently comes from the need to develop, customize, deploy and maintain connectors to hundreds, even thousands of systems. The cloud only amplifies these issues, since without standardization, an enterprise simply will not be able to scale out to meet the management needs of its environment.</p>
<p>At Oracle, we have been talking about <strong>Service-Oriented Security</strong> for a while. The idea is simple &#8211; all the security functions, which include identity management, need to take the form of discrete, easy-to-consume, standardized services that are part of the platform on which applications are built. This has always been an easy concept to understand when discussing certain service categories like authentication. But provisioning has been a tougher nut to crack.</p>
<p>Provisioning systems today add a vital business process layer to your identity management deployment, dealing as they do with the lifecycle management of identities and the orchestration of policies, rules and workflows around that. So even in a future where architectures will rely on the &#8220;pull&#8221; model (as Bob Blakley has been talking about), there will be a need for the more complex applications to interface with a provisioning service (different from the attribute service use case) to deal with lifecycle management issues around application access. This is where we believe the next iteration of SPML (however radically different it looks) needs to fit in. This idea is illustrated in the figure below.</p>
<p><img class="aligncenter size-full wp-image-770" title="SPML Next Generation" src="http://blog.talkingidentity.com/wp-content/uploads/2010/02/SPMLng.jpg" alt="SPMLng" width="600" height="197" /></p>
<p>This is one of the challenges we have been trying to solve as part of our Fusion architecture project. Do we have it solved? Well, we&#8217;ve started the journey at least. Asking applications to come around to a new architecture and way of thinking takes time. And we have to remember that there are still a lot of applications that will not be dropping their user tables and identity silos any time soon, so we have to be mindful of accommodating those applications as well.</p>
<p>Is SPML on life support? Not quite, judging from all the RFP requests that still ask for it to be supported. But it desperately needs some energy to be put behind it. And it needs to adapt to these new architectures, new use cases and the ecology of standards that is far out-pacing it. I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let&#8217;s see if we can turn things around.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/identity-services" rel="tag">Identity Services</a>, <a href="http://blog.talkingidentity.com/tag/idm-standards" rel="tag">IdM Standards</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/service-oriented-security" rel="tag">Service-Oriented Security</a>, <a href="http://blog.talkingidentity.com/tag/spml" rel="tag">SPML</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2010/02/spml-under-the-spotlight-again.html/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>More Things about Federated Provisioning</title>
		<link>http://blog.talkingidentity.com/2009/02/more_things_about_federated_pr.html</link>
		<comments>http://blog.talkingidentity.com/2009/02/more_things_about_federated_pr.html#comments</comments>
		<pubDate>Wed, 18 Feb 2009 18:47:11 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Federated Provisioning]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=140</guid>
		<description><![CDATA[My previous post on federated provisioning generated some interesting responses, both in the comments and in the blogosphere (see responses from Ian, Pamela and Pat Patterson). The topic has been so engaging (starting with Jackson Shaw&#8217;s post) that while I was writing this post I saw that Dave Kearns has made it the topic for [...]]]></description>
			<content:encoded><![CDATA[<p>My <a href="http://blogs.oracle.com/talkingidentity/2009/02/the_thing_about_federated_prov.html" target="_blank">previous post on federated provisioning</a> generated some interesting responses, both in the <a href="http://blogs.oracle.com/talkingidentity/2009/02/the_thing_about_federated_prov.html#comments" target="_blank">comments</a> and in the blogosphere (see responses from <a href="http://www.tuesdaynight.org/2009/02/05/will-the-real-federated-provisioning-please-stand-up.html" target="_blank">Ian</a>, <a href="http://eternallyoptimistic.com/2009/02/05/federated-de-provisioning/" target="_blank">Pamela</a> and <a href="http://blogs.sun.com/superpat/entry/federated_provisioning_liberty_to_the" target="_blank">Pat Patterson</a>). The topic has been so engaging (starting with Jackson Shaw&#8217;s <a href="http://jacksonshaw.blogspot.com/2009/01/saas-realities.html" target="_blank">post</a>) that while I was writing this post I saw that Dave Kearns has made it the topic for a <a href="http://www.networkworld.com/newsletters/dir/2009/021609id2.html?page=1" target="_blank">series in his newsletter</a>.</p>
<p><a href="http://blogs.sun.com/superpat/entry/federated_provisioning_liberty_to_the" target="_blank">Pat&#8217;s post</a> is definitely worth a read as it describes how <strong>Liberty Alliance</strong> has proposed a solution to the thorny issue of data exchange between the two parties in the case of <em>Scenario 2: Just-In-Time Provisioning</em>. It sounds like an elegant solution, especially since it solves the issue Karl brings up in <a href="http://blogs.oracle.com/talkingidentity/2009/02/the_thing_about_federated_prov.html#comments" target="_blank">the comments to my post</a> regarding not overloading the SAML assertion with extraneous information. Would love to hear if anyone knows of any issues in the solution.</p>
<p>Ian and Pamela also discuss the issue of federated de-provisioning, which has also been a thorny issue in federation discussions. Pam talks about being able to initiate de-provisioning when a user who should no longer have access tries to authenticate. That is certainly one way to do it. But more often than not, de-provisioning cannot be initiated during an authentication flow because the reason the user should no longer have access is that they are no longer employed at the company they got federated from. Meaning: they cannot authenticate from the RP in the first place.</p>
<p>What harm, then, is there in a federated account sitting around if it cannot be authenticated to? Well, the answer I usually get (from customers) is that in the <span style="text-decoration: underline;">reality</span> of today&#8217;s systems, creating federated access to a service often involves creating some sort of account in an underlying legacy system. An account that can be authenticated to outside of the federation context, albeit only from a back-channel. While this is a scenario less likely to get abused, it is nonetheless a scenario that security audits frown upon, and that gets flagged for remediation as a <strong>compliance risk</strong>.</p>
<p>So what to do? Ian talks about expiring accounts that have not been accessed in a while. Out-of-band de-provisioning between the RP and the SP is also a possible option, as described by Pam. That makes the overall integration between Acme and Omega a blend of Scenario 1 and 2, where federated provisioning happens just-in-time, but de-provisioning happens out-of-band (probably on a periodic basis) through a well-defined interaction. The de-provisioning can be made real-time as well, in that the provisioning server at Acme can issue a de-provisioning SPML request to the provisioning server at Omega, just like it would to any internal system, when the user is de-provisioned at Acme.</p>
<p>As you can see, solutions abound, and customers can choose the one that suits their needs the best. So it is pretty obvious that it is possible to solve the federated provisioning/de-provisioning problem. The <strong>issue</strong> is that none of this is standardized or formally productized in any way, and is left as an exercise for the customer to solve (Translation: Costly integration problems when different vendor products are involved). And where this issue was a costly annoyance in federation deployments between businesses, SaaS (where this whole discussion started) takes this to a whole new level, creating a barrier for adoption.</p>
<p>But as Pat says &#8220;Seems like that might change now&#8230;&#8221;</p>
<p><a href="http://geekandpoke.typepad.com/geekandpoke/2009/02/the-swig-bitch.html" target="_blank"><img src="http://geekandpoke.typepad.com/.a/6a00d8341d3df553ef0105371e5572970b-800wi" alt="" width="542" height="768" /></a></p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/federated-provisioning" rel="tag">Federated Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2009/02/more_things_about_federated_pr.html/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The Thing about Federated Provisioning</title>
		<link>http://blog.talkingidentity.com/2009/02/the_thing_about_federated_prov.html</link>
		<comments>http://blog.talkingidentity.com/2009/02/the_thing_about_federated_prov.html#comments</comments>
		<pubDate>Tue, 03 Feb 2009 19:55:35 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Insight IdM]]></category>
		<category><![CDATA[Federated Provisioning]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=139</guid>
		<description><![CDATA[Ian Glazer recently blogged about federated provisioning, saying &#8220;Federated provisioning should not exist; there is only provisioning.&#8221;. Well, I think he&#8217;s both right and wrong about this. Let me explain. Suppose two companies, Acme and Omega enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using [...]]]></description>
			<content:encoded><![CDATA[<p>Ian Glazer <a href="http://www.tuesdaynight.org/2009/01/07/down-with-federated-provisioning.html" target="_blank">recently blogged about federated provisioning</a>, saying &#8220;Federated provisioning should not exist; there is only provisioning.&#8221;. Well, I think he&#8217;s both right and wrong about this. Let me explain.</p>
<p>Suppose two companies, Acme and Omega enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using their Acme credentials. There are two scenarios here for federated provisioning.</p>
<h3>Scenario 1: Advance Provisioning</h3>
<p>Acme decides beforehand which employees are allowed to access Omega&#8217;s service (based on business rules or approved requests). They will therefore do some advance work sending provisioning requests to Omega for those employees that are to have access, allowing Omega to set up federated accounts (with the appropriate mappings) for those employees. A lot of times today, this is done in the form of a batch file/spreadsheet/LDIF file containing all the users that should have access going from Acme to Omega. In an ideal situation, this would be handled by Acme&#8217;s provisioning engine sending SPML-based provisioning requests to Omega&#8217;s provisioning engine.</p>
<p>This is the scenario that Ian is referring to when he says that federated provisioning is no different than regular provisioning, and he&#8217;s right. As a provisioning target, Omega&#8217;s service is no different from a sensitive target within Acme&#8217;s own boundary (the logistics of setting up the trust may be a little harder). And whether or not the service is SPML-enabled really doesn&#8217;t change the problem statement.</p>
<p>However, there is another scenario that changes the discussion a bit.</p>
<h3>Scenario 2: Just-In-Time Provisioning</h3>
<p>Acme decides that they are not going to decide beforehand which employees are allowed to access Omega&#8217;s service. Instead, a link to the service is available on Acme&#8217;s intranet, and whenever a user decides to go to the service, they should be given an account. In this case, no pre-provisioning is taking place. Instead, the provisioning has to occur in real-time, when the user accesses the service via the intranet link for the very first time.</p>
<p>The idea here is that when Omega&#8217;s federation server encounters the incoming SAML token for a new user, it would recognize that the user does not have a federated account, and send the SAML token to Omega&#8217;s provisioning server. The provisioning server would create the account right then and there, and return the necessary result back to the federation server so that the federation server can proceed to grant the user access.</p>
<p>This scenario is much more complicated than scenario 1 along multiple dimensions. First off, the interaction between the federation server and the provisioning server has to be responsive and well-defined (and, to prevent vendor lock-in, standards-based). An added wrinkle is that the federation server may need to collect additional user information not available from the SAML token, in order to provide the provisioning server with the complete set of information necessary to provision an account (an alternative could involve a handoff to the provisioning server&#8217;s self-registration screens to do the same). And the provisioning server needs to be able to understand the needs of the federation server with respect to provisioning and responses. I won&#8217;t even go into the need for cache invalidation, etc.</p>
<p>This is where federated provisioning is not like regular provisioning (as we know it today). There are a number of things needed here that regular provisioning isn&#8217;t set up for. The standards-based interaction between the federation server and the provisioning server isn&#8217;t defined today, and SPML is not set up to accept SAML tokens as data inputs, or handle the just-in-time nature of this scenario. This is where a lot of work still needs to be done.</p>
<p>I would be interested in hearing if anyone has done anything to do with scenario 2. And, of course, any dissenting opinions on the matter (Ian?).</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/federated-provisioning" rel="tag">Federated Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2009/02/the_thing_about_federated_prov.html/feed</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>We&#8217;re Number 1!  We&#8217;re Number 1!</title>
		<link>http://blog.talkingidentity.com/2008/08/were_number_1_were_number_1.html</link>
		<comments>http://blog.talkingidentity.com/2008/08/were_number_1_were_number_1.html#comments</comments>
		<pubDate>Fri, 22 Aug 2008 21:40:59 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Gartner Magic Quadrant]]></category>
		<category><![CDATA[Oracle Identity Manager]]></category>
		<category><![CDATA[Provisioning]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=125</guid>
		<description><![CDATA[UPDATE (August 27, 2008): I have updated the blog post to avoid violating certain copyright issues with Gartner Gartner has released their latest Magic Quadrant on User Provisioning. It&#8217;s good to see that we have built on our previous success to emerge as one of the best (if not the best) in the Provisioning industry. [...]]]></description>
			<content:encoded><![CDATA[<p><strong>UPDATE (August 27, 2008): I have updated the blog post to avoid violating certain copyright issues with Gartner</strong></p>
<p>Gartner has released their latest Magic Quadrant on User Provisioning. It&#8217;s good to see that we have built on <a href="http://blogs.oracle.com/talkingidentity/2007/09/oracle_in_gartners_leaders_qua.html" target="_blank">our previous success</a> to emerge as one of the best (if not the best) in the Provisioning industry. I can remember the days at Thor when we would have given up our firstborns to achieve something even close to this kind of recognition.</p>
<p><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/08/number-one-fan.jpg" border="0" alt="number-one-fan" width="235" height="240" align="right" />Good to see that all the hard work at making <strong>Oracle Identity Manager</strong> easier to use, configure and manage is starting to show dividends. Gartner specifically recognized some of the key improvements we made to the product in <a href="http://blogs.oracle.com/talkingidentity/2008/02/announcing_oracle_identity_man.html" target="_blank">the last release</a>: our new Graphical Workflow Designer, the new Connector Installation Wizard, and improvements to our Generic Technology Connector and Reconciliation Manager.</p>
<p>The report also gives props to our strategy of <strong>Service-Oriented Security</strong>, which is laying the foundation for an identity services based deployment of identity management. The report does seem to assume that our <strong>Application-Centric</strong> concept is different from SOS, and that we have moved away from it. The truth is that SOS is simply an expansion of our earlier Application-Centric vision, which looks to make it easier for identity-enabled applications to be built by using identity constructs made available in the development environment.</p>
<p>Gartner makes note of the strong competition we will continue to face from Sun, IBM, Novell and a slew of other products. And there is no dearth of <a href="http://www.networkworld.com/newsletters/dir/2008/081808id1.html?nlhtident=ts_081808&amp;nladname=081808security:identitymanagemental" target="_blank">recent articles</a> noting the continuing troubles enterprises face in provisioning deployments. So while it feels good to be at the top of the pile, there is still a lot of work to do as we try to keep the momentum going.</p>
<p>You can check out a copy of the report, compliments of Oracle, <a href="http://mediaproducts.gartner.com/reprints/oracle/article35/article35.html" target="_blank">here</a>.</p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/gartner-magic-quadrant" rel="tag">Gartner Magic Quadrant</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-manager" rel="tag">Oracle Identity Manager</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/08/were_number_1_were_number_1.html/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Whoa! Talk about trying to spread FUD</title>
		<link>http://blog.talkingidentity.com/2008/08/whoa_talk_about_trying_to_spre.html</link>
		<comments>http://blog.talkingidentity.com/2008/08/whoa_talk_about_trying_to_spre.html#comments</comments>
		<pubDate>Tue, 05 Aug 2008 00:36:08 +0000</pubDate>
		<dc:creator>Nishant Kaushik</dc:creator>
				<category><![CDATA[Oracle Identity Management]]></category>
		<category><![CDATA[Oracle Identity Manager]]></category>
		<category><![CDATA[Provisioning]]></category>
		<category><![CDATA[Sun Identity Management]]></category>

		<guid isPermaLink="false">http://talkingidentity.com/blog/?p=120</guid>
		<description><![CDATA[A colleague of mine forwarded me this Sun blog post by Paul Walker commenting on the rise of Oracle IAM to leadership status. I read it with some amusement, as I remembered my days at Thor when I, a hard-working serf in a startup, would rail (in private, as I didn&#8217;t have a blog back [...]]]></description>
			<content:encoded><![CDATA[<p>A colleague of mine forwarded me <a href="http://blogs.sun.com/illgetmycoat/entry/worrying_times" target="_blank">this Sun blog post by Paul Walker</a> commenting on the rise of Oracle IAM to leadership status. I read it with some amusement, as I remembered my days at Thor when I, a hard-working serf in a startup, would rail (in private, as I didn&#8217;t have a blog back then) against the big bad companies (Sun, HP, IBM) that would try to muscle us out of deals on viability, after we had painstakingly won the technical evaluation. My colleague, who works on the Oracle Pre-Sales team, must be wondering why he has to work so hard on POCs if Oracle can just get all these deals by giving away the software or making backroom deals.</p>
<p>The post is grossly inaccurate on several counts. For one, Oracle IdM wouldn&#8217;t be experiencing the phenomenal growth it is if we were giving away the software for free (a dirty word in many quarters). Paul also says &#8220;Every day of every week we go head-to-head with Oracle and we never lose technically&#8221;. Really, <em>never</em>? That&#8217;s a bit of an overstatement, isn&#8217;t it? I have personally been involved in quite a few deals where we (as Thor and later Oracle) won the technical evaluation. And Sun was always part of the competition. Paul thinks that &#8220;when it comes to Identity Management they (Oracle) certainly have an advantage in that they own the back-end&#8221;. If owning the back-end were such an advantage, Microsoft would rule the roost because of AD (uh oh, I&#8217;m not starting <a href="http://blogs.oracle.com/talkingidentity/2008/07/to_ad_or_not_to_ad.html" target="_blank">that whole fracas</a> again), and we would have won no deals as Thor.</p>
<p>Sun has always been our strongest competition in the provisioning space (back since they were just Waveset), and it was always a healthy competition, which is why such a post surprises me. They have a very good product, just like a few other vendors, and each product brings something different to the table, which means that the customers that bought them usually did so because they were a better fit for their needs.</p>
<p>Being big bad Oracle can be an asset in some deals, but it can also be a disadvantage. On a few occasions I have tasted the bitter pill of not getting the deal despite the evaluation win for business/political reasons, a reality that every company has to deal with no matter how big or small they are. But by and large, most enterprises work very hard to try and make the right choice of vendor based on who solves their problems, not backroom politics or a difference in dollar amount. IdM is just too complex to cripple yourself further with bad decisions made for petty reasons. Oracle, Sun and every other IdM vendor is competing in a congested market where the winning formula is value proposition and customer satisfaction. Boutique vendors wouldn&#8217;t survive, let alone thrive, in this market if that were not the case. HP would not have <a href="http://bgidps.typepad.com/bgidps/2008/03/hps-identity-re.html" target="_blank">exited the market</a> if this wasn&#8217;t true.</p>
<p>But the post did remind me of something that I do want to touch on, and would definitely play to Oracle&#8217;s position in the space &#8211; the many customers that are looking for deeper integration between ERP and IdM. I&#8217;ll touch on this in a later post.</p>
<p><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" src="http://blog.talkingidentity.com/wp-content/uploads/2008/08/i-work-for-large-company_3.jpg" border="0" alt="I Work for Large company" width="400" height="300" /></p>
<p class="tags">Tags: <a href="http://blog.talkingidentity.com/tag/oracle-identity-management" rel="tag">Oracle Identity Management</a>, <a href="http://blog.talkingidentity.com/tag/oracle-identity-manager" rel="tag">Oracle Identity Manager</a>, <a href="http://blog.talkingidentity.com/tag/provisioning" rel="tag">Provisioning</a>, <a href="http://blog.talkingidentity.com/tag/sun-identity-management" rel="tag">Sun Identity Management</a></p>]]></content:encoded>
			<wfw:commentRss>http://blog.talkingidentity.com/2008/08/whoa_talk_about_trying_to_spre.html/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

