Moving Towards the ISF: Announcing the Identity Governance Framework

This week, Oracle took a long awaited first step towards the realization of the Identity Services Framework that I have been talking about. At the Gartner IAM Summit this week, Oracle announced an open initiative, the Identity Governance Framework (IGF), to address governance of identity related information across enterprise IT systems. The IGF will enable enterprises to declaratively control how identity related information, including Personally Identifiable Information (PII), access entitlements, attributes, etc. are used, stored, and propagated between their systems.

This is a key part of the ISF. The biggest challenge in IdM is making identity-related data available to the enterprise as a service that is part of the identity infrastructure layer. Without it, the enterprise is forced down traditional paths of trying to consolidate all that identity data in a central directory, or forcing individual applications to maintain their own redundant identity silos. As enterprises become more distributed, and as the definition of identity-related data continues to expand, such approaches are no longer adequate and cannot scale.

The IGF solves this problem by providing a standard way to support access to identity attributes originating from other sources (application-centric stores, departmental information, SAML assertions, InfoCards,…). It’s function is give organizations and business managers responsible for the security of identity-related data the ability to define more specifically how and when information may be used on a contextual or transactional basis.

The four key components of the Identity Governance Framework that
vendors and customers can currently review include:

  • Client Attribute Requirement Markup Language (CARML): an
    XML-based declarative contract defined by application developers that
    informs deployment managers and service providers about the attribute
    usage requirements of an application
  • Attribute Authority Policy Markup Language (AAPML): a set of
    policy rules regarding the use of identity-related information from an
    identity source that allow these sources to specify constraints on use
    of provided data by consuming applications
  • CARML API: an Application Programming Interface that makes it
    easier for developers to write applications that consume and use
    identity-related data in a way that conforms to policies set around the
    use of such information
  • Identity Provider Service: a policy-secured service for accessing identity-related data from multiple identity sources.

The essential elements missing were standards that governed how the consumer-provider interactions would take place, and policies that would control them. The initial draft specifications of CARML and AAPML being contributed by Oracle to the community are an attempt to address that gap. These specifications provide a common framework for defining usage policies, attribute requirements, and developer APIs pertaining to the use of identity related information. They fit in nicely with the identity provider service in the ISF, as illustrated below (click on the image for a larger view).

What is even more encouraging is that other leading identity vendors – CA, Layer 7
Technologies, Novell, Ping Identity, Securent and Sun – have reviewed a draft of the IGF and plan to work with Oracle to develop full specifications. The industry involvement will be crucial to making this a reality.

There is a lot more information available on this topic, including overview documents, draft specs and examples at Check it out and send in your comments.