Is AD really the dominant Identity Store out there?

James McGovern has challenged my position that applications should not be written to go directly against AD. And he got the backing of Jackson Shaw in this argument. James says:

If pretty much every Fortune 500 enterprise has Active Directory, why should any of them consider yet another product?

Martin (no last name) left a comment on my post that included the following point:

AD is the directory in just about every organization running Windows. Let me see. What does that work out to be? 99% of them out there?

Here is my point. Martin says “AD is the directory…”. I say that “AD is a directory…”, and that too because Windows forced it on those enterprises, not because of their Identity Management needs. Yes, almost all the Fortune 500 have AD, but are they using it as an Identity Store, or as a Windows Account Store (which is very different)?

Obviously our opinions are shaped by our experiences. My experiences, coming from the provisioning world, would be different from James's or Jackson's. In a lot of the projects we were involved in, AD was a downstream repository, a target of the provisioning system and not the source of identity data. That source was usually an HR system or, more often, a Sun directory. Most of the time, the provisioning system would push the bare minimum of attributes to AD to enable the Windows environment to work.

In a few deployments, we actually were responsible for populating a directory with identity data so it could act as an identity store for other applications. Most of the time, that directory was a Sun directory. So while AD may be more widely deployed, I would contend that based on my small but relevant sample size, Sun is dominant in the Identity Store business. And that is really what we are talking about here – what should applications be going to for their identity data. Sure, AD being more widely deployed positions it to be used as an identity store, but that is seldom the case, primarily because AD administrators often closely guard their environments and do not want it overloaded with data or consuming applications.

Again, when James asks about practical futures, my hope is that the future eliminates all such arguments about directories and metadirectories by having applications code against Identity Services APIs, like the IGF APIs or the Higgins IdAS APIs. James asked what we at Oracle are doing to help application developers. Clayton mentioned our work on the IGF, and the APIs being defined as part of it, which eliminate the need for application developers to worry about LDAP at all, instead providing simple APIs that use a provider model to fetch the data from wherever it lives. And I have joined the Burton Group's Identity Services Working Group (now that it is open to vendors), where I hope to work with the community to help advance the concepts and reality of Identity Services. Hopefully, soon, this will be a question that nobody will need to ask anymore.
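To make the provider-model idea concrete, here is an added illustration (not the IGF or Higgins IdAS APIs, and not Oracle code): the application asks one identity service for a neutral record, and a provider maps the store's own attribute names onto it, so the very same call works whether an AD domain or a Sun directory sits behind it. The schema maps, the sample entries and the DirectoryProvider/IdentityService names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Identity:  # neutral record handed to the application; no LDAP names in it
    login: str
    email: str
    display_name: str
    groups: frozenset  # short group names, lower-cased

def _rdn_value(dn: str) -> str:
    """'CN=Finance,OU=Groups,DC=example,DC=com' -> 'finance'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()

class DirectoryProvider:
    """Hypothetical provider: schema maps each neutral field to a store attribute; entries stand in for LDAP results."""
    def __init__(self, schema: Dict[str, str], entries: Dict[str, dict]) -> None:
        self.schema, self.entries = schema, entries
    def lookup(self, login: str) -> Optional[Identity]:
        e, s = self.entries.get(login.lower()), self.schema
        if e is None:
            return None
        return Identity(e[s["login"]], e[s["email"]], e[s["display_name"]],
                        frozenset(_rdn_value(g) for g in e.get(s["groups"], [])))

class IdentityService:
    """The only interface the application codes against; the provider is a deployment choice."""
    def __init__(self, provider: DirectoryProvider) -> None:
        self.provider = provider
    def is_member(self, login: str, group: str) -> bool:
        ident = self.provider.lookup(login)
        return ident is not None and group.lower() in ident.groups

# Schema maps for an Active Directory domain and a Sun Directory (inetOrgPerson).
AD_SCHEMA = {"login": "sAMAccountName", "email": "mail",
             "display_name": "displayName", "groups": "memberOf"}
SUN_SCHEMA = {"login": "uid", "email": "mail", "display_name": "cn",
              "groups": "isMemberOf"}
# Constructed sample entries for the same person, as each store would return her.
AD_ENTRIES = {"jdoe": {"sAMAccountName": "jdoe", "mail": "jdoe@example.com",
                       "displayName": "Jane Doe",
                       "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]}}
SUN_ENTRIES = {"jdoe": {"uid": "jdoe", "mail": "jdoe@example.com", "cn": "Jane Doe",
                        "isMemberOf": ["cn=finance,ou=groups,dc=example,dc=com"]}}

def finance_check(login: str = "jdoe") -> Dict[str, bool]:
    """Same application call against both stores; the answers should agree."""
    ad = IdentityService(DirectoryProvider(AD_SCHEMA, AD_ENTRIES))
    sun = IdentityService(DirectoryProvider(SUN_SCHEMA, SUN_ENTRIES))
    return {"ad": ad.is_member(login, "Finance"), "sun": sun.is_member(login, "Finance")}
```

Swapping stores means swapping the schema map and the provider's connection, not touching the application.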

By the way, why is it that architectural purists don’t ask when Microsoft will make it possible for Windows environments to work against any directory and not just AD, but Oracle Applications must support directories other than OID? In the end, both Microsoft and Oracle are wrong to push proprietary stores into deployments, contributing to the mess we have.
