Monday, December 19, 2005

F-ing about with identity

Ping ID's Andre Durand reacted to a Burton Group report (no public link available) on Identity Management (a compendium and round-up of 2005 activity) by focusing on "federation." Well, after all, that's what Ping's business is! According to Andre, Burton is predicting that:
* Long term, federation isn't a separate product
* Federation standards already seeping into many product classes: Firewalls, gateways, application servers, and IdM products
* Federation likely won't be point-to-point like SSL; various tiers of the infrastructure will act on claims as necessary
* Systems need to federate, but that doesn't necessitate an uber-federation system

Durand then brings in his own CTO, Patrick Harding, to point out what he says are the problems with this scenario. Harding gets right to his main point: "My point was that if every piece of infrastructure (i.e. firewalls, SSL VPN's, App servers, IdM systems, apps, proxies, XML gateways etc etc etc) can consume or generate a SAML Assertion then the overall trust model becomes completely unwieldy."
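Harding's objection, and the Burton prediction above that "various tiers of the infrastructure will act on claims," can be made concrete with a toy model. The following Python is an added example, not code from this post, from Ping Identity or from the Burton report. Issuer names, keys and tier names are constructed, and HMAC-SHA256 stands in for the XML signature a real SAML assertion carries; the point it shows is that every tier that consumes assertions must hold its own trust store, so a new issuer means touching every tier.

```python
import hashlib
import hmac
import json

# Constructed issuer keys (stand-ins for IdP signing certificates).
IDP_KEYS = {
    "idp-a.example": b"key-for-idp-a",
    "idp-b.example": b"key-for-idp-b",
}


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(issuer, key, subject, attrs, issued_at, ttl=300):
    """Issue a signed assertion. HMAC-SHA256 stands in for XML-DSig here."""
    body = {"issuer": issuer, "subject": subject, "attrs": attrs,
            "not_after": issued_at + ttl}
    payload = _canonical(body)
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


class Tier:
    """One infrastructure component (SSL VPN, XML gateway, app server...)
    that consumes assertions. Each tier carries its own trust store."""

    def __init__(self, name, trust_store, required_attrs=()):
        self.name = name
        self.trust_store = dict(trust_store)
        self.required_attrs = tuple(required_attrs)

    def accept(self, assertion, now):
        body = json.loads(assertion["payload"])
        key = self.trust_store.get(body.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, assertion["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        if now >= body["not_after"]:
            return False, "expired"
        missing = [a for a in self.required_attrs if a not in body["attrs"]]
        if missing:
            return False, "missing attrs: " + ",".join(missing)
        return True, "ok"


def run_chain(tiers, assertion, now):
    """Pass one assertion through the tiers in order; stop at the first rejection."""
    results = []
    for tier in tiers:
        ok, reason = tier.accept(assertion, now)
        results.append((tier.name, ok, reason))
        if not ok:
            break
    return results


def trust_entries(tiers):
    """Issuer keys that must be provisioned across all tiers (the unwieldy part)."""
    return sum(len(t.trust_store) for t in tiers)


def build_tiers():
    """Three constructed tiers; the app server was never told about idp-b."""
    both = IDP_KEYS
    only_a = {"idp-a.example": IDP_KEYS["idp-a.example"]}
    return [
        Tier("ssl-vpn", both),
        Tier("xml-gateway", both, required_attrs=("role",)),
        Tier("app-server", only_a, required_attrs=("role", "email")),
    ]


if __name__ == "__main__":
    now = 1_000_000
    tiers = build_tiers()
    a = sign_assertion("idp-a.example", IDP_KEYS["idp-a.example"], "alice",
                       {"role": "staff", "email": "alice@example.com"}, now)
    b = sign_assertion("idp-b.example", IDP_KEYS["idp-b.example"], "bob",
                       {"role": "staff", "email": "bob@example.com"}, now)
    for label, assertion in (("idp-a", a), ("idp-b", b)):
        print(label, run_chain(tiers, assertion, now))
    print("trust store entries across tiers:", trust_entries(tiers))
```

The idp-a assertion clears all three tiers; the idp-b one is accepted by the VPN and gateway and then rejected by the app server, because its trust store was never updated. A tampered payload fails signature verification at the first tier, and an expired assertion is rejected wherever it first arrives.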

But, as the old saying goes, if your only tool is a hammer, then every problem looks like a nail. Durand, Harding & Ping ID are heavily invested in SAML. Federation, though, does not require SAML assertions and all of the unwieldy claptrap that it brings along with its trust model.

Durand's synopsis of the Burton report, though, specifically says: "Federation likely won't be point-to-point like SSL." But the report does point out that the desire for federation technology to be built in to all the devices on the network is growing inexorably. So what's the solution?

Maybe, just maybe, it's time to think beyond point-to-point SAML-style federation and to design a web-like structure of built-in identity authentication, verification and validation. Nothing full-blown, of course, but client-side and server-side pieces so that identity data can be federated (small "f") as a mesh, or web, of services.

The Burton Group study was actually pretty good. Federation really shouldn't be a separate product, and I believe that it should be incorporated directly into operating systems, similar to the approach MS is using with AD...
