Will the “real” federated provisioning please stand up?

Nishant has commented on my post about federated provisioning.  He has provided two different examples of federated provisioning.  One of these, the advanced provisioning example, involves a company who manages its employees’ access to a service provider service via provisioning.  In this case, Nishant agrees with me that provisioning of this sort is no different than provisioning the UNIX box down the hall.


But it is Nishant’s second example, the just-in-time provisioning example, which is a bit tougher.  In this case, the enterprise and its service provider have a federation in place.  Using SAML-based authentication, a new user attempts to access the service provider’s service.  The idea (hope?) is that the service provider recognizes the new user request, provisions the user, and authenticates the user in the same conversation. Nishant does add a degree of difficult in this scenario as he ties the federation service to a provisioning service.  Grabbing attributes from the SAML token, creating a SPML message, and handing that to a provisioning service is possible, but as a commentator points out this sort of interop isn’t spec’ed out so the heavy lifting is left to the service provider.  And even if the service provider doesn’t want to directly link its federation and provisioning services, it still needs to grab that assertion attributes and create the account in the backend system. 


It turns out, to my surprise, that there are people doing this.  Parties in a federation agree to which attributes are needed and send those in their authentication assertions.  A process at relying party uses those attributes to provisioning new accounts.  This is a fairly lightweight and effective approach, but there are some catches to be aware of.


The first catch, as Nishant points out, is if the service provider needs attributes above and beyond what are in the assertion, there’s not an easy way for the service provider to ask for them.  To deal with this, the service provider has to present a registration screen of some sort to the user.  Compared to the first scenario in which the federate account is already waiting for the user, the second scenario is herky-jerky and will annoy/confuse the end user.


The second catch is deprovisioning.  The provisioning process hinges on an authentication event.  Deprovisioning cannot be activated on de-authentication.  This does leave the problem of how to remove accounts when people have left a federation partner.  In the approaches we have seen, when a new account gets built it has an expiration date associated with it that gets updated on every login.  After some period of time without an authentication, the account is suspended or deleted.  Not a bad way to go.


JIT Provision may in fact be “real” federated provisioning, but not provisioning, as a dogmatic, dyed-in-the-wool provisioning guy would immediately recognize.  While I take my dogma for a walk, this quarter Lori and Bob are going to looking into some of the intersection point of identity management and SaaS and I think they’ll have more to say on this type of conversation in the coming months.


Down with federated provisioning

There’s been a bit of recent blogging activity about federated provisioning and SPML.  Having worked on both federated provisioning and SPML in a past life, it warms my heart to see this discussion.  Jackson, quoting the CIO of Education Testing Services, Daniel Wakeman, restates the observation that SaaS providers are providing when it comes to federated identity management.  This “major shortcoming” leaves service subscribers to fend for themselves in managing user lifecycle events like on-boarding and off-boarding.  Not acceptable.

That got me thinking – there really ought not to be a concept of federated provisioning.  Provisioning an application in the data center must be the same as provisioning an application in the cloud.  However, in the course of the conversation between JamesJackson, and Mark, it seemed SaaS applications and in-house applications were different from a provisioning perspective.

SaaS applications may be harder to provision and de-provision than non-SaaS application, but that doesn’t make them fundamentally different animals.  The point was made that SaaS apps lack a standards-based provisioning interface, an SPML interface.  The fact is the vast majority of applications, SaaS or not, lack a standards-based provisioning interface and this makes dealing with them very much the same.

Now there are two reasons that we don’t hear the same short of clamor about provisioning non-SaaS applications as we do with SaaS applications:

  • We’ve dealt with it so long that pain isn’t as acute
  • Provisioning vendors built an array of connectors, shifting the pain up a level, allowing companies to focus on the provisioning technology and not each and every application they want to provision

Provisioning vendors spent lots of time and money to build connectivity to traditional applications.  Lots.  And in doing so provided a bit of absolution for application vendors from their failing to provide a standards-based provisioning interface.  Having gone through all that pain and suffering, vendors are not eager to go through it again with SaaS applications, coding connectors to each one’s different web service.  Customers aren’t too keen on the idea either.

In providing SPML interfaces to their applications, SaaS vendors would do everyone a service.  Provisioning vendors could use their SPML connectors and not have to build to each SaaS application.  Customers wouldn’t have to write custom code to different service interfaces.

You don’t want that fired sales guy walking away with your customer list no more than you want him walking out the door with your pricing information.  To that end, there should be no reason why deprovsioning from an application like Salesforce.com is any harder than deprovisioning from LDAP.  Federated provisioning should not exist; there is only provisioning.

(Cross-posted from Burton Group’s Identityblog)

Considering identity consolidation

James has provided me more to work with

Identity consolidation says that I figure out how to get user stores out of my enterprise application and instead get these applications to bind at runtime to a directory service such as Active Directory.

Ah, so identity consolidation is centralized authorization.  Got it.

I am making the assumption here that when James says user store he means authorization store.  (Applications in this model still need some modicum of a user store if nothing else for auditing purposes.)  I am assuming the implication here is that after authentication comes a round of authorization that the directory service provides.  The application would consume this authorization data, at runtime, and act accordingly.  Theoretically, an enterprise policy (XACML) store could theoretically reproduce the authorization models of every application in the enterprise today and that policy tools would interact with this store.  Though I think this is a very viable model for customer applications (especially J2EE and .NET), I do not see it as an enterprise approach where complex applications like mainframe security and ERP roam free.

Identity management says that I should go create a strategy around provisioning of identity and leverage tools such as Sun’s IDM, Thor, etc where I still fundamentally allow enterprise applications to have their own user stores and takes me down the path of building lots of connectors… [snip]  I am of the belief that identity management (provisioning) propagates and encourages an otherwise bad architecture.

I look at user provisioning as dealing with the reality (and foreseeable future) of the enterprise landscape.  That landscape involves lots of user and authorization stores.  For reasons I discuss below, that is not going to change any time soon.  It is better to provide flexible, short time-to-value solutions, as identity management does, that address the reality of today than to wait for the ideal enterprise landscape to arrive at its glacial speed.

I disagree with James’ assertion that user provisioning requires the construction of connectors.  The connector wars of the provisioning world are over.  Connecting to systems like a complex bespoke application or RACF or SAP has become a science, not an art.  On the whole, provisioning doesn’t require connector construction; it requires configuration.  Each provisioning vendor worth their salt has a way of quickly connecting to “unknown” systems that don’t require core engineering efforts.

The one thing that I would also love insight into is how to get vendors who still insist on having their own user stores (e.g. Documentum, Alfresco, etc) to see the error of their ways and to take quick steps towards remedying them.

I think you’ll find the reason the vendors give on maintaining their own user and authorization stores is much the same reason why they have yet to adopt Service Provisioning Markup Language in a meaningful way.  There is nothing in it for them.  Nada.  The only vendors who might stand to gain (and thus adopt) centralized authorization are mega-vendors like IBM who have dozens upon dozens of applications.  For these vendors, producing a common auth store with the requisite halo of tooling becomes a path to customer lock-in.  “Ms. Customer, you can use AuthStore 5.0 to manage all of the authorizations for all of our products.  And here is AuthManage 6.0 to help you do just that.”  And if the customer ports their bespoke applications to the common auth store, the vendor gets big-time lock-in.  Want to get rid of XYZ Vendor?  You’ll have to reincorporate authorization stores into your applications. I have to imagine externalizing an auth store for a homegrown application would be painful, undoing that work even more so.

Stepping back to what I originally wrote about: no amount of centralized user and authorization management will make up for a lack of strong organizational and business process understanding coupled with appropriately defined controls.  That is the fuel for identity management and, frankly, identity consolidation as well.

On the Applicability of SPML

Jeff Bohren has joined the blogosphere. I’ve known Jeff since the Access360 days. He has been intimately involved in SPML.

One of his first posts is a continuation of the discussion Conor and I had on SPML. He makes the point, and rightly so, that:

SPML is not the solution to every problem that has the word “provisioning” in its description