IBM's identity management becomes user-centric: HP's identity management exit strategy
Courtesy of InternetNews on Tuesday I learned that IBM has added support for OpenID, Windows CardSpace and Eclipse's Higgins Identity Framework to its Tivoli Federated Identity Manager (FIM) offering. As one of the enterprise identity management heavyweights, IBM's announcement is an important endorsement of user-centric identity approaches. Such approaches are still in the formative phase of the adoption curve, particularly in the enterprise, so I see this is an investment for the future for IBM. IBM's significant installed base should help to increase awareness, particularly for organisations supporting external user communities.
IBM's
press release provides more details on the user-centric credentials (
no pun intended!) of FIM. It also discusses the product's SOA Identity Service, which is designed to address some of the challenges associated with identity lifecycle management and audit where service-oriented approaches are applied to siloed applications with siloed security. These challenges are something
I highlighted back in February 2006 and are a barrier to the realisation of the value of SOA as it moves out of project-level deployments. I see the SOA Identity Service as the more important aspect of this announcement, with SOA being a more pressing IT (and hopefully business) concern than user-centric identity.
As an aside, the InternetNews article mentions that the enterprise identity management market
is becoming increasingly competitive with offerings from HP, CA and Oracle.
Can't fault the journalist on CA and Oracle ... but HP! Earlier in the year the company announced that it was no longer going to be selling its Identity Center products to new customers: hardly a competitive force. As part of this (hopefully for its customers) graceful retreat from the market,
HP announced that it has established an exclusive agreement with Novell whereby the two companies will
jointly offer migration services, HP will resell Novell identity and security management solutions and Novell will license HP Identity Center technology
When HP originally announced that it was exiting the market, it stated that it would continue to support and develop Identity Center for its existing customers so I was somewhat surprised to see it offering a migration programme. I wonder whether those customers didn't see this as an effective way forward for what is critical infrastructure. Whilst the programme was a surprise, the partner wasn't. Where else could HP have gone? BMC, CA or IBM: hardly, given the competition in the IT service/systems management markets (and numerous others in the case of IBM). Sun: difficult given competition in the hardware space. Oracle: would have made things difficult for HP's SAP alliance team. Microsoft: lacks the heterogeneous environment support and breadth of functionality that HP's customers need. So, whilst I am sure the sentiments behind Ben Horowitz's (VP and GM, Business Technology Optimization, Software, HP) statement that HP chose Novell
because of its outstanding set of technologies, recognized market leadership and tremendous commitment to working with HP customers
are real, the company didn't have too many others to chose from!
Labels: BMC, CA, CardSpace, Eclipse, Higgins, HP, ibm, identity, Microsoft, Novell, Oracle
Realising the identity metasystem
It's perhaps unsurprising, given all the brouhaha surrounding
Microsoft's claims that open source software infringes on 235 of its patents (which incidentally I take to be largely 'sabre rattling' from Redmond in the face of the implications of the GPLv3 for its deal with Novell, as discussed in
the Risk Factors of the latter's recent 10-K filing), that
some recent news regarding the Redmond company's very positive collaboration with the open source community has not received the attention it deserves.
The news in question concerns a series of announcements the company made at last week's
Interop conference in Las Vegas. These announcements, as the title of the post suggest, all revolve around Microsoft's vision for an Internet-scale, interoperable
identity metasystem and range from additions to the
Open Specification Promise (OSP) through to support for OpenLDAP with
Microsoft's Identity Lifecycle Manager.
So, what did they announce? First, Microsoft is
making the Identity Selector Interoperability Profile available under the OSP to enhance interoperability in the identity metasystem for client computers using any platform. An individual open source software developer or a commercial software developer can build its identity selector software and pay no licensing fees to Microsoft, nor will it need to worry about future patent concerns related to the covered specifications for that technology In other words, third parties are free to build the equivalent of Microsoft's CardSpace, following the likes of the
Higgins project, Ian Brown's Apple
Safari Plug-In and Chuck Mortimore's
Firefox Identity Selector. This is important not only because it extends the reach of CardSpace-like capabilities beyond Windows but also because it facilitates the consistent user experience (I know because I have used CardSpace, the Safari Plug-In and the Firefox Identity Selector) which helps to reduce errors and misunderstanding by users.
Second, Microsoft
is starting four open source projects that will help Web developers support information cards, the primary mechanism for representing user identities in the identity metasystem. These projects will implement software for specifying the Web site?s security policy and accepting information cards in Java for Sun Java System Web Servers or Apache Tomcat or IBM?s WebSphere Application Server, Ruby on Rails, and PHP for the Apache Web server. An additional project will implement a C Library that may be used generically for any Web site or service. These implementations will complement the existing ability to support information cards on the Microsoft® Windows® platform using the Microsoft Visual Studio® development environment.Or, to put it another way, doing for back end servers what the first announcement is doing for the front-end: enabling web sites and enterprises running a wide variety of web server infrastructure to support authentication using CardSpace and the other identity selectors.
The cyncical amongst you might be forgiven for thinking that these two announcements are just Microsoft paying lip service to interoperability.
This post should help to allay your concerns: at the Internet Identity Workshop earlier in May the Open Source Identity Selector (OSIS) group demonstrated interoperability amongst 5 identity selectors, 11 relying parties (the party relying on authentication to prove an identity), 7 identity providers (the party asserting the identity), 4 types of identity token (the mechanism for conveying the identity assertion), and 2 authentication mechanisms. Also, on the same day as the Microsoft press release, Internet2
announced plans to extend
Shibboleth, a federated web single sign-on solution based on SAML that is widely used amongst educational institutions, to support CardSpace and compatible identity selectors.
The third piece of news from Redmond last week, concerned the new
Identity Lifecycle Manager product and is thus primarily focussed behind the firewall. Microsoft is going to be working with KERNEL Networks and Oxford Computer Group to enable bi-directional synchronisation of identity data between
OpenLDAP, an open source implementation of the ubiquitous directory standard, and Microsoft's Active Directory. Identity Lifecycle Manager already supports a wide range of the commonly-deployed identity data repositories so I think this move is primarily in the "playing well with open source" category - but valuable nonetheless.
These announcements are further evidence that the likes of
Kim Cameron, Microsoft's chief identity architect, and
Mike Jones, the company's Director of Identity Partnerships, have been working hard to foster the relationships and commitment (both from Microsoft and third parties) required to help make the identity metasystem a reality. That reality is too important for the results of those efforts to be diluted by political shenanigans around patents and GPLv3.
Labels: CardSpace, Higgins, identity, Microsoft, SAML, Shibboleth
