Identity management, meet Service Oriented Architecture
There is no denying the fact that modern identity management systems are complex. Provisioning tools pull and push data between systems with proprietary adapters and connectors. Metadirectories synchronize data from disparate sources using complex rules and transformations. Access management technologies share security responsibility with application code, and LDAP directories provide opaque views of the underlying identity data. Plus, a single infrastructure may consist of offerings from multiple vendors.
Of course, there is no doubt that identity management technology delivers a plethora of very tangible benefits. Because it touches almost every aspect of a user’s life-cycle within an enterprise - from initial on-boarding, through day-to-day access to computing resources, until the end of their affiliation with the organization - there is a huge opportunity for savings. Through standardization of platforms, processes, and policies, a company can develop an excellent business case for the deployment of a shared identity infrastructure.
However, for many organizations that have deployed identity platforms, the return on investment has not lived up to the estimates so carefully worked out in these business cases. Like many enterprise software investments, the effectiveness of, and return on investment for, an identity infrastructure grows with the maturity of the environment. However, identity management also presents a unique challenge: it is an economy of scale, where cost reduction is tied directly to increased service utilization, realized through operational efficiencies. In short - cost savings will be minimal in the absence of widespread platform adoption.
Unfortunately, many identity management deployments achieve early success only to stall when application adoption becomes most critical, often because the integration model places a huge burden on everyone involved in the process. For example, in order to write working code, a developer must understand every intricate facet of identity management technology, including LDAP, schema, topology, token authentication systems, provisioning flows, etc. Likewise, identity service organizations find they must allocate additional resources to support project teams, on top of their responsibilities for 24/7 support of the infrastructure. Typically, identity and application architects are tied up dealing with one-off integration issues, or developing voluminous documentation, even for simple designs. And management shares the pain when they struggle to accurately predict project costs and timelines. They must justify large resource outlays for each integration and are constantly challenged to find people who understand identity management.
Perhaps worst of all, this complexity can lead to brittle integrations that break the minute anything in the infrastructure changes. These factors all contribute to a growing perception that identity management integrations are expensive, high risk, and low reward. This is how adoption problems begin - when complexity makes it impractical to onboard a large volume of applications or users.
Regardless of the underlying issues, in order to achieve top maturity levels and maximize value from identity management, the following key goals must be met:
- Ubiquitous adoption of the core service platform - with the identity service recognized as a standard, with 90%+ adoption by new applications for the most common operations like authentication, authorization, entitlement management, etc.
- A fully established, simple, shared service framework. Developers should not need a detailed understanding of the identity architecture and schema to use the service. Integration should be a quick and easy process, or at least not drawn out and painful! The framework must also minimize common risk factors like poor performance, lack of fault tolerance, etc.
- Loosely coupled architecture - Access to the identity system must be encapsulated within an abstraction layer so that changes to the underlying infrastructure do not wreak havoc on an unprepared population of applications.
- “Write once, run everywhere” - integrators and developers should not need to reinvent the wheel or create duplicative code for each application.
- The system must immediately meet core use cases, and should be adaptable to accommodate ongoing requirements.
If these requirements sound familiar, you’ve probably been reading up on the service oriented enterprise. And, in fact, this is exactly where Service Oriented Architecture (SOA) fits nicely into an identity management infrastructure. Usually, discussions about SOA are focused on the implementation of Enterprise Service Bus (ESB) technologies, BPEL wizardry, and enterprise service integration. A huge volume of information already exists about how SOA can solve integration challenges, and it would be redundant to go into further discussion in this post. But at a basic, and very realistic, level the SOA movement is all about developing a core framework of simple, flexible services. Thus, SOA patterns can be utilized in any scenario where a shared service is exposed to applications and rapid integration (RAI) is desirable.
By effectively leveraging SOA models, a company can develop a robust contract between the identity service providers (backend systems like LDAP directories, access management / Web SSO tools, provisioning systems, metadirectories, virtual directories, etc.) and identity consumers - the core resources that make up the bulk of their application portfolio. Of course, even SOA models can fall into the trap of rampant complexity. The key to success here is simplicity - the identity services must:
- Utilize established standards, with maximum support for language tools like proxy code generators.
- Support cross platform interoperability - a solution tied to a single language will not suffice.
- Work with existing tools and technologies - most companies have already made investments in identity management that should be fully leveraged.
- Ease integration for service providers, architects, developers, and management. The solution should minimize support burden, eliminate common integration issues, shorten the learning curve, cut the amount of code required for integration, and reduce overall costs.
I believe that identity management could be the poster child for SOA. Try to envision the one requirement common to every single application your company maintains. It’s not resource planning, ordering, or manufacturing. It’s identity, and it’s the single common thread that permeates every application in a modern company’s application portfolio. Yet there has been very little industry progress towards enabling large-scale identity enablement through SOA and web services.
identicentric aims to change this. Our product, idBUS, leverages SOA patterns to meet common identity integration requirements. It is one of the first tools of its kind to expose 100% of its functionality using a web service interface. With standards support and interoperability between major languages and development environments, idBUS frees integrators from the need to understand complex technologies, APIs and interfaces. idBUS doesn’t replace existing identity management investments. It works alongside existing products and technology to ease application enablement, reduce costs, cut complexity, and increase operational effectiveness - results that are the hallmark of a successful service oriented architecture solution.
