OptimalIdM has announce support for Microsoft WIF (you can get more info here). What they have done is pretty interesting. The have created an STS that front ends their Virtual Directory. This allows a single STS to be used to issue claims against multiple identity stores.
Of course the main use case here is the multiple AD forest scenario, but it could also support disparate identity stores such as other LDAP directories, databases, etc.
[Full disclosure: I have done consulting work for OptimalIdm in the past.]
Posted in AD, Identity, Identity Bus, Standards, Virtual Directory
Tagged AD, ADFS, Federation, Identity, OptimalIdM, Virtual Directory, WIF
Nishant Kaushik posits an interesting question; can OAUTH fill the provisioning role in Just-in-time federated provisioning. Mark Wilcox follows up here and here.
I agree with Mark’s commenter who suggests that a SAML attribute service fills the role just as well. Mark suggests that a SAML attribute query is too difficult to implement in some development environments. But I am not sure that I buy the argument that there are environments where doing the SAML SSO is doable but doing the attribute query isn’t.
Regardless all this got me thinking about impedance matching. When we wear our standards hat, all things are possible. But we need to step back at times and put on our developer hat and think about how are designs are going to be implements. While we could mix SAML and OAUTH to support JIT federated provisioning, implementation now requires tools, libraries, and implementers that can implement both SAML and OAUTH as well as handle the rough edges where the don’t mesh well. That’s an impedance mismatch in my opinion.
Posted in Authentication, Identity, Open Source, OpenID, Provisioning, SAML, SPML, Standards
Tagged Federated Provisioning, Federation, Identity, OAUTH, OpenID, Provisioning, SAML, SPML
My current employer, CareMedic, has been acquired by Ingenix. The announcement is here. I am cautiously optimistic that this will be a good deal for both parties.