Just in time for Christmas Samba 4.0 was released. This big news here is Samba 4.0 adds Active Directory Domain Controller emulation, including Kerberos, LDAP, DNS, and a bunch of other services.
While this is an impressive technical achievement, I don’t really see many enterprises adopting it. Samba 4 is fighting against one of the biggest IT pressures, headcount reduction. Most enterprises are now willing to pay more for the license cost of the software if it saves them administrative man hour costs.
So unless Samba 4 is going to be easier to install and maintain than Windows servers, it’s not really going to have an impact. Who knows, maybe it will be that easy. If you have Samba 4 in production drop me a comment and let me know what you think.
Meanwhile, Jackson Shaw is … unimpressed.
Posted in AD, Identity, Kerberos, LDAP, Linux, Open Source, Security, Software
Tagged Active Directory, AD, Kerberos, Open Source, Samba 4
Last week at TechEd Microsoft disclosed their new Graph API for Windows Azure Active Directory. Graph API is a RESTful web service for accessing the identity system behind Windows Azure and Office365.
This is an interesting development because it will enable Azure and Office365 customers to provision with systems other than FIM. While Graph API is not specifically an identity management API like SPML and SCIM, the capabilities are effectively the same in the context of the Azure environment.
There is a great presentation on this here, including a demo of the soon to be released OptimalIdM support.
It seems strange that there is so little attention being paid to this. It really an important step in cloud identity.
There is an idea that has been kicked around in IdM for years called Security Policy Provisioning. Basically the idea is that you have a system that takes centrally managed security policies and pushes them out to disparate system, the same way provisioning systems manage user accounts. We kicked around the idea of building a Security Policy Provisioning product back at OpenNetwork, but never did. In all honesty I had expected some IdM vendor to have added this feature to their provisioning engine by now, but as far as I know none ever went farther than user role management.
Well Axiomatics has apparently rolled it out in the guise of pushing their XACML policies to Windows Server 2012 to leverage the new authorization features. This is a very neat idea.
Of course after you push out the policies, Windows Server 2012 becomes the PDP as well as the PEP. You could develop a similar solution without using XACML at all.
I recently saw two polar opposite recommendations; one from Jeff Atwood begging you to not write code; and one from Radovan Semančík suggesting that the only practical software to use is open source software that you can fix as needed.
Obviously Radovan’s approach is not a scalable one. While there are a lot of terrible software products out there, especially in the enterprise space, there are also a lot of good ones that just work. Limiting yourself to coding solutions is a waste of time that most companies won’t pay for. Also Radovan’s solution limits you to open source solutions implemented in a language you are familiar with.
At the same time there are some problems that just need a coding solution, or are best solved that way.
For enterprise solution I am going to thread the path between Jeff’s Scylla and Radovan’s Charybdis by posing these questions:
- How much coding should be expected to implement an enterprise solution?
- How can you find enterprise solutions the works well enough you don’t need the source code or extensive customizations?
An enterprise solution that requires you to write code or scripts to do basic functionality is not well designed, in my opinion. Coding or scripting should only be required wheen the functionality needed is unique to a specific deployment (or too uncommon enough to be a main feature of the product). This is a core philosophy at OptimalIdM as well. Although the VIS virtual directory does support .NET plug-ins, most of our customers never need one. When we have seen the need for plug-ins in the past we looked for a common feature that could be added to the product.
So not having to write code one measure an enterprise solution’s quality. Here are some others:
Ease of install – they say you only get one chance to make a good first impression and install time is it for enterprise software. If your vendor is telling you that you need consulting hours just to install the software, it’s not going to get better from there.
Ease of use – requiring training to use enterprise software is a bad sign. Did you have to have training to use your browser or word processor? Enterprise software should be like that.
Stability – once installed and configured the software should just work. Baby-sitting should not be required. And if you really need two weeks of work or the source code to figure out why your solution stopped working, you made a poor vendor choice.
So go ahead and write code, but only when you have to.
OptimalIdM announced its new Office365 offering this morning. You can read the announcement here.
This has been an great project to work on. OptimalIdM can now enhance Office365 with a great set of new features and can do so for both the WS-Federation Passive and Active profiles. The Active Profile is used for Office365 Lync and Outlook support.
The new features we add to Office365 include easy multi-forest support, support for non-AD users, support for users with non-addressable UPNs, two-factor authentication, auditing, and a whole bunch of other features.
Posted in AD, Authentication, Cloud computing, Identity, Identity Management, Microsoft, Security, Standards, WS-Trust
Tagged Identity, Office365, WS-Federation
Softerra has released an open source C# implementation of SPML V2 (DSML profile). I haven’t had time to play around with it yet, but it looks interesting.
Now what would be really great would be some developers to take this and create some implementations that do useful stuff. For instance write a service provider for provisioning and reconciling AD accounts. Or perhaps integrate it with Microsoft FIM.
Posted in AD, Identity Management, Open Source, Provisioning, SPML
Tagged AD, DSML, FIM, Identity Management, Open Source, Provisioning, SPML