cro's place

James’ Thoughts on Bloggers - and Pat Too

Posted in Identity Management, Roles Based Access Control, Digital Identity by cro. Wednesday January 4, 2006.

James’ thoughts on bloggers and federated identity have been one of my own follow-up subjects for early this year, but it seems SuperPat has beaten me to it, prompting me to actually write something.

I’m only going to touch on a few of James’ points (coloured, certainly, by my reading of SuperPat and others):

Identity Bloggers pretend that notions such as Sarbanes Oxley don’t exist (or at least never mention them). Do they think that federations also need the notion of attestation? If so, don’t you think this will become an impediment to corporate adoption of federated identity for many verticals?

I guess it depends which blogger you read. Whilst I certainly don’t talk much about Sarbanes Oxley, it might be because I have to worry more about Basel II. That said, the audit trails and documentation this type of compliance needs have coloured the entire Identity Management project I’ve been working on, and have been a cornerstone of the design. It’s not that I’m not talking about Sarbanes Oxley, it’s that to me it’s only another piece in the puzzle.

SAML 2.0 is a good move to increase interoperability and should be implemented in all security oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?

Because in a lot of cases we’re replacing the inter-application communication channels with a mediator and access control manager. Where secure communication channels already exist outside the bounds of managing identity, we have no reason to touch or change them.

Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML? If consolidation is a good thing, why wouldn’t it be a good idea to consolidate identity within Active Directory?

There’s been a lot of discussion about consolidating identity stores, with arguments both for and against enterprise directories (I’ll dig out the links later). Of course, the question (to me at least) is more about whether it’s a good idea to consolidate identity stores or to consolidate identities within stores. A small difference, sure, but one means putting everything in the same place, the other means making sure the identities held in different places all match up. Personally I like the idea of a virtualised meta directory of identity, where there is a central identity store that only exists as a virtual entity, and is made up of information stored in a lot of different authoritative sources.
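As an added illustration of that second option (my example, not code from the project described in this post), here is a toy virtual meta directory. It assumes three hypothetical authoritative sources (an HR feed, Active Directory and RACF) that share an employee-number key, and a per-attribute authority map saying which source wins for which attribute. Nothing is copied into a central store; each lookup joins the sources on the fly, and the same join surfaces the two things an auditor will ask about: accounts with no HR anchor, and leavers who still hold live accounts. All records below are constructed sample data.

```python
"""Virtual meta directory: join identities across authoritative sources on demand.

Added example, not the project's own code. Source names, attribute names and
the sample records are all assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample records, keyed by a shared employee number.
HR = {
    "E1001": {"givenName": "Alice", "sn": "Smith", "department": "Risk", "status": "active"},
    "E1002": {"givenName": "Bob", "sn": "Jones", "department": "IT", "status": "leaver"},
}
AD = {
    "E1001": {"sAMAccountName": "asmith", "mail": "alice.smith@example.org", "department": "Treasury"},
    "E1002": {"sAMAccountName": "bjones", "mail": "bob.jones@example.org", "department": "IT"},
    "E1003": {"sAMAccountName": "svc_backup", "mail": "", "department": "IT"},
}
RACF = {
    "E1001": {"racfUserId": "ASMITH01", "groups": ["TSOUSER", "PAYROLLR"]},
    "E1002": {"racfUserId": "BJONES01", "groups": ["TSOUSER"]},
}
SOURCES = {"HR": HR, "AD": AD, "RACF": RACF}

# Which source is authoritative for which attribute (assumed policy).
AUTHORITY = {
    "givenName": "HR", "sn": "HR", "department": "HR", "status": "HR",
    "sAMAccountName": "AD", "mail": "AD",
    "racfUserId": "RACF", "groups": "RACF",
}
ANCHOR = "HR"  # a person must exist here before any account may be tied to them


@dataclass
class VirtualIdentity:
    key: str
    attrs: dict = field(default_factory=dict)      # merged view, authoritative value per attribute
    conflicts: list = field(default_factory=list)  # (attr, source, value) disagreeing with the authority
    present_in: list = field(default_factory=list) # sources that hold a record for this key


def resolve(key, sources=SOURCES, authority=AUTHORITY):
    """Build the virtual entry for one key without persisting anything."""
    vid = VirtualIdentity(key)
    vid.present_in = [name for name, store in sources.items() if key in store]
    for attr, owner in authority.items():
        owner_rec = sources[owner].get(key, {})
        if attr not in owner_rec:
            continue  # authority has no value: nothing to publish or to compare against
        vid.attrs[attr] = owner_rec[attr]
        # Any other source carrying a different value for an attribute it does not own is drift.
        for name, store in sources.items():
            if name == owner:
                continue
            rec = store.get(key, {})
            if attr in rec and rec[attr] != owner_rec[attr]:
                vid.conflicts.append((attr, name, rec[attr]))
    return vid


def all_keys(sources=SOURCES):
    """Union of keys across every source, so orphans in any one store are visible."""
    return sorted(set().union(*(store.keys() for store in sources.values())))


def findings(sources=SOURCES, authority=AUTHORITY):
    """Audit-style findings produced by the join itself: (key, kind, detail)."""
    out = []
    for key in all_keys(sources):
        vid = resolve(key, sources, authority)
        if ANCHOR not in vid.present_in:
            out.append((key, "orphan-account", vid.present_in))
        elif vid.attrs.get("status") == "leaver":
            live = [s for s in vid.present_in if s != ANCHOR]
            if live:
                out.append((key, "leaver-with-live-accounts", live))
        for attr, src, val in vid.conflicts:
            out.append((key, "attribute-drift", (attr, src, val)))
    return out


if __name__ == "__main__":
    print(resolve("E1001"))
    for f in findings():
        print(f)
```

The point of the authority map is that "matching up" identities is a policy decision, not a merge: AD's department value for E1001 is reported as drift rather than silently overwritten, and the service account E1003 shows up as an orphan precisely because it has no HR anchor. A real deployment would read the sources over LDAP or a provisioning connector, but the join and the findings are the same.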

If you want corporations to embrace the notion of federated identity, wouldn’t it require more than simple “look at me” interoperability demos and for all the vendors in this space to create some publicly available notion of “reference architecture” above and beyond what exists in Project Liberty?

The Shibboleth project is already in use, as is AthensDA; both are federation services. In my current project, though, we need to (and will be) supporting both of these, as well as Liberty and most likely JANET-LIN, and we’ll support as many other types of federation as possible. As a research organisation, one of our aims is to make collaboration between organisations and individuals easier, something a federated identity service can assist with greatly.

Any thoughts on how federated identity can integrate with Digital Rights Management?

Our approach is that federated identity can be used to enhance access to any DRM system we may need to put in place, especially in relation to digital content archives. But then working in an educational environment is slightly different from working in the corporate world :) (I was looking into a European scheme late last year that aimed to allow greater community access to digital content, including DRMed content, through the use of federation services. Certainly an interesting project, as it crosses several disciplines, not just federated identity services.)

How come pretty much all of the identity bloggers don’t support trackback in their blogs?

I do!


2 Responses to “James’ Thoughts on Bloggers - and Pat Too”

  1. James Says:

    I commend you on your responses to my blog. It may be useful for you to share the intersection between BASEL and Identity.

    My thoughts on attestation are that Sarbanes Oxley requires management to attest on a periodic basis what access their direct reports have. This works in an organizational hierarchy using chained concepts. Not sure that BASEL has a similar construct.

    In a later entry I also inquired about usage of XACML vs Metadata as part of SAML. Any thoughts here?

  2. Thought Leadership Says:

    Outstanding Questions on Federated Identity

    I previously asked several questions around Federated Identity and figured I would throw out a couple of additional ones in hopes that someone may know the answer?



Copyright 1998-2005 Tom Gordon