Tuesday, July 18

Identity Management Architecture Interoperability

Neil Macehiter of MWD published a document in May 2006 titled What drives identity management requirements. It's available on the MWD website (with registration) and worth the read. He states:

Enterprises need more than a rich portfolio of identity management functionality; they need an architectural approach which promotes interoperability.

Very true.

One of the ongoing trends in IT is a move toward service-based architecture. The initial rise of software-as-a-service has already taken place. As new applications are rolled out into organizations, IT managers are keeping an eye on making the platform open and interoperable. I've seen this in Identity Management projects. The people implementing IdM within an organization are doing so as a service to the larger organization. Systems and applications throughout the organization need to be able to interoperate with the IdM infrastructure to grant and deny access, verify privileges, create accounts and more. The main point of the paper seems to be that an IdM infrastructure ought to be built with a clear architectural approach that meets these increasingly prevalent requirements.

I see this as another important reason why businesses should be including a Virtual Directory as part of their IdM infrastructure. Adding a virtual directory into the solution immediately improves the solution's ability to be flexible and interoperable. Virtual directories enable organizations to make their identity data:

  • As open and available as the organization wants it to be
  • Accessible with a completely flexible and dynamic organizational structure that can be customized for each application that is accessing the data
  • Accessible via LDAP or virtually any other data structure
  • Accessible as a web service via DSML, SPML or other protocols
  • Available in real-time to applications across the organization regardless of protocol on the back-end data store
  • The organization can continue to manage identity data in its preferred system and format
  • There's no need for multiple repositories to support multiple sets of application requirements
  • There is virtually unlimited flexibility in how data could be presented

A virtual directory, acting as an abstraction layer, eliminates much of the complexity associated with connecting the other IdM components to the underlying data stores. IdM services like provisioning, federation, authentication and access control can leverage a single point of contact to an organization's identity data.
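To make the abstraction-layer idea concrete, here is an added toy example (my own code, not from the MWD paper or any vendor product). It constructs two in-memory stand-ins for backend stores, an HR database and an LDAP-style directory, joins them at query time on a shared employee number, maps backend field names onto one common schema, and hands each consuming application only the attributes its view permits. The DN suffix, attribute names, application names and sample people are all assumptions made for the example.

```python
"""Toy virtual directory: one abstraction layer over several identity stores.

Hypothetical example, not code from the post or from any product. Two backend
stores are constructed in memory: an HR database keyed by employee id and an
LDAP-style directory keyed by DN. Lookups join the two at query time (no
replicated copy), remap field names to a common schema, and each application
receives only the attributes its view allows.
"""
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# --- Constructed backend stores (sample data, not real identities) ---------
HR_DB = {  # relational HR system: employee_id -> row
    "1001": {"employee_id": "1001", "first": "Ada", "last": "Lovelace",
             "dept": "Engineering", "status": "active", "email": "ada@example.test"},
    "1002": {"employee_id": "1002", "first": "Alan", "last": "Turing",
             "dept": "Research", "status": "terminated", "email": "alan@example.test"},
}
LDAP_DIR = {  # directory server: dn -> entry (assumed DN suffix)
    "uid=ada,ou=people,dc=example,dc=test": {
        "uid": "ada", "employeeNumber": "1001",
        "memberOf": ["cn=vpn,ou=groups,dc=example,dc=test"]},
    "uid=alan,ou=people,dc=example,dc=test": {
        "uid": "alan", "employeeNumber": "1002", "memberOf": []},
}

# Backend field name -> attribute name in the common virtual schema.
HR_MAP = {"first": "givenName", "last": "sn", "dept": "department",
          "status": "employmentStatus", "email": "mail"}
LDAP_MAP = {"uid": "uid", "memberOf": "memberOf"}

# Per-application views: each consumer sees only the attributes it needs.
VIEWS: Dict[str, List[str]] = {
    "mail-gateway": ["uid", "mail", "employmentStatus"],
    "vpn":          ["uid", "memberOf", "employmentStatus"],
    "hr-portal":    ["uid", "givenName", "sn", "department", "mail", "employmentStatus"],
}


def _remap(row: dict, mapping: dict) -> dict:
    """Keep only mapped fields and rename them to the common schema."""
    return {mapping[k]: v for k, v in row.items() if k in mapping}


def lookup(uid: str) -> Optional[dict]:
    """Join both stores on employee number at query time; None if uid is unknown."""
    dn = f"uid={uid},ou=people,dc=example,dc=test"
    ldap_entry = LDAP_DIR.get(dn)
    if ldap_entry is None:
        return None
    hr_row = HR_DB.get(ldap_entry["employeeNumber"], {})
    merged = {"dn": dn}
    merged.update(_remap(hr_row, HR_MAP))
    merged.update(_remap(ldap_entry, LDAP_MAP))
    return merged


def view_for(app: str, uid: str) -> Optional[dict]:
    """Project the merged entry onto the application's permitted attribute list."""
    if app not in VIEWS:
        raise KeyError(f"unknown application view: {app}")
    entry = lookup(uid)
    if entry is None:
        return None
    allowed = set(VIEWS[app])
    return {k: v for k, v in entry.items() if k == "dn" or k in allowed}


def is_active(uid: str) -> bool:
    """Access decision drawn from the authoritative HR status, not a stale copy."""
    entry = lookup(uid)
    return bool(entry) and entry.get("employmentStatus") == "active"


def to_dsml(entry: dict) -> str:
    """Render an entry as a minimal DSMLv2-style <entry> element for web-service consumers."""
    root = ET.Element("entry", dn=entry["dn"])
    for name, value in entry.items():
        if name == "dn":
            continue
        attr = ET.SubElement(root, "attr", name=name)
        for v in (value if isinstance(value, list) else [value]):
            ET.SubElement(attr, "value").text = v
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(view_for("mail-gateway", "ada"))
    print(to_dsml(view_for("vpn", "ada")))
    print("alan active:", is_active("alan"))
```

The design point is that the mail gateway never sees department or group data, the VPN never sees names, and a terminated employee is denied the moment HR flips the status, because every consumer reads through the same live join rather than from its own copy of the data.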

The document provides a blueprint for next generation IdM architecture. And it's a blueprint that makes sense.
