Middleware and SOA-based identity management
Chaired by Lewis Carr, BEA Systems
Horst Walther described SOA as both an opportunity and a challenge for IM. Three major pre-IdM streams feed into IM: PKI dates back to 1976, the CCITT (now ITU) published the X.500 standard in 1988, and five years later NIST published RBAC. As a result, the WS-* suites show a huge functional overlap; breaking them down into monofunctional services may ease the situation considerably. The challenge is how to carry out authentication and authorisation when there is no longer an application. Should each of the thousands of services be provisioned with its own authentication and authorisation information, or should a dedicated component be responsible for that in an SOA world? In Horst's view there should be one or several such components, or a whole layer dedicated to the task.
SOA will force developers to make design decisions they should have made before: factoring out the authorisation component to form a stand-alone service, extracting the authorisation rules from the code, and stating them as explicitly processable rule sets (e.g. in XACML).
In this model the process replaces the application, and the authorisation policy has to cover it: formally documented and machine-readable policies have come of age. With authentication it is easier to provide a self-contained service, and that has already been achieved successfully, albeit with some outstanding questions such as wider support for identity propagation. At present a SAML token is attached only to SOAP protocols. It would be useful to extend it to other native protocols such as JMS, SQL*Net/ODBC, or even Inter-ORB (IIOP). Ideally, all SOA-protected resources should be able to leverage SAML tokens.
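To make the design decisions above concrete (authorisation as a stand-alone service, rules held as data rather than as branches in each service), here is a toy XACML policy decision point. This is an added example written for this page, not code from the conference or from any speaker: it evaluates only a small subset of XACML 3.0 (Policy and Rule Targets built from string-equal Matches, plus the deny-overrides and first-applicable combining algorithms), the policy, the request layout and the `resource-type` attribute identifier are constructed for illustration, and a real deployment would use a full XACML engine.

```python
"""Toy XACML 3.0 policy decision point (PDP) plus a deny-by-default
enforcement point (PEP).  Hypothetical example code: supports only
string-equal Matches and two rule-combining algorithms."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_TYPE = "resource-type"   # constructed attribute id for this example


def _match(category, attr, value):
    """Emit one XACML <Match> comparing a request attribute to a literal."""
    return (f'<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')


# Constructed sample policy: it applies to invoices only; deleting is always
# denied, clerks may read, and anything else is NotApplicable.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="invoice-policy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>{_match(RESOURCE, RESOURCE_TYPE, "invoice")}</AllOf></AnyOf></Target>
  <Rule RuleId="deny-delete" Effect="Deny">
    <Target><AnyOf><AllOf>{_match(ACTION, ACTION_ID, "delete")}</AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="clerk-read" Effect="Permit">
    <Target><AnyOf><AllOf>{_match(SUBJECT, ROLE, "clerk")}{_match(ACTION, ACTION_ID, "read")}</AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def _match_ok(match, request):
    """string-equal: the designated request attribute must equal the literal."""
    des = match.find("x:AttributeDesignator", NS)
    want = match.find("x:AttributeValue", NS).text
    have = request.get(des.get("Category"), {}).get(des.get("AttributeId"))
    return have == want


def _target_ok(node, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing or empty Target matches every request."""
    target = node.find("x:Target", NS)
    if target is None:
        return True
    return all(any(all(_match_ok(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))


def evaluate(policy_xml, request):
    """PDP: return Permit, Deny or NotApplicable for a request."""
    policy = ET.fromstring(policy_xml)
    if not _target_ok(policy, request):
        return "NotApplicable"
    alg = policy.get("RuleCombiningAlgId").rsplit(":", 1)[1]
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if _target_ok(r, request)]
    if alg == "first-applicable":
        return effects[0] if effects else "NotApplicable"
    if alg == "deny-overrides":
        if "Deny" in effects:
            return "Deny"
        return "Permit" if "Permit" in effects else "NotApplicable"
    raise ValueError(f"unsupported rule-combining algorithm: {alg}")


def make_request(role, resource_type, action):
    """Build the attribute bag a PEP would send to the PDP."""
    return {SUBJECT: {ROLE: role},
            RESOURCE: {RESOURCE_TYPE: resource_type},
            ACTION: {ACTION_ID: action}}


def pep_allows(role, resource_type, action, policy_xml=POLICY_XML):
    """PEP: only an explicit Permit grants access; NotApplicable and
    Indeterminate are refused, so an unmatched request never falls open."""
    return evaluate(policy_xml, make_request(role, resource_type, action)) == "Permit"


if __name__ == "__main__":
    for who, what, how in [("clerk", "invoice", "read"), ("clerk", "invoice", "delete"),
                           ("auditor", "invoice", "read"), ("clerk", "order", "read")]:
        print(who, how, what, "->", evaluate(POLICY_XML, make_request(who, what, how)))
```

The service itself ends up containing only the call to `pep_allows`; every rule lives in the policy document, which can be reviewed, versioned and reused by every service that handles invoices. Note the PEP's deny-by-default: a request the policy does not cover yields NotApplicable, and treating that as anything but a refusal is the classic way an extracted policy silently fails open.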
So why are we in the middle of a SOA hype today? The drivers are:
The answer to these contradictory requirements is to use standard, off-the-shelf operating models for non-competitive business functions such as IdM.
In conclusion, we are well advised to design an appropriate set of services to cover traditional IM tasks in the SOA world, and to look for easy, robust and standard ways to orchestrate identity services. SOA is here to stay. Horst Walther recently found 75 different WS standards in a book on SOA. He therefore doubted that we have an urgent need for another 25 and recommended that we should instead sort the existing standards, try to understand them thoroughly and use them properly.
Contributions: Lewis Carr of BEA Systems is co-ordinating a white paper on SOA. Anyone who is interested in contributing should contact firstname.lastname@example.org.
June 12th-13th 2007
Radisson SAS Hotel, Paris, France
"Hell is full of systems that failed because they didn't have any attraction for users."
Kim Cameron, Chief Architect of Identity, Microsoft Corporation