Some interesting thoughts on SPML were presented in the Burton Group posting SPML is on life support. Everyone involved in identity management, at least all those trying to do a good job, spends way too much time on provisioning. Some of the Too Much Time is spent on non-standard integration, because every single integration has to be hand made.
Hand made integration is
- expensive (and consultant-intensive)
- not even close to scaling, since every integration is between two individual systems
- error prone, since hand tailoring is by definition one shot wonders
- tailored to the needs of the team specifying the integration, usually not the needs of the organization as a whole (unless there is a clear architecture)
The two main alternatives to provisioning both involve exposing information from the distributed infrastructure
- Virtual directories and local LDAP exposure. This is a chilling option to those of us who know details about everyday LDAP security practices. If people knew how to install SSL and close off parts of their directories, I would be less scared. But still scared, since exposing LDAP servers directly is an elevated art.
- Federations and SAML event-driven information exchange. This requires changes to the usual workflow for provisioning, but is a feasible alternative.
Groups and roles are not easy to share across applications, and this needs to happen in an understandable secure solution space. Emerging work on virtual organizations and multiple attribute sources for federated login looks promising, but is not likely to deploy in production real soon.
It looks like provisioning will be an area to watch, simplify and spend Way Too Much Time on – yet another year.
Am I being too pessimistic? I hope I am.