{"id":948,"date":"2008-04-05T16:14:33","date_gmt":"2008-04-06T00:14:33","guid":{"rendered":"\/?p=948"},"modified":"2008-04-05T16:22:31","modified_gmt":"2008-04-06T00:22:31","slug":"identity-bus-and-administrative-domain","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=948","title":{"rendered":"Identity bus and administrative domain"},"content":{"rendered":"<p>Novell&#39;s <a href=\"http:\/\/virtualsoul.org\/blog\/2008\/04\/02\/metavirtualdirectory-hubs-and-the-need-for-the-identity-bus\/\">Dale Olds<\/a>, who will be on <a href=\"http:\/\/www.id-conf.com\/speakers\/247\">Dave Kearns&#8217; panel<\/a> at the upcoming <a href=\"http:\/\/www.id-conf.com\/eic2008\">European Identity Conference<\/a>, has added the &#8220;identity bus&#8221; to the metadirectory \/ virtual directory mashup.\u00a0 He <a href=\"http:\/\/virtualsoul.org\/blog\/2008\/04\/02\/metavirtualdirectory-hubs-and-the-need-for-the-identity-bus\/\">says in part<\/a>:<\/p>\n<blockquote><p>Meta directories synchronize the identity data from multiple sources via push or pull protocols, configuration files, etc. They are useful for synchronizing, reconciling, and cleaning data from multiple applications, particularly systems that have their own identity store or do not use a common access mechanism to get their identity data. Many of those applications will not change, so synchronizing with a metadirectory works well.<\/p>\n<p>Virtual directories are useful to pull identity data through the hub from various sources dynamically when an application requests it. This is needed in highly connected environments with dynamic data, and where the application uses a protocol which can be connected to the virtual directory service. I am also well aware that virtual directory fans will want to point out that the authoritative data source is not the service itself, but my point here is that, if the owners shut down the central service, applications can\u2019t access the data. 
It\u2019s still a political hub.<\/p>\n<p>Personally, I think all this meta and virtual stuff are useful additions to THE key identity hub technology \u2014 directory services. When it comes to good old-fashioned, solid scalable, secure directory services, I even have <a modo=\"false\" href=\"http:\/\/www.novell.com\/products\/edirectory\/\" class=\"broken_link\">a personal favorite<\/a>. But I digress.<\/p>\n<p>The key point here as I see it is \u2018hub\u2019 vs. \u2018bus\u2019 \u2014 a central hub service vs. passing identity data between services along the bus.<\/p>\n<p>The meta\/virtual\/directory administration and configuration is the limiting problem. In directory-speak, the meta\/virtual\/directory must support the union of all schema of all applications that use it. That means it\u2019s not the mass of data, or speed of synchronization that\u2019s the problem \u2014 it\u2019s the political mass of control of the hub that becomes immovable as more and more applications rendezvous on it.<\/p>\n<p>A hub is like the proverbial silo. In the case of meta\/virtual\/directories the problem goes beyond the inflexibility of large identity silos like Yahoo and Google \u2014 those silos support a limited set of very tightly coupled applications. In enterprise deployments, many more applications access the same meta\/virtual\/directory service. As those applications come and go, new versions are added, some departments are unwilling to move, the central service must support the union of all identity data types needed by all those applications over time. 
It\u2019s not whether the service can technically achieve this feat, it\u2019s more an issue of whether the application administrators are willing to wait for delays caused by the political bottleneck that the central service inevitably becomes.<\/p><\/blockquote>\n<p>Dale makes <a href=\"http:\/\/virtualsoul.org\/blog\/2008\/04\/02\/metavirtualdirectory-hubs-and-the-need-for-the-identity-bus\/\">other related points\u00a0<\/a>that\u00a0are well worth thinking about.\u00a0 But let me zoom in on the relation between metadirectory and the identity bus.<\/p>\n<p>As Dale points out in his piece, I think of the &#8220;bus&#8221; as being a &#8220;backplane&#8221; loosely connecting distributed services.\u00a0 The bus extends forever in all directions, since ultimately distributed computing doesn&#39;t have a boundary.<\/p>\n<p>In spite of this,\u00a0the fabric of distributed services\u00a0isn&#39;t an undifferentiated slate.\u00a0 Services and systems are grouped into\u00a0continents by the people and organizations running and using them.\u00a0 Let&#39;s call these &#8220;administrative domains&#8221;.\u00a0 Such domains may be defined at any scale &#8211; and often overlap.<\/p>\n<p>The magic of the backplane or &#8220;bus&#8221;, as Stuart Kwan called it,\u00a0is that we can pass identity claims across loosely coupled systems living in <em><strong>multiple discontinuous<\/strong><\/em>\u00a0administrative domains.\u00a0<\/p>\n<p>But let&#39;s be clear.\u00a0 The administrative domains still continue to exist, and we need to manage and rationalize them as much tomorrow as we did yesterday.<\/p>\n<p>I see metadirectories (meaning <strong>directories of directories<\/strong>) as the glue for stitching up these administrative continents\u00a0so digital objects can be managed and co-ordinated within them.\u00a0<\/p>\n<p>That is the precondition for hoisting the layer of loosely coupled systems that\u00a0exists above administrative domains.\u00a0 And I don&#39;t think it 
matters one bit whether\u00a0a given digital\u00a0object is accessed by a remote protocol, synchronization, or stapling a set of claims to a message &#8211; each has its place.<\/p>\n<p>Complex and interesting issues.\u00a0 And my main concern here is not terminology, but making sure the things we have learned about metadirectory (or whatever <em>you<\/em> want to call it) are properly integrated into the evolving distributed computing architecture.\u00a0\u00a0A lot\u00a0of us are\u00a0going to be at the <a href=\"http:\/\/www.id-conf.com\/eic2008\">European Identity Conference<\/a> in Munich later this month, so I look forward to the sessions and discussions that will take place there.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Metadirectories (directories of directories) provide the glue for stitching up administrative continents so digital objects can be managed and co-ordinated within them.  <\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[49,37,6,8,58],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/948"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=948"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/948\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?res
t_route=%2Fwp%2Fv2%2Fcategories&post=948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}