Monday, October 27, 2008

Identity Management 2.0 ?

Darren Calman posted something that has attracted some attention from Matt Pollicove and from Ping.  I think it is worth paying attention to. You will find some good historical and pragmatic information, but of particular interest to me was what was stated about identity virtualization.

Virtual directories are being touted as IdM 2.0 by Matt Pollicove, as an "identity virtualization" service.  Virtual directories have been around for almost a decade now (8-9 years).  Perhaps their value is being increasingly realized.  The need for directories is not going away soon: their secure hierarchical structures give context and the high performance needed for such things as web portals, which could be servicing millions of users.

I believe that the need for this type of value will continue long term, even if we see a decline in the use of directories and LDAP.  There persists a real need for applications to understand the semantic relationships that are not easily represented in the more traditional, and more prevalent, RDBMS, AND, in security or externally facing applications (where user volume is typically higher), a real need for high performance and availability that cannot be easily achieved through other database systems.  Using a thin virtualization layer on top of other databases to provide the functionality of a directory for security, but not the primary storage of data, is an interesting evolutionary possibility in the identity space. Security, search, and query could still be serviced through this layer, while insert, update, and delete operations could be handled by the RDBMS, maximizing efficiencies.

The virtual directory offers this "virtualization of identity" solution, where relational tables can be presented as hierarchical views, accessible as LDAP or other protocols as needed. To achieve this value your "identity virtualization" service must offer:

  1. data modeling (so as not to constrain you to the existing structures if a different view is needed, while still maintaining the existing relationships),
  2. the ability to maintain high performance (because if back-end sources are NOT primarily LDAP, there are complex joins, or cross-application searches are needed for authorization, performance will not be high enough),
  3. a choice in deployment (proxy AND data model; dynamic AND event-driven update of an instantiated model (materialized hierarchical views)), and
  4. choice of protocols (not only LDAP, but an object-oriented system that is more agnostic about delivery; at minimum you should get LDAP, SQL, and web services).
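To make the "relational tables presented as hierarchical views" idea concrete, here is a small added example (not code from the post or from any product it mentions) of a thin virtualization layer over an RDBMS. It assumes a constructed `users` / `departments` schema in SQLite and a hypothetical data model that maps each user row to `uid=<uid>,ou=<department>,dc=example,dc=com`. Reads (DN lookup and subtree search) are served by the layer as on-demand joins, while writes go straight through to the RDBMS, so the hierarchical view never becomes a second copy of the data. Because DN components arrive from clients, the layer validates them against the model and binds them as query parameters, which is the check a reviewer would want before letting a directory front-end talk to a relational back-end.

```python
import re
import sqlite3

BASE_DN = "dc=example,dc=com"

# Constructed sample schema and rows standing in for an existing RDBMS.
SCHEMA = """
CREATE TABLE departments (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE users (
    uid TEXT PRIMARY KEY,
    cn TEXT NOT NULL,
    mail TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES departments(id)
);
INSERT INTO departments VALUES (1, 'engineering'), (2, 'finance');
INSERT INTO users VALUES ('alice', 'Alice Example', 'alice@example.com', 1);
INSERT INTO users VALUES ('bob', 'Bob Example', 'bob@example.com', 2);
"""

# Attributes the hypothetical data model exposes; anything else is rejected.
SEARCHABLE = ("uid", "cn", "mail")
_RDN = re.compile(r"^(uid|ou|dc)=([^,=+\\]+)$")
_SELECT = ("SELECT u.uid, u.cn, u.mail, d.name FROM users u "
           "JOIN departments d ON d.id = u.dept_id ")


def open_backend():
    """In-memory SQLite database playing the role of the relational store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def row_to_entry(uid, cn, mail, dept):
    """Data model: one relational row becomes one hierarchical entry."""
    return {"dn": f"uid={uid},ou={dept},{BASE_DN}",
            "uid": uid, "cn": cn, "mail": mail, "ou": dept}


def parse_dn(dn):
    """Split a DN into (attr, value) pairs, accepting only RDNs the model
    knows, so untrusted DN text never reaches the SQL layer unparsed."""
    parts = []
    for rdn in dn.split(","):
        m = _RDN.match(rdn.strip())
        if not m:
            raise ValueError(f"unsupported RDN: {rdn!r}")
        parts.append((m.group(1), m.group(2)))
    return parts


def lookup(conn, dn):
    """Resolve a single entry by DN via a parameterized join."""
    parts = parse_dn(dn)
    suffix = ",".join(f"{a}={v}" for a, v in parts[2:])
    if len(parts) != 4 or parts[0][0] != "uid" or parts[1][0] != "ou" \
            or suffix != BASE_DN:
        return None
    row = conn.execute(_SELECT + "WHERE u.uid = ? AND d.name = ?",
                       (parts[0][1], parts[1][1])).fetchone()
    return row_to_entry(*row) if row else None


def search(conn, base_dn, attr, value):
    """Subtree search with an equality filter, scoped to an ou or the base."""
    if attr not in SEARCHABLE:
        raise ValueError("attribute not in model")
    parts = parse_dn(base_dn)
    sql, params = _SELECT + f"WHERE u.{attr} = ?", [value]  # attr is whitelisted
    if parts[0][0] == "ou":
        sql += " AND d.name = ?"
        params.append(parts[0][1])
    elif ",".join(f"{a}={v}" for a, v in parts) != BASE_DN:
        return []
    return [row_to_entry(*r) for r in conn.execute(sql, params).fetchall()]


def modify_mail(conn, dn, new_mail):
    """Write-through: the update lands in the RDBMS, and the next read sees
    it because the view is computed on demand, not materialized."""
    entry = lookup(conn, dn)
    if entry is None:
        return False
    conn.execute("UPDATE users SET mail = ? WHERE uid = ?", (new_mail, entry["uid"]))
    conn.commit()
    return True


if __name__ == "__main__":
    db = open_backend()
    print(lookup(db, "uid=alice,ou=engineering,dc=example,dc=com"))
    print(search(db, "ou=finance,dc=example,dc=com", "cn", "Bob Example"))
```

The model here is deliberately a proxy-style deployment (item 3 above): nothing is instantiated, so every read costs a join. A materialized hierarchical view would trade that join for an event-driven refresh whenever the RDBMS changes, which is the performance lever item 2 is asking for.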

Perhaps we are about to pass the "hype" stage of identity management, but that means it is now time for the heavy lifting to begin: the work of deployment and implementation.  Is your infrastructure ready?