Community Blog

    Archive for the ‘Integration’ Category

    Partially Cloudy

    July 15th, 2009   Ivan Levendyan

    Let’s talk about that trendy thing, Cloud Computing. These days it is hard to find an IT pro who has not heard about the cloud and the new potential it gives the enterprise. Let’s set the positives aside and take a closer look at some technical aspects people tend to underestimate.

    What about identity and access management for the cloud? As companies move to build their business applications in the cloud, an essential problem appears: centralized authorization and a solution for access management.

    Let’s take the Microsoft Azure Platform as an example. As you might know, there are two components to the Platform:

    Windows Azure allows you to store data remotely and provides a runtime for your applications. Pretty clear, right? Now, what about Azure Services? It is made up of several components that you can use as you need:

    • .NET Services
    • Access Control Services – authentication and authorization engine, remote decision point for applications (claims-based)
    • Service Bus – application messaging exchange
    • Workflow Services – manage and execute the interactions between services
    • SQL Services
    • Live Services – for using Live identities and framework
    • SharePoint Services (future) – write code in SharePoint that uses Web Services to make calls to Azure services.

    We have a particular interest in the Access Control Services. Authentication in Azure is based on claims. So if you present a superadmin claim and the target application trusts your claim provider, you are assigned the superadmin role in the application. But the world is cruel. Application owners do not want users to wear the superadmin’s hat; they want to allow them only what they are supposed to do. And users simply do not know what tokens the target application consumes. All they have is a claim with their group membership in Active Directory.

    In this case the Azure team suggests using claim transformation for authentication and authorization. That is, when you present your ‘group=Sales’ claim, it gets transformed into an application-specific ‘role=Salesman’ claim. There is a special MMC snap-in that allows you to define these transformations in drag-and-drop fashion.

    You can find a detailed description of this technique here:
    http://blogs.msdn.com/vbertocci/archive/2009/03/17/a-visual-tour-of-the-net-access-control-service-part-2-fun-with-scopes-and-issuers.aspx

    This method works well for applications with few roles defined, but I dare not speak about centralizing authorization for ten apps with thousands of scopes defined, because in that case you will end up with a classic problem known since the beginning of the identity management trend – role proliferation, also known as “role explosion” (where the number of roles exceeds the number of users). Tools for identity management are critical for success – you will probably need a workflow to approve role membership or to periodically verify it.

    So, what we have is a lack of authorization mechanisms for identity and access management for cloudy applications. There is a standard called XACML that seems to solve authorization tasks, but it needs a lot of work to suit cloud IAM tasks.

    To become a really useful solution, the cloud needs to be “identity management aware” – it must externalize authentication, authorization, and even audit data. Identity and access management tools for the Cloud are an unoccupied niche for both cloud vendors and ISVs, so expect solutions in this area pretty soon, as the Cloud gains maturity. Stay tuned!
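    To make the claim transformation described above concrete (‘group=Sales’ in, ‘role=Salesman’ out), here is a small added example in Python. It is not code from this post, from Azure Access Control Services, or from the MMC snap-in; the class names, the issuer names (corp-adfs, partner-sts), the scope name and the rule table are all constructed for illustration. It shows the two checks a rule engine of this kind should make before an application ever sees a claim: the claim must come from an issuer the scope trusts, and it must match an explicit rule, so an unmapped raw ‘role=superadmin’ claim is dropped rather than passed through. The helper distinct_roles ties in with the role-explosion paragraph: it counts the application-specific roles a rule table defines, which is the number that starts to outgrow the user population once many scopes are centralized.

```python
"""Claim transformation with deny-by-default rules.

Added example; not code from the blog post or from Azure Access Control
Services. Class names, issuer names and the rule table are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Claim:
    claim_type: str  # e.g. "group" or "role"
    value: str       # e.g. "Sales" or "Salesman"
    issuer: str      # the party that asserted the claim (constructed names)


@dataclass
class Scope:
    """One relying application: the issuers it trusts and its rule table."""
    name: str
    trusted_issuers: frozenset[str]
    # (input type, input value) -> list of (output type, output value)
    rules: dict[tuple[str, str], list[tuple[str, str]]] = field(default_factory=dict)

    def add_rule(self, in_type: str, in_value: str, out_type: str, out_value: str) -> None:
        self.rules.setdefault((in_type, in_value), []).append((out_type, out_value))

    def transform(self, incoming: list[Claim]) -> tuple[list[Claim], list[str]]:
        """Return the application-specific claims plus an audit trail.

        Anything from an untrusted issuer, or without an explicit rule, is
        dropped: the application never sees a claim the owner did not map.
        """
        out: list[Claim] = []
        audit: list[str] = []
        emitted: set[tuple[str, str]] = set()
        for c in incoming:
            if c.issuer not in self.trusted_issuers:
                audit.append(f"DROP {c.claim_type}={c.value}: issuer {c.issuer!r} "
                             f"not trusted by scope {self.name}")
                continue
            mapped = self.rules.get((c.claim_type, c.value))
            if not mapped:
                audit.append(f"DROP {c.claim_type}={c.value}: no rule in scope {self.name}")
                continue
            for out_type, out_value in mapped:
                if (out_type, out_value) in emitted:  # two groups may map to one role
                    continue
                emitted.add((out_type, out_value))
                out.append(Claim(out_type, out_value, issuer=self.name))
                audit.append(f"MAP {c.claim_type}={c.value} -> {out_type}={out_value}")
        return out, audit


def distinct_roles(scopes: list[Scope]) -> int:
    """Number of distinct application-specific roles defined across scopes.

    Compare this against the number of users: once it exceeds them you have
    the 'role explosion' the post warns about.
    """
    roles = {(s.name, out_type, out_value)
             for s in scopes
             for outputs in s.rules.values()
             for out_type, out_value in outputs}
    return len(roles)


def build_demo_scope() -> Scope:
    """Constructed rule table for a hypothetical CRM application."""
    scope = Scope(name="crm-app", trusted_issuers=frozenset({"corp-adfs"}))
    scope.add_rule("group", "Sales", "role", "Salesman")
    scope.add_rule("group", "SalesManagers", "role", "Salesman")
    scope.add_rule("group", "SalesManagers", "role", "ApproveDiscount")
    return scope


def demo() -> tuple[list[Claim], list[str]]:
    """Run a constructed incoming token through the demo scope."""
    scope = build_demo_scope()
    token = [
        Claim("group", "Sales", "corp-adfs"),            # maps to role=Salesman
        Claim("group", "Finance", "corp-adfs"),          # trusted, but no rule
        Claim("role", "superadmin", "corp-adfs"),        # raw role claim; no rule maps it
        Claim("group", "SalesManagers", "partner-sts"),  # untrusted issuer
    ]
    return scope.transform(token)


if __name__ == "__main__":
    claims, log = demo()
    for c in claims:
        print(f"{c.claim_type}={c.value} (issued by {c.issuer})")
    print(*log, sep="\n")
```

    Only role=Salesman survives; the audit lines explain why each of the other three claims was dropped, which is exactly the record you want when a user asks why an application denied them.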

    First Post

    May 8th, 2009   Ivan Levendyan

    This is my first post, and before writing it I was in doubt about what would be interesting to blog about. Really, there are so many cool things, but forgive me for not writing about trendy cloud computing or iPhones ;)
    So, let us start with the quite old, but still highly effective, SPML, which stands for Service Provisioning Markup Language. Almost 2.5 years have passed since the adoption of v2.0 by OASIS (http://www.oasis-open.org/specs/index.php#spml). So what about usage in real life? Well, not as bad as expected. Though the identity management arms race has recently begun to slow down, the major IdM vendors have finally adopted SPML: IBM, Sun, Oracle and others. Also, SPML remains an effective way of identity provisioning from and to home-grown applications, because it uses a simple SOAP communication model, and Java developers are pretty happy with the SPML toolkit (http://openspml.org/) they can use in their applications.
    So what about ActiveRoles? You probably know that we have released the ActiveRoles SPML Provider (http://www.quest.com/activeroles-server/spml.aspx), but did you know that this provider can be used for provisioning to Active Directory without ARS? Well, actually, it is quite obvious, because the SPML Provider is just an IIS web app that uses the ActiveRoles ADSI provider (or the Active Directory ADSI provider) to communicate with its target audience (AD or AD LDS).
    Use cases? Take a look here: http://www.quest.com/identity-management/Quest_and_ITIM.aspx
    If you have ever tried to develop an adapter for Tivoli Directory Integrator from the ground up… do not try doing it again; use the whitepaper!
    Integration with other products should not cause difficulties either, because SPML is quite straightforward, uses standardized messages for provisioning and relies on common web services security methods, like SSL.
    Are there any tricky moments? Well, yes, probably :)
    The ARS SPML Provider does not support some of the SPML ‘verbs’. They are not critical, and it is just a matter of time. Also, at some point we ran into a compatibility issue. There is a discrepancy between the main SPML 2.0 specification and the DSML Profile specification (which the ActiveRoles SPML Provider conforms to). This issue affects only the ‘modify’ SPML verb, so if I have encouraged you to try the SPML Provider (haven’t I?), consider looking through the samples located on the provider’s sample page. By the way, this page contains a demo client, and you can easily test how the SPML Provider works.

    That’s about it. Feel free to drop a line for clarification.