
The Power of Who

IdM | WorkBlog

Clever slogan in the title of a recent article, Authentication - The Power of Who from Campus-Technology Magazine.

Identity Management is all about an organization knowing who its constituents are. I thought the article was a bit random, and incorrectly labeled as all about "authentication" since authorization and provisioning topics are covered. However, it is a good overview of several of the approaches that schools are taking to meet the opportunity. So from a case study perspective it's worth a read...

The most interesting tidbit from the article is finding that Gettes and company at Duke have gone with Novell's eDirectory. It is good to hear that they were able to take advantage of its provisioning tools. It's no surprise that Novell eDirectory is picking up some steam in this space; after all, Novell was a leader in bringing directories to organizations by way of their network operating system. Wisely, they spun it off as its own product, and many organizations ran it for their Windows environments, it being the only external directory officially supported by Microsoft (with some legal arm twisting of course).

Gettes is the author of the LDAP-Recipe and one of the leaders in the Internet2 Middleware Initiative. A few years ago, when I first saw him at a Middleware CAMP Conference, the audience was being polled for which directories were being used. Some OpenLDAP, but primarily Sun One Directory Service, was being used. A few groans from those who were forced into using Oracle's Directory (forced because Oracle apps for all practical purposes could only use their own directory service). And a couple of eDirectory schools. Oracle and IBM's Directory Service were listed as the slowest of the bunch. Not much was said of eDirectory, and Sun One's Directory Server was touted as the highest performance and most acceptable.

The interesting thing about Sun One's Directory Server, stated at the time, was not that it offered management or provisioning features. In fact, it was liked by most institutions precisely because it didn't try to do more than the spec. The management interface, they actually said, stunk, and so everyone did things the same way we do them with OpenLDAP, that is, command line, or scripted, standard LDAP utilities. When I went to the most recent Internet2 conference, there were several more institutions using eDirectory. It seems as though this was for a few primary reasons: support, management tools, NOS directory integration tools, and provisioning. Perhaps the market has matured, and most institutions are looking for more features from their directory provider.

Regardless of the integration features of these IdM suites, there is always more to be developed. For instance, in Duke's case, the article states that advanced business rules and supporting applications were developed. This will always be the case, and perhaps is the very reason for this strategy. If you can have a larger supported base to start from, there is less to maintain on top. This is of course dependent on the vendor either following standards or keeping healthy relationships with partners. Fortunately, in Novell's case, they have come around to being all about standards. Unfortunately, however, Novell is still a bad word in IT land, from a time when they weren't. People can't seem to get past that.