Yesterday I talked about the state of identity standards with regards to authentication and authorization. Today I’ll cover attributes, user provisioning, and where we ought to go as an industry.

Attributes

The wheel of attributes is roundish. There are two parts to the attribute story: access and representation. We can access attributes… sorta. There’s no clear winner that is optimized for the modern web. We’ve got graph APIs, ADAP, and UserInfo Endpoints – not to mention proprietary APIs as well. Notice I added the constraint of “optimized for the modern web.” If remove that constraint, then we could say that access to attributes is a fully solved problem: LDAP. But we are going to need a protocol that enables workers in the modern web to access attributes… and LDAP ain’t it. As for a standardized representation, we have one. Name-value pairs. In fact, name-value pairs might be the new comma. And although NVP are ubiquitous, we don’t have a standard schema. What is the inetOrgPerson of a new generation? There is no inetOrgPerson for millennial developers to use. But does that even matter? We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.

User Provisioning

User provisioning is nearly round. Let’s face it the wheel that SPML v2 built was not round. The example that the standard provided wasn’t even valid XML – not an auspicious start. In fact, SPML was a step away from roundness when we think about DSML v2. DSML v2 was a round wheel. It wouldn’t be very useful to day but it would roll. So what about SCIM? I’m bullish on it. Some really smart people worked on it, including my boss. We (saleforce.com) are supporting it. Others such as Cisco, Oracle, SailPoint, Technology Nexus, and others are supporting. We hope you support it too. In fact, hopefully, at the end of this week it might just get a final version of the 2.0 draft at the IETF meeting in Toronto. SCIM definitely needs more miles on the road, but I believe that the use cases that have been used to form SCIM are fairly representative of a majority of use cases we have. It can’t do everything but better believe it can do something. And this narrow focus is important as we think about the work we must do. As we as an industry shift from just dealing with employee identities to those of customers, citizens, and things, there is shift from heavy rich user provisioning to lighter weight registration and profile management. SCIM is just as applicable in an employee identity scenario as it is in a customer identity scenario. And thus is well positioned to make the transition.

More than just wheels

How do you discover identity services of from a service provider? I don’t mean in a specific ODIC way, but in a more general way. How do you know if they use SAML, SCIM, a proprietary attribute API, FIDO U2F, etc?

Is there a way to kickstart point-to-point identity relationships without paying the cost of point-to-point drudgery? Could I point my identity system at yours, form a relationship between the organizations, and start to use our joint identity services to meaningfully interact?

Let me ask this a different way – do we have hubs and axels for our roundish wheels? Can we build something that removes the heavy lifting when offering and/or consuming identity services? I believe this is the uncharted standards territory into which we must blaze a trail.

Measuring our progress

As we continue to refine our standards, we need a way of evaluating the roundness of those wheels, so to speak. We need some set of design considerations to help use decided whether a standard will get us from here to there. A few weeks ago I debuted the laws of relationships. They a set of considerations that we as identity professionals must be mindful of as we begin to navigate the waters of modern IAM – of identity relationship management. They can help evaluate the roundness of our standards… but only if you lend a hand. Kantara is creating an Identity Relationship Management working group to which I am giving these Laws of Relationships. I hope you will join me, Joni, Allan, and others in this new working group to help make identity ready for the modern era.

The challenge ahead

That modern era is one in which more people and more things are more closely related. It is an era that holds the promise of “identity as business enabler.” And in this modern era identity will not only deliver the right access to the right people at the right time but the right experience to the right people at the right time. Not just people but things too. To be fair, this modern era will require us to haul a heavy load. To do that we need round wheels. We need workable identity standards. We have made great progress but we are not there yet. I’ll ask 3 things of this audience and of our industry. First, adopt standards. If you aren’t using identity standards, you are inventing your own wheel. That is a strategy only optimized for the short-run. If the current ones don’t work for you, bring those use cases to standards bodies. If you don’t know where to go, ping people like Kelly, Eve, Justin, Nishant, or Patrick, and they’ll help you find the right place to go. Second, help others adopt standards. Build SDKs to help people use OpenID and SAML. Support open source implementations of SCIM and OAuth. Start at home – with you organization’s developers and move out from there. Third, demand standards. From your identity technology providers. Demand standards. From your business service providers. Demand standards. From your own development teams. Demand standards. If for no other reason than to kill off the need for password vaulting. Demand standards. Lastly, keep in mind that a round wheel is not an end in and of itself. A great spec is potentially satisfying to the hard-core identity dorks in the room, me included, but that isn’t the real goal. We reinvent the wheel, we revisiting and rebuild our standards to get round ones – beautifully functioning ones that help carry the loads we must shoulder and us get to where we need to go in this era of modern identity.