Wednesday, April 25, 2007

ILM Core Concepts and Architecture

Challenges: No formal relationship between the language of the enterprise and the system. We don't know what we don't know. People interpret policy. Policies are interpreted. Policies are often nebulous. Systems can't understand policy unless the people who program them understand policy.

Wait, isn't this an “under the covers” look at ILM2? Don't give me marketing technobabble!!!

Communication = Contracts

Workflows = Process

Policy = ????

Assertions: Common Patterns

  • Provisioning
  • Group Management
  • Password Management
  • White Pages
  • Policy Management

“We react to events on sets of identity with processes.”

What are the issues, presuming this axiom is true?

  • collection of resources
  • request model on collection
  • sets which organize data
  • blah blah blah


ILM 2 Steps

1. Resources you want to manage

  • regulate your processes
  • synchronize with environment
  • CRUD on identity in ILM2
  • core object types and schema
  • you can modify types or create new ones

2. Requests on resources have three phases

  • authorization
  • authentication
  • action

3. Sets organize resources
4. Events trigger processes

  • request events are defined as a quad
  • transition events are a double
  • processes formalize responses to events
5. Demo

Now a demo of the tool...again.

What happened to architecture?

What if the language you create to mirror the business process isn't granular enough to reflect your needs?

How do you manage these processes? You dump them and they have to resubmit?!?! NFW!!

Clients: Outlook, SharePoint, Windows, Custom, Office 2007 (IE 6, Firefox, Windows XP SP2+)

ILM 2 will use web service standards (Windows Communication Foundation, Windows Workflow Foundation)

ILM 2 will be server heavy: up to 5 servers minimum – SharePoint (WSS not MOSS), Resource Management Service, Resource Management DB, Metadirectory Service, Metadirectory DB, **Exchange Server 2007**

Longhorn Server Standard with SQL 2005 SP2+, 64-bit ONLY

They MIGHT cluster MIIS. **NO COMMITMENT**, and NO commitment on SQL clustering with support on MIIS.

No event-based model for MAs. No error handling for MIIS. Here's what we get, maybe:

“codeless” provisioning, improved performance, more adapters

The Impact of ILM

Opinion – Identity Management is a set of business processes and a supporting infrastructure for the creation, maintenance and use of digital identities.
Inherent IdM is after service-based IdM? What's Inherent IdM? It's the entire IDM Business Suite.
Card Spaces (CardSpace, OpenID, etc.) are coming soon. How soon? Gerry says 18 months. Pam Dingle says 3-4 years. I believe Pam. No offense Gerry, but I'm not talking about nascent efforts, I'm talking about a mature, ready-for-business technology.
User Provisioning:
“Integrated set of tools for managing the life cycle of user entitlements”
Components: workflows, administrative tool integration, password management, rule-based processing, auditing and logging, connectivity to AD/LDAP/etc. and an identity repository.
Leaders of IdM: CA, IBM and Oracle are tops.
Microsoft and Novell make quite a few claims but they can't back them up. Workflow is the gating factor to these two vendors being in the top end. Business drivers, process improvement will happen this year. Really? No proof of that....this is a bad version of what I saw at the Gartner Conference. Ah...he's suggesting that virtualization of the IdM tools will have this effect; he's not suggesting we're re-engineering business processes yet. Any implementation experience is a multi-year engagement.
Standards
SPML v2: limited adoption, more important to Federation.
BPEL: Oracle and Intalio are the only two vendors; only important as Oracle is pushing it. He views this as a workflow engine for business rules. Sun may support BPEL over time. What about BPM?
Trends – Vendors still in acquisition mode. Vendors will start to work on early adopters to smooth the experience for mainstream users over time (2-3 yrs). **WAY TOO MUCH TIME on IdM deep dive. Get to the ILM bashing MAN!**
Ahh....now to ILM (a potentially disruptive technology). Microsoft has been slow – no workflow, no user interface capabilities, etc. Good metadirectory and data synchronization technology. ILM2 will be Microsoft's FIRST move into real IdM: workflow, Web Services API (but no SPML support). Any impact? NONE. Role management: Bridgestream, BHOLD, Eurekify, Omada, Vaau. Roll your own: Courion and Voelcker. Oracle will likely acquire some of these small vendors.
Enterprise Access Control Management – Logical applications like Approva, SAP/Virsa. Provisioning lacks awareness within the ERP stack. It checks with the EACM policy engine before provisioning. Auditing tools are big as well.
Conclusions: ILM is going in a different direction than the rest of the UP market. ILM will be heavily partner reliant; MSFT is in this long term, don't expect them to be chased out of the market. This is a rehash of things I already knew from Gartner.

Tuesday, April 24, 2007

Care and Feeding of your MIIS SQL Server Database

So far the best presentation of the conference (sorry Brad).
Highlights:
Clear out the run history of all your jobs. This can really impact your jobs if you let it get cluttered.

Speedometer - Use PerfMon, MIIS Objects:

  • For Imports: Objects Read/Sec
  • Objects Synchronized/Sec
  • For Exports: Objects Exported/Sec

But wait, there's a script: http://www.ilmbestpractices.com/Articles/Speed_of_Past_Runs

As tables grow: page splits, fragmentation, more scans than seeks, growth of log and data files.

Monitor with Page Splits/Sec in PerfMon. How do we avoid it?

Scan vs. seek: you get more scans as indices get more fragmented.

Read entire tables versus using an index.

Monitor with PerfMon:

  • Full Scans/Sec
  • Auto Create/Update stats are enabled

File Growth:

  • if auto growth is enabled
  • clear run history script on website

http://www.ilmbestpractices.com

DBCC SHRINKDATABASE ('MicrosoftIdentityIntegrationServer', NOTRUNCATE)

Maybe preset the size if you can predict it.
Log file should be 1/4 of the total data file.
Transaction log is key to performance as well.
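An added health-check script for the points above (not from the presentation): it reads the auto-stats and auto-growth settings, lists data and log file sizes so you can check the 1/4 rule, and samples Page Splits/sec and Full Scans/sec from SQL Server's own counter view. It assumes SQL Server 2005 SP2 and the database name used in the DBCC line; the 30-second sample interval is my choice.

```sql
-- Added example, not the presentation's script. SQL Server 2005 SP2, MIIS DB name assumed.

-- 1. Auto create/update statistics and the recovery model currently in effect
SELECT d.name, d.recovery_model_desc,
       d.is_auto_create_stats_on, d.is_auto_update_stats_on
FROM sys.databases d
WHERE d.name = 'MicrosoftIdentityIntegrationServer';

-- 2. Data vs. log size and the auto-growth setting of each file
--    (size and growth are in 8 KB pages unless growth is a percentage)
SELECT f.name, f.type_desc,
       f.size * 8 / 1024 AS size_mb,
       CASE WHEN f.is_percent_growth = 1
            THEN CAST(f.growth AS varchar(10)) + ' %'
            ELSE CAST(f.growth * 8 / 1024 AS varchar(10)) + ' MB' END AS auto_growth
FROM sys.master_files f
WHERE f.database_id = DB_ID('MicrosoftIdentityIntegrationServer');

-- 3. Page Splits/sec and Full Scans/sec are cumulative counters in the DMV,
--    so sample twice and divide the delta by the interval to get PerfMon's rate.
DECLARE @s1 TABLE (counter_name nvarchar(128), cntr_value bigint);
DECLARE @s2 TABLE (counter_name nvarchar(128), cntr_value bigint);

INSERT INTO @s1
SELECT RTRIM(counter_name), cntr_value
FROM sys.dm_os_performance_counters
WHERE object_name LIKE '%:Access Methods%'          -- works for named instances too
  AND RTRIM(counter_name) IN ('Page Splits/sec', 'Full Scans/sec', 'Index Searches/sec');

WAITFOR DELAY '00:00:30';   -- 30 s sample interval (assumption)

INSERT INTO @s2
SELECT RTRIM(counter_name), cntr_value
FROM sys.dm_os_performance_counters
WHERE object_name LIKE '%:Access Methods%'
  AND RTRIM(counter_name) IN ('Page Splits/sec', 'Full Scans/sec', 'Index Searches/sec');

-- Full Scans/sec climbing relative to Index Searches/sec is the scan-vs-seek symptom above
SELECT a.counter_name,
       (b.cntr_value - a.cntr_value) / 30.0 AS per_second
FROM @s1 a JOIN @s2 b ON a.counter_name = b.counter_name;
```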


Recovery Models
Full - LOG EVERYTHING
Simple - only as good as the last full or diff
Bulk Logged - hardly ever used with MIIS; only good for bulk-logged operations

Red Gate SQL Backup to compress backup files (compression eats CPU time but far less disk IO)

When you clear run history it will hose your transaction log. Do this during a maintenance window and:
a. Truncate the log
b. Change to Simple recovery mode
c. Clear run history in small chunks
d. Then go back to Full recovery mode and perform a full backup
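The four steps as T-SQL, added here and not the presentation's script. The backup paths are placeholders, and the run-history clearing itself is the script from ilmbestpractices.com, run between the two recovery-model changes.

```sql
-- Added example of the maintenance-window sequence above (SQL Server 2005).
-- Paths are placeholders; the run-history clearing is the site's script, not shown here.
USE master;
GO
-- a. Truncate the log by backing it up. This keeps the log chain usable until the
--    full backup at the end; WITH TRUNCATE_ONLY would throw the log away instead.
BACKUP LOG MicrosoftIdentityIntegrationServer
    TO DISK = 'D:\Backup\MIIS_before_clearruns.trn';   -- placeholder path

-- b. Simple recovery, so the deletes from clearing runs do not pile up in the log.
ALTER DATABASE MicrosoftIdentityIntegrationServer SET RECOVERY SIMPLE;

-- c. Run the clear-run-history script here in small chunks (for example one month
--    of run history per call) and watch log usage between chunks:
DBCC SQLPERF(LOGSPACE);

-- d. Back to Full recovery, then a full backup to start a new log chain.
ALTER DATABASE MicrosoftIdentityIntegrationServer SET RECOVERY FULL;
BACKUP DATABASE MicrosoftIdentityIntegrationServer
    TO DISK = 'D:\Backup\MIIS_after_clearruns.bak'     -- placeholder path
    WITH INIT, CHECKSUM;

-- Confirm the recovery model before handing the server back.
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name = 'MicrosoftIdentityIntegrationServer';
```

Until the full backup in step d completes, the database cannot be restored to a point in time, which is why the whole sequence belongs inside the maintenance window.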

You can also add some indices to improve performance.

Index defrag on the DB every month, index rebuild quarterly until SQL 2005 EE. With SQL 2005 EE we get to rebuild indexes with the DB online, as well as rebuild indexes in TempDB.
http://www.sqlbestpractices.com
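An added example (not from the talk) of driving the monthly-defrag / quarterly-rebuild choice from measured fragmentation: ALTER INDEX ... REORGANIZE is the SQL 2005 replacement for DBCC INDEXDEFRAG, and the online and TempDB rebuild options are used only when the engine reports Enterprise Edition. The 10% and 30% thresholds and the 100-page floor are my assumptions.

```sql
-- Added example: generate REORGANIZE / REBUILD statements for fragmented MIIS indexes.
-- Thresholds (10%, 30%, 100 pages) are assumptions, not from the presentation.
USE MicrosoftIdentityIntegrationServer;
GO
DECLARE @sql nvarchar(max);
DECLARE @is_ee bit;
-- EngineEdition 3 = Enterprise (also Developer/Evaluation), the only edition with ONLINE rebuilds
SET @is_ee = CASE WHEN SERVERPROPERTY('EngineEdition') = 3 THEN 1 ELSE 0 END;

DECLARE idx CURSOR FAST_FORWARD FOR
    SELECT QUOTENAME(sch.name) + '.' + QUOTENAME(obj.name) AS tbl,
           QUOTENAME(i.name) AS idx,
           s.avg_fragmentation_in_percent
    FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') s
    JOIN sys.indexes i  ON i.object_id = s.object_id AND i.index_id = s.index_id
    JOIN sys.objects obj ON obj.object_id = s.object_id
    JOIN sys.schemas sch ON sch.schema_id = obj.schema_id
    WHERE s.index_id > 0                         -- skip heaps
      AND s.page_count > 100                     -- tiny indexes are not worth touching
      AND s.avg_fragmentation_in_percent > 10;

DECLARE @tbl nvarchar(260), @idx nvarchar(260), @frag float;
OPEN idx;
FETCH NEXT FROM idx INTO @tbl, @idx, @frag;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @frag < 30
        -- light fragmentation: reorganize (online on every edition, same job as INDEXDEFRAG)
        SET @sql = 'ALTER INDEX ' + @idx + ' ON ' + @tbl + ' REORGANIZE;';
    ELSE IF @is_ee = 1
        -- heavy fragmentation on EE: rebuild online, sorting in TempDB
        SET @sql = 'ALTER INDEX ' + @idx + ' ON ' + @tbl
                 + ' REBUILD WITH (ONLINE = ON, SORT_IN_TEMPDB = ON);';
    ELSE
        -- heavy fragmentation on Standard: offline rebuild, so schedule it in a window
        SET @sql = 'ALTER INDEX ' + @idx + ' ON ' + @tbl + ' REBUILD;';
    PRINT @sql;   -- review the list first; swap in EXEC sp_executesql @sql to apply
    FETCH NEXT FROM idx INTO @tbl, @idx, @frag;
END
CLOSE idx;
DEALLOCATE idx;
```

SQL 2005 refuses ONLINE = ON for indexes that include LOB columns, so any such index printed with that option needs the offline form instead.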

Where's the WIFI?

So the sponsor of this conference is NETPRO. NETPRO as in Network Professionals. Their logo is KNOW YOUR NETWORK. Thus it is that I am at a loss to explain WHY?! WHY can't I get wifi in the conference rooms? NO ONE CAN! Turns out they've outsourced that to Cox. Nice.

Monday, April 23, 2007

Think Gloves

So the last two presentations I've seen have been technically brilliant. Things like Fuzzy Logic algorithms and using bit vectors and GUIDs to derive group memberships in AD, etc. Here's the thing, both solutions are geared to companies wanting to take shortcuts with their problems. I'm baffled why those companies don't spend more time crafting proper simple solutions to their problems as opposed to coming up with an overly complex solution.

The first was a means of provisioning access to non-AD based applications (applications that can't leverage AD for authentication) based on AD group memberships. The problem was notoriously difficult to solve and, as it ended up, they crafted an XMA based on AD groups using MVGuids and the bit vectors from AD which are used to denote group memberships. They then provisioned this in the applications in question. Brilliant, right? Lots of code and very fancy terms. Then I thought, what was the real problem? Why manage access via AD groups to an application that can't natively talk to AD? Well, most companies don't have a website to allow them to request access to roles, so the Tech Support teams manage roles (see groups) via Active Directory. The far simpler solution would have been to modify the applications in question to query AD directly rather than create new XMAs for every group in AD.

The fuzzy logic presentation was equally bright. There was lots of code and pattern matching with confidence scores, etc. All to allow non-unique fields to match up and create solid joins. There's obvious appeal to the idea; we could have used it for increasing the reliability of the name matching between HR and IDMGMT. But here's the kicker: why not create a GUID to match all the entries on both sides? Again, I think of the next version of something really complicated and then I stop and I think to myself...GLOVES.

The only positive outcome of all of this is that Apollo seems to have been very fortuitous in its software development leadership and wise in its choice of solutions to thorny problems. We remain light years ahead of the competition. We should seriously consider selling our solution or at least consulting with companies headquartered in sunny, tropical seaside locales.

Finally the meat

After being nauseated by yet another vaporware Microsoft presentation, BMC gave an excellent overview of how to use XMAs to do things like provision OpenLDAP, MySQL, and Oracle.

Privileged access project? Done. Now the only challenges are really getting the access to do the actual provisioning and getting the list of servers to maintain. One small wrinkle: XMAs seem to be based on one-off connections, so we'd have to run quite a few XMAs to cover all of our Oracle databases. Still, good problems to have compared to "I can't do it with MIIS."

Kim Cameron's Keynote

Seems like he is making a case for the OpenID movement. So, point one, we're becoming more and more interconnected. Businesses will do more and more business digitally, hence the need for agreed-upon standards for communication, interconnectedness, etc. This will result in “de-perimeterization”, the dissolving of corporate boundaries, firewalls, routers, etc. He's advocating “legonic” (Lego-like) technologies and businesses where they can easily be connected. Tomorrow's systems will be “agile and self organizing” and good at handling multiple sources of information with variable credibility. Cameron's point is that just like Remote API fell by the wayside in favor of loosely coupled Web Services and SOA, so too will identity management.

Enter in CardSpace and OpenID. This allows people to make “claims” about themselves or others and then to set up infrastructure to allow independent third party providers to validate the claim. This is EXACTLY the same point that SXIP's founder Dick Hardt made two years ago in his presentation to Open World (although his use of the Lessig style was far more compelling). Cameron also postulates, as a side note, that there will be increasing regulation around the concept of identity and anonymity on the Internet and the interconnected world.

So Microsoft's work is geared towards building out CardSpace to interact with things like ADFS, Security Token Services (STS), and Web Service Security protocols. Questionable? I wouldn't know, there was NO question and answer period provided for Mr. Cameron's keynote. Is he asking us to blindly validate his “claims”?

Sunday, April 22, 2007

Microsoft to the...oops BSOD

Well well...no shock that the show came to a close when the Microsoft rep got up to speak. Showing off ILM2 (with some admittedly cool features) caused the Virtual Server (Microsoft's competition to VMWare's ESX server) to crash. Of course he was using Vista and getting messages ALL THE TIME.

The real kicker was knowing that all of this was:
a. Not available until mid 2008 (when did Microsoft ever miss a ship date?)
b. Gonna cost us an arm and a leg given its coolness.

To boot, the guy doing the presentation was an unkempt retro hip version of Bill Gates with a bad accent. While I love Bill he's not selling me anything.

So far so good

Advanced MIIS training is good but it's not the 504 course (Advanced MIIS). It's new technologies and it is COOL. Some items to get excited over?

XMAs: Imagine you want to connect to a MySQL database with MIIS. Normally I'd say you're SOL (look it up yourself). NOW, with Extensible MAs (XMAs) you can write your own MA connection to it and then leverage it in MIIS. Web Services, not a database? No problem. Centre Vu IDs? Have an API? We'll plug it in...

PowerShell: Almost had the big O on this one. Imagine a Cygwin/Ruby/Shell for Windows Servers....Now imagine scripted .NET where EVERYTHING is an object. Now imagine Kevin Feingold or Eric Treeman turned loose on this bad boy. IT IS SWEEEEET! We're going to retire the CMD files and Launcher.exe and go with PowerShell scripts.

Advice: We're always really scared of putting bad data out there...Oxford's advice? NO BAD DATA in the MV. No garbage in....no garbage out. Lots of work on validation of data in, and validation of Brad Turner's advice.

Gotta run...self service password reset is on....