Thursday, April 26, 2007

DEC'd Out

Just got back from DEC 2007 and still buzzing from the good times. I hope to cover more topics in future blogs but will just sum up my conference experience for now.

  • built on top of existing investment in metadirectory, but reaching way farther towards the user with really slick UI
  • ILM2 becomes a lot different than other IDM vendors because of the integration with the Microsoft platform (Windows client, Office, Certificate Services, Windows Workflow, Communication Foundation, Presentation Foundation, etc.).
  • migration story should be very good since the core engine is likely to be the same
  • CLM integration should be very slick, no longer looking like a separate product
  • apps supplied in ILM2 (self-service, workflow, etc) will all use public interfaces to ILM so in theory it will be a rich platform for identity apps
  • codeless provisioning is a big scenario
  • Microsoft's adapter framework opens the doors to the connectivity barn
  • SPML is not at the top of the connectivity list, but I don't think it will be difficult to write an adapter for ILM2 that translates from SPML. This will be a fun pet project when the beta arrives.
  • On its own ILM2 is pretty exciting, but combined with other Microsoft identity activities (CardSpace, WS-*, ADFS, Identity Metasystem, etc) I am really excited about the potential.

Kim's throne speech:

  • claims, claims, claims - becoming increasingly important, we should start thinking a lot more in terms of claims as opposed to AuthN, AuthZ
  • "legonic systems" will become more pervasive to the point where rigid systems will become irrelevant. To me this means a platform for identity will be readily available and simple for application developers to use, as opposed to baking identity into the application


  • we should see a service pack towards the end of this calendar year, including Vista support for the CLM client among other things. E12 support might also be in there.
  • The CLM MA bridges the gap between the MIIS sync cycle and CLM long running workflows.

Creating XMAs - Jeff Bohren (BMC)

  • the password management interface in MIIS today does not provide configParams
    A solution to this would be to stuff the configParams into the connectTo as an XML string. I have another solution; it doesn't require duplicating the configParam data, but it isn't for the faint of heart at design time.
  • SSH can be made easier using a .NET library at
  • BMC employs an agent approach for asynchronous scenarios such as event-based deltas and password notifications (they call it the delta cache I think). Blockade took the same approach with their host management agents.
  • L18N testing for internationalization is important
  • Jeff uses the DOM in his XMAs. This makes navigation simple, but performance must be an issue on larger systems.

System Reporting Services and MIIS - Brad Turner (MIIS MVP)

  • Brad released the Community Reporting Pack 2007 - cool!
  • CRP can be used by anybody, pretty much out of the box
  • Some cool features can be added, like export detail reporting (how many samAccountNames were updated last week?)

Group Based Provisioning - Markus and Mike (Microsoft)

  • Excellent walkthrough of the challenge and the design decisions
  • Markus had a really good slide showing the scope of reference attribute mappings (CS-CS, MV-MV, CS-CS)
  • Neat solution for getting memberOf onto the MV person object without sucking at performance
  • I'm not sold on bit vectors yet, but agree they improve performance. Just not sure the added complexity is worth it