Paul Squires on Identity and Entangled Topics

Cardspace & Enterprise Identity Management

Posted by Paul Squires @ 6:41 pm on 2 July, 2007.

Referenced post: Enterprise Architecture: Thought Leadership: Thoughts on CardSpace and Java

I’ve not been very active recently due to a whole combination of things, and I’m still working my way through a huge backlog of RSS posts. I was going to wait until I’d got closer to the present day before really commenting on anything, but that could take forever and, frankly, this post by James McGovern really caught my attention for a couple of reasons.

I work with both CA SiteMinder and Oracle Access Manager, which James mentions (along with products from Ping Identity and others) as products that will be impacted by the use of CardSpace. When I described CardSpace to a colleague earlier, the question of how it will affect web authentication mechanisms (including single sign-on and traditional federation) was also raised.

CardSpace itself has the potential to be disruptive to a good proportion of what I’d term the “Enterprise Identity Management” space - that occupied by the large vendors (including CA, Oracle, HP & Sun) - and could become a de facto standard for web authentication. As with any disruptive technology, the important thing is to find a way to adjust and take advantage of changes in the market.

When looking at CardSpace there are three components to think about - the client (identity selector and browser plugin) and two servers: the service provider (SP) and the identity provider (IdP). Traditionally clients have been given away in order to sell the server components, and this will obviously continue - the clients will be (and ARE) included in the OS and browser, which leaves the servers as the only way to make money from this.

As James comments, the plan is to make the service provider components easy to embed in any web application. Code obviously exists for .NET, there’s an Apache module and Java will be along soon - but there’s still an opportunity for the enterprise providers (and those of us who sell and implement their products :) ). There’s a lot of logic to be implemented about which providers’ cards will be accepted and which attributes (claims) are requested - and which of those are mandatory! Wrapping this in a nice, easy to use UI and combining it with centralised authentication, session management and policy enforcement will be one way that web access control systems can evolve.
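The acceptance logic just described - which issuers a site trusts, which claims it requires and which are merely optional - is the part a service provider component has to get right. The following is an added example (not code from the original post or from any of the products named) of that check on the relying-party side, applied to the claims a token carries after the token itself has been verified; the claim URIs are those of the WS-Identity namespace CardSpace uses, and the issuer address is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Claim namespace defined by the WS-Identity profile that CardSpace uses.
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SELF_ISSUED = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"


@dataclass(frozen=True)
class RelyingPartyPolicy:
    """The choices a site states in its information-card request:
    which claims are mandatory, which are optional, and which issuers it trusts."""
    required_claims: FrozenSet[str]
    optional_claims: FrozenSet[str] = frozenset()
    accepted_issuers: FrozenSet[str] = frozenset()   # empty = any issuer accepted


def check_token_claims(policy: RelyingPartyPolicy, issuer: str,
                       claims: Dict[str, str]) -> Tuple[bool, Dict[str, str], List[str]]:
    """Validate the claims carried by a token against the site's policy.

    Assumes the token's signature and audience were already verified by the
    token-handling layer (out of scope here). Returns (accepted, usable_claims,
    problems). Claims the site never asked for are dropped rather than passed to
    the application, so the policy bounds both what must be present and what may
    be used."""
    problems: List[str] = []
    if policy.accepted_issuers and issuer not in policy.accepted_issuers:
        problems.append(f"issuer not accepted: {issuer}")
    for claim in sorted(policy.required_claims):
        if not claims.get(claim):          # absent or empty value counts as missing
            problems.append(f"required claim missing: {claim}")
    allowed = policy.required_claims | policy.optional_claims
    usable = {c: v for c, v in claims.items() if c in allowed}
    for claim in sorted(set(claims) - allowed):
        problems.append(f"unrequested claim dropped: {claim}")
    # Dropping an unrequested claim is not a rejection; the other two are.
    accepted = not any(p.startswith(("issuer", "required")) for p in problems)
    return accepted, usable, problems


# Constructed sample policy: a site that requires an e-mail address, will use a
# given name if offered, and trusts only one hypothetical managed card issuer.
EXAMPLE_POLICY = RelyingPartyPolicy(
    required_claims=frozenset({CLAIM_NS + "emailaddress"}),
    optional_claims=frozenset({CLAIM_NS + "givenname"}),
    accepted_issuers=frozenset({"https://idp.example.com/sts"}),   # placeholder
)
```

With this policy a self-issued card is refused outright, because its issuer is not in the accepted set, even if it carries the required e-mail claim.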

The biggest area where enterprise identity management systems will be able to take advantage of this change in paradigm, of course, will actually be in taking on the role of card issuer/identity provider - an area where there has (so far) been the least amount of sample code and deployment advice, but conversely where there are greater complexities to deal with as adoption becomes more widespread. The role of identity provider will be key for adoption of the technology.

No matter what the technology, there are aspects of producing a secure web application interface that, in many cases, are best handled by a specialised security product that can abstract and centralise them - authentication, directory connectivity and session management are difficult to handle, and this is the reason why products such as SiteMinder, Oracle Access Manager and Ping Login exist (and the reason why consultants exist).
