May 16, 2011

The Federated Provisioning Problem

(Just dumping some project results on this blog...) We contributed to a study for SURFnet on identity provisioning in the context of identity federations last year. My colleague Bob Hulsebosch presented this at TNC11 (fast forward the video stream to 65'46").

Provisioning is the process of providing a set of deployed applications and/or services with updates of end-user identity information. Provisioning takes place, for instance, when new users enter an organization, when new authorization rights are assigned to users, or when they leave the organization (the latter case is usually referred to as deprovisioning).

Provisioning has been recognized as an essential part of the identity management stack. Provisioning drives the other activities that are typically related to identity administration and management. An important driver for provisioning in the more traditional enterprise setting is compliance with rules and regulations. A major obstacle to wider adoption of provisioning is the lack of widely agreed-upon standards.

While provisioning is a non-trivial problem in many enterprise organizations, the problem gets worse still in the setting of identity federations, as these involve cross-domain identity communication and, more recently, dynamic services to enable complex forms of collaboration such as virtual organizations. The drivers for adoption of provisioning standards in the world of identity federations may differ from those in the enterprise setting, but the problem is equally or more important.

At the same time, some researchers think federation may be part of the solution and introduce so-called just-in-time provisioning, which uses federation-style information interchange standards instead of the more traditional provisioning standards seen in the enterprise domain.
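As an added illustration (not code from the SURFnet report or this post), a minimal just-in-time provisioner in Python: accounts are created and their rights updated from each login assertion, and because no assertion ever announces that a user has left, deprovisioning can only be approximated by an inactivity sweep. The issuer URL, class and method names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:
    roles: set
    last_seen: datetime
    active: bool = True

class JitProvisioner:
    """Creates/updates local accounts from federation assertions at login time."""

    def __init__(self, trusted_issuers, inactivity_limit=timedelta(days=90)):
        self.trusted_issuers = set(trusted_issuers)
        self.inactivity_limit = inactivity_limit
        self.accounts = {}  # (issuer, subject) -> Account

    def on_assertion(self, assertion, now):
        # Only assertions from trusted federation partners may provision anything.
        if assertion["issuer"] not in self.trusted_issuers:
            raise PermissionError("untrusted issuer: " + assertion["issuer"])
        # Scope the subject to its issuer so two IdPs cannot collide on "alice".
        key = (assertion["issuer"], assertion["subject"])
        acct = self.accounts.get(key)
        if acct is None:
            self.accounts[key] = Account(set(assertion.get("roles", [])), now)
            return "created"
        # Authorization rights follow the latest assertion; reactivate if swept.
        acct.roles, acct.last_seen, acct.active = set(assertion.get("roles", [])), now, True
        return "updated"

    def deprovision_stale(self, now):
        """JIT never receives a 'user left' event; an inactivity sweep is the fallback."""
        stale = [k for k, a in self.accounts.items()
                 if a.active and now - a.last_seen > self.inactivity_limit]
        for k in stale:
            self.accounts[k].active = False
        return stale

def run_demo():
    """Constructed scenario: a user joins, gets an extra role, then goes silent."""
    idp = "https://idp.example.org"  # hypothetical federation partner
    p, t0 = JitProvisioner([idp]), datetime(2011, 5, 16)
    events = [p.on_assertion({"issuer": idp, "subject": "alice", "roles": ["student"]}, t0),
              p.on_assertion({"issuer": idp, "subject": "alice", "roles": ["student", "admin"]},
                             t0 + timedelta(days=1))]
    roles = sorted(p.accounts[(idp, "alice")].roles)
    swept = p.deprovision_stale(t0 + timedelta(days=100))
    return events, roles, swept
```

Note that the sweep is a coarse substitute: a user whose rights were revoked at the home organization keeps a usable local account until the inactivity limit passes.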

The report gives a state-of-the-art analysis of provisioning products and standards and of the still ongoing federated provisioning debate. It classifies different types of applications and different types of provisioning scenarios in order to come up with a framework that helps in selecting a strategy for dealing with federated provisioning. The results are validated by exploring (at a suitable level of abstraction) a case study on dynamic group management.