Welcome to my Identity Management blog, with a focus on proven implementation strategies, best practices, product selection, and where I share my expertise with you!
Fortune 100, Higher Education, Government... I've done it all. I'm 7 feet tall, live in NYC, tattooed, and love a challenge! Here's what I've learned...
What? Not Oracle / CA / IBM? Nope. Facebook. When you think about what the process of identity management actually involves, what Facebook has accomplished with its Facebook Connect is one of the largest and most successful identity federation systems out there.
When you look at the Facebook Connect model as an end-user, it seems that it’s just a federated login model that has been highly adaptable and is in use on thousands (hundreds of thousands most likely) of websites all around the world.
If you’re unfamiliar with Facebook Connect, then you’ve been living under a rock. FBC lets users log into third-party websites and applications, with authentication being done against the user’s Facebook account. With what could arguably be considered the world’s largest user population for a social infrastructure, they did what Microsoft failed to do with Microsoft Passport. There are a few others that are also tapping into this federated authentication, namely Twitter and MySpace.
Why are they successful?
Two reasons. The first is that most social users on the Internet already have a Facebook (or Twitter / MySpace) account. The second is that people are fed up with filling out registration forms for every site they go to. It took way too long, but finally, web developers figured out that more people are likely to sign up with their site if they don’t have to fill in a registration form.
What’s under the hood, and how is this Identity Management?
From the end-user’s perspective, it looks more like a federated model. But in federation, the user repository exists in both locations. With FBC, the users obviously do not already exist on the website that is allowing them to log in with it. From the developer’s point of view, once a user has successfully authenticated with Facebook and authorized the website to access their account for FBC, the website owner can extract user details from Facebook and store them locally. Almost all of a user’s private data can be extracted and then stored locally. Think of it kind of like an on-demand provisioning system on an alert-based model.
The part that interests me the most is this last detail. With web developers able to extract and store the user’s details (with authorization), and a record on the Facebook side of what is stored on external sites, we have what very closely resembles a standard Identity Management provisioning model. What Facebook doesn’t do is know about all the resources that a user can be provisioned to and write custom connectors to provision data into them. Instead, they have created what is commonly used in higher education deployments, called Account Claiming.
Account Claiming is when a user that already exists needs to get their user ID and password for their account in a new Identity Management system and then have their accounts provisioned / synchronized between the Identity System and their provisioned resources.
So, Facebook is provisioning (on a request model) user accounts to probably hundreds of thousands of applications, all around the world, in all forms of data models. This is AWESOME! There are two things that I think could come of this that would revolutionize Facebook identity management and Enterprise Identity Management. Both are learned from the other.
Facebook’s future in Identity Management is with the development and implementation of a “push” provisioning system to all the end resources (web applications). How? Easy! Once a user has authenticated and authorized a web application, the web app then returns a response that tells the Facebook service whether or not it has a specific web service URL for push notifications and what data fields it is storing. This web response will adhere to the standard FBML (Facebook Markup Language…their API) for accepting the sent data. Facebook will then store this URL and these fields in the table associated with the authorized application for FBC. Here’s where the magic happens! When a user updates their Facebook profile page (say a last name change), it then touches all the authorized applications, and if a valid URL is registered and has a matching field of stored data, a web service call is sent to that URL and the receiving website would then update its data. Bam! You now have a full-on user provisioning system, with a single identity and a single source of truth, and it’s all maintained by the end-user.
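The push-provisioning flow sketched above, as an added example that is not Facebook’s code or any part of the original post: a constructed registry of authorized apps, the provider-side dispatch that notifies only apps with a registered URL and a matching stored field, and the receiving-side check that verifies an HMAC signature (an assumption of this example, not something the post specifies) before accepting an update.

```python
import hashlib
import hmac
import json

# Constructed registry of apps that completed the Facebook Connect style
# authorization and declared a push URL plus the profile fields they store.
# (Hypothetical design: app ids, URLs and shared secrets are made up.)
REGISTRY = {
    "app-photos": {"url": "https://photos.example/fbc/push",
                   "fields": {"first_name", "last_name"}, "secret": b"photos-secret"},
    "app-news": {"url": "https://news.example/fbc/push",
                 "fields": {"email"}, "secret": b"news-secret"},
    "app-legacy": {"url": None,  # authorized, but never registered a push URL
                   "fields": {"last_name"}, "secret": b"legacy-secret"},
}


def sign(secret, body):
    """HMAC-SHA256 over the canonical JSON body so the receiver can authenticate it."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def plan_push(registry, user_id, old_profile, new_profile):
    """Identity-provider side: for one profile update, build one signed notification
    per app that registered a URL AND stores a changed field; send only those fields."""
    changed = {k: v for k, v in new_profile.items() if old_profile.get(k) != v}
    notifications = []
    for app_id, reg in sorted(registry.items()):
        if not reg["url"]:
            continue
        relevant = {k: changed[k] for k in sorted(changed) if k in reg["fields"]}
        if not relevant:
            continue
        body = json.dumps({"app": app_id, "user": user_id, "fields": relevant},
                          sort_keys=True)
        notifications.append((app_id, reg["url"], body, sign(reg["secret"], body)))
    return notifications


def apply_push(local_record, declared_fields, secret, body, signature):
    """Web-app side: reject unauthenticated calls, then update only the fields
    this app declared at registration. Returns True when the record was updated."""
    if not hmac.compare_digest(sign(secret, body), signature):
        return False
    payload = json.loads(body)
    for field, value in payload["fields"].items():
        if field in declared_fields:  # ignore anything not declared at registration
            local_record[field] = value
    return True
```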
From the flip-side, Enterprise Identity Management can take a note from Facebook on how it’s provisioning users into the end resources, instead of writing custom connectors or adapters for every system in the market, all of them proprietary to each vendor’s solution. The utopian world would be one where all these large enterprise applications build in hooks that function the way FBC works. The hooks can talk to a standardized identity API format. This format will then be recognizable by all identity management tools. I can already hear everyone laughing and saying how it’ll never happen, but I disagree. Identity Management is implemented, in one form or another, in pretty much all the major enterprise companies, government agencies, and higher educational institutions. What I’m getting at is that it’s not new technology anymore. This should tell the developers of large enterprise applications to start working on a standard (something like SAML). SPML is close, and could become what I’m talking about, but still has a lot of work to do to catch up with Facebook. Enterprise developers completely ignore the end-user and ease-of-use when it comes to things like this. SPML is a start, but it’s only the foundation. It should be built up all the way to a standard button that is used across the board, with the same functionality across all applications, so that users, no matter what identity system or company they’re at, know exactly what it does.
So all you IdM developers (Oracle, IBM, CA, Novell, etc.)… listen to the people! Users know Single Identity Infrastructure. Users know Federation. Users know Account Claiming. Take what Facebook is doing and run with it. It works, people use it, and it’s easy!
What do you think about Facebook / Twitter / MySpace / OpenID Identity Systems? Do you think enterprise provisioning apps should take a lesson?
.: Adam
Last week I flew to San Francisco to attend an Oracle Business Intelligence Enterprise Edition (OBIEE) training class.
Going into it, I had only a minimal and very high-level understanding of what the program’s capabilities were. After the series of lectures and lab examples that we ran through, I can easily see why companies would want to / need to implement this.
OBIEE has some amazing capabilities for compiling all sorts of data and dumping it out into highly configurable reports. In just a short amount of time, I had connected it to an Oracle database and built out the business layers and presentation layers of the OBIEE product. A little bit of explanation was needed, mainly on the admin tool functionality, but after that, it was pretty straightforward.
We focused a lot of our time learning all the individual pieces of the product and what all the features are in the suite. The level of customization that you can do from a simple point-and-click interface is impressive. The user interface is also a level above most Oracle products that I have to use.
Everyone in the class, except for myself and my business partner, didn’t show up for the last day because they had already finished the labs and figured that’s all there was to it. We spent the last day one-on-one with the instructor and grilled him about all the little nuances of the product that are undocumented “features” (read…quirks that will drive you nuts when you encounter them). I think that was probably the most beneficial part of the instruction. We now have an upper hand on the product over a lot of other people, even some of those that already have a couple of installations under their belt. Even more important, I now have a new friend and direct line to a lead Oracle OBIEE developer / implementor. That is priceless when going through an installation on a client’s site. I don’t mind opening tickets for support. But nothing shows a client that you’re the best guy for the job like a problem arising during implementation and you calling a lead developer for the product on his cell phone and getting an answer directly. That’s what I call true expert support.

I really wish we had gone through an installation workshop rather than a configuration workshop. I have yet to run through an install of this product, but after speaking with the instructors, I have a feeling it’s not going to be terribly easy. There is some documentation around the setup procedures, but like most of Oracle’s documentation, it’s more of a guideline than an instruction manual.
For almost every Oracle product I have ever installed, I wind up spending a couple days (normally a full weekend) just trying to get it installed and running successfully. During this long and arduous process, I build out step-by-step runbooks that I will then use for subsequent installations, either for my own Virtual Machines or on client sites. Of course these runbooks get more defined as I do more installations and learn new tricks.
Looks like I’m going to have to build out a new one for OBIEE =)
Anyway, it’s an excellent reporting tool, is ridiculously flexible, and would be a CXO’s dream come true for instant snapshots of their company’s health. It allows for delegated administration and multiple levels / types of dashboard reporting, so that each department of a corporation or institution can create, manage, and run their own customized reports.
If you are a chief-level individual in your corporation or institution and you can get an *instant* report on everything your company is doing with the push of a button (I’m not exaggerating on this either), you need this. Just have someone come in and demo it for you. When you see it hook up to a couple of your data sources and churn out a couple of reports that tell you exactly what your profit margin is, and drill down to the exact products or services that are your loss-leaders / etc., you’ll understand where I’m coming from on this.
I’m also kind of curious to see what I can do when I combine OBIEE and OIM with attestation. Since Oracle Identity Manager runs all off an Oracle Database backend, I’m going to connect OBIEE directly to it (with a read-only account of course), and generate some SOX reports or user provisioning status reports. I’m excited to see how bad ass I can make Oracle Identity Manager reporting using Oracle Business Intelligence as the reporting display tool. Once I figure out all the tables and fields to tack onto, I will totally scrap OIM’s reporting completely.
Next week, I will be going down to Redwood City (Oracle HQ) for training on Oracle Entitlements Server. I’m interested to see how I can implement this in conjunction with the rest of the Oracle IDM Suite.
.: Adam