Federated AuthZ, and a Quote Book Golden Oldie
Tuesday, March 24, 2009 at 12:23AM

So an oldie but a goodie from the Quote Book reared up in an AD FS preso at TEC today, in discussing the potential administrative overhead of performing per-user authorizations in a federated identity environment (as opposed to using AD FS claims from the account partner to dictate both AuthN and AuthZ, as is currently the case).
Specifically, I had an epiphany moment where I realized that, by advocating this approach, you're back to the same level of administrative overhead that currently exists with resource/shadow accounts, even if you're not calling them the same thing and even if the accounts in question may or may not live in AD. (I'm going to refer to these as "pointers" for the purposes of this post, to distinguish them from the current understanding of a shadow account.)
The difference between this model of using pointers for federated AuthZ, as opposed to the current model of creating AD shadow accounts, is that you've (somewhat)[1] solved the problem of deprovisioning: once the account partner's actual account is disabled, the resource partner "pointer" is effectively useless, because it only exists as a reference to the incoming account partner identity.
However, you've still got the problem of provisioning these pointers in the first place, whether that's within AD, Geneva, or wherever. And thus the quote book rides again: "As soon as you deploy a directory service, you have a provisioning problem."[2]
[1] I say "somewhat" because one assumes that organizations will still want to deprovision/delete these pointers (however the Fed Identity team chooses to implement them at the end of the day) at some point, whether it's to cut down on the number of objects in an ILM metaverse or just to make the "AuthZ Manager UI" (another made-up thing in my brain that doesn't actually exist yet) look cleaner.
[2] Though I suppose, given that I work for an Identity Management Consultancy, I should be saying that you have a provisioning opportunity that I'd love to help you with. :-)