Down the Novell Identity Spiral with iChain

For October, Novell is planning widespread availability of a new edition of
its iChain security appliance. The new iChain will be Novell’s first step
toward complying with the emerging Liberty Alliance industry specs around
the exchange of identity management information. Generally speaking, users
and analysts applaud Novell’s overarching vision for identity management and
provisioning. Some raise questions, though, over how long it will really
take Novell to fulfill its long-term roadmap.

Novell publicly rolled out two interrelated projects – codenamed Saturn and
Destiny – at the Burton Group Catalyst Conference last summer. In Saturn,
Novell expects to use Liberty Alliance 1.0 specs for exchanging identity
management information between companies, extending the idea of single sign-on to Web
sites operated by multiple organizations.

Destiny expands this notion of “federated trust” into several other areas,
including “dynamic identity,” intelligent infrastructure, and the use of
Web services for identity management.

“Dynamic identity is about the context in which you find the identities,”
said Ed Poole, Novell’s director of product management for provisioning,
during a subsequent interview. A specific end user might be given one
“identity” and set of access rights in a systems administrators’ group, and
an entirely different “identity” in a corporate managers’ group, for

“More interestingly, you’ll also be able to coordinate
identities,” according to Poole. Novell is looking, too, at ways of using
identity info to “make inferences about security,” he added.

In Novell’s concept of “intelligent infrastructure,” network managers will
be able to forgo a separate policy engine. Instead, the directory will
evolve into something that’s able “to make intelligent decisions about data
and relationships based on rules.”

A UDDI server, mentioned as part of the Destiny announcement, is not, in
fact, a separate server, according to Poole. Rather, UDDI is already built
into the Novell eDirectory.

The new iteration of iChain will be the first to comply with Liberty
Alliance 1.0 and SAML. “We’ve already introduced (the product) to early
adopters, and we will make it more generally available in October,” Poole

“We’ll be bringing out components over the next 18 months. Over time,
they’ll be pulled together into a common framework,” he pledged.

By and large, network managers are very intrigued, but not yet entirely
convinced. The Liberty Alliance-enabled iChain “sounds good on paper,”
according to Sean Welsh, one enterprise user. “‘White paper’ statements
always sound good, though. I need to see an actual product before I can say
much more about it,” added Welsh, an administrator in Mount Sinai NYU’s
Core Engineering Distributed Systems Infrastructure.

“I’ve heard loosely about Saturn and Destiny, but I don’t know how Novell
is planning to package them at this point. Those things keep changing all
the time, anyway. I’m kept well entertained by what I have right now,” said
Andy Konecny, a systems engineer at Canadian-based systems integrator

“Federated management seems to make sense,” he observed. “Ideally,
technology will provide mechanisms for requiring ‘true identities’ for
access across multiple Web sites, just as passports are required for
gaining access into other countries. Right now, a lot of sites would let
you pretend to be just about anyone – although if you claimed to be Bill
Gates, for instance, somebody might notice!”

“PKI and federated management are two mechanisms that are slices of the
solution. More than technology will be required, though,” he predicted. “A
lot of political stuff will need to happen, too. How are organizations
going to determine which other organizations they should trust?”

Cate Quirk, an analyst for AMR Research, thinks administrators will get a
lot of mileage out of end-to-end identity management. As Quirk sees it,
directory services, provisioning, and access management are all pieces
underneath the larger umbrella of identity management. “We’ll have to see
how useful this really is, though, when Saturn and Destiny become actual
products,” she acknowledged.

The cause of the Liberty Alliance is well served by announcements from big
players like Novell and IBM, according to the analyst. Meanwhile, though,
larger vendors are facing growing competition from smaller specialists. For
instance, security vendors such as Netegrity and RSA have both started
stepping into identity management.

Similarly, Roberta Witty, an analyst for Gartner Group, cites increasing
convergence in the identity management space from product categories that
include directory services; enterprise single sign-on; password
synchronization and reset; extranet access management; and content and
application delivery portals.

Meanwhile, neither Wells nor Konecny is beta testing the new edition of
iChain. Both, however, seem mainly satisfied with the Novell products
they’re using. “Large enterprises get to do the bleeding-edge stuff with
Novell Consulting. Then VARs like us get the technology, after it’s been
turned into products,” Konecny noted.

Recently, though, Ainsworth used DirXML to synchronize Novell,
Active Directory, and Exchange directories for a small property management
firm. The customer was upgrading its mail system from cc:Mail.

“DirXML is getting easy to install and use. We didn’t even have to do any
XML programming,” the SI maintained.

Mount Sinai, on the other hand, has been working with Novell Consulting for
a total of about seven months on a couple of projects. First, eight
internal staffers collaborated with the consultants on a huge tree
restructuring, made necessary by X.500 naming errors committed by earlier
members of Mount Sinai’s IT organization.

Then, in a single sign-on project, they used DirXML for integration between
eDirectory; BEA Systems’ WebLogic portal; Citrix Metaframe; and Netegrity
SiteMinder. Windows 2000/NT users can now rely on the same IDs and
passwords for accessing their desktop and network-based applications.

“Access to clinical applications has been extended beyond Metaframe to a
remote access VPN. This will enable our lab facilities to sell to outside
medical interests. We’ve also greatly improved our log-in speeds and
ability to deliver to fat clients. At the same time, we’ve reduced our
reliance on IPX, and we are now about six months away from being able to do
away with IPX altogether,” contended Wells.

Wells hopes, though, that identity management will eventually give
application developers the ability to support the graduated levels of
security needed for HIPAA compliance, without needing to do separate coding
for each application.

For its part, Novell might ultimately move beyond the plans mapped out in
its Destiny roadmap. One possibility is a “viewer,” for looking at users’
identities from various perspectives, according to Poole.

Poole pointed to a current project at Microsoft, codenamed Polyarchy.
“Polyarchy lets you look at the different identities in an organization in
different ways. There’s an organizational view and a geographic view, for
example. This is an interesting type of approach that we certainly think
has some value.”


See All Articles by Columnist
Jacqueline Emigh
