Exchanging Identity Data

Our goal of creating consistent sources of identity data, combined with the realities of modern distributed organizations, means that there is not likely to be a single centralized source of all identity data. Consequently, identity data will be exchanged between systems, and we should plan for that exchange as part of our data architecture.

We've discussed XML standards for exchanging identity data in Chapters 6 and 11. SAML (Security Assertion Markup Language) is a standard for exchanging assertions about identity, including authentication events, access-control decisions, and attributes of the identity record. SPML (Service Provisioning Markup Language) is used to exchange identity data for the purpose of provisioning accounts in identity systems. XrML (eXtensible rights Markup Language) is used to exchange information about rights to digital resources.

These standards and others like them should be the basis for your data exchange strategy. Don't discount the power of standard exchange formats for your data. Whenever you need to exchange identity data, look first at the external standards that are available and choose one of those. Using an external standard is always preferable to creating proprietary internal standards for several important reasons:

Also remember that many XML-based standards are extensible through namespaces and can probably be adapted to suit your needs even when they don't match exactly.

But suppose that you can't find an external standard that meets your needs. The two documents we've created so far, the identity inventory and the metadata repository, will help you create your own exchange format. The identity inventory gives the data elements for each identity record in your organization, and the metadata repository gives details of the structure of each data element, including its preferred format. Together they contain everything needed to generate an XML schema that supports the exchange. If the inventory and metadata repository are structured consistently, tools can be bought or written to generate the XML schemas automatically, so that the schema never drifts from the documented data elements. The URL for any exchange schema should be documented in the identity inventory.
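The following script is an added illustration and is not part of the original text. It shows the generation step described above in Python: a small, constructed metadata repository (element names, preferred formats as regular expressions, and required/optional flags) drives both the emission of an XML Schema for the exchange document and the validation of an inbound record against the same metadata, so the schema and the checks can never disagree. The target namespace `urn:example:identity:employee`, the `Employee` record type, and every data element in `METADATA` are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
# Assumed (hypothetical) target namespace for this organization's exchange schema.
EXCHANGE_NS = "urn:example:identity:employee"

# Constructed metadata repository: one entry per data element listed in the
# identity inventory. "format" is the preferred format as a regular expression.
# XSD patterns are implicitly anchored, so the same expressions are checked
# here with re.fullmatch to keep the two views of the format in step.
METADATA = {
    "employeeId": {"type": "string", "format": r"E\d{6}", "required": True},
    "givenName":  {"type": "string", "format": r"[-A-Za-z' ]{1,64}", "required": True},
    "surname":    {"type": "string", "format": r"[-A-Za-z' ]{1,64}", "required": True},
    "email":      {"type": "string", "format": r"[^@\s]+@[^@\s]+\.[^@\s]+", "required": True},
    "department": {"type": "string", "format": r"[A-Z]{2,8}", "required": False},
}


def generate_xsd(record_name, metadata, namespace):
    """Emit an XML Schema for one record type, derived entirely from the metadata."""
    ET.register_namespace("xs", XS)
    schema = ET.Element(f"{{{XS}}}schema", targetNamespace=namespace,
                        elementFormDefault="qualified")
    record = ET.SubElement(schema, f"{{{XS}}}element", name=record_name)
    seq = ET.SubElement(ET.SubElement(record, f"{{{XS}}}complexType"),
                        f"{{{XS}}}sequence")
    for name, spec in metadata.items():
        elem = ET.SubElement(seq, f"{{{XS}}}element", name=name,
                             minOccurs="1" if spec["required"] else "0", maxOccurs="1")
        restriction = ET.SubElement(ET.SubElement(elem, f"{{{XS}}}simpleType"),
                                    f"{{{XS}}}restriction", base=f"xs:{spec['type']}")
        ET.SubElement(restriction, f"{{{XS}}}pattern", value=spec["format"])
    # Extension point: partners may append elements from their own namespace
    # without breaking validation, which is what keeps an XML format adaptable.
    ET.SubElement(seq, f"{{{XS}}}any", namespace="##other", processContents="lax",
                  minOccurs="0", maxOccurs="unbounded")
    return ET.tostring(schema, encoding="unicode")


def validate_record(xml_text, metadata, namespace=EXCHANGE_NS):
    """Check an inbound record against the metadata repository.

    Returns a list of error strings; an empty list means the record is acceptable.
    Records arriving from other systems are untrusted input: in production parse
    them with defusedxml, or with external entities and entity expansion disabled.
    """
    root = ET.fromstring(xml_text)
    ns = {"x": namespace}
    errors = []
    for name, spec in metadata.items():
        child = root.find(f"x:{name}", ns)
        if child is None:
            if spec["required"]:
                errors.append(f"{name}: required element missing")
            continue
        value = child.text or ""
        if not re.fullmatch(spec["format"], value):
            errors.append(f"{name}: {value!r} does not match format {spec['format']}")
    return errors


# Constructed sample records, one conforming and one with three defects
# (bad employee ID, missing email, lowercase department code).
GOOD_RECORD = f"""<Employee xmlns="{EXCHANGE_NS}">
  <employeeId>E012345</employeeId>
  <givenName>Alice</givenName>
  <surname>O'Neil</surname>
  <email>alice@example.com</email>
  <department>ENG</department>
</Employee>"""

BAD_RECORD = f"""<Employee xmlns="{EXCHANGE_NS}">
  <employeeId>012345</employeeId>
  <givenName>Bob</givenName>
  <surname>Smith</surname>
  <department>hr</department>
</Employee>"""

if __name__ == "__main__":
    print(generate_xsd("Employee", METADATA, EXCHANGE_NS))
    print(validate_record(GOOD_RECORD, METADATA))
    print(validate_record(BAD_RECORD, METADATA))
```

The generated schema is what you would publish at the URL recorded in the identity inventory; the validation function is the same metadata applied at the receiving end, which is useful when a partner sends records before they have a validating parser in place.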

When should you avoid XML? XML's biggest drawback is not that it's verbose, although it is; it's the cost of serializing and deserializing the data into and out of the XML format. A further cost, which matters most when records arrive from other organizations, is that every XML parser in the path becomes an attack surface (external entity resolution, entity expansion), so parsers that handle exchanged identity data should have those features disabled. To maximize flexibility, you should pay the price of serialization whenever you can afford it, but consider forgoing XML under any of the following conditions:

If you do decide to forgo XML, the format can still be derived from the data in the inventory and the metadata repository. Be sure to document the exchange format using some agreed-upon standard and reference it in the inventory, just as you would the URL of an XML schema.