[Log In] []

Exploring the science and magic of Identity and Access Management
Thursday, May 23, 2024

Identity Provisioning Systems vs. Meta-Directories

Author: Mark Dixon
Wednesday, May 25, 2005
6:05 am

Yesterday, I was contacted via


Curt Monash
, President of

Monash Information Services
and frequent editorialist at


Curt posed a question that spurred a bit of investigation on my part: “Are identity management systems running off of what we would regard as full metadirectory capability, or are they more limited? I know Sun was in the metadirectory game with mixed success.”

I’ll share with you the thoughts I shared with Curt. With the caveat that I do not have in-depth technical expertise in meta-directories, let me offer a few insights. I thank my colleague Nick Crown for assisting in this response. I have focused my comments on the

Sun Java System Identity Manager
(Sun IdM), rather than attempting to make architectural statements about other similar products.

The current Sun IdM product is a provisioning system; meta-directories are synchronization engines. The Sun IdM product has the capability to perform as a synchronization engine, but the opposite is not necessarily true.

A classic meta-directory is based on a join engine that aggregates and consolidates information that has been transferred or retrieved from several connected directories or other repositories. Such a system is designed to synchronize at the attribute level, with limited logic imposed in the synchronization process. The Sun IdM product is based on an Identity provisioning engine, which can synchronize at the attribute level, but more importantly, manages and synchronizes whole Identities. While an Identity can be described as a collection of attributes, this higher level of abstraction allows the Sun IdM system to perform additional business logic that would be difficult to achieve in a pure meta-directory solution.

The Sun IdM system takes synchronization a step further by allowing business logic and workflows to be inserted into the synchronization process. At the heart of the system is an engine that cannot only do simple synchronization, but more intelligent processes as well. The Sun IdM product can therefore provide additional capabilities beyond what is normally expected from a synchronization system, namely user provisioning, password management, delegated administration, user self service, auditing and reporting.

The Sun IdM system also differs from meta-directories in that it manages references to Identities on different repositories, rather that maintaining a consolidated repository of all objects and associated attributes. This “Virtual Identity” capability enables scalability and ease of operation beyond traditional meta-directory architectures.

Sun’s decision to end sales of the Sun One Meta-Directory product was coincident with the acquisition of Waveset, with its Lighthouse product, which has since evolved into the Sun IdM product. Sun stated, “More and more of our provisioning and meta-directory customers are seeking to manage all facets of identities – from accounts to profile data to identity attributes – and are looking to do this with a single solution. Sun has listened to its customers and is introducing a single solution to provide all of this identity management function. In addition customers have the benefit of a single deployment, a single set of connectors to your enterprise applications and directories and a single vendor to work with. We believe this reduces the total cost of ownership for customers by reducing the number of products to be deployed and maintained in your environment.”


2 Responses to “Identity Provisioning Systems vs. Meta-Directories”

    Following the publication of this blog entry, I was contacted by Aldo Casteneda, who maintains a wiki entitled

    A History of Digital Identity
    . He subsequently drew from this blog entry to create an entry about

    Sun Identity Manager
    in his wiki. (Scroll down to read the article.)

    It is also posted in his


    Comment by Mark Dixon on May 31, 2005 at 7:52 pm

    lovly site

    Comment by foli on November 23, 2005 at 6:46 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.