Google desperately needs to implement Identity Management

I’m a really, really happy user of lots of Google services. I have my own domain linked to Google Apps For Your Domain (GAFYD). I use Google Docs. I’ve been a GMail user before. I put pictures I want to share on Picasa. My contacts are in Google Contacts. Some of my appointments are shared through Google Calendar. Of course I jumped on Google Wave immediately…

So, all should be fine, right?

The trouble began when Google Apps For Your Domain became available, and I had to migrate my data over from the old GMail account. I ranted enough about this, so I’ll spare you the repeat.

Ever since I completed that move, I feel like a second class citizen for all services that use Google’s authentication system, and the worst thing is – this is even true for Google’s own services.

Picasa, for example, is not included in Google Apps, so I have to use a different login. That GMail login uses the same email address as Google Apps, but a different password. You can run face recognition, but unfortunately Picasa cannot access the Google Apps contacts for names, faces or email invitations – you have to maintain a second set of identities.

I still have my old email account, which uses the same email address for login, so that makes for all kinds of strange, confusing messages. I now have two Google Calendars and two Google Docs sites, both completely separate yet under the same email address.

Do you know all those other services that allow you to pull in your contacts from GMail? You probably guessed it – they can’t access my Google Apps account.

It gets even better when you pull Google Wave (they give you _yet another_ email!) and Buzz into the mix – complete confusion guaranteed.

This post has been sitting as a draft for a few weeks; only recently Gina Trapani picked up the issue on Smarterware. They found someone at Google with a half-assed explanation, but come on – there has to be a better way!

“When you add Android into the mix, Contacts get weird. Because, I think, you can add your Google Apps account to Android and not your “vanilla” Google Account. (GT: Yes, this is true.) But, when you sign in to Google Voice on Android, you will need to enter the password (which might be the same) of your vanilla Google Account. BUT, on Android, your Contacts are read from the system’s phone book. Not necessarily the vanilla Google Voice Google Account that has its separate contacts (accessible through the normal Google Voice webapp). Ugh. The “Contacts” issue is by far the most ‘hurting’ in this whole scenario.”

Eh… ok….

An update to the post brings it to the point:

“Clearly FREE vanilla Google Accounts get more preference than potentially-paid Google Apps accounts, which doesn’t make a whole lot of sense.”

Welcome to third class citizenship.

What’s your experience with this – how do you make it work for you?

European Identity Conference – Day 2

The second day of EIC is over, and I have to say I’m impressed. I’m sensing a real interest in Identity Management among the participants, which will hopefully turn into real projects and, through the feedback loop, bring the topic forward.

Today there were a lot of breakout sessions in addition to the keynotes. GRC was added as a topic in many titles, but I have to say this needs more work – I didn’t find much to take away regarding GRC, and some sessions that had “GRC” and “Compliance” in the title mentioned neither.

From a consulting perspective (i.e. real world needs) most of what is discussed here may sound like science fiction to participants. Most customers I’m talking to are busy working on much more mundane issues, namely re-gaining control of the authorizations they created and distributed over the years when words like “GRC” and “Compliance” had not yet been discovered.

More than one session complained about the complexity of today’s authorizations (Kim Cameron said something along the lines of “I’m happy that SAP is on the panel to take the heat for this” ;) ), and everybody was ready to take a vow to simplify; many saw XACML as the solution.
This of course completely ignores that the complexity was not implemented because programmers were too lazy to simplify, but because customers asked for the flexibility to control access in such a granular way.

I will go out on a limb and say that even if authorizations were simpler and applications supported XACML and claims, management would not be that much easier for customers. The reason I’m saying this is that I often see customers struggle to define the exact access that should be assigned to employees.

So, a logical step to advance the topic would be to work on processes and best practices that assist in defining access requirements, which can then help define an authorization structure that identity management systems can actually support well. Right now, we may succeed in speeding up provisioning, but if the mess still remains below the surface, this is not much more than putting lipstick on a pig.

European Identity Conference – Day 1

OK, back in the hotel after the first day of this year’s European Identity Conference in Munich.

My colleagues have a booth on the ground floor presenting SAP’s Compliant Identity Management solution.
This year, I’d say conference attendance is a lot higher than last year. That would also correlate with our experience that Identity Management is gaining traction in the market; we’re seeing a lot of interest from customers.

The keynote presentations were reasonably good; I’d count Kim Cameron and Dave Kearns as the most interesting, as they are very much forward thinking and not directly product related (at least not with a commercial interest). They also had lots of quotable stuff for my own presentations ;)

Back on the expo floor, I had two interesting encounters.

Next to the bar, a company called “SecurIT” had a batch of Pokens on the counter, and they were nice enough to give me one! A Poken is a small USB device that links to a profile to which you can link all your social network identities. When you meet someone who also has a Poken, you hold the two together as a kind of handshake and your Poken profiles are exchanged. Let’s see if I can find someone else who has one…

The conference material also had a voucher for another small identification device called the “YubiKey”. This one blew me away – it acts as a USB HID (human interface device) and, on the press of a button, it emits a 40-character generated password. That password is in turn verified by a server, which you can deploy in your own infrastructure to handle the authentication. The company is called “yubico” and originates from Sweden. Their web site has a free SDK and offers many implementation paths. Integration into SAP NetWeaver should be pretty straightforward; maybe that might be an option for some customers. If you’re an SAP developer interested in playing with it, let me know.

All in all, a very exciting day. I met lots of people, and I’m looking forward to networking even more over the next days – after all, that’s the best part of taking part in a conference.

The Twitter backchannel is quite active; the hashtag is “#eic”. Let’s see how that develops over the next few days.

European Identity Conference 2009 – May 5th to May 8th

I’ll be spending the rest of this week visiting the European Identity Conference 2009 in Munich. I was there last year, and it’s an event worth visiting – a diverse set of great personalities in the identity space, and a perfect opportunity for networking.

I’ll be blogging and twittering (using hashtag “#eic2009”) from there, and you can follow more information about the event on EventTrack.

See you there!

CeBIT 2008: Day 1

This is where you’ll find me until Sunday (Hall 4).

My last CeBIT was around 1999; in comparison, today was quite a slow day. Nevertheless, a very interesting one: my SAP colleagues are very energized, you can feel the buzz. The German chancellor was visiting our stand, and all the SAP board members were here as well.

I managed to slip in an hour with Craig (who complained that his blog has a lot fewer subscribers than mine – go over and subscribe!), which was a lot of fun. This is probably the best part of this event: you get to spend a lot of time with colleagues you wouldn’t meet otherwise.