Single Directory Paradigm

It does not work. More exactly: the deployment of a single, unified directory system for identity management purposes in a medium-to-large enterprise environment is infeasible. At least in the next few years.

I've seen too many failed attempts to implement a single directory system. I can understand the motivations, though. I can see the clean architectural intention to "clean up" the data stores and unite them in one place. That is usually a good thing to do inside a system. But not necessarily across different systems.

The most severe problem here is the inconsistency of the data:

There are also other issues to consider:

The conclusion is simple: you need a directory system, maybe even a single directory system, but you will also need other tools. The user provisioning system is the tool that you will most probably need. And unless you have a totally crystal-clear enterprise architecture, there is no way around it.
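To make the data-inconsistency argument concrete, here is an added example (not the author's code, not a real product) of the reconciliation step a provisioning system performs: it correlates accounts from an application with identities in an HR system whose schema, name format and status values do not match, and produces the decisions a directory alone cannot represent. All records are constructed sample data.

```python
"""Constructed identity-reconciliation step of a provisioning system.
Two systems describe the same people with different attribute names,
formats and values; the provisioning logic has to correlate them and
decide what to do about every disagreement."""
from dataclasses import dataclass, field

# Constructed records: HR is treated as authoritative for who exists and their status.
HR_RECORDS = [
    {"employee_id": "1001", "given_name": "Anna", "surname": "Novak", "status": "active"},
    {"employee_id": "1002", "given_name": "Jan", "surname": "Svoboda", "status": "terminated"},
    {"employee_id": "1003", "given_name": "Eva", "surname": "Kral", "status": "active"},
]

# Constructed records from an application with its own schema (camelCase, one name field,
# an optional employee reference, a boolean instead of a status string).
APP_ACCOUNTS = [
    {"login": "anovak", "emp": "1001", "fullName": "Anna Novakova", "enabled": True},
    {"login": "jsvoboda", "emp": "1002", "fullName": "Jan Svoboda", "enabled": True},
    {"login": "admin2", "emp": None, "fullName": "Shared Admin", "enabled": True},
]

@dataclass
class Reconciliation:
    conflicts: list = field(default_factory=list)  # attribute values disagree between systems
    disable: list = field(default_factory=list)    # account still enabled for a terminated person
    orphans: list = field(default_factory=list)    # account with no owner in HR
    create: list = field(default_factory=list)     # active person with no account yet

def reconcile(hr_records, app_accounts):
    """Correlate application accounts to HR identities by employee id and
    report the provisioning work that results from the inconsistencies."""
    result = Reconciliation()
    by_emp = {a["emp"]: a for a in app_accounts if a["emp"] is not None}
    for acct in app_accounts:
        if acct["emp"] is None:               # nobody in HR claims this account
            result.orphans.append(acct["login"])
    for person in hr_records:
        acct = by_emp.get(person["employee_id"])
        if acct is None:
            if person["status"] == "active":  # entitled person, missing account
                result.create.append(person["employee_id"])
            continue
        expected_name = f"{person['given_name']} {person['surname']}"
        if acct["fullName"] != expected_name:  # same person, different data
            result.conflicts.append((acct["login"], acct["fullName"], expected_name))
        if person["status"] == "terminated" and acct["enabled"]:
            result.disable.append(acct["login"])  # leaver still has access
    return result
```

Each list in the result is a decision (create, disable, resolve a conflict, investigate an orphan) that has to be made outside the data stores themselves, which is exactly the job of the provisioning system.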

This was one of the points of my presentation at InfoSeCon conference. You may find the complete paper on my "papers" page.