IDM Means Integration

Identity management is in the very principle a special application of integration techniques. It is naive to expect that the identity management will get deployed in a green-field environment without any applications that do real work. Identity management is just a supporting technology, not a "core business" technology. Therefore identity management must deal with several existing data stores. Such data stores may be inconsistent. Or more exactly, as the practice clearly shows, such stores are inconsistent in vast majority of cases. While in theory it is possible to choose a single source of truth, in practice it is seldom possible. Also there are concerns about systems that just cannot follow the single source of truth principle from operational, performance or entirely non-technological reasons (e.g. warranties). For more details see this paper.

Therefore integration is a necessary part of overwhelming majority of non-trivial identity management solutions. The identity management system cannot rely on a single source of information. Quite the contrary. Primary responsibility of the identity management system is management of identities. And as identities relate to a non-formal real world ("realspace"), they just cannot be easily formalized in the IT world ("cyberspace"). The responsibility of the identity management system is to manage the resulting situation, which usually mean managing the chaos.

The midPoint system is in principle an integration system. It has some domain-specific knowledge about identity management (see below), but in general it deals with inconsistencies of data stored in various location with a different lifetimes and dynamics. The goal of midPoint is to provide infrastructure for a practical solution. We are looking for a solution that can resolve an existing problem, not for a problem that will match a "nice" solution. For that we need to know where the primary problem is.