none of the usual suspects have products in this area: Sun, Microsoft, Novell. His answer was quick and short: "There's not enough services revenue required for these products."
If companies actually implemented consistent authorization, there would be _plenty_ of services required; anyone who has rewritten authZ and security policy in an app knows this. The real issue, I suspect, is something a little closer to marketecture. Remember that the identity management boom is relatively recent and much of it is driven by compliance.
Surprised auditor: "What do you mean you don't know how many people in this directory still work here?"
But you see, our friends at Sun, IBM, et al. are very motivated to solve this part of the problem. They have connectors that enable companies to load more user accounts into their systems, and most of these guys charge on a per-user-account basis, so more accounts means more dollars for them. Heck, they should give these tools away; they would make back the license cost in short order through having more users in their systems. It is the same reason why for years Oracle shipped SQL*Loader to optimize super-fast bulk loads _into_ Oracle, while there was never a SQL*Unloader to optimize fast removal of data from Oracle. Funny, that.
Anyhow, XACML is about policy and authorization, and vendors are perfectly happy if you authZ against _their_ container, their JNDI tree, their whatever. Vendors with other dogs in the hunt have no incentive to solve this problem. Yet a problem it remains. A company that specializes in enabling technologies, like perhaps Vordel or CA, is in a better position to solve it than a company that really wants to sell you a bigger database/CRM/ECM/whatever. While the vendors don't care, it is a big issue for those inside companies with their hands on the wheel, which is why we launched an XACML working group at OWASP. Today's best IDM practice solves at best half of the identity problem: it tells you who the users are, not what they are allowed to do.