Microsoft Wednesday released a beta of its most important tool to date for helping developers build applications that can plug into the company's Identity Metasystem and provide what amounts to a re-usable identity service for securing network resources.
Code-named Zermatt, the tools are a new extension to the .Net Framework 3.5 that helps developers more easily build applications that incorporate a claims-based identity model for authentication/authorization. Claims are a set of statements that identify a user and provide specific information such as title or purchasing authority.
The model, developed by Microsoft but garnering industry support, uses standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML).
The final release of Zermatt is expected by year-end.
The technology not only eases development of claims-aware applications, but should also benefit IT by making it easier to deploy, manage and secure applications, according to Microsoft.
It is the first time Microsoft has so directly written its sizeable development army into its Identity Metasystem, plan, which was outlined first in 2005 and defines a distributed identity architecture for multi-vendor platforms.
Claims, which are part of the architecture, are used by systems to make such decisions as who gets access, who can retrieve content or who can complete transactions.
Data contained in the claims can come from Active Directory, LDAPv3-based directories, application-specific databases and new user-centric identity models such as LiveID, OpenID and InfoCard systems including Microsoft's CardSpace and Novell's Digital Me.
Zermatt is specific to developing Windows-based applications, but Microsoft officials say clones of the technology could be developed to write applications that run on any platform.
And given the standards nature of the Identity Metasystem, those applications could plug into the same identity services as Zermatt-developed applications.
Key to the claims-based model is something called a Security Token Service (STS), lightweight gateways for servers and clients that negotiate the exchange of security tokens, such as Kerberos or SAML, and that can translate tokens into different formats depending on an application's needs.
"The model is that when a user arrives at the applications, they bring claims that they fetched from an STS ahead of time," says Stuart Kwan, director of program management for identity and access for Microsoft. "Zermatt is one part of building apps that can more easily plug into your environment. You use Zermatt so [applications] can use the STS in your environment."
In fact, a network would have multiple STS nodes. Those nodes will eventually include Active Directory, which will have an STS built into the directory's Federation Services in the next version slated to ship sometime after 2008.
Microsoft will use the new Federation Services capabilities, Zermatt and STS technology to build toward its ultimate goal of an "identity bus." The nirvana of the idea is that off-the-shelf applications could plug into the bus in order to authenticate users and provide access control.
Kwan says Zermatt also can be used to build an STS that would run on top of custom built stores of user data.
He says Zermatt could be used to build applications that accept information from CardSpace, the user-centric identity system in Vista and XP.
"If you want to do that in .Net today there is a lot of protocol code you have to write yourself," he says. Kwan says the first place where usage of the claims-based model will happen is with cloud services.
Microsoft announced prices for its hosted Microsoft Online Services earlier this week, but Kwan did not have any specific details on claims-based support for those cloud services. He also said there were no details on what Microsoft applications would adopt the claims-based model, although last year
Venkey Veeraraghavan, senior program manager lead for Office SharePoint Server, says Microsoft would adopt the claims-based model to replace the collaboration server's current authentication system because claims are more flexible and designed for heterogeneous identity environments.
"Another area of interest with the most immediate gain is for customers with [service-oriented] architectures that are hammering out what security model they should be using," Kwan says.