CHICAGO – The end game for corporate identity architectures is an "identity bus" that off-the-shelf applications can plug into in order to authenticate users and provide access control, according to Microsoft.

Stuart Kwan, director of program management for identity and access for Microsoft, used his keynote address at NetPro's Directory Access Conference (DEC) to say that work building identity platforms is far from over and to explore where it might end.

"What is the finish line?" Kwan asked. "It is when you are able to take off-the-shelf applications and plug them right into the identity system and go. When we reach that point we are largely done with identity. It does not seem as far off as you might think."

Kwan said what is needed are "transformers," places where data contained within "claims" about a user can be into changed into different formats depending on an application's need. Kwan said the transformers would be able to handle such things as Kerberos, X.509 certificates and assertions based on SAML.

Claims are a set of statements that identify a user and provide specific information. Applications use them to make decisions on who gets access, who can retrieve content or who can complete transactions.

Claims can come from Active Directory, LDAPv3 based directories, application specific databases and new user-centric identity models such as LiveID, OpenID and InfoCard systems including Microsoft's CardSpace and Novell's Digital Me. (Compare identity management products.)  

"Transformers allow us to fold, spindle and mutilate the data in any way we want. It lets us adapt to the infrastructure without completely destroying the applications," Kwan said.

Microsoft is adopting a claims-based authentication model and its first examples will come with Rights Management Server and SharePoint Server.

Kwan said the key will be standards and interoperability and said protocols from the WS-star stack, including WS-Trust, will be key for success. He said the future may include new protocols for exchanging data.

He pointed to a number of transformers that Windows users have access to today: the meta-directory and a first-generation security token service (STS) that is part of Active Directory Federation Services (ADFS).