Is Microsoft’s directory, identity management a service of the future?

Vendor working to build a simple identity infrastructure that applications would plug into for security, access control

Microsoft is working on a series of upgrades to its directory and identity technologies in the coming months with the goal of creating a service-based identity platform.

Microsoft is leaving itself plenty of wiggle room saying that upgrades for such Active Directory and client-based features as Federation Services, CardSpace, Identity Lifecycle Manager and claims-based access control will come in 2008 “plus”. If the company follows its stated development plans to release a minor upgrade to the server every two years, the “plus” would be 2010.

But the upgrades to the directory and identity platform would be anything but minor, and the presence of the claims-based access control features points to the fact that Microsoft would like to see identity become more of a simple service and less of a complex infrastructure companies are forced to build and maintain.

Microsoft is already using claims-based access for SharePoint and Rights Management Server. Claims are a set of statements that identify a user and provide specific information. The claims are read by applications to make decisions on who gets access, who can retrieve content or who can complete transactions.

Moving forward

Microsoft has a road map for upgrading its directory that will likely be completed by the time the R2 version of Windows Server 2008 ships in two years. Microsoft is coy on timing saying only that improvements will come in 2008-plus.
Federation services
ADFS 2, new ease of management and federation capabilities 
Windows LiveID support; Managed InfoCards
Windows CardSpace 2.0 
Identity life-cycle management
ILM 3.0 
Other
Identity and access management programming platform
Support for Office 14 
Claims-based access control 

Last week, at NetPro’s Directory Experts Conference, Microsoft expanded on its idea to create a set of identity pieces that snap together via standard protocols and provide what the company referred to last week as an “identity bus.”

The bus would move claims and be available for applications to plug into in order to take advantage of security and access control features. The bus could live on either side of the firewall and would have many places on the network where “transformers” could accept and dispense claims in many different formats.

Some experts believe Microsoft plans to head straight toward building such a services infrastructure and bypass the current behind-the-firewall approach to identity.

“I think there real aim is to skip this whole generational identity and access issue and go straight for the services goal,” said Earl Perkins, an analyst with Gartner. “By doing this they will be positioned for the consumer space and the extranet, and they can show up to compete with Google and already have security and identity. So this platform is not ready yet, but in 24 months it will be closer to reality.”

Perkins says the services platform could be adapted within enterprises by having integration experts such as the Oxford Computing Group, which specializes in Microsoft identity and access management technologies, build what companies need internally.

“It still seems to me that a lot of different [Microsoft product] teams are in play, there are a lot of different ideas as how to move identity forward within Microsoft,” said James Booth, director of the Oxford Computing Group. “They are still trying to figure it out themselves.”

The services idea, however, is not far-fetched. Just last year, Microsoft CEO Steve Ballmer said at the company’s annual partner conference that every piece of Microsoft’s shrink-wrapped software would have a services element and he called out Active Directory by name.

Last week, Joe Long, general manager of the connected identity and directory at Microsoft, wasn’t quite that blunt.

“My team is focused on delivering products that solve enterprise problems,” said Long. But he said the ultimate goal was to reduce complexity, and he showed a new management interface and a PowerShell script-driven automated tool for setting up federation that will ship during the 2008 “plus” time frame. Active Directory Federation Service (ADFS) 2.0, also slated for that time frame, is where Microsoft plans to begin shifting from a Web single sign-on model to more of a pluggable platform for applications.

“We want to make it so you can take these products, install them, and take advantage of them without having to work two months, two years, 10 years with a developer or integrator to get it to work.”

Microsoft also detailed its concept of an identity bus that would be a plug-and-play service for applications needing to authenticate and authorize users.

Stuart Kwan, director of program management for identity and access for Microsoft, said the bus would feature “transformers,” places where data contained within “claims” would be translated into different formats depending on an application’s need. Kwan said the transformers could handle such things as Kerberos, X.509 certificates and assertions based on the Security Assertion Markup Language (SAML). Claims can come from Active Directory, LDAPv3-based directories, application-specific databases and new user-centric identity models such as LiveID, OpenID and InfoCard systems, including Microsoft’s CardSpace and Novell’s Digital Me.

“Transformers allow us to fold, spindle and mutilate the data in any way we want. It lets us adapt to the infrastructure without completely destroying the applications,” Kwan said.

In addition to the services angle, Microsoft said it is revisiting its stand on key protocols it does not support, which could prove critical to the success or failure of a services-based platform.

The protocols include the entireSAML 2.0 specification, Service Provisioning Markup Language and Extensible Access Control Markup Language.

“Microsoft has introduced an interoperability promise, and we are trying to understand the ramifications of that,” said Long. “Hopefully we can make a commitment one way or the other in the next few months.”

Learn more about this topic

Microsoft to simplify directory management

Microsoft: Future of Active Directory is as identity provider

Identity systems all about making claims

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)