Microsoft sells ID mgmt. plan

SAN FRANCISCO - Microsoft last week laid out a model for a distributed identity infrastructure designed to simplify access to corporate resources and protect user privacy across the Internet.

The model begins with a seven-point conceptual representation of digital identity that Microsoft has been discussing with industry experts, including the open source community, for a month. Last week, Microsoft released a description of its Identity Metasystem architecture, which adheres to the conceptual representation. The company also said it was readying client, server and development tools for users to build an open and extensible identity system based on Web services protocols that is compliant with the Metasystem outline.

The goal is to provide users with the means to join, or federate, their identity systems internally and across the Internet regardless of the platforms they run on or technology they use for identity, including Kerberos, X.509 and the Security Assertion Markup Language (SAML).

"The trick is to build a framework that all these security systems can work in," says John Shewchuk, CTO of distributed systems for Microsoft. "It's mainframe, it's Java, it's everything."

Observers and critics applaud Microsoft for stimulating open discussion with its "Seven Laws of Identity," a manifesto published last month on the blog of Microsoft Directory Architect Kim Cameron that lays out the dynamics of digital identity.

"The industry would be a better place if we can build on these laws," says Pamela Dingle, a consultant with Nulli Secundus. "This is a beginning."

But there isn't universal appeal for Microsoft's implementation of the Identity Metasystem, described in a white paper published last week.

The Metasystem, in essence, is a network layer that carries all identity traffic regardless of protocol or format, much like TCP/IP carries traffic regardless of underlying network protocols such as Ethernet, frame relay or X.25.

In the Metasystem, when identity data reaches its destination, a software-based translator turns the data into the format needed to access a particular resource. The Metasystem defines certain requirements such as ways to express identity; negotiate the exchange of identity data; establish trust between network nodes; and integrate disparate identity token formats such as Kerberos tickets, X.509 certificates or SAML assertions.

Microsoft says users can plug their access control infrastructures and corporate applications into this identity architecture without rewriting any code.

The rub is that the proposed Metasystem implementation relies on WS-Trust and other Web services protocols created by Microsoft and IBM, a factor critics say could be a showstopper until those protocols are submitted to a standards body.

"I'm real interested to see if they can do any-to-any integration," says Dave Miller, chief security officer for Covisint, best known for creating an integration hub for the automotive industry. "IBM tends to support what they write and Microsoft is even worse. They support their stuff first and everyone else's never."

Microsoft's planned Metasystem implementation revolves around a variety of tools: the company's new technology called Info Card that lets users aggregate their identity information and control its release; a middleware technology under development called Indigo; Active Directory and the Microsoft/IBM controlled slate of Web services protocols, including WS-Trust, WS-Secure Conversation, WS-SecurityPolicy and WS-MetadataExchange.

"It's a brave new world with a whole set of specifications that have been developed outside the real world - at least outside of our real world," says Bob Morgan, senior technology architect at the University of Washington and a member of the steering committee for the Shibboleth federated identity project for Internet2.

While IBM announced support for WS-Trust in last week's release of Tivoli Federated Identity Manager, other big-name players are holding off.

"As soon as WS-Trust gets submitted to a standards organization, Sun will aggressively pursue implementing the standard in our solutions," says Sara Gates, vice president of identity management for Sun.

IBM's Tony Nadalin, co-author of WS-Trust, says the specification along with WS-Secure Conversation is likely to be submitted to a standards body in the next three to four months.

Microsoft is basing its work on those protocols, a strategy Microsoft officials say was blessed last month by Bill Gates, the company's chief software architect.

WS-Trust is being used as the foundation for what Microsoft calls Security Token Service (STS), lightweight gateways for servers and clients that negotiate the exchange of security tokens, such as Kerberos or SAML, and that can translate tokens into different formats. IBM is backing the same STS model.

The key is that STS can be used to integrate newer systems that rely on SAML with older systems that might use Kerberos or mainframe security architectures. The model is relevant internally and for secure access control between partners on the Internet.

Last week, Microsoft demonstrated at the Digital ID World conference a Win32 file sharing application using standard Windows authentication and STS technology to accept other security tokens for user authentication.

Start-up Ping Identity is working on developing STS versions for Java-based clients and servers.

On the desktop, STS is part of Info Card, which holds various forms of user identity stored locally in user repositories such as directories. Users can aggregate personal data into what Microsoft calls "claims," which contain only the information needed to access certain resources.

"This is not the son of Passport," Cameron says, referring to Microsoft's failed attempt to create an identity system for the Internet.

On the server side, STS is deployed in front of resources as an access control point. Those resources can be configured to talk only to an assigned STS so only clients with approved security tokens - users or other servers - can gain access.
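The STS pattern the article describes (a gateway that accepts one kind of security token, checks that it comes from a trusted issuer, keeps only the claims a resource needs, and re-issues the token in the format that resource expects, with the resource configured to accept tokens only from its assigned STS) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Microsoft's, IBM's or Ping Identity's code and not WS-Trust itself: the token formats ("kerberos-like", "saml-like"), issuer names, claim names and HMAC keys are all constructed, and signing is a plain HMAC stand-in for the real Kerberos or SAML signature mechanisms.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed toy model of the STS pattern described in the article. Token
# formats, issuer names, claim names and keys below are hypothetical.


@dataclass
class Token:
    fmt: str        # token format label ("kerberos-like" or "saml-like", constructed)
    issuer: str     # who signed the token
    claims: dict    # identity attributes carried by the token
    expires: int    # expiry as a unix timestamp
    signature: str = ""


def _payload(tok: Token) -> bytes:
    # Canonical bytes covered by the signature (everything except the signature itself).
    return json.dumps(
        {"fmt": tok.fmt, "issuer": tok.issuer, "claims": tok.claims, "expires": tok.expires},
        sort_keys=True,
    ).encode()


def sign(tok: Token, key: bytes) -> Token:
    tok.signature = hmac.new(key, _payload(tok), hashlib.sha256).hexdigest()
    return tok


def verify(tok: Token, key: bytes) -> bool:
    expected = hmac.new(key, _payload(tok), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tok.signature, expected)


class STS:
    """Security Token Service: trusts named issuers and re-issues tokens in another format."""

    def __init__(self, name: str, key: bytes, trusted_issuers: dict):
        self.name = name
        self.key = key
        self.trusted_issuers = trusted_issuers  # issuer name -> that issuer's verification key

    def issue(self, incoming: Token, target_fmt: str, required_claims: list, now: int):
        issuer_key = self.trusted_issuers.get(incoming.issuer)
        if issuer_key is None or not verify(incoming, issuer_key) or incoming.expires <= now:
            return None  # untrusted issuer, bad signature or expired token: nothing issued
        # Minimal disclosure: carry over only the claims the resource asked for.
        claims = {k: incoming.claims[k] for k in required_claims if k in incoming.claims}
        if len(claims) != len(required_claims):
            return None  # a required claim is missing from the incoming token
        return sign(Token(target_fmt, self.name, claims, now + 300), self.key)


class Resource:
    """A protected resource configured to talk only to its assigned STS."""

    def __init__(self, sts_name: str, sts_key: bytes, fmt: str, required_claims: list):
        self.sts_name = sts_name
        self.sts_key = sts_key
        self.fmt = fmt
        self.required_claims = required_claims

    def access(self, tok: Token, now: int) -> bool:
        return (
            tok.issuer == self.sts_name               # only the assigned STS may issue
            and tok.fmt == self.fmt                   # in the format this resource understands
            and verify(tok, self.sts_key)             # and the signature must check out
            and tok.expires > now
            and all(c in tok.claims for c in self.required_claims)
        )


def demo() -> dict:
    now = 1_700_000_000  # fixed clock so the run is deterministic
    kdc_key, sts_key, other_key = b"constructed-kdc-key", b"constructed-sts-key", b"constructed-other-key"
    need = ["user", "dept"]

    # Legacy-style token from a trusted issuer, carrying more claims than the app needs.
    legacy = sign(Token("kerberos-like", "corp-kdc",
                        {"user": "alice", "dept": "finance", "phone": "555-0100"}, now + 600), kdc_key)
    sts = STS("corp-sts", sts_key, {"corp-kdc": kdc_key})
    app = Resource("corp-sts", sts_key, "saml-like", need)

    translated = sts.issue(legacy, "saml-like", need, now)

    tampered = sign(Token("kerberos-like", "corp-kdc", {"user": "alice", "dept": "finance"}, now + 600), kdc_key)
    tampered.claims["user"] = "bob"  # changed after signing, so the signature no longer matches
    untrusted = sign(Token("kerberos-like", "other-idp", {"user": "alice", "dept": "finance"}, now + 600), other_key)

    return {
        "translated_fmt": translated.fmt if translated else None,
        "translated_claims": translated.claims if translated else None,
        "app_accepts_translated": app.access(translated, now) if translated else False,
        "app_accepts_raw_legacy": app.access(legacy, now),
        "sts_rejects_tampered": sts.issue(tampered, "saml-like", need, now) is None,
        "sts_rejects_untrusted": sts.issue(untrusted, "saml-like", need, now) is None,
        "expired_rejected": (not app.access(translated, now + 301)) if translated else False,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points in the run map directly onto the article: the resource refuses the raw legacy token even though it is validly signed, because only the assigned STS is an acceptable issuer; and the re-issued token carries just the two claims the application declared, so the phone number never leaves the STS.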

Active Directory also can be used as an STS, and Microsoft officials said a version of the directory tuned for that capability is a possibility. The forthcoming Active Directory Federation Services, due to ship by year-end, will be the first step toward integrating identities in the directory.

Microsoft officials did not lay out a timetable for delivery of all the pieces needed to build an infrastructure that adheres to the Identity Metasystem model. Indigo and Info Card are expected to be part of Longhorn.

Learn more about this topic

The Laws of Identity

Paper by Kim Cameron, Microsoft identity architect.


Copyright © 2005 IDG Communications, Inc.