Microsoft outlines identity management roadmap

Microsoft last week laid out the roadmap for its identity management platform, including federation services that will ship next year and eventually provide Web single sign-on features.

Editor’s Note: Dave Kearns is traveling this week. In place of his regular newsletter, we bring you an identity management news story from within the pages of Network World.

Microsoft last week laid out the roadmap for its identity management platform, including federation services that will ship next year and eventually provide Web single sign-on features.

Formerly codenamed TrustBridge, the technology is now called Active Directory Federation Service (ADFS), Microsoft said. It will ship next year as part of the Windows Server 2003 Update, codenamed R2, and allow users to federate identities between corporate boundaries.

Federation lets an identity credential issued by one company be used for access to a partner’s network.

“ADFS will be one of the biggest splashes in the identity management space we make this year,” says Levon Esibov, group program manager for directory and identity services.

ADFS will become the cornerstone of Microsoft’s adoption of Web services security protocols on the Windows platform, supporting authentication and authorization services between disparate systems and across corporate boundaries.

ADFS will eventually provide the Web single sign-on capabilities that Microsoft’s identity platform currently lacks. Those capabilities are now provided by third-party partners including Netegrity, Oblix and Open Network. Before Microsoft can claim single sign-on capabilities, however, support for Web services protocols, such as the Security Assertion Markup Language (SAML), must be prevalent across vendors’ identity products.

ADFS will support WS-Security, an OASIS standard, as well as protocols Microsoft is developing along with its partners such as WS-Trust, WS-Policy, WS-Secure Conversation, WS-Federation, WS-Authorization and WS-Privacy.

Last week, Microsoft unveiled its Web Services Enhancements 2.0, a package for developers that includes those same protocols.

Microsoft’s work on federation protocols is in competition with work being done by the Liberty Alliance, which is using SAML as the foundation for a federated identity framework. Microsoft officials say they plan to eventually interoperate with the Liberty specifications.

The ADFS enhancements are the leading edge of a series of incremental upgrades to Microsoft’s identity management platform, which revolves around Active Directory, Active Directory Application Mode and Microsoft Identity Integration Server (MIIS).

The roadmap includes the next version of MIIS, which will ship next year. MIIS 3.5 includes a feature called “declarative provisioning,” which will eliminate the need to write provisioning scripts, user self-service features, and audit reporting. It also will establish the server as an application platform.

The biggest change is that MIIS 3.5 for the first time will eliminate the requirement that users deploy the server with the aid of consultants.

Before the 3.5 release, Microsoft will ship Service Pack 1 for MIIS later this year. It will include a set of new management agents for connecting to identity and other data stores. Today, MIIS has some 20 connectors. The service pack will add password synchronization capabilities, a management agent SDK for building custom agents and will incorporate workflow and approval features.

The identity roadmap also stretches to Longhorn server, which is slated to ship in 2007. Microsoft will add manageability enhancements to Active Directory and a digital ID service called Identity System, which will provide users with a portable identity that can be used with consumer and Web services.