Microsoft is working on a series of upgrades to its directory and identity technologies in the coming months, with the goal of creating a service-based identity platform.
It is leaving itself plenty of wiggle room, saying that upgrades for Active Directory and client-based features such as Federation Services, CardSpace, Identity Lifecycle Manager and claims-based access control will come in 2008 "plus". If the company follows its stated development plans to release a minor upgrade to the server every two years, the "plus" would be 2010.
However, the upgrades to the directory and identity platform would be anything but minor, and the presence of the claims-based access control features points to the fact that Microsoft would like to see identity become more of a simple service and less of a complex infrastructure companies are forced to build and maintain.
Microsoft is already using claims-based access for SharePoint and Rights Management Server. Claims are a set of statements that identify a user and provide specific information. The claims are read by applications to make decisions on who gets access, who can retrieve content or who can complete transactions.
Recently, at NetPro's Directory Experts Conference, Microsoft expanded on its idea to create a set of identity pieces that snap together via standard protocols and provide what the company referred to at the time as an "identity bus".
The bus would move claims and be available for applications to plug into in order to take advantage of security and access control features. The bus could live on either side of the firewall and would have many places on the network where "transformers" could accept and dispense claims in many different formats.
Some experts believe Microsoft plans to head straight towards building such a services infrastructure and bypass the current behind-the-firewall approach to identity.
"I think their real aim is to skip this whole generational identity and access issue and go straight for the services goal," says Earl Perkins, an analyst with Gartner. "By doing this they will be positioned for the consumer space and the extranet, and they can show up to compete with Google and already have security and identity. So this platform is not ready yet, but in 24 months it will be closer to reality."
Perkins says the services platform could be adapted within organisations by having integration experts such as the Oxford Computing Group, which specialises in Microsoft identity and access management technologies, build what companies need internally.
"It still seems to me that a lot of different [Microsoft product] teams are in play, there are a lot of different ideas as how to move identity forward within Microsoft," says James Booth, director of the Oxford Computing Group. "They are still trying to figure it out themselves."
The services idea, however, is not far-fetched. Just last year, Microsoft CEO Steve Ballmer said at the company's annual partner conference that every piece of Microsoft's shrink-wrapped software would have a services element, and he mentioned Active Directory by name.
Joe Long, general manager of the connected identity and directory at Microsoft, isn't quite that blunt.
"My team is focused on delivering products that solve enterprise problems," says Long. But he says the ultimate goal is to reduce complexity, and he showed a new management interface and a PowerShell script-driven automated tool for setting up federation that will ship during the 2008 "plus" timeframe. Active Directory Federation Service (ADFS) 2.0, also slated for that timeframe, is where Microsoft plans to begin shifting from a web single sign-on model to more of a pluggable platform for applications.
"We want to make it so you can take these products, install them, and take advantage of them without having to work two months, two years, 10 years with a developer or integrator to get it to work," Long says.
Microsoft has also detailed its concept of an identity bus that would be a plug-and-play service for applications needing to authenticate and authorise users.
Stuart Kwan, director of program management for identity and access for Microsoft, says the bus will feature "transformers", places where data contained within "claims" would be translated into different formats depending on an application's need. Kwan says the transformers could handle such things as Kerberos, X.509 certificates and assertions based on the Security Assertion Markup Language (SAML). Claims can come from Active Directory, LDAPv3-based directories, application-specific databases and new user-centric identity models such as LiveID, OpenID and InfoCard systems, including Microsoft's CardSpace and Novell's Digital Me.
"Transformers allow us to fold, spindle and mutilate the data in any way we want. It lets us adapt to the infrastructure without completely destroying the applications," Kwan says.
In addition to the services angle, Microsoft says it is revisiting its stand on key protocols it does not support, which could prove critical to the success or failure of a services-based platform.
The protocols include the entire SAML 2.0 specification, Service Provisioning Markup Language and Extensible Access Control Markup Language.
"Microsoft has introduced an interoperability promise, and we are trying to understand the ramifications of that," says Long. "Hopefully we can make a commitment one way or the other in the next few months."