News

Microsoft Unveils Identity Framework

Microsoft releases "Geneva" and Live Identity Services as the first pieces of its identity-management roadmap.

• By Jeffrey Schwartz
• 11/15/2008

As Microsoft prepares to deliver its newly unveiled cloud-based services centered on the Windows Azure platform and Live Framework, the company released its identity-management roadmap at last month's Professional Developers Conference (PDC) in Los Angeles. Microsoft uses a claims-based model for accessing systems that may reside in any number of data centers, among multiple parties or in cloud services. At PDC, the company released the first test bits of the offering, many of which are slated for release by the end of next year.

Claims-based identity assigns attributes to an individual-such as an e-mail address or Social Security number-that are issued by a security token service (STS). STS allows systems and applications to share information in a secure transaction with corresponding systems.

Microsoft's software, code-named "Geneva" (formerly known as "Zermatt"), and Live Identity Services look to fulfill the ambitious goal of allowing developers to easily build federated identity management into their apps.

"What we're trying to achieve here is one identity model that puts users firmly in control of their identities," said Kim Cameron, Microsoft's chief architect of identity and a Microsoft distinguished engineer, speaking at PDC. "The goal is: You write a pure application once [and] you run it anywhere, in any kind of deployment scenario."

Geneva Software Stack
On the software side, Geneva consists of three core components: the Geneva Server, an STS that manages user access and distributes and transforms claims; Geneva CardSpace, which lets developers build client-based authentication; and Geneva Framework, a set of .NET-based class libraries and SDKs. The Geneva Server is integrated with Microsoft Active Directory as well as Windows CardSpace, which accepts and receives digital tokens that allow users to control their digital identities.

A new version of Windows CardSpace will offer improved performance and a smaller footprint and will be tuned to work with the Geneva Server, which in addition to supporting Active Directory is compatible with Web services standards including the Security Assertion Markup Language (SAML) 2.0, WS-Federation and WS-Trust.

Vittorio Bertocci, a senior architect evangelist at Microsoft, demonstrated a federated SAML-based link between Geneva and a site based on IBM's Tivoli Federated Identity Manager. Bertocci told attendees it took less than five hours to make it work.

Live Identity Services
The services-based counterpart to Geneva will consist of three core components: Live Identity Services, the Microsoft Federation Gateway (MFG) and .NET Access Control Service.

The MFG is a backbone that will connect Geneva-or competing STSes that may have other directory services or user databases-via Active Directory to Azure and hosted applications such as SharePoint and Exchange, and developer services such as .NET Services and SQL Services, according to Cameron.

The MFG is in production now, and Microsoft has released a community technology preview (CTP) of the Microsoft Service Connector, a fixed-function server that connects Active Directory to the MFG. A full beta is planned for the first half of next year.

Tying Geneva to the Cloud
Microsoft also announced software that will extend Geneva into its cloud-based services: the Microsoft Service Connector, a fixed-function server that connects Active Directory into the MFG.

Also on the services side, Microsoft announced the .NET Access Control Service, which allows individuals to control their identities. It consists of a portal, a client API and the STS. Cameron described the service as a next-gen STS.

"It takes in authentication claims and puts out authorization decisions," he said. "You put your rules in there about who can access what."

If Microsoft can deliver on that promise, that would make life a lot easier for Joe Christopher, vice president at HealthStream Inc., a Nashville, Tenn.-based company that provides both education and research for hospitals nationwide via the Internet.

"Today there's a lot of custom glue," Christopher said in an interview at PDC right after hearing Cameron's presentation. "There's a lot of plumbing that's built manually by our site, a third-party site, and it requires a lot of working out data exchanges and working out how do we keep those up to date in real time."

Live ID Will Work with OpenID Microsoft will let the 460 million users of its Live ID service use their credentials to log in to any site that supports the OpenID 2.0 standard. Kim Cameron, Microsoft's chief architect of identity and a Microsoft distinguished engineer, announced the plan during a session focused on Microsoft's roadmap for identity services at the Professional Developers Conference in Los Angeles. OpenID shows promise as a de facto authentication standard that transfers existing URIs into an account that can be used at sites that support OpenID access. Among those that support it are AOL, Flickr, Technorati, Wordpress and Yahoo!, according to the OpenID Foundation. That means you'll be able to use your Live ID credentials to log in to those and other OpenID sites. For example, if you have a My Yahoo! account, you'll be able to use your Live ID to log into it. Microsoft joined the OpenID Foundation earlier this year and had indicated ultimate support was planned in Live ID. An OpenID Provider beta is available now, and the company plans to release the final version by the end of next year. -J.S..