RealTime IT News

Microsoft Moving From Passport to InfoCard

Microsoft is throwing its weight into the work of unifying a growing patchwork of different identity management protocols for Web services.

Call it the latest lesson learned from what not to do with its .Net Passport identity management system. Passport, which was bedeviled by proprietary-platform and security issues, is all but defunct.

Now, with the latest beta1 release candidates of the Indigo and Avalon development platforms for Web services and next-generation graphics subsystems, Microsoft is releasing a new and improved version of its Identity Metasystem Architectural Diagram.

The platform would serve as a kind of home for its InfoCard single sign-on identity management system. The InfoCard system helps trading partners and Web services providers know just who it is they're dealing with on the Web, no matter what platform the services are using.

Analysts repeatedly carp that Web services, or the ability for Web sites and applications to interact and conduct our business for us, are doomed without an industry-wide agreement on single sign-on protocols. That's one reason Microsoft faced blistering criticism about its Windows-based .Net Passport identity management system.

Amid mounting concerns about security due to a rash of issues in its Windows operating system and IE browser, Microsoft has been phasing out Passport in order to make way for the InfoCard.

"Any of the problems on the Internet today, from phishing attacks to inconsistent user experiences, stems from the patchwork nature of digital identity solutions that software makers have built in the absence of a unifying and architected system of digital identity," the company said in a May white paper about InfoCard.

"An identity metasystem, as defined by the Laws of Identity, would supply a unifying fabric of digital identity, utilizing existing and future identity systems, providing interoperability between them, and enabling the creation of a consistent and straightforward user interface to them all. Basing our efforts on the Laws of Identity, Microsoft is working with others in the industry to build the identity metasystem using published WS-* protocols that render Microsoft's implementations fully interoperable with those produced by others."

The InfoCard system needs five key components:

  • A way to represent identities using claims
  • A means for identity providers, relying parties, and subjects to negotiate
  • An encapsulating protocol to obtain claims and requirements
  • A means to bridge technology and organizational boundaries using claims transformation
  • A consistent user experience across multiple contexts, technologies, and operators

The metasystem is integrated with Indigo, which is the code name for Microsoft's programming model for building Web services that can interoperate with other, non-Microsoft platforms. It also would integrate with Avalon, the code name for a unified presentation subsystem for Windows.

Using a markup language called XAML, Avalon features a faster display engine that can render the same or similar interface on different screens, and consists of a display engine plus a managed-code framework. Microsoft says Avalon unifies how Windows creates, displays and manipulates documents, media and user interfaces.

It enables developers and designers to create visually interesting, differentiated user experiences that Microsoft says can improve customer experience.

As Microsoft has said, by combining the functionality of existing Microsoft distributed application technologies (ASMX, .NET Remoting, .NET Enterprise Services, Web Services Enhancements and System.Messaging), Indigo delivers a single development framework that aims to improve developer productivity and reduce organizations' time to market.

Now, as Microsoft gathers feedback on how well the Indigo platform performs with Web services test runs among trading and business partners, it will also test how its identity management system performs within the next-generation Web services frameworks.

The feedback could be critical. Interoperable single sign-on is a key piece of the Web services puzzle, and one that Web standards bodies are trying to achieve.

The results, provided they are largely positive, could help push Web services adoption, thanks to Microsoft's industry influence. Another group working on identity management protocols is the Liberty Alliance, the Sun Microsystems-led initiative started as an alternative to Microsoft's .NET and Passport digital identity management systems. Liberty has thrown its support to OASIS, whose SAML (Security Assertion Markup Language) 2.0 spec is gaining wider adoption in the industry.

Microsoft is a member of the Web Services Interoperability (WS-I) Organization, another industry group that promotes Web services interoperability across platforms, operating systems and programming languages. OASIS members and other working groups have said they are optimistic that WS-I will also build in support for SAML 2.0 as the Liberty Alliance has.

Microsoft said its architecture for the identity metasystem, built on the WS-* Web Services protocols, is supposed to provide greater user control and flexibility. For example, users decide how much information they disclose, to whom and under what circumstances, which lets them better protect their privacy; that control in turn relies on strong two-way authentication between identity providers and relying parties, the white paper explained.

In addition, InfoCard is more flexible about how personal information is stored. Microsoft said it could be held by an online identity provider service of the user's choice, on the user's PC, or in other devices such as secure USB keychain storage devices, smartcards, PDAs and mobile phones.
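To make the claims-based flow behind the five components listed above, and the disclosure control described here, concrete, the following is an added illustration, not Microsoft's code or the WS-* protocols themselves: a relying party names the claims it needs, the identity provider transforms the user's stored data into just those claims and issues a signed token, and the relying party verifies issuer, audience and expiry before trusting the claims. The issuer name, audience, sample card and the shared HMAC key (standing in for the real asymmetric token signature) are all constructed for this example.

```python
import hashlib
import hmac
import json
import time

# Constructed example key: a shared secret between the identity provider and the
# relying party stands in for the issuer's asymmetric signature used in practice.
ISSUER_KEY = b"example-issuer-key-not-for-production"
ISSUER = "idp.example"  # hypothetical identity provider

# Constructed sample card: everything the identity provider holds about the user.
USER_CARD = {"name": "Alice Example", "email": "alice@example.com", "birth_year": 1980}


def transform_claims(card, requested, now_year=2005):
    """Claims transformation with minimal disclosure: derive only the claims the
    relying party asked for. A birth year never leaves the provider if the
    relying party only asked whether the user is over 18."""
    out = {}
    for claim in requested:
        if claim == "age_over_18":
            out[claim] = (now_year - card["birth_year"]) >= 18
        elif claim in card:
            out[claim] = card[claim]
        else:
            raise KeyError(f"cannot satisfy requested claim {claim!r}")
    return out


def issue_token(requested, audience, ttl=300, now=None):
    """Identity provider: bind the released claims to an issuer, an audience and
    an expiry, then sign the whole payload."""
    now = int(time.time()) if now is None else now
    body = {"iss": ISSUER, "aud": audience, "exp": now + ttl,
            "claims": transform_claims(USER_CARD, requested)}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(token, audience, now=None):
    """Relying party: accept claims only from a valid signature, the expected
    issuer and audience, and an unexpired token. Returns None on any failure."""
    now = int(time.time()) if now is None else now
    expected = hmac.new(ISSUER_KEY, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    body = json.loads(token["payload"])
    if body["iss"] != ISSUER or body["aud"] != audience or body["exp"] <= now:
        return None
    return body["claims"]
```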

Perhaps most important, the system helps extend the reach of existing identity systems, another way of saying it would be interoperable with other Web services platforms.

ZapThink analyst Ronald Schmelzer applauded Microsoft's second foray into federated identity.

"The idea is sound, given that companies are starting to move to federated, rather than single-technology centralized, identity management systems," Schmelzer said.

"It will necessarily face competition from technologies like Liberty Alliance, but there are still very few products, if any, that implement Liberty Alliance on the desktop client, and so Microsoft has a distinct advantage. However, like Passport, we will have to see what that uptake is like on digital identity and security products offered by Microsoft."

The beta1 "RC" release supports Visual Studio 2005 Beta2 and the .NET Framework 2.0 beta 2. In addition, Microsoft also offered an updated WinFX software development kit (SDK), including documentation, samples and tools available for this release. The beta release works with Windows XP and Windows Server 2003.