Microsoft is throwing its weight into the work of unifying a growing patchwork of different identity management protocols for Web services.
Call it the latest lessons learned from what not to do with its .Net
Passport identity management system. Passport, which was bedeviled by
proprietary platform and security issues, is all but defunct.
Now, with the latest beta1 release candidates of Indigo and Avalon, its
development platforms for Web services and next-generation graphics
subsystems, Microsoft is releasing a new and improved
version of its Identity Metasystem Architectural Diagram.
The platform would
serve as a kind of home for its InfoCard single sign-on identity management
system. The InfoCard system helps trading partners and Web services
providers know just who it is they’re dealing with on the Web, no matter
what platform the services are using.
Analysts repeatedly carp that Web services, or the ability for Web sites
and applications to interact and conduct our business for us, are doomed without an industry-wide agreement on single sign-on protocols.
That’s one reason Microsoft faced blistering criticism about its Windows-based .Net Passport
identity management system.
Amid mounting concerns about security due to a rash of
issues in its Windows operating system and IE browser, Microsoft has been
phasing out Passport in order to make way for the InfoCard.
“Many of the problems on the Internet today, from phishing attacks to
inconsistent user experiences, stem from the patchwork nature of digital
identity solutions that software makers have built in the absence of a
unifying and architected system of digital identity,” the company said in a
May white paper about InfoCard.
“An identity metasystem, as defined by the Laws of Identity, would supply
a unifying fabric of digital identity, utilizing existing and future
identity systems, providing interoperability between them, and enabling the
creation of a consistent and straightforward user interface to them all.
Basing our efforts on the Laws of Identity, Microsoft is working with others
in the industry to build the identity metasystem using published WS-*
protocols that render Microsoft’s implementations fully interoperable with
those produced by others.”
The InfoCard system needs five key components:
1. A way to represent identities using claims.
2. A means for identity providers, relying parties and subjects to negotiate.
3. An encapsulating protocol to obtain claims and requirements.
4. A means to bridge technology and organizational boundaries using claims transformation.
5. A consistent user experience across multiple contexts, technologies, and operators.
The metasystem is integrated with Indigo, which is the code name for
Microsoft’s programming model for building Web services that can
interoperate with other, non-Microsoft platforms. It also would integrate
with Avalon, the code name for a unified presentation
subsystem for Windows.
Avalon consists of a display engine plus a managed-code framework and uses a
markup language called XAML; its faster display engine can render the same or
similar interface on different screens. Microsoft says Avalon unifies
how Windows creates, displays and manipulates documents, media and user
interfaces.
It enables developers and designers to create
visually interesting, differentiated user experiences that Microsoft says
can improve customer experience.
As Microsoft has said, by combining the functionality of existing
Microsoft distributed application technologies (ASMX, .NET Remoting, .NET
Enterprise Services, Web Services Enhancements and System.Messaging),
Indigo delivers a single development framework that aims to improve
developer productivity and reduce organizations’ time to market.
Now, as Microsoft gathers feedback on how well the Indigo platform
performs with Web services test runs among trading and business partners, it will
also test how its identity management system performs within the
next-generation Web services frameworks.
The feedback could be critical. Interoperable single sign-on is a key piece of the Web
services puzzle, and one that Web standards bodies are trying to achieve.
The results, provided they are largely positive, could help push Web
services adoption, thanks to Microsoft’s industry influence. Another
group
working on identity management protocols is the Liberty Alliance, the Sun
Microsystems-led initiative started as an alternative to Microsoft’s
.NET and Passport digital identity management systems. Liberty has thrown
its support to OASIS, whose SAML (Security Assertion Markup Language) 2.0
spec is gaining wider adoption in the industry.
Microsoft is a member of the Web Services Interoperability (WSI)
Organization,
another industry group that promotes Web services interoperability across
platforms, operating systems and programming languages. OASIS members and
other working groups have said they are optimistic that the WSI will also
build in support for SAML 2.0 as Liberty Alliance has.
Microsoft said its architecture for the identity metasystem, called WS-*
Web Services, is supposed to provide greater user control and flexibility.
For example, users decide how much information they disclose, to whom and
under what circumstances, which helps them protect their privacy. That
control relies on strong two-way authentication of identity providers and
relying parties, the white paper explained.
In addition, the InfoCard is more flexible about how the personal
information is stored. Microsoft said it could be via an online identity
provider service of the user’s choice, on the user’s PC or in other devices
such as secure USB keychain storage devices, smartcards, PDAs, and mobile
phones.
Perhaps most important, the system helps extend the reach of existing
identity systems, another way of saying it would be interoperable with other
Web services platforms.
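The claims-based flow the article outlines (a relying party states the claims it requires, the user decides which of them to disclose, an identity provider issues them with a claim transformed at the boundary, and both the identity provider and the relying party are authenticated) is sketched below as an added Python example. This is not code from the article or from Microsoft: the HMAC-signed JSON token, the demo keys, the `over18` derivation rule and the sample subject record are constructed for the example and stand in for the SAML/WS-* tokens and PKI a real InfoCard deployment would use.

```python
import hashlib
import hmac
import json

# Constructed demo keys standing in for the real key material behind an
# identity provider's and a relying party's signatures (assumption).
IDP_KEY = b"idp-demo-key"
RP_KEY = b"rp-demo-key"
# Fixed clock so the derived "over 18" claim is reproducible: anyone born on
# or before this date was 18 on 2005-06-01 (constructed value).
CUTOFF_18 = "1987-06-01"


def sign(key, payload):
    # Sign a canonical JSON encoding so verification is byte-for-byte stable.
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, token):
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


# Claims transformation at the organizational boundary: the relying party
# learns a minimal derived claim ("over18"), not the birthdate behind it.
TRANSFORMS = {
    "over18": lambda rec: rec["birthdate"] <= CUTOFF_18,
}


def rp_policy(rp_name, required):
    # The relying party publishes the claims it needs, signed so the subject
    # and the identity provider can authenticate it (two-way authentication).
    return sign(RP_KEY, {"rp": rp_name, "required_claims": sorted(required)})


def subject_chooses(policy, consent):
    # The subject refuses to deal with an unauthenticated relying party and
    # releases only the claims it has consented to, nothing more.
    if not verify(RP_KEY, policy):
        raise ValueError("relying party policy failed authentication")
    return [c for c in policy["payload"]["required_claims"] if c in consent]


def idp_issue(records, subject, audience, release):
    # The identity provider issues a token bound to one relying party that
    # carries only the released claims, transformed where a rule exists.
    rec = records[subject]
    claims = {}
    for name in release:
        if name in TRANSFORMS:
            claims[name] = TRANSFORMS[name](rec)
        elif name in rec:
            claims[name] = rec[name]
    return sign(IDP_KEY, {"subject": subject, "audience": audience, "claims": claims})


def rp_accept(rp_name, required, token):
    # The relying party checks the issuer signature, that the token was
    # issued for it, and that every required claim is present.
    if not verify(IDP_KEY, token):
        return False, "identity-provider signature invalid"
    payload = token["payload"]
    if payload["audience"] != rp_name:
        return False, "token issued for a different relying party"
    missing = sorted(set(required) - set(payload["claims"]))
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    return True, payload["claims"]


# Constructed subject data held by the identity provider.
RECORDS = {
    "alice": {"email": "alice@example.test", "birthdate": "1980-03-15", "phone": "555-0100"},
}


def run_exchange(rp_name, required, consent):
    # One full round: policy -> user consent -> token issuance -> acceptance.
    policy = rp_policy(rp_name, required)
    release = subject_chooses(policy, consent)
    token = idp_issue(RECORDS, "alice", rp_name, release)
    return rp_accept(rp_name, required, token)


if __name__ == "__main__":
    print(run_exchange("shop.example", ["email", "over18"], {"email", "over18"}))
    print(run_exchange("shop.example", ["email", "phone"], {"email"}))
```

The second call in the usage block shows the negotiation failing cleanly when the user withholds a claim the relying party insists on; a tampered token or one issued for a different relying party is rejected at `rp_accept` before any claim is read.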
ZapThink analyst Ronald Schmelzer applauded Microsoft’s second foray into federated identity.
“The idea is sound, given that companies are starting to move to federated, rather than single-technology centralized, identity management systems,” Schmelzer said.
“It will necessarily face competition from technologies like Liberty Alliance, but there are still very few products, if any, that implement Liberty Alliance on the desktop client, and so Microsoft has a distinct advantage. However, like Passport, we will have to see what that uptake is like on digital identity and security products offered by Microsoft.”
The beta1 “RC” release supports Visual Studio 2005 Beta2 and the .NET
Framework 2.0 beta 2. In addition, Microsoft also offered an updated WinFX
software development kit (SDK), including documentation, samples and tools available for this release.
The beta release works with Windows XP and Windows Server 2003.