Microsoft Moving From Passport to InfoCard

Microsoft is throwing its weight into the work of unifying a growing patchwork of different identity management protocols for Web services.

Call it the latest lessons learned from what not to do with its .Net Passport identity management system. Passport, which was bedeviled by proprietary platform and security issues, is all but defunct.

Now, with the latest beta1 release candidates of the Indigo and Avalon development platforms for Web services and next-generation graphics subsystems, Microsoft is releasing a new and improved version of its Identity Metasystem Architectural Diagram.

The platform would
serve as a kind of home for its InfoCard single sign-on identity management
system. The InfoCard system helps trading partners and Web services
providers know just who it is they’re dealing with on the Web, no matter
what platform the services are using.

Analysts repeatedly carp that Web services, or the ability for Web sites
and applications to interact and conduct our business for us, are doomed without an industry-wide agreement on single sign-on protocols.
That’s one reason Microsoft faced blistering criticism about its Windows-based .Net Passport
identity management system.

Amid mounting concerns about security due to a rash of
issues in its Windows operating system and IE browser, Microsoft has been
phasing out Passport in order to make way for the InfoCard.

“Any of the problems on the Internet today, from phishing attacks to
inconsistent user experiences, stems from the patchwork nature of digital
identity solutions that software makers have built in the absence of a
unifying and architected system of digital identity,” the company said in a
May white paper about InfoCard.

“An identity metasystem, as defined by the Laws of Identity, would supply
a unifying fabric of digital identity, utilizing existing and future
identity systems, providing interoperability between them, and enabling the
creation of a consistent and straightforward user interface to them all.
Basing our efforts on the Laws of Identity, Microsoft is working with others
in the industry to build the identity metasystem using published WS-*
protocols that render Microsoft’s implementations fully interoperable with
those produced by others.”

The InfoCard system needs five key components:

  • A way to represent identities using claims
  • A means for identity providers, relying parties, and subjects to negotiate
  • An encapsulating protocol to obtain claims and requirements
  • A means to bridge technology and organizational boundaries using claims transformation
  • A consistent user experience across multiple contexts, technologies, and operators

The metasystem is integrated with Indigo, which is the code name for Microsoft’s programming model for building Web services that can interoperate with other, non-Microsoft platforms. It also would integrate with Avalon, the code name for a unified presentation subsystem for Windows.

Avalon consists of a faster display engine plus a managed-code framework; using a markup language called XAML, it can render the same or similar interface on different screens. Microsoft says Avalon unifies how Windows creates, displays and manipulates documents, media and user interfaces.

It enables developers and designers to create visually interesting, differentiated user experiences that Microsoft says can improve customer experience.

As Microsoft has said, by combining the functionality of existing Microsoft distributed application technologies (ASMX, .NET Remoting, .NET Enterprise Services, Web Services Enhancements and System.Messaging), Indigo delivers a single development framework that aims to improve developer productivity and reduce organizations’ time to market.

Now, as Microsoft gathers feedback on how well the Indigo platform performs with Web services test runs among trading and business partners, it will also test how its identity management system performs within the next-generation Web services frameworks.

The feedback could be critical. Interoperable single sign-on is a key piece of the Web services puzzle, and one that Web standards bodies are trying to achieve.

The results, provided they are largely positive, could help push Web services adoption, thanks to Microsoft’s industry influence. Another group working on identity management protocols is the Liberty Alliance, the Sun Microsystems-led initiative started as an alternative to Microsoft’s .NET and Passport digital identity management systems. Liberty has thrown its support to OASIS, whose SAML (Security Assertion Markup Language) 2.0 spec is gaining wider adoption in the industry.

Microsoft is a member of the Web Services Interoperability (WSI) Organization, another industry group that promotes Web services interoperability across platforms, operating systems and programming languages. OASIS members and other working groups have said they are optimistic that the WSI will also build in support for SAML 2.0 as Liberty Alliance has.

Microsoft said its architecture for the identity metasystem, called WS-* Web Services, is supposed to provide greater user control and flexibility. For example, users decide how much information they disclose, to whom and under what circumstances, which lets them better protect their privacy; that control in turn relies on strong two-way authentication of identity providers and relying parties, the white paper explained.

In addition, the InfoCard is more flexible about how the personal information is stored. Microsoft said it could be via an online identity provider service of the user’s choice, on the user’s PC or in other devices such as secure USB keychain storage devices, smartcards, PDAs, and mobile phones.

Perhaps most important, the system helps extend the reach of existing identity systems, another way of saying it would be interoperable with other Web services platforms.
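The five components listed earlier and the minimal-disclosure point just described reduce to one claim flow: a relying party states which claims it requires, the subject's chosen identity provider releases only those claims (transforming raw data at the boundary where needed), and the relying party checks the token before trusting it. The example below is an added illustration of that flow, not Microsoft's code or the WS-* wire format; it assumes an HMAC over JSON in place of the signed security token, a constructed card and shared key, and a fixed reference year for the age check.

```python
import hmac
import hashlib
import json

# Constructed shared secret standing in for the IdP/RP trust relationship (assumption).
IDP_KEY = b"demo-idp-key"

# Subject's self-asserted card with constructed sample data; the subject never
# sends the whole card, only the claims a relying party's policy requests.
CARD = {"name": "A. Subject", "email": "a@example.test", "birth_year": 1980, "member_id": "X-1"}

# Claims transformation at the identity-provider boundary: a derived yes/no claim
# is released instead of the raw birth year (reference year fixed to 2005 for a
# deterministic demo).
TRANSFORMS = {"over_18": lambda card: 2005 - card["birth_year"] >= 18}


def request_token(rp_policy, card):
    """Subject/IdP side: satisfy the relying party's policy with the minimum claims."""
    claims = {}
    for claim in rp_policy["required_claims"]:
        if claim in TRANSFORMS:
            claims[claim] = TRANSFORMS[claim](card)
        elif claim in card:
            claims[claim] = card[claim]
        else:
            raise KeyError(f"cannot satisfy required claim {claim!r}")
    # Audience binding: the token is only valid for the relying party that asked.
    body = json.dumps({"aud": rp_policy["relying_party"], "claims": claims}, sort_keys=True)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, rp_policy):
    """Relying party side: signature, audience and required-claim coverage must all hold."""
    expected = hmac.new(IDP_KEY, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # tampered or not issued by the trusted IdP
    payload = json.loads(token["body"])
    if payload["aud"] != rp_policy["relying_party"]:
        return None  # token replayed to a different relying party
    if any(c not in payload["claims"] for c in rp_policy["required_claims"]):
        return None  # policy not satisfied
    return payload["claims"]
```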


ZapThink analyst Ronald Schmelzer applauded Microsoft’s second foray into federated identity.

“The idea is sound, given that companies are starting to move to federated, rather than single-technology centralized, identity management systems,” Schmelzer said.

“It will necessarily face competition from technologies like Liberty Alliance, but there are still very few products, if any, that implement Liberty Alliance on the desktop client, and so Microsoft has a distinct advantage. However, like Passport, we will have to see what that uptake is like on digital identity and security products offered by Microsoft.”

The beta1 “RC” release supports Visual Studio 2005 Beta2 and the .NET Framework 2.0 beta 2. In addition, Microsoft also offered an updated WinFX software development kit (SDK), including documentation, samples and tools available for this release. The beta release works with Windows XP and Windows Server 2003.
