Microsoft’s Bold Plans For Open Security Architecture
Wednesday, October 29, 2008
Microsoft will unveil on Tuesday an open identity platform code-named Geneva that extends to the cloud, includes development tools and gateway technologies, and provides long-awaited support for the SAML 2.0 protocol. Microsoft also will announce support for the OpenID protocol, which means Microsoft’s LiveIDs can be used to access Web sites that support OpenID. The identity platform’s foundation is the claims-based access model and Security Token Service (STS) technology that Microsoft has been developing over the past few years as part of its industry effort to create a single identity system based on standard protocols. Geneva is made up of the Geneva Server, formerly called Active Directory Federation Services 2.0; the Geneva CardSpace Client, a smaller and faster version of the identity client now available with Vista; and the Geneva Framework, which was formerly code-named Zermatt. Also part of the platform are the Microsoft Service Connector, the Microsoft Federation Gateway and the .Net Access Control Service, which are designed to create a sort of identity backbone and connection to the cloud. The company plans to have the whole of the Geneva family of identity software and services rolled out by the second half of 2009. “There is no pressure to use Microsoft components,” said Kim Cameron, identity architect for Microsoft. “All aspects of Geneva are standard across the industry. This helps you build an identity backbone and get into the identity era.”
The goal is to create a standards-based way to share “claims” and to connect with cloud-based services from Microsoft or other providers. Claims are a set of statements that identify a user and provide specific information such as title or purchasing authority. Geneva will let companies with Active Directory extend it to create single sign-on between local network resources and cloud services. In addition, developers will have tools to easily incorporate standards-based identity into the applications they build, and IT will have a choice in the identity services it rolls out.

Geneva Server is an STS that augments Active Directory and installs on a domain controller or a server on the network. It supports WS-Federation, WS-Trust and the SAML 2.0 protocol; Microsoft previously supported only the SAML 2.0 token format, not the SAML 2.0 protocol itself. The STS handles the exchange of claims and is part of Microsoft’s MetaSystem model for a distributed identity architecture.

The Geneva Framework is an extension to the .Net Framework 3.5 that helps developers more easily build applications that incorporate a claims-based identity model for authentication and authorization. The framework and the STS technology are building toward Microsoft’s ultimate goal of an “identity bus”: off-the-shelf applications could plug into the bus to authenticate users and enforce access control.

Microsoft also plans to create an identity backbone using the Microsoft Federation Gateway (MFG), which would run as part of its cloud-services platform Azure, announced Monday. Geneva Server or third-party STS gateways could connect to MFG, which would provide identity services to cloud applications such as Exchange, SharePoint and SQL Server. Developer services also would be securely accessed via MFG. Cameron pointed out that MFG is not LiveID, which has some 400 million users, but will support it. He said MFG is in production, but a release date has not been set.
Also part of the identity platform is the Microsoft Service Connector (MSC), a fixed-function gateway that lets users connect Active Directory with the Microsoft Federation Gateway. MSC, which will be a free download, is a lightweight version of the Geneva Server. MSC is in a community technology preview (CTP) now, with a beta and final release slated for the first half of next year. Also on the docket is the .Net Access Control Service (NAC), which will become a service on the Azure cloud platform. NAC is an STS that takes in authentication claims and outputs authorization claims based on a set of rules that can be defined via a management portal. The service lets users create and maintain rules and integrates with the Federation Gateway. Microsoft also plans a version of NAC that users can run internally.
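The claims-based model described above (an STS exchanging claims, and the .Net Access Control Service turning authentication claims into authorization claims by rule) is shown here as an added illustrative example in Python. It is not Microsoft's code and not the Geneva Framework's API: the HMAC-signed token format, the issuer and audience names, the rule set and the claim types are all constructed assumptions standing in for the signed SAML/WS-Trust tokens and portal-defined rules a real STS would work with. What it demonstrates is the order of checks an STS must make before any rule runs (known issuer, valid signature, correct audience, not expired) and that only rule-produced claims leave the service; input identity claims are never passed through to the relying party.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration (assumption: tokens are HMAC-signed with a
# per-issuer shared secret, standing in for the XML-signed tokens a real STS
# such as Geneva Server would issue and verify).
TRUSTED_ISSUERS = {"urn:example:corp-sts": b"corp-sts-shared-secret"}
AUDIENCE = "urn:example:access-control"      # this service's own identifier (assumed)
OUTPUT_ISSUER = "urn:example:access-control"

# Constructed sample rule set in the shape the article describes: an input
# (authentication) claim maps to an output (authorization) claim.
RULES = [
    ("group", "Purchasing", "action", "approve_po"),
    ("group", "Purchasing", "action", "view_po"),
    ("group", "Finance",    "action", "view_po"),
    ("title", "Director",   "limit",  "50000"),
]


def sign_token(issuer, claims, secret, lifetime=300, now=None):
    """Mint an input token as the upstream STS would. claims: list of [type, value]."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "aud": AUDIENCE, "exp": now + lifetime, "claims": claims}
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + mac


def verify_token(token, now=None):
    """Accept a token only from a configured issuer, with a valid signature,
    addressed to this service, and not expired. Any failure raises ValueError."""
    now = time.time() if now is None else now
    body_b64, mac = token.rsplit(".", 1)
    body = base64.b64decode(body_b64)
    payload = json.loads(body)
    secret = TRUSTED_ISSUERS.get(payload.get("iss"))
    if secret is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        raise ValueError("bad signature")
    if payload.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if payload.get("exp", 0) < now:
        raise ValueError("token expired")
    return payload


def transform(input_claims):
    """Apply RULES to verified input claims. Only claims produced by a rule are
    emitted; input claims (name, group, title, ...) are never passed through."""
    present = {tuple(c) for c in input_claims}
    output = []
    for in_type, in_value, out_type, out_value in RULES:
        if (in_type, in_value) in present and (out_type, out_value) not in output:
            output.append((out_type, out_value))
    return output


def issue_authorization_claims(token, now=None):
    """The STS step: verify the incoming token first, then issue authorization claims."""
    payload = verify_token(token, now)
    return {"issuer": OUTPUT_ISSUER, "claims": transform(payload["claims"])}


if __name__ == "__main__":
    secret = TRUSTED_ISSUERS["urn:example:corp-sts"]
    tok = sign_token("urn:example:corp-sts",
                     [["name", "alice"], ["group", "Purchasing"], ["title", "Director"]],
                     secret)
    print(issue_authorization_claims(tok))
```

The rule table is evaluated only after the token has passed every trust check, which is the property that matters when a gateway like MFG is in the path: an attacker who can mint tokens from an unconfigured issuer, replay an expired one, or redirect a token meant for another audience gets a rejection before any rule is consulted.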