Microsoft: Active Directory's future is identity

Active Directory would become standard corporate access mechanism

Microsoft on Tuesday laid out a vision for Active Directory in which it will take on a major role in pushing out user identity data to applications and securing collaboration between users.

"We are moving from being a directory provider to an identity provider," said Stuart Kwan, director of program management for identity and access at Microsoft, during the second-day keynote at the annual NetPro Directory Experts Conference.

He said the benefit for corporate users would be a standard user access mechanism that would benefit application development and access management and allow companies to more easily spread their identity systems.

Kwan concluded that Active Directory was so close to fulfilling its original goals as a trusted directory service for corporate users that it was time to look ahead and envision the next set of challenges.

The new challenges, Kwan said, will put the directory in a key role in Microsoft's Identity Metasystem, a model for distributed identity architecture. Coupled with an emerging technology called Security Token Service (STS), which handles the exchange of identity data, Microsoft envisions an architecture that pushes identity data out to applications that know how to interpret and act upon that data.

Today, applications typically pull user access data from the directory to determine a user's access rights. The push model not only affords network efficiencies but more easily ties identity and application development, puts less stress on the directory, provides more flexibility in defining a user and their rights and gives the ability to federate identity with those outside the corporate network.

Kwan said the push mechanism would be similar to the way group membership data for a user is automatically included in today's Kerberos authentication process.

In the future, identity data coming from the directory would be transformed by the STS gateway into a properly formatted "claim" or a set of claims about the user and his access rights.

"Claims transformation is the logic that takes incoming data about people in the organization and turns it into claims that are needed by the application," said Kwan.

He said the relationship between the directory and the STS means the application knows in advance the kind of data it will be getting. And that means claims can come from inside or outside the organization.

"Now the application knows the claim sets and knows the claims and can be prepared when those claims interact with it," said Kwan.
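The push model and claims transformation described above, as an added sketch that is not Microsoft's or ADFS code: an STS turns directory attributes into a signed claim set, and the application authorizes from the claims alone, rejecting untrusted issuers and unexpected claim sets. The names, sample directory entry, token layout and shared HMAC key are all assumptions made for illustration; a production STS signs with asymmetric keys.

```python
import base64, hashlib, hmac, json

# Constructed sample data: a directory entry and the STS signing key (assumptions).
STS_KEY = b"constructed-demo-key"
DIRECTORY = {"alice": {"department": "Finance", "mail": "alice@example.com",
                       "memberOf": ["CN=Approvers", "CN=Staff"]}}
# Claim types the application has declared it expects from the STS.
EXPECTED_CLAIMS = {"email", "role", "department"}

def transform(entry):
    """Claims transformation: raw directory attributes -> claims the app understands."""
    roles = sorted(g.split("=", 1)[1].lower() for g in entry["memberOf"])
    return {"email": entry["mail"], "role": roles, "department": entry["department"]}

def issue_token(user, issuer="sts.corp.example"):
    """STS side: build the claim set and sign it so it can be pushed to the app."""
    body = json.dumps({"iss": issuer, "sub": user,
                       "claims": transform(DIRECTORY[user])}, sort_keys=True).encode()
    sig = hmac.new(STS_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())

def accept_token(token, trusted_issuers=("sts.corp.example",)):
    """Application side: verify signature, issuer trust and claim set; no directory lookup."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token or bad base64
        return None
    if not hmac.compare_digest(sig, hmac.new(STS_KEY, body, hashlib.sha256).digest()):
        return None  # claims were altered after the STS signed them
    data = json.loads(body)
    if data["iss"] not in trusted_issuers or set(data["claims"]) != EXPECTED_CLAIMS:
        return None  # issuer not trusted, or claim set is not the agreed one
    return data["claims"]

def can_approve(token):
    """Authorization decision taken purely from the pushed claims."""
    claims = accept_token(token)
    return claims is not None and "approvers" in claims["role"]
```
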

Then Kwan took his vision even further, saying IT could delegate to leaders in corporate business units the decision about which claims they would trust, including those coming from outside the organization.

"Knowledge workers would control the trusts and be held accountable," he said. The delegated model would allow for all sorts of new ways to securely collaborate on documents, he said.

Kwan said users could start to explore his vision using the current version of Active Directory Federation Services along with .Net 3.0 technologies Windows CardSpace and Windows Communication Foundation.

A new version of ADFS, slated to ship after Longhorn Server, will add a new set of .Net APIs that will help users build tools to better examine claims coming from end-users.

Kwan said the Identity Metasystem model would eventually provide even more capabilities including role-based access control, the combination of roles and business processes, the ability for new claims such as location, and even more advanced authorization capabilities.

But he said the beauty of it all is that it builds on the directory infrastructure many companies have been rolling out and perfecting for years.

"This is not about throwing anything out," Kwan said.
