Microsoft: Active Directory's future is identity

Active Directory would become standard corporate access mechanism

Microsoft on Tuesday laid out a vision for Active Directory in which it will take on a major role in pushing out user identity data to applications and securing collaboration between users.

"We are moving from being a directory provider to an identity provider," said Stuart Kwan, director of program management for identity and access at Microsoft, during the second day keynote at the annual NetPro Directory Experts Conference.

He said the benefit for corporate users would be a standard access mechanism: one that simplifies application development and access management, and lets companies extend their identity systems more easily, including beyond their own boundaries.

Kwan concluded that Active Directory was so close to fulfilling its original goals as a trusted directory service for corporate users that it was time to look ahead and envision the next set of challenges.

The new challenges, Kwan said, will put the directory in a key role in Microsoft's Identity Metasystem, a model for distributed identity architecture. Coupled with a Security Token Service (STS), the WS-Trust component that issues and exchanges security tokens carrying identity data, Microsoft envisions an architecture that pushes identity data out to applications that know how to interpret and act on that data.

Today, applications typically pull user access data from the directory to determine a user's access rights. The push model is more efficient on the network, ties identity more closely to application development, puts less load on the directory, gives more flexibility in defining a user and their rights, and makes it possible to federate identity with parties outside the corporate network.

Kwan said the push mechanism would be similar to the way a user's group memberships are already carried inside the Kerberos ticket today (in the Windows PAC), so the application receives them with the authentication rather than looking them up itself.

In the future, identity data coming from the directory would be transformed by the STS gateway into a properly formatted "claim", or a set of claims, about the user and his access rights. A claim is a statement an issuer makes about a subject; the application decides how far to trust it by verifying the signature on the token that carries it and checking who issued it, not by going back to the directory.

"Claims transformation is the logic that takes incoming data about people in the organization and turns it into claims that are needed by the application," said Kwan.

He said the relationship between the directory and the STS means the application knows in advance the kind of data it will be getting. And that means claims can come from inside or outside the organization.

"Now the application knows the claim sets and knows the claims and can be prepared when those claims interact with it," said Kwan.

Kwan then took his vision a step further, saying IT could delegate to leaders of business units the decision about which claims to trust, including claims coming from outside the organization.

"Knowledge workers would control the trusts and be held accountable," he said. The delegated model would allow for all sorts of new ways to securely collaborate on documents, he said.
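The pipeline described above (directory attributes in, application-specific claims out, with the trust decision made per application) is easier to see in code. The following Python is an added illustration, not Microsoft's code and not how ADFS is implemented: the directory record, issuer names, signing key and relying-party policy are all constructed, and an HMAC over canonical JSON stands in for a real signed token format such as SAML issued over WS-Trust. It shows the three steps an STS performs for a relying party (filter incoming claims by trusted issuer, run the application's transformation rules, release only the claim types the application declared) and the check the application performs on the other side instead of querying the directory.

```python
"""Toy claims-transforming STS: directory attributes in, signed claims out.
Added illustration, not Microsoft's or ADFS's code. HMAC-SHA256 over canonical
JSON stands in for a real token format; every name, key and record is constructed."""
import hashlib, hmac, json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

# Constructed stand-in for what an LDAP query against AD returns for one user.
DIRECTORY = {"alice": {
    "displayName": "Alice Example",
    "mail": "alice@corp.example",
    "department": "Finance",
    "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example",
                 "CN=Managers,OU=Groups,DC=corp,DC=example"],
}}

@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str  # who asserted it: the directory, this STS, or a federation partner

Rule = Callable[[List[Claim]], List[Claim]]

@dataclass
class RelyingParty:
    """An application that declared up front which claims it consumes and whom it trusts."""
    name: str
    accepted_claim_types: FrozenSet[str]
    trusted_issuers: FrozenSet[str]  # the trust decision delegated to its business owner
    rules: List[Rule]

def pass_through(in_type: str, out_type: str, out_issuer: str) -> Rule:
    """Re-issue one incoming claim type under the name the application expects."""
    return lambda claims: [Claim(out_type, c.value, out_issuer) for c in claims if c.type == in_type]

def group_to_role(mapping: Dict[str, str], out_issuer: str) -> Rule:
    """Map directory group DNs to application roles; unmapped groups are dropped."""
    return lambda claims: [Claim("role", mapping[c.value], out_issuer)
                           for c in claims if c.type == "group" and c.value in mapping]

class SecurityTokenService:
    def __init__(self, name: str, signing_key: bytes, directory_issuer: str):
        self.name, self.key, self.directory_issuer = name, signing_key, directory_issuer

    def claims_from_directory(self, username: str) -> List[Claim]:
        """The directory 'pull' now happens once, here, instead of in every application."""
        rec = DIRECTORY[username]
        claims = [Claim(a, rec[a], self.directory_issuer) for a in ("displayName", "mail", "department")]
        return claims + [Claim("group", dn, self.directory_issuer) for dn in rec["memberOf"]]

    def issue(self, rp: RelyingParty, incoming: Iterable[Claim]) -> Dict[str, str]:
        # 1. Keep only claims asserted by issuers this application's owner trusts.
        trusted = [c for c in incoming if c.issuer in rp.trusted_issuers]
        # 2. Run the application's transformation rules over them.
        outgoing = [c for rule in rp.rules for c in rule(trusted)]
        # 3. Release only the claim types the application asked for, then sign.
        released = sorted((c.type, c.value) for c in outgoing if c.type in rp.accepted_claim_types)
        payload = json.dumps({"iss": self.name, "aud": rp.name, "claims": released},
                             sort_keys=True, separators=(",", ":"))
        return {"payload": payload,
                "sig": hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()}

def verify_token(token: Dict[str, str], key: bytes, issuer: str, audience: str) -> List[Tuple[str, str]]:
    """The relying party's side: check signature, issuer and audience before using any claim."""
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature invalid")
    body = json.loads(token["payload"])
    if body["iss"] != issuer or body["aud"] != audience:
        raise ValueError("token not issued by the expected STS for this application")
    return [tuple(c) for c in body["claims"]]

def setup() -> Tuple[SecurityTokenService, RelyingParty]:
    sts = SecurityTokenService("sts.corp.example", b"constructed-demo-key", "ad.corp.example")
    expenses = RelyingParty(
        name="expenses-app",
        accepted_claim_types=frozenset({"name", "email", "role"}),
        trusted_issuers=frozenset({"ad.corp.example"}),  # partner.example deliberately absent
        rules=[pass_through("displayName", "name", sts.name),
               pass_through("mail", "email", sts.name),
               group_to_role({"CN=Finance,OU=Groups,DC=corp,DC=example": "approver",
                              "CN=Auditors,OU=Groups,DC=corp,DC=example": "auditor"}, sts.name)])
    return sts, expenses

def issue_for_alice() -> List[Tuple[str, str]]:
    sts, rp = setup()
    incoming = sts.claims_from_directory("alice")
    # A group claim from an issuer this app does not trust must not turn into a role.
    incoming.append(Claim("group", "CN=Auditors,OU=Groups,DC=corp,DC=example", "partner.example"))
    return verify_token(sts.issue(rp, incoming), sts.key, sts.name, rp.name)

def tampered_token_rejected() -> bool:
    sts, rp = setup()
    token = sts.issue(rp, sts.claims_from_directory("alice"))
    token["payload"] = token["payload"].replace("approver", "auditor")  # privilege escalation attempt
    try:
        verify_token(token, sts.key, sts.name, rp.name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(issue_for_alice())          # [('email', 'alice@corp.example'), ('name', 'Alice Example'), ('role', 'approver')]
    print(tampered_token_rejected())  # True
```

Three things in the run are worth noticing. The `department` attribute and the `Managers` group never leave the STS, because the application did not ask for a department claim and has no rule mapping that group, so the directory's internal structure stays internal. The `Auditors` claim asserted by `partner.example` is discarded before any rule sees it, because the application's owner chose to trust only the corporate directory; adding `partner.example` to `trusted_issuers` is exactly the delegated trust decision Kwan describes, and it is made per application rather than for the whole forest. And the relying party's only check is signature, issuer and audience; if it skipped that and read the payload directly, the tampered token would have granted the `auditor` role.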

Kwan said users could start to explore his vision using the current version of Active Directory Federation Services along with the .NET 3.0 technologies Windows CardSpace and Windows Communication Foundation.

A new version of ADFS, slated to ship after Longhorn Server, will add a set of .NET APIs to help customers build tools that examine and act on the claims end users present.

Kwan said the Identity Metasystem model would eventually provide even more capabilities, including role-based access control, the combination of roles and business processes, new claim types such as location, and more advanced authorization capabilities.

But he said the beauty of it all is that it builds on the directory infrastructure many companies have been rolling out and perfecting for years.

"This is not about throwing anything out," Kwan said.
