Microsoft: Active Directory's future is identity

Active Directory would become standard corporate access mechanism

Microsoft on Tuesday laid out a vision for Active Directory in which it will take on a major role in pushing out user identity data to applications and securing collaboration between users.

"We are moving from being a directory provider to an identity provider," said Stuart Kwan, director of program management for identity and access at Microsoft, during the second day keynote at the annual NetPro Directory Experts Conference.

He said the benefit for corporate users would be a standard user access mechanism that would benefit application development and access management, and would allow companies to extend their identity systems more easily.

Kwan concluded that Active Directory was so close to fulfilling its original goals as a trusted directory service for corporate users that it was time to look ahead and envision the next set of challenges.

The new challenges, Kwan said, will put the directory in a key role in Microsoft's Identity Metasystem, a model for distributed identity architecture. Coupled with an emerging technology called Security Token Service (STS), which handles the exchange of identity data, Microsoft envisions an architecture that pushes identity data out to applications that know how to interpret and act upon that data.

Today, applications typically pull user access data from the directory to determine a user's access rights. The push model not only affords network efficiencies but more easily ties identity and application development, puts less stress on the directory, provides more flexibility in defining a user and their rights and gives the ability to federate identity with those outside the corporate network.

Kwan said the push mechanism would be similar to the way group membership data for a user is automatically included in today's Kerberos authentication process.

In the future, identity data coming from the directory would be transformed by the STS gateway into a properly formatted "claim" or a set of claims about the user and his access rights.

"Claims transformation is the logic that takes incoming data about people in the organization and turns it into claims that are needed by the application," said Kwan.

He said the relationship between the directory and the STS means the application knows in advance the kind of data it will be getting, and that means claims can come from inside or outside the organization.

"Now the application knows the claim sets and knows the claims and can be prepared when those claims interact with it," said Kwan.
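To make the claims transformation idea concrete, here is a small added illustration (not Microsoft's code and not an ADFS API): directory attributes and group memberships are mapped by hypothetical rules into claims, and only the claim types the relying party registered for in advance are issued to it. The user record, rule tables and relying-party identifier are all constructed for the example.

```python
# Constructed sample: the attributes a directory might return for one user.
DIRECTORY_USER = {
    "sAMAccountName": "jsmith",
    "mail": "jsmith@example.invalid",
    "department": "Finance",
    "memberOf": [
        "CN=Finance-Approvers,OU=Groups,DC=example,DC=invalid",
        "CN=Domain Users,CN=Users,DC=example,DC=invalid",
        "CN=VPN-Users,OU=Groups,DC=example,DC=invalid",
    ],
}

# Hypothetical transformation rules: which directory value becomes which claim.
GROUP_TO_ROLE = {
    "CN=Finance-Approvers,OU=Groups,DC=example,DC=invalid": "approver",
    "CN=VPN-Users,OU=Groups,DC=example,DC=invalid": "vpn",
}
ATTRIBUTE_TO_CLAIM = {"sAMAccountName": "name", "mail": "email", "department": "department"}

# Each relying party registers the claim types it accepts, so the STS knows in
# advance what to issue and releases nothing beyond that set.
RELYING_PARTIES = {
    "urn:example:expense-app": {"name", "email", "role"},
}


def transform_claims(user, group_to_role=GROUP_TO_ROLE, attr_to_claim=ATTRIBUTE_TO_CLAIM):
    """Turn raw directory attributes into (claim_type, value) pairs."""
    claims = []
    for attr, claim_type in attr_to_claim.items():
        if attr in user:
            claims.append((claim_type, user[attr]))
    for dn in user.get("memberOf", []):
        role = group_to_role.get(dn)  # groups with no rule yield no claim at all
        if role:
            claims.append(("role", role))
    return claims


def issue_for(relying_party, user):
    """Filter transformed claims down to the set this relying party registered for."""
    wanted = RELYING_PARTIES.get(relying_party)
    if wanted is None:
        raise ValueError(f"unknown relying party {relying_party!r}")
    return sorted(c for c in transform_claims(user) if c[0] in wanted)


if __name__ == "__main__":
    for claim_type, value in issue_for("urn:example:expense-app", DIRECTORY_USER):
        print(f"{claim_type}: {value}")
```

Note that the department attribute and the Domain Users membership never reach the application: the first because the app did not register for it, the second because no rule maps that group to a claim.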

Then Kwan took his vision even further, saying IT could delegate to leaders in corporate business units the decision on which claims they would trust, including those coming from outside the organization.

"Knowledge workers would control the trusts and be held accountable," he said. The delegated model would allow for all sorts of new ways to securely collaborate on documents, he said.

Kwan said users could start to explore his vision using the current version of Active Directory Federation Services along with the .Net 3.0 technologies Windows CardSpace and Windows Communication Foundation.

A new version of ADFS, slated to ship after Longhorn Server, will add a new set of .Net APIs that will help users build tools to better examine claims coming from end-users.

Kwan said the Identity Metasystem model would eventually provide even more capabilities including role-based access control, the combination of roles and business processes, the ability for new claims such as location, and even more advanced authorization capabilities.

But he said the beauty of it all is that it builds on the directory infrastructure many companies have been rolling out and perfecting for years.

"This is not about throwing anything out," Kwan said.
