Microsoft: Active Directory's future is identity

Active Directory would become standard corporate access mechanism

Microsoft on Tuesday laid out a vision for Active Directory in which it will take on a major role in pushing out user identity data to applications and securing collaboration between users.

"We are moving from being a directory provider to an identity provider," said Stuart Kwan, director of program management for identity and access at Microsoft, during the second day keynote at the annual NetPro Directory Experts Conference.

He said the benefit for corporate users would be a standard user access mechanism that would benefit application development, access management and allow companies to more easily spread their identity systems.

Kwan concluded that Active Directory was so close to fulfilling its original goals as a trusted directory service for corporate users that it was time to look ahead and envision the next set of challenges.

The new challenges, Kwan said, will put the directory in a key role in Microsoft's Identity Metasystem, a model for distributed identity architecture. Coupled with an emerging technology called Security Token Service ( STS ), which handles the exchange of identity data, Microsoft envisions an architecture that pushes identity data out to applications that know how to interpret and act upon that data.

Today, applications typically pull user access data from the directory to determine a user's access rights. The push model not only affords network efficiencies but more easily ties identity and application development, puts less stress on the directory, provides more flexibility in defining a user and their rights and gives the ability to federate identity with those outside the corporate network.

Kwan said the push mechanism would be similar to the way group membership data for a user is automatically included in today's Kerberos authentication process.

In the future, identity data coming from the directory would be transformed by the STS gateway into a properly formatted "claim" or a set of claims about the user and his access rights.

"Claims transformation is the logic that takes incoming data about people in the organization and turns it into claims that are needed by the application," said Kwan.

He says the relationship between the directory and the STS means the application knows in advance the kind of data it will be getting. And that means claims can come from inside or outside the organization.

"Now the application knows the claim sets and knows the claims and can be prepared when those claims interact with it," said Kwan.

Then Kwan took his vision even further saying IT could delegate to leaders in corporate business units the claims they would trust, including those coming from outside the organization.

"Knowledge workers would control the trusts and be held accountable," he said. The delegated model would allow for all sorts of new ways to securely collaborate on documents, he said.

Kwan said users could start to explore his vision using the current version of Active Directory Federation Services along with .Net 3.0 technologies Windows CardSpace and Windows Communication Foundation.

A new version of ADFS, slated to ship after Longhorn Server, will add a new set of .Net APIs that will help users build tools to better examine claims coming from end-users.

Kwan said the Identity Metasystem model would eventually provide even more capabilities including role-based access control, the combination of roles and business processes, the ability for new claims such as location, and even more advanced authorization capabilities.

But he said the beauty of it all is that it builds on the directory infrastructure many companies have been rolling out and perfecting for years.

"This is not about throwing anything out," Kwan said.