Making Good on the Promise of IdMaaS

21.06.2012 by Craig Burton

As a follow up to Microsoft’s announcement of IdMaaS, the company announced the — to be soon delivered — developer preview for Windows Azure Active Directory (WAAD). As John Shewchuk puts it:

The developer preview, which will be available soon, builds on capabilities that Windows Azure Active Directory is already providing to customers. These include support for integration with consumer-oriented Internet identity providers such as Google and Facebook, and the ability to support Active Directory in deployments that span the cloud and enterprise through synchronization technology.

Together, the existing and new capabilities mean a developer can easily create applications that offer an experience that is connected with other directory-integrated applications. Users get SSO across third-party and Microsoft applications, and information such as organizational contacts, groups, and roles is shared across the applications. From an administrative perspective, Windows Azure Active Directory provides a foundation to manage the life cycle of identities and policy across applications.

In the Windows Azure Active Directory developer preview, we added a new way for applications to easily connect to the directory through the use of REST/HTTP interfaces.

An authorized application can operate on information in Windows Azure Active Directory through a URL such as:‘’)

Such a URL provides direct access to objects in the directory. For example, an HTTP GET to this URL will provide the following JSON response (abbreviated for readability):

{ “d”:  {
 "Manager": { "uri":"'User...')/Manager" },
 "MemberOf": { "uri":"'User...')/MemberOf" },
 "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
 "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
 "ObjectType": "User",
 "AccountEnabled": true,
 "DisplayName": "Ed Blanton",
 "GivenName": "Ed",
 "Surname": "Blanton",
 "JobTitle": "Vice President",
 "Department": "Operations",
 "TelephoneNumber": "4258828080",
 "Mobile": "2069417891",
 "StreetAddress": "One Main Street",
 "PhysicalDeliveryOfficeName": "Building 2",
 "City": "Redmond",
 "State": "WA",
 "Country": "US",
 "PostalCode": "98007" } 

Having a shared directory that enables this integration provides many benefits to developers, administrators, and users. If an application integrates with a shared directory just once—for one corporate customer, for example—in most respects no additional work needs to be done to have that integration apply to other organizations that use Windows Azure Active Directory. For an independent software vendor (ISV), this is a big change from the situation where each time a new customer acquires an application a custom integration needs to be done with the customer’s directory. With the addition of Facebook, Google, and the Microsoft account services, that one integration potentially brings a billion or more identities into the mix. The increase in the scope of applicability is profound. (Highlighting is mine).

Now that’s What I’m Talking About

There is still a lot to consider in what an IdMaaS system should actually do, but my position is that just the little bit of code reference shown here is a huge leap for usability and simplicity for all of us. I am very encouraged. This would be a major indicator that Microsoft is on the right leadership track to not only providing a specification for an industry design for IdMaaS, but also is on well on its way to delivering a product that will show us all how this is supposed to work.


The article goes on to make commitments on support for OAuth, Open ID Connect, and SAML/P. No mention of JSON Path support but I will get back to you about that. My guess is that if Microsoft is supporting JSON, JSON Path is also going to be supported. Otherwise it just wouldn’t make sense.

JSON and JSON Path

The API Economy is being fueled by the huge trend of accessibility of organization’s core competence through APIs. Almost all of the API development occurring in this trend are based of a RESTful API design with data being encoded in JSON (JavaScript Object Notation).  While JSON is not a new specification by any means, it is only in the last 5 years that JSON has emerged as the preferred — in lieu of XML — data format. We see this trend only becoming stronger.

JSON Path is to JSON what XPath is to XML. The following table shows a simple comparison between XPath and JSONPath.






the root object/element


the current object/element

. or [ ]

child operator


parent operator


recursive descent




attribute access. JSON structures don’t have attributes
[ ]

[ ]

subscript operator. XPath uses it to iterate over element collections and predicates. For JSON it is the native array operator.



Union operator in XPath results in a combination of node sets. JSONPath allows alternate names or array indices as a set.


[start:end:step] array slice operator

[ ]


applies a filter (script) expression
n/a () script expression
() n/a grouping in XPath


As an industry, we are completely underwater in getting our arms around a workable — distributed and multi-centered identity management metasystem — that can even come close to addressing the issues that are already upon us. This includes the Consumerization of IT and its subsequent Identity explosion. Let alone the rise of the API Economy. No other vendor has come close to articulating a vision that can get us out of the predicament we are already in. There is no turning back.

Because of the lack leadership (the crew that killed off Information Cards)  in the past at Microsoft about its future in Identity Management, I had completely written Microsoft off as being relevant. I would have never expected Microsoft to gain its footing, do an about face, and head in the right direction. Clearly the new leadership has a vision that is ambitious and in alignment with what is needed. Shifting with this much spot on thinking in the time frame we are talking about (a little over 18 months) is tantamount to turning an aircraft carrier 180 degrees in a swimming pool.

I am stunned, pleased and can’t wait to see what happens next.

Reference Links

Identity Management as a Service — Original blog post by Kim Cameron

Reimagining Active Directory for the Social Enterprise (Part 1) — John Shewchuk’s post about Windows Azure Directory

Microsoft is Finally Being Relevant — My response to the announcement of IdMaaS

Reimagining Active Directory for the Social Enterprise (Part 2) — Shewchuk’s follow up post

The API Economy — KuppingerCole publication

Freedom of Choice != Your Choice of Captor

10.06.2012 by Craig Burton

Earlier this week I posted a first-look analysis of Microsoft’s Cloud-based Identity Metasystem (IDMaaS).In that analysis I stated:

Microsoft is not only doing something innovative — but profoundly innovative.

On June 7, Nishant Kaushik (Chief Architect at Identropy) wrote on his blog (How Do Governance Controls fit into IDMaaS?):

I’ll be honest, I’m having a little trouble seeing what is so innovative about WAAD itself. How is the fact that becoming an Office 365 customer automatically gives you an AD in the cloud that you can build/attach other Azure applications to that differentfrom Oracle saying that deploying a Fusion Application will include an OUD based identity store that the enterprise can also use for other applications?

I’m not going to address the question about governance controls as I think Dave Kearns — my colleague at KuppingerCole — addressed this matter nicely already.

Why is Microsoft’s Vision of IDMaaS so Profoundly Innovative?

Nishant must not have read my post very carefully. In my explanation of why Microsoft’s vision for IDMaaS is so profound, he failed to notice that I never once mentioned WAAD (Windows Azure Active Directory) or Office 365. There is a reason for that. I am not applauding Microsoft’s — or any other vendor’s — implementation of IDMaaS.

What is so profound about this announcement is that Microsoft is following Kim Cameron’s directives for building a Common Identity Framework for the planet, not just for a vendor.

In 2009 Kim Cameron, Reinhard Posch and Kai Rannenberg wrote Proposal for a Common Identity Framework: A User-Centric Identity Metasystem.

In section 5.4 of that document, the authors spell out the requirement for customer Freedom of Choice.

Freedom of Choice

Freedom of choice for both users and relying parties refers to choice of service operators they may wish to use as well as to the interoperability of the respective systems.

This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece. I posit that the Microsoft vision is so profound because it is built on a definition of Freedom of Choice that fits the above description and not where the customer is free to choose a particular captor.

And so I state again:

Freedom of Choice != Your Choice of Captor

Microsoft’s vision has changed the playing field. Any vendor building IDMaaS that is not meeting the Freedom of Choice requirements defined here is no longer in the game. That is profoundly innovative because this is truly a vision that benefits everyone — but mostly the customer.

LinkedIn Hacked—More Reason for IdM in the Cloud

07.06.2012 by Craig Burton

On June 6, 2012 LinkedIn was hacked and user accounts — names and passwords — were compromised.


Follow LinkedIn’s advice on addressing the matter.

There are just two things I want to say about this.

1. Service Providers should build hardened systems up-front

Any service provider that has a security architecture that stores names and passwords on a server somewhere has an unacceptable system design.

There is simply NO excuse for letting this happen — EVER.

LinkedIn management is acting like hashing and salting passwords is some new thing that they are all over as a result of the compromise.

This is silly, hashing and salting should have happened in the first place, not as an afterthought.

2. One More Reason for IDMaaS

If LinkedIn was using IDMaaS for its Identity Management instead of its own “yet-another-funky-id-system” — it would not be standing knee deep in PR feces with egg on its face.

This is because the designers of IDMaaS services are specialized in Identity and security. That is all they do. No social connecting, no email or friending. Just managing Identity in the cloud.

Specialized core services for all of your systems design in the cloud fits in with best practices of good systems design. It is just too expensive and hard for every company to have the required expertise to design hardened systems in today’s IT environment.


The sooner we can start building on an Identity Metasystem design, the better.

Even scarier than LinkedIn being hacked — you can almost guarantee that many other cloud-based services you are using have a similar “yet-another-funky-id-system” design for IdM.

Scarier still — these systems probably won’t get fixed until they are compromised.

What I would like to see First from IDMaaS

06.06.2012 by Craig Burton


Kim Cameron and John Shewchuk jointly rolled out Microsoft’s vision of Identity Management (IDMaaS) as a Service and then Microsoft’s implementation of that vision as Windows Azure Active Directory (WAAD). I posted first impressions. Kim Cameron responded.

This morning over coffee I was gesturing through Zite — the iPhone and iPad personal publishing review app. There was my blog post in the headlines.
I realize that Zite personalizes the headlines so probably no one else saw that, but that seemed pretty cool.


Anyway, it got me to thinking what kind of things I would like to have access to in WAAD to see if it is going to work and meet some of the tough requirements.

Keeping it simple, here is what I came up with.

Give me Devices and Device Management in the Cloud

Give me a way to put my devices into the cloud and get events from them, manage them, and allow other apps and systems to manage them.

One way to do the whole thing would be to use the Windows Management Instrumentation design and Apples System Profiler.

Both systems are kind of old and have a legacy of issues around them. But that is perhaps the whole point. Make the legacy management namespaces work. Why reinvent them? Just use the moment to fix the inherent problems and move forward. We need a schema for known devices. No sense in creating a new one. Use the namespace we have; despite its complexities and detractors.

Built in to Windows is a management instrumentation framework. It’s called Windows Management Instrumentation. It’s a cool design but old and hard to get to—the rigorous but complicated Common Information Model and SOAP—both keep accessing WMI relatively hard.

The Apple System Profiler is also relatively complicated requires the use of Apples IOKit.

So here it is—give me device registration and management with a RESTful interface and JSON data format.

Here is on step better, when devices raise events, use the evented-api architecture — or an equivalent — and post them to a webhook so other apps can take independent action on the event.

Why Device Management in the cloud would be Cool

The identity explosion is upon us. Cisco recently published a report covered by Network World that predicts there will be 3 times as many devices as people by 2016 (18.9 billion) — I predict this number is conservative. Let’s see if we can securely put the management and profiling identifiers in the cloud, protect privacy, and enable access.

This way we keep things simple and we don’t have to start with people identifiers which tend to get people all worked up. People can readily start to see why device identifiers and claims in the cloud are useful. Other developers can throw in their management expertise and quit spending so much time building identity infrastructure for protection — after all, doing more with less resources is one of the core purposes of IDMaaS.

Do you have a better idea or any request about WAAD? Let me know and I will post it and see how Microsoft responds.

Microsoft is Finally Being Relevant

05.06.2012 by Craig Burton

Surprise surprise. For the last few years it looked as if the battling business units and power struggles within Microsoft had all but rendered the company incapable of doing anything innovative or relevant. But clearly something has happened to change this lack of leadership and apparent stumbling in the dark. Microsoft is not only doing something innovative — but profoundly innovative.

In a dual post by Microsoft’s John Shewchuk and Kim Cameron, the announcement was made about what Kim Cameron alluded to at the KuppingerCole EIC in April — Identity Management as a Service (IDMaaS). This is not trivial, and does not suck. It ROCKS.

Why is Identity Management as a Service a Big Deal

From a technical perspective, the place where innovation really makes a difference is the place where the rubber meets the road — infrastructure. Infrastructure is not only fundamental—as it provides the technical framework and underpinning to support big change — but infrastructure is hard.

It’s also hard to get funded and hard to sell both outside and inside of companies that make infrastructure.

This is because there is little possibility of showing a direct ROI in core infrastructure investment. It takes vision and guts to invest in infrastructure.

Nobody wants to buy identity infrastructure. In fact no one should have to pay for identity infrastructure. It should be ubiquitous, work, and be free to everyone and controlled by no one. Infrastructure at this level is as fundamental as air. You don’t think about it, you don’t buy it; you just breathe it in and out and get on with the details.

Metaphorically, when it comes to the maturity of identity infrastructure today—we are all sucking on thin air from teeny tubes of infrastructure veneer connected to identity silos (Facebook Connect, Twitter, Federated Identity and so on.)

It’s much like the other core suite of protocols of the Internet — like TCP/IP. TCP/IP is free as far as a piece of software goes. No one ever pays for the transport anymore.

So should be the protocols and infrastructure for doing Identity Management.  With this announcement Microsoft is showing that it understands Identity Infrastructure is fundamental to everything in the hybrid world of social-mobile-cloud networking that we are stumbling towards.

Further, Microsoft is making it clear it understands that the current identity provider-centric world we live in now is broken and simply will not work for the future. Significant movement forward from this wretched state requires massive change — which is what Microsoft is proposing.

From a political and business perspective, Kim Cameron’s vision of a ubiquitous Identity Metasystem has somehow prevailed inside Microsoft and is starting to emerge. This is a big deal. Finally a company with lots of talent that has been wallowing from lack of leadership has stepped up and put a stake in the ground about Identity. Bravo!

Everybody else of significance that could be doing something significant with identity infrastructure — Google, Facebook, and Amazon for starters — are trapped in their current business models of trafficking your identity for short term profit. For each of them, the little piece they hold captive of your identity is the product by which they are making money. This is both short sighted and unsustainable.

Microsoft’s plan is much grander. Invest in the hard stuff, solve the really tough identity infrastructure problems across the board—simple, private, and scalable. By taking this high road, Microsoft is betting it can take the leadership role by increasing the size of the pie for other SaaS services and apps that organizations and individuals want and are willing to pay for. Much more visionary that continuing to fight over whatever crumb you can get based on the current broken model.

If Microsoft is allowed to pull this off, it is a good thing.

Read the rest of this entry »

© 2014 Craig Burton, KuppingerCole