More on “Geneva” and the Identity Metasystem

12.11.2008 by Felix Gaehtgens

One and a half weeks ago I was speaking in our Webinar about the Identity Metasystem and Microsoft’s implementation of it (codename “Geneva”). The news was still very fresh – I had just been to Microsoft’s Professional Developer’s Conference and scrambled to get the presentation together. We had almost 100 participants, and many questions were being asked. I slightly overshot the one hour reserved for my Webinar, but even after 70 minutes, the majority of the participants were still online. I then started answering some more questions, but there were still too many of them. If you missed the webinar from last week: it is available here.

Tomorrow, the 13th of November, we’re hosting another webinar on the topic, at 10 AM PST/1 PM EST/7 PM CET. I will do this one a bit differently, and allocate at least half of the time for questions.

Some of the questions we had last time were:

This seems ok for Consumers, is it relevant for large enterprises?

Absolutely. The Identity Metasystem has several parts; some of them are more relevant for enterprises and others more relevant to consumers. The parts of the Identity Metasystem that are most relevant to enterprises are the concepts around claims, trust agreements, security token services, and of course WS-*. In “Geneva”, the components would be the Framework and the Server.

What about using Claims on non-Microsoft platforms?

An excellent question, and one that definitely warrants a longer explanation than this one here. I am definitely going to talk about this topic some more tomorrow. Microsoft has now with “Geneva” released the first full implementation of the Identity Metasystem. There is no such complete implementation available for Java or for other non-Microsoft systems, but many parts of it already exist on other systems too.

Let me step back for a minute and state that the “Identity Metasystem” is a “system of systems” – it’s a methodology, and uses many building blocks, such as SAML security tokens, WS-* and public key infrastructure. Many, if not most of these building blocks already exist on other systems. Major vendors such as Oracle, Sun and others offer interoperability with the Identity Metasystem, and some aspects of a development framework (albeit proprietary at this point) in their access management products.

Would you include “Geneva” in an Identity Management architecture today?

I would most definitely plan for it in an architecture, and especially make developers aware of the framework. Keep in mind that “Geneva” is still in beta, and the final release will only be next year. But that doesn’t mean that one should hold off including it in the plans and preparing for it. In fact, for those who really don’t want to wait, Microsoft has a “Technology Adoption Program” that will support users that want to adopt the technology now. Microsoft’s “Geneva” implementation of the Identity Metasystem is all about managing identity in an easier and safer way. That will be important in the long run not just for cost savings, but also as one of the key elements in the transition of IT departments from a cost centre to a strategic asset. Does the last sentence sound like just another pompous example of lofty analyst-speak? ;-) Think again. The costs of handling identity in today’s enterprise environments are significant. It reminds me of the mid eighties, when most office software (Wordstar, Lotus 1-2-3, and even Microsoft Word in its first incarnations as an MS-DOS program) was shipped with one or two floppy disks full of printer drivers. That’s right – different native printer drivers for each program! How much time was invested by every software vendor to enable the same thing (printing) all over again? How much time was saved when operating systems such as MacOS and Windows (and probably others) implemented a “printing framework” that could just be harnessed by whatever programmer wrote applications for that operating system? The identity metasystem is an important piece in the puzzle to make IT easier and more agile. So I couldn’t think of any reasons not to consider the Identity Metasystem, and “Geneva” on a Windows environment. This is all standards-based, interoperable and open!

What is the timeline for “Geneva”?

According to Microsoft, the RTM (final release) will be available in the second half of 2009.

What protocols does “Geneva” use? WS-Trust and SAML 2.0? If both protocols are possible, is claim transformation between those protocols possible?

The current beta release of “Geneva” supports SAML 2.0, but apparently there are some current limitations in the beta that will soon be overcome. I need to confirm this, but as far as I remember from PDC, the current beta of “Geneva” Server will work as a SAML 2 IdP (Identity Provider), but not yet as an SP (Service Provider) – again, this is just a temporary limitation in the beta and should be resolved soon. Claims transformation is one of the key points of “Geneva” Server, and yes – the transformation between the protocols is definitely one of the uses foreseen.

What about compatibility of Zermatt now, and “Geneva” framework in the future?

A difficult question to answer. Officially, “Geneva” framework is still in beta. “Zermatt” was released several months ago, so it had even matured a bit before “Geneva” was released. This is the first Geneva beta, not yet architecturally or functionally complete, and Microsoft is seeking directional feedback. Microsoft invites developers, architects and other interested parties to learn about the software, experiment in labs, and send feedback. Having said this, from a protocol standpoint there will be compatibility, since the protocols are mature. There may of course be some evolution in the “Geneva” framework that may be backward incompatible. My personal guess is that if at all, they’d be minor. However, I think it is likely that the framework will incorporate new functionality. Then again I have no crystal ball, and even if I had, I wouldn’t know how to use it :-)

DEC 2008 – Day two

11.03.2008 by Felix Gaehtgens

TUESDAY, March 4th. Chicago, back to freezing temperatures.

Microsoft’s Stuart Kwan kicked off the second day with his keynote address, where he spoke about an “identity bus” where off-the-shelf applications can plug in for all their authentication and access control needs. It was exciting to hear this from Microsoft. The concept is actually not even that new – Phil Windley wrote about this in his book “Digital Identity”. But it’s great to see that Microsoft seems fully committed to (several selected) open standards (most of them likely to start with the letters W and S) and interoperability, and assuming that this stays that way, I agree with Stuart that “it does not seem as far off as you might think”. His vision is that claims, or “assertions” in SAML-speak, are the core of identity data within the bus that can be transformed into different formats depending on application needs. Somehow I had a quick excursion down memory lane during the end of the presentation, to a place in time a few years ago when I was briefly involved in a project for a large service provider who had deployed two web application environments. One of them was called the “Microsoft Environment” and the other one was called the “Open Environment”. I remember that they had quite a challenge getting identity management to work across both environments at that time. So in future, that unnamed company will just have one “Open Environment” that includes all the Microsoft web applications as well. :-)

Later on in the exhibition area I took a closer look at the latest virtual directory server product that had just been announced a day previously by a company called “Optimal IDM”. I was given a comprehensive tour by chief software architect Nada Dickerson, who graciously let me monopolise her for an extended period (I couldn’t help it; coming from the virtual directory space, this really piqued my interest). Optimal IDM has deployed identity management solutions over several years and has run into the same types of issues over and over again, which led them to develop their virtual directory product. The product is specialised to handle three specific “modes”. The first mode is called “Union Mode” and aggregates unique entries from multiple containers into a virtual consolidated view. The other two modes are variants of this, and add join rules. Object Precedence Mode can be used to specify which back-end has precedence when the same object exists in multiple back-ends. Attribute Precedence Mode can additionally join attributes from the same object in multiple back-ends, so that the returned object contains data from all objects of the same name. This is essentially the “shadow joiner” or “data augmentation” feature found in competing products. Optimal IDM has developed their virtual directory product entirely with .NET technology and believes this to be a competitive advantage over other virtual directories.
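To make the three join modes concrete, here is an added toy model of them in Python. It is example code written for this page, not Optimal IDM’s product or any of its APIs; the backend names, object names and attributes are constructed, and the decision to report name collisions in pure Union Mode as conflicts (rather than merging them) is this example’s own assumption.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, str]          # attribute name -> value
Backend = Dict[str, Entry]      # object name (e.g. an RDN) -> entry

# Constructed sample back-ends for illustration only. "alice" exists in both,
# with one conflicting attribute (mail) and attributes unique to each side.
HR: Backend = {
    "alice": {"cn": "Alice Example", "mail": "alice@hr.example", "department": "Finance"},
    "bob":   {"cn": "Bob Example",   "mail": "bob@hr.example"},
}
AD: Backend = {
    "alice": {"cn": "Alice Example", "mail": "alice@corp.example", "sAMAccountName": "alice"},
    "carol": {"cn": "Carol Example", "sAMAccountName": "carol"},
}


def union_mode(backends: List[Backend]) -> Tuple[Dict[str, Entry], List[str]]:
    """Union Mode: a consolidated view of the entries that are unique across back-ends.

    There is no join rule in this mode, so a name that occurs in more than one
    back-end is ambiguous; this example returns such names as conflicts instead
    of guessing (assumption of the example, not product behaviour).
    """
    where: Dict[str, List[int]] = {}
    for i, backend in enumerate(backends):
        for name in backend:
            where.setdefault(name, []).append(i)
    view = {name: dict(backends[idx[0]][name])
            for name, idx in where.items() if len(idx) == 1}
    conflicts = sorted(name for name, idx in where.items() if len(idx) > 1)
    return view, conflicts


def object_precedence_mode(backends: List[Backend]) -> Dict[str, Entry]:
    """Object Precedence Mode: back-ends are given in precedence order.

    The first back-end holding a given object supplies the whole entry; copies
    of the same object in lower-ranked back-ends are ignored entirely.
    """
    view: Dict[str, Entry] = {}
    for backend in backends:
        for name, attrs in backend.items():
            if name not in view:
                view[name] = dict(attrs)
    return view


def attribute_precedence_mode(backends: List[Backend]) -> Dict[str, Entry]:
    """Attribute Precedence Mode: same precedence order, but same-named objects
    are joined attribute by attribute.

    On an attribute conflict the higher-ranked back-end wins; attributes absent
    there are filled in from lower-ranked back-ends (the "data augmentation" case).
    """
    view: Dict[str, Entry] = {}
    for backend in backends:
        for name, attrs in backend.items():
            merged = view.setdefault(name, {})
            for attr, value in attrs.items():
                merged.setdefault(attr, value)   # first (highest-ranked) value sticks
    return view


if __name__ == "__main__":
    view, conflicts = union_mode([HR, AD])
    print("union:", sorted(view), "conflicts:", conflicts)
    print("object precedence (AD first):", object_precedence_mode([AD, HR])["alice"])
    print("attribute precedence (AD first):", attribute_precedence_mode([AD, HR])["alice"])
```

One thing the model makes visible: in Attribute Precedence Mode a lower-ranked back-end can contribute attributes that the authoritative back-end never set (here, HR adds `department` to the AD entry). If consuming applications make authorisation decisions on augmented attributes, the join rules need to restrict which attributes each back-end is allowed to supply, otherwise the least trusted source silently becomes authoritative for anything the primary source leaves blank.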

Even before the conference, I had already earmarked the slot at 11 AM for Pamela Dingle’s presentation entitled “Hanging Out in the CardSpace Kitchen”. I hadn’t met Pamela before, but read some of her excellent material on the subject. It turned out exactly as I had hoped – an excellent, educational and lively presentation from *the* authority on CardSpace (apart from Microsoft’s Kim Cameron, of course). She also made the connection clear between Microsoft’s implementation, Project Bandit and Project Higgins. Microsoft’s Brian Puhl chimed in at the end to give an excellent scenario on how CardSpace can be used to work around some tricky legal issues in federated environments.

I remembered Dave Kearns mentioning in one of his posts from way back when that, when Pamela Dingle presented on CardSpace at one of the Digital ID World conferences, she had Microsoft employees clamoring to ask questions. Well, they didn’t this time, but I certainly did. I met Pamela again that night in Centrify’s hospitality suite at a virtual bowling tournament on a Wii. Both Pamela and I were new to the Wii and immediately noticed that it even offers its own variety of “InfoCards” in the way of avatars (pictures) of the participants that our host configured for us. :-)

Another highlight was the BoF (birds of a feather session) on ADFS that I attended. Stuart Kwan and Brian Puhl were there as well, and shared some interesting details on why we actually need to use claims and can’t just stick additional identity information in a Kerberos token instead (some applications would just choke on that), and threw around some ideas on how home realm discovery could be used in an environment where multiple federation protocols are used. Then suddenly we were all deep into CardSpace again. Stuart also offered a very interesting opinion on how internal security tokens might look in a hypothetical, futuristic Windows version. Unfortunately I had to run out because I had an appointment, but I think the BoF ran well over its allocated time – definitely another DEC highlight.

Against good judgement and to the bewilderment of my bowling buddies at the Centrify hospitality suite, I decided to forgo the invitation to Oxford Computer Group’s party featuring a band called “Hairbanger’s Ball” and instead head off to early retirement for the day. In hindsight this was not the smartest thing to do, because it must have been a real blast, and moreover the particular session in the morning that I wanted to attend was cancelled. Well, I’ll know better next time! :-)

© 2010 Felix Gaehtgens, Kuppinger Cole