DEC 2008 – Day two

11.03.2008 by Felix Gaehtgens

TUESDAY, March 4th. Chicago, back to freezing temperatures.

Microsoft’s Stuart Kwan kicked off the second day with his keynote address, where he spoke about an “identity bus” into which off-the-shelf applications can plug in for all their authentication and access control needs. It was exciting to hear this from Microsoft. The concept is actually not even that new – Phil Windley wrote about this in his book “Digital Identity”. But it’s great to see that Microsoft seems fully committed to (several selected) open standards (most of them likely to start with the letters W and S) and interoperability, and assuming that this stays that way, I agree with Stuart that “it does not seem as far off as you might think”. His vision is that claims, or “assertions” in SAML-speak, are the core of identity data within the bus and can be transformed into different formats depending on application needs. Somehow I had a quick excursion down memory lane during the end of the presentation to a point in time a few years ago when I was briefly involved in a project for a large service provider who had deployed two web application environments. One of them was called the “Microsoft Environment” and the other one was called the “Open Environment”. I remember that they had quite a challenge getting identity management to work across both environments at that time. So in future, that unnamed company will just have one “Open Environment” that includes all the Microsoft web applications as well. :-)

Later on in the exhibition area I took a closer look at the latest virtual directory server product that had just been announced a day previously by a company called “Optimal IDM”. I was given a comprehensive tour by chief software architect Nada Dickerson, who graciously let me monopolise her for an extended period (I couldn’t help it; coming from the virtual directory space, this really piqued my interest). Optimal IDM has deployed identity management solutions over several years and has run into the same types of issues over and over again, which led them to develop their virtual directory product. The product is specialised to handle three specific “modes”. The first mode is called “Union Mode” and aggregates unique entries from multiple containers into a virtual consolidated view. The other two modes are variants of this, and add join rules. Object Precedence Mode can be used to specify which back-end has precedence when the same object exists in multiple back-ends. Attribute Precedence Mode can additionally join attributes from the same object in multiple back-ends so that the returned object contains data from all objects of the same name. This is essentially the “shadow joiner” or “data augmentation” feature found in competing products. Optimal IDM has developed their virtual directory product entirely with .NET technology and believes this to be a competitive advantage over other virtual directories.
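To make the three modes concrete, here is a small toy model of them. This is an added example of my own, not Optimal IDM’s code: the two back-ends and their entries are constructed sample data, and the optional per-back-end attribute allow-list in the attribute-precedence join is my own assumption rather than a documented product feature. I added it because the join is where a virtual directory becomes security-relevant: once a low-precedence source can contribute arbitrary attributes to a joined object, an application that trusts the view for authorisation data (group membership, login shell) is effectively trusting that source too, so restricting what each back-end may contribute is the check a practitioner would want.

```python
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, str]
Backend = Dict[str, Entry]

# Constructed sample back-ends (not real directories). A key such as "cn=alice"
# stands for the object's name, the value for its attributes. "cn=alice" exists
# in both back-ends with partly overlapping attributes.
HR_DIRECTORY: Backend = {
    "cn=alice": {"mail": "alice@corp.example", "department": "Finance"},
    "cn=bob": {"mail": "bob@corp.example", "department": "Engineering"},
}
BADGE_SYSTEM: Backend = {
    "cn=alice": {"badgeId": "A-1001", "department": "FIN"},
    "cn=carol": {"badgeId": "C-1003"},
}


def union_mode(backends: List[Backend]) -> Tuple[Backend, List[str]]:
    """Union Mode: one consolidated view of the entries that are unique across
    all back-ends. Names occurring in more than one back-end have no join rule
    in this mode, so they are kept out of the view and reported separately."""
    seen: Dict[str, int] = {}
    for backend in backends:
        for name in backend:
            seen[name] = seen.get(name, 0) + 1
    view: Backend = {}
    for backend in backends:
        for name, attrs in backend.items():
            if seen[name] == 1:
                view[name] = dict(attrs)
    conflicts = sorted(name for name, count in seen.items() if count > 1)
    return view, conflicts


def object_precedence_mode(backends: List[Backend]) -> Backend:
    """Object Precedence Mode: back-ends are listed highest precedence first.
    When the same object exists in several of them, the whole object from the
    highest-precedence back-end is returned and the other copies are ignored."""
    view: Backend = {}
    for backend in backends:
        for name, attrs in backend.items():
            view.setdefault(name, dict(attrs))   # first (highest) wins
    return view


def attribute_precedence_mode(
    backends: List[Backend],
    allowed_attrs: Optional[List[Optional[Set[str]]]] = None,
) -> Backend:
    """Attribute Precedence Mode: attributes of same-named objects are joined
    across back-ends; for an attribute present in several, the value from the
    highest-precedence back-end wins. allowed_attrs[i] (assumed here) limits
    which attributes back-end i may contribute at all, so a low-precedence
    source cannot add attributes the application might treat as authoritative."""
    view: Backend = {}
    for index, backend in enumerate(backends):
        allowed = allowed_attrs[index] if allowed_attrs else None
        for name, attrs in backend.items():
            merged = view.setdefault(name, {})
            for attr, value in attrs.items():
                if allowed is not None and attr not in allowed:
                    continue                     # attribute not permitted from this source
                merged.setdefault(attr, value)   # earlier back-end keeps precedence
    return view


if __name__ == "__main__":
    sources = [HR_DIRECTORY, BADGE_SYSTEM]
    view, conflicts = union_mode(sources)
    print("union view:", sorted(view), "conflicts:", conflicts)
    print("object precedence:", object_precedence_mode(sources)["cn=alice"])
    print("attribute precedence:", attribute_precedence_mode(sources)["cn=alice"])
    # Badge system first, but only allowed to contribute badgeId:
    restricted = attribute_precedence_mode([BADGE_SYSTEM, HR_DIRECTORY], [{"badgeId"}, None])
    print("restricted join:", restricted["cn=alice"])
```

Run it as-is and the restricted join shows the point: with the badge system placed first in precedence but confined to `badgeId`, “alice” still gets her department from HR rather than the badge system’s “FIN”, whereas without the allow-list the badge system’s value would win.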

Even before the conference, I had already earmarked the slot at 11 AM for Pamela Dingle’s presentation entitled “Hanging Out in the CardSpace Kitchen”. I hadn’t met Pamela before, but had read some of her excellent material on the subject. It turned out exactly as I had hoped – an excellent, educational and lively presentation from *the* authority on CardSpace (apart from Microsoft’s Kim Cameron, of course). She also made the connection clear between Microsoft’s implementation, Project Bandit and Project Higgins. Microsoft’s Brian Puhl chimed in at the end to give an excellent scenario on how CardSpace can be used to work around some tricky legal issues in federated environments.

I remembered Dave Kearns mentioning in one of his posts from way back when that when Pamela Dingle presented on CardSpace at one of the Digital ID World conferences, she had Microsoft employees clamouring to ask questions. Well, they didn’t this time, but I certainly did. I met Pamela again that night in Centrify’s hospitality suite at a virtual bowling tournament on a Wii. Both Pamela and I were new to the Wii and immediately noticed that it even offers its own variety of “InfoCards” in the form of avatars (pictures) of the participants that our host configured for us. :-)

Another highlight was the BoF (birds of a feather session) on ADFS that I attended. Stuart Kwan and Brian Puhl were there as well, and shared some interesting details on why we actually need to use claims and can’t just stick additional identity information into a Kerberos token instead (some applications would just choke on that), and threw around some ideas on how home realm discovery could be used in an environment where multiple federation protocols are in use. Then suddenly we were all deep into CardSpace again. Stuart also offered a very interesting opinion on how internal security tokens might look in a hypothetical, futuristic Windows version. Unfortunately I had to run out because I had an appointment, but I think the BoF ran well over its allocated time – definitely another DEC highlight.

Against good judgement and to the bewilderment of my bowling buddies at the Centrify hospitality suite, I decided to forgo the invitation to Oxford Computer Group’s party featuring a band called “Hairbanger’s Ball” and instead head off to early retirement for the day. In hindsight this was not the smartest thing to do, because it must have been a real blast, and on top of that the particular session in the morning that I wanted to attend was cancelled. Well, I’ll know better next time! :-)

DEC 2008 – Day one

11.03.2008 by Felix Gaehtgens

MONDAY, March 3rd, Chicago (surprisingly warm).

I’ve already reported from the pre-conference workshop last Sunday, which gave a very good introduction to Identity Lifecycle Manager 2 and Certificate Lifecycle Manager. Microsoft’s Joe Long kicked off DEC 2008 with his keynote session presenting Microsoft’s vision on Identity Management, and how Active Directory will evolve to meet those needs in the future. Apart from being a good summary of what I had already heard a day before, it highlighted Active Directory being at the centre of Microsoft’s Identity Management ecosystem, surrounded by four cornerstones: Identity Lifecycle Management (ILM), strong authentication (i.e. smart cards and CLM), data protection (Rights Management) and federation (ADFS). The idea is certainly going in the right direction. It is certain, however, that Microsoft leaves many opportunities to be filled by partners that can harness the framework and complement it by filling in the gaps. No surprise, of course, that some of these partners were present at DEC, showing off their latest wares.

As expected, many of the sponsors used the opportunity at DEC to announce availability of new products and releases. Netpro, the organisers of the event, went even further and “pre-announced” (announced that they will announce?) an upcoming new release of its ChangeAuditor product, a leader in the Windows auditing space. The upcoming 4.5 release is to feature a new SQL Server module and comprehensive Exchange auditing, including permission change and non-owner mailbox alerting. As companies in this space continuously strive to catch up with the ever-increasing demands of audits, this helps Netpro maintain a competitive edge, as was explained to me by Brad Hibbert, who kindly took the time to brief me on Netpro’s plans. Brad also mentioned that Netpro will release a free tool built on top of Netpro’s SOA architecture that will integrate with and extend the native Users and Computers interface. According to Brad, this AD Management tool will add business rules, workflow, and task automation to the ADUC interface. It will help tighten security and instil better IdM practices into AD management, without requiring people to change how they manage AD today. The first release is planned to ship in May. Later this year a subsequent release will also provide a web console for AD management with these same capabilities.

Netpro is also planning a script management solution in Q3. This will allow organisations to integrate their custom scripts and batch jobs into a management console that will provide distribution, scheduling, security delegation, auditing and performance statistics. Over time Netpro will also publish its SDK so that other vendors and integrators will be able to extend the architecture and snap in additional management tools and utilities. This will make it much easier for many organisations to manage custom tools, scripts and batch jobs written for the purpose of administering and automating the identity management infrastructure, and it definitely tickled my interest. I shall be following up with Brad and sharing some further insight.

I’ve also taken a closer look at Centrify, after my colleague Martin told me to check them out, and he was right: I was positively impressed after talking to David McNeely, Centrify’s director of product management. He told me how Centrify’s DirectControl product seamlessly integrates Unix, Linux, Mac, Java and web platforms with Microsoft Active Directory. The product goes so far as to extend group policy objects onto those other platforms and allow for delegated administration. Another feature is zoning, which is used for two things: identity mapping from AD to the target system (so that my account “felix” in AD could, for example, be mapped to my Linux account “felixg” on the Linux development system, and to my account “fga” on the production Solaris servers), and managing granular access permissions on specific sets of machines (like the “sudo” command on many Unix machines). A second product, DirectAudit, can provide a complete log of everything that a user does on a system – up to the point of being able to replay an individual session like a VCR. Although I can understand the requirement for such a detailed audit on a highly sensitive system, I actually found it kind of scary from an old system administrator’s point of view. :-)

Monday was also the day of the Directory & Identity Experts Panel Discussion, in which I had the privilege of joining Joe Long and Robert DeLuca from Microsoft, Kevin Kampman from the Burton Group, Gil Kirkpatrick from Netpro, Laura DiDio from the Yankee Group and Christopher Voce from Forrester. Joshua Hoffman from TechNet Magazine chaired the panel and opened up with a few questions before opening the flood gates to the audience. Joe was definitely in the front line of fire, being barraged with many questions with regard to when Microsoft would finally support SAML 2, SPML, virtual directories and other things that Microsoft doesn’t really seem to want to get its hands dirty with, at least at this time. I certainly felt sympathy, but he did a good job of defending Microsoft’s position. I got my share of questions as well. I have to admit that I was a bit nervous in the beginning, and in hindsight might have done a bit better with the first question about where I see OpenID in two years. But I think I did a pretty good job on the other questions of whether LDAP will be replaced by something else, and what needs to be done in order to enable applications for federation. After the expert panel, many lively discussions in the hospitality suites, and their aftermath! A perfect first conference day, and I collapsed happily into federated DreamSpace.


© 2010 Felix Gaehtgens, Kuppinger Cole