More on “Geneva” and the Identity Metasystem

12.11.2008 by Felix Gaehtgens

One and a half weeks ago I was speaking in our Webinar about the Identity Metasystem and Microsoft’s implementation of it (codename “Geneva”). The news was still very fresh – I had just been to Microsoft’s Professional Developers Conference and scrambled to get the presentation together. We had almost 100 participants, and many questions were being asked. I slightly overshot the one hour reserved for my Webinar, but even after 70 minutes, the majority of the participants were still online. I then started answering some more questions, but there were still too many of them. If you missed the webinar from last week: it is available here.

Tomorrow, the 13th of November, we’re hosting another webinar on the topic, at 10 AM PST/1 PM EST/7 PM CET. I will do this one a bit differently, and allocate at least half of the time for questions.

Some of the questions we had last time were:

This seems ok for Consumers, is it relevant for large enterprises?

Absolutely. The Identity Metasystem has several parts; some of them are more relevant for enterprises and others more relevant to consumers. The parts of the Identity Metasystem that are most relevant to enterprises are the concepts around claims, trust agreements, security token services, and of course WS-*. In “Geneva”, the corresponding components would be the Framework and the Server.

What about using Claims on non-Microsoft platforms?

An excellent question, and one that definitely warrants a longer explanation than this one here. I am definitely going to talk about this topic some more tomorrow. With “Geneva”, Microsoft has now released the first full implementation of the Identity Metasystem. There is no such complete implementation available for Java or for other non-Microsoft systems, but many parts of it already exist on other systems too.

Let me step back for a minute and state that the “Identity Metasystem” is a “system of systems” – it’s a methodology, and uses many building blocks, such as SAML security tokens, WS-* and public key infrastructure. Many, if not most of these building blocks already exist on other systems. Major vendors such as Oracle, Sun and others offer interoperability with the Identity Metasystem, and some aspects of a development framework (albeit proprietary at this point) in their access management products.

Would you include “Geneva” in an Identity Management architecture today?

I would most definitely plan for it in an architecture, and especially make developers aware of the framework. Keep in mind that “Geneva” is still in beta, and the final release will only be next year. But that doesn’t mean that one should hold off including it in the plans and preparing for it. In fact, for those who really don’t want to wait, Microsoft has a “Technology Adoption Program” that will support users that want to adopt the technology now. Microsoft’s “Geneva” implementation of the Identity Metasystem is all about managing identity in an easier and safer way. That will be important in the long run not just for cost savings, but also as one of the key elements in the transition of IT departments from a cost centre to a strategic asset. Does the last sentence sound like just another pompous example of lofty analyst-speak? ;-) Think again. The costs of handling identity in today’s enterprise environments are significant. It reminds me of the mid eighties, when most office software (Wordstar, Lotus 1-2-3, and even Microsoft Word in its first incarnations as an MS-DOS program) was shipped with one or two floppy disks full of printer drivers. That’s right – different native printer drivers for each program! How much time was invested by every software vendor to enable the same thing (printing) all over again? How much time was saved when operating systems such as MacOS and Windows (and probably others) implemented a “printing framework” that could just be harnessed by whatever programmer wrote applications for that operating system? The identity metasystem is an important piece in the puzzle to make IT easier and more agile. So I couldn’t think of any reasons not to consider the Identity Metasystem (and “Geneva” on a Windows environment). This is all standards-based, interoperable and open!

What is the timeline for “Geneva”?

According to Microsoft, the RTM (final release) will be available in the second half of 2009.

What protocols does “Geneva” use? WS-Trust and SAML 2.0? If both protocols are possible, is claim transformation between those protocols possible?

The current beta release of “Geneva” supports SAML 2.0, but apparently there are some current limitations in the beta that will soon be overcome – I need to confirm this but as far as I remember from PDC, it seemed that the current beta of “Geneva” Server will work as a SAML 2 IdP (Identity Provider), but not yet as a SP (Service Provider) – but again, this is just a temporary limitation in the beta and should be available soon. Claims transformation is one of the key points of “Geneva” server, and yes – the transformation between the protocols is definitely one of the uses foreseen.
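As an added illustration of the claims transformation a security token service performs between an incoming SAML 2.0 assertion and the claims handed to a relying party (this is example code, not Geneva’s own code and not part of the original post): the STS accepts assertions only from an issuer covered by a trust agreement, maps attributes onto claim types, turns directory groups into application roles, and drops everything the relying party has no agreement for. The issuer URL, group names and mapping rules are constructed, and signature validation of the assertion is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust agreement table: which SAML issuers this STS accepts (constructed, hypothetical).
TRUSTED_ISSUERS = {"https://idp.example.com/saml": "corp-idp"}
# Incoming attribute name -> outgoing claim type (standard WS-Identity claim URI).
CLAIM_MAP = {
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}
# Directory group -> application role; unmapped groups never leave the STS (constructed).
ROLE_MAP = {"CN=Finance,OU=Groups,DC=example,DC=com": "Finance"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample assertion; signature validation is assumed to have happened already.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=Finance,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Everyone,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeID"><saml:AttributeValue>4711</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Parse a SAML 2.0 assertion into (issuer, {attribute name: [values]})."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def transform_claims(assertion_xml):
    """Trust check plus mapping rules; returns [(claim_type, value, issuer_label)]."""
    issuer, attrs = extract_claims(assertion_xml)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer: %r" % issuer)  # no trust agreement, no claims
    label = TRUSTED_ISSUERS[issuer]
    out = []
    for name, values in attrs.items():
        if name in CLAIM_MAP:
            out.extend((CLAIM_MAP[name], v, label) for v in values)
        elif name == "memberOf":
            out.extend((ROLE_CLAIM, ROLE_MAP[v], label) for v in values if v in ROLE_MAP)
    return out  # employeeID and unmapped groups are dropped: least disclosure
```

Run against the sample, the relying party receives exactly two claims (the e-mail address and the Finance role), and an assertion from an issuer without a trust agreement yields none at all.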

What about compatibility of Zermatt now, and “Geneva” framework in the future?

A difficult question to answer. Officially, the “Geneva” framework is still in beta. “Zermatt” was released several months ago, so it has even matured a bit before “Geneva” was released. This is the first Geneva beta, not yet architecturally or functionally complete, and Microsoft is seeking directional feedback. Microsoft invites developers, architects and other interested parties to learn about the software, experiment in labs, and send feedback. Having said this, from a protocol standpoint there will be compatibility, since the protocols are mature. There may of course be some evolution in the “Geneva” framework that may be backward incompatible. My personal guess is that if at all, they’d be minor. However, I think it is likely that the framework will incorporate new functionality. Then again I have no crystal ball, and even if I had, I wouldn’t know how to use it :-)

Please join me for my identity metasystem / Geneva Webinar!

31.10.2008 by Felix Gaehtgens

This has been an intense week at PDC 2008 – the first one ever for me. I’m sure it won’t be my last!

If you’ve followed our Kuppinger Cole news, you may have seen my article about Microsoft’s Geneva announcement. I was very excited about this announcement, because of the importance of the identity metasystem for the future. Microsoft is clearly putting its money where its mouth is and fully jumping onto the bandwagon of a fully interoperable, open claims-based identity metasystem. This is not just interesting if you run Microsoft software. This has a profound and positive impact on our industry as a whole.

I am holding a Webinar today (Friday morning in the Americas, afternoon in Europe, the Middle East and Africa) to put all of this into what I think is the proper perspective and to outline why I think this is such a big deal, why this is relevant for you and how you can profit from this. You are all cordially invited!

http://www.kuppingercole.com/events/n40030

Netpro DEC 2008: Sneak Preview of Microsoft ILM 2

03.03.2008 by Felix Gaehtgens

I am at Netpro’s Directory Expert Conference in Chicago this week, and very excited to be here! I’m keeping my eyes and ears wide open for the latest tech and trends around Microsoft AD and Identity Management, and also participating in an expert panel this afternoon. Knowing that DEC is an action-packed event, I came a day early, and it was well worth it. Sunday’s ramp-up to DEC 2008 was a pre-conference workshop on Microsoft Identity Lifecycle Manager (ILM) 2 beta, Certificate Lifecycle Manager (CLM), Active Directory Federation Services (ADFS) and Active Directory Rights Management Service (ADRMS). It was a hands-on lab experience given by David Lundell from the Oxford Computer Group, who did a brilliant job putting it together.

Microsoft’s vision is to have Directory Services at the centre of a comprehensive infrastructure that supports Identity Lifecycle Management, Strong Authentication, information protection and federation. Harnessing the tools presented in this workshop, one can see where this is going. Some of the components (specifically ILM 2) are still in beta and not expected to be released until the “second half of 2008”, so the picture is still a bit rough and blurred, but one can see that it will be quite a beautiful one once completed.

I was particularly impressed by Certificate Lifecycle Manager (CLM), an add-on to ILM that facilitates strong authentication, specifically in the area of smart cards. It seems that Microsoft has managed to add significant value to an area that is often notoriously difficult for many enterprises to implement. From an abstraction layer over the underlying card’s hardware stack to a comprehensive lifecycle implementation, CLM supports the full work-flow of the whole lifecycle of issuance, PIN reset, revocation and retirement. Self service is of course part of the offering and is streamlined for efficient and secure management from initial issuance to retirement and secure recycling. Just like the Dot Net Factory, Microsoft is harnessing the new Windows Workflow Foundation for all of its workflow management. For data flow, it uses its MIIS meta-directory technology.

Just before the session closed, Microsoft’s Bobby Gill gave us a “sneak peek” of some additional features of ILM 2 beta 3 “hot off the disk” that he had compiled a few hours earlier. It is obvious that many significant enhancements are still being made, and Microsoft is very actively involved with its beta partners to collect their feedback and make improvements before the official ILM 2 is released.

Back to keeping my eyes and ears open, and I shall be back soon with some more news from DEC 2008!

© 2010 Felix Gaehtgens, Kuppinger Cole + Partner