OK – the Identity Roadmap for Software + Services session at PDC by Kim Cameron and Vittorio Bertocci delivered. And they delivered well! I have a problem with this offering, please read below!
The first two lines of every connected application are:
1. Who are you?
2. What are you allowed to do?
The solution is to use a claims-based system. A claim is a statement made by one party about another party. A claim in itself is useless; what matters is whether your application, coded by you, decides to act upon that claim or not, and that decision comes down to whether you trust the party that issued it. The simplest application of this is validation of claims. Say you shop for alcohol online and need to prove your age. What if you could ask your bank to assert that you are over 21, and the vendor's application decided to accept that statement made by the bank about you as true? Wouldn't that be nice? And really powerful, and really useful? That system exists today!
What we need is an identity metasystem that can exchange claims under user control. This is what Kim, Vittorio and the team behind them have been working on for quite a while now. And now they are done. Basically. There are some more artifacts that need to be released, but all in all the generalization is that from now on this is a non-issue. Here is the über-simple picture – and I've seen earlier attempts to drive this point home, so I know it is not easy to explain.
This picture more or less says it all from the end user's perspective. When you need to prove something about yourself, you ask someone else to vouch for you, and you ask them to do it in a secure fashion where you remain in control of what is going on. What is frightening is that many of the developer scenarios are about as hard to implement as this was to understand!
Especially useful will be the implementations of the two new interfaces IClaimsPrincipal and IClaimsIdentity. Once the user is authenticated, these two plug into Thread.CurrentPrincipal and Thread.CurrentPrincipal.Identity respectively, and the claims that were transmitted are queryable with LINQ. For a developer it doesn't get easier than this. "Microsoft have ejected authentication code from your application" – Vittorio Bertocci! Plus you can easily interact with the claims in a standards-based fashion.
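To make the two points above concrete (the age check from the bank example, and the IClaimsPrincipal / LINQ-over-claims programming model), here is an example I have added; it is not code from the session or from the Geneva team. It assumes the Geneva Framework beta API in the Microsoft.IdentityModel.Claims namespace (IClaimsPrincipal, IClaimsIdentity, ClaimsPrincipal, ClaimsIdentity, Claim, ClaimTypes, ClaimValueTypes) as published in the beta; the issuer URIs, the date values and the 21-year threshold are made up for the example. The point to notice is that the relying party filters on the issuer, not just on the claim type: a date-of-birth claim that the user asserted about themselves carries the same claim type and the same value, and is still ignored.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // Geneva Framework beta (assumed namespace)

// Editor-added example; not part of the original post or of Geneva itself.
static class AgeGate
{
    // Hypothetical STS: the one issuer whose date-of-birth claims this vendor acts on.
    const string TrustedIssuer = "https://bank.example/sts";

    // True only if a DateOfBirth claim from the trusted issuer says the caller is
    // at least minAge years old. Missing, malformed or self-asserted claims mean "no".
    public static bool IsOldEnough(IClaimsPrincipal principal, int minAge, DateTime today)
    {
        if (principal == null) return false;

        // LINQ over the claims. The STS may forward claims from several identities,
        // so flatten them, then filter on claim type AND issuer.
        var dobValues =
            from id in principal.Identities
            from c in id.Claims
            where c.ClaimType == ClaimTypes.DateOfBirth
               && c.Issuer == TrustedIssuer
            select c.Value;

        foreach (string v in dobValues)
        {
            DateTime dob;
            // A claim value is still externally supplied input: parse it strictly.
            if (!DateTime.TryParseExact(v, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                        DateTimeStyles.None, out dob))
                continue;

            int age = today.Year - dob.Year;
            if (dob.AddYears(age) > today) age--;   // birthday not yet reached this year
            if (age >= minAge) return true;
        }
        return false;
    }

    // Mimics what the framework does after authentication: wraps the received
    // claims in an identity and installs the principal on the current thread.
    public static IClaimsPrincipal InstallPrincipal(params Claim[] claims)
    {
        IClaimsIdentity identity = new ClaimsIdentity(claims, "Federation");
        IClaimsPrincipal principal = new ClaimsPrincipal(identity);
        Thread.CurrentPrincipal = principal;
        return principal;
    }

    static void Main()
    {
        DateTime today = new DateTime(2008, 10, 28);   // constructed "now" for the example

        // 1. Date of birth issued by the bank: the vendor acts on it.
        InstallPrincipal(new Claim(ClaimTypes.DateOfBirth, "1980-05-01",
                                   ClaimValueTypes.String, TrustedIssuer));
        Console.WriteLine("bank-issued, 28 years old: " +
            IsOldEnough((IClaimsPrincipal)Thread.CurrentPrincipal, 21, today));

        // 2. Same type and value, but self-asserted by the user: filtered out by issuer.
        InstallPrincipal(new Claim(ClaimTypes.DateOfBirth, "1980-05-01",
                                   ClaimValueTypes.String, "https://user.example/self"));
        Console.WriteLine("self-asserted, 28 years old: " +
            IsOldEnough((IClaimsPrincipal)Thread.CurrentPrincipal, 21, today));

        // 3. Trusted issuer, but the subject turns 21 only next month: not old enough.
        InstallPrincipal(new Claim(ClaimTypes.DateOfBirth, "1987-11-15",
                                   ClaimValueTypes.String, TrustedIssuer));
        Console.WriteLine("bank-issued, 20 years old: " +
            IsOldEnough((IClaimsPrincipal)Thread.CurrentPrincipal, 21, today));
    }
}
```

In a real deployment the framework populates Thread.CurrentPrincipal for you from the incoming token, and the issuer on each Claim is whatever STS signed that token, so the only thing left for the application is the issuer check and the business rule; that is what "ejecting authentication code from your application" buys you.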
The new product that has now been released to realize these fine ideas is called "Geneva". It consists of three parts:
- Geneva Framework – A framework SDK for devs to build identity-aware applications.
- Geneva Server – A Security Token Service (STS) that implements claims-based security, interacts with applications and is able to issue claims based on whatever identity store you have in your organization. Naturally the first one that comes to mind is Active Directory.
- Windows CardSpace "Geneva" – A smaller and faster version of the old CardSpace authentication mechanism.
The simple goal of this technology is: “Write first deploy anywhere!“
I have a dare for you, dear reader: it's not that I really want these offerings taken down, it's more that I simply cannot find a problem here. I cannot find any issue with the current identity initiative coming out of Microsoft. Sure, they've been wrong before (i.e. Passport), but this time round the block I just cannot find a flaw! Personally I feel completely assured that this identity product offering is totally standards-based. And these are open and shared standards that are not only supported by Microsoft. It is totally pluggable with any application that follows the same standards, should you want to code it yourself, which I feel is ludicrous. There is no vendor lock-in. Microsoft has learned that lesson well. There is only an open invite to "the Identity Era" – Kim Cameron!
From now on, if you ever implement your own identity logic again in any application, you're a moron! This problem is now solved; all you need to do, and have to do, is learn how to use it. It is as finished and feature-complete as the base class libraries, meaning there will be minor augmentations over time, but the problem itself is now solved!
Finally: an important announcement is also that CardSpace now fully supports OpenID. I don't think this is a very new revelation, but I feel it is a fact that most do not know about. Well, now you do. And did you also know that Microsoft now fully supports the OASIS SAML 2.0 specification as well? Now you know that too. Windows Live ID has also committed to OpenID.
Cheers,
M.
P.S. Vittorio will be speaking at Øredev this year, so if you haven't seen him yet, come see him there. Today he was simply brilliant!
posted @ Tuesday, October 28, 2008 8:35 AM