Microsoft prepares move on ID management

Microsoft is working on restructuring its identity management platform, building services directly into the operating system to reduce the integration work customers must do today.

The biggest additions would be folding Microsoft's Identity Integration Server (MIIS) - a separate product and cornerstone for Microsoft's identity platform - into Windows to add services such as provisioning and password management. The operating system already includes Active Directory, another foundation of Microsoft's identity platform.

Sources familiar with the plans said Microsoft was also developing new workflow technology for the operating system that would orchestrate provisioning and other identity services across multiple systems.

According to observers, Microsoft's intent was to centralise some identity services and make its identity platform easier to deploy, by reducing the integration work customers must do and giving developers a single point at which to tie their applications into the platform.

They also suggest Microsoft hopes to build a cohesive package around its enterprise identity platform, Web services development tools and standards support, and personalised identity services it is creating in its forthcoming Longhorn operating system, set to begin shipping in 2006.

Microsoft officials would not comment on their future plans for the identity platform.

The restructuring comes as Microsoft is battling rivals IBM, Sun and others who have put together tightly integrated identity suites at a time when identity management has become a corporate hot button.

While the MIIS change is not set in stone, it would dramatically change the capabilities of the operating system. For example, the integration would let users reset passwords across all Microsoft and other platforms from their Windows desktops. Today, users deploy MIIS or purchase third-party software to handle those services.

The catch is that while corporate users would get the provisioning engine in the operating system, they would have to buy the connectors to link the operating system capabilities to other platforms including directories, databases and applications such as Lotus Notes and SAP.
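The provisioning engine described above joins an authoritative feed to a central identity store and pushes each change out through one connector per connected system, which is also how a password reset reaches every platform at once. The following is an added illustration written for this article, not Microsoft or MIIS code: the system names, HR record layout, account-naming rules and connector API are assumptions, and the sample HR feed is constructed.

```python
"""Metadirectory-style provisioning engine with pluggable connectors.

Added illustration, not Microsoft or MIIS code: an authoritative HR feed is
joined to a central identity store ("metaverse") on employee_id, and each
change is exported through one connector per connected system.  A password
reset is fanned out to every system holding the person's account.  System
names, record layout, naming rules and the connector API are assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Identity:
    """Joined view of one person across all connected systems."""
    employee_id: str
    display_name: str
    mail: str
    active: bool
    accounts: Dict[str, str] = field(default_factory=dict)  # system -> account id


class Connector:
    """Base connector; each connected system keeps its own account store."""
    name = "base"

    def __init__(self) -> None:
        self.store: Dict[str, dict] = {}  # account id -> attributes
        self.log: List[str] = []          # audit trail of exports

    def account_name(self, ident: Identity) -> str:
        raise NotImplementedError

    def create(self, ident: Identity) -> str:
        acct = self.account_name(ident)
        self.store[acct] = {"name": ident.display_name, "mail": ident.mail,
                            "enabled": True, "password": None}
        self.log.append(f"create {acct}")
        return acct

    def update(self, acct: str, ident: Identity) -> None:
        self.store[acct].update(name=ident.display_name, mail=ident.mail)

    def disable(self, acct: str) -> None:
        # Deprovisioning disables rather than deletes, so the account stays auditable.
        self.store[acct]["enabled"] = False
        self.log.append(f"disable {acct}")

    def set_password(self, acct: str, password: str) -> None:
        # Stand-in for the target's own credential store: every system hashes
        # differently, so the plaintext must reach each connector (over a
        # protected channel in a real deployment).
        self.store[acct]["password"] = hashlib.sha256(
            f"{self.name}:{acct}:{password}".encode()).hexdigest()
        self.log.append(f"password {acct}")


class ActiveDirectoryConnector(Connector):
    name = "ad"
    def account_name(self, ident: Identity) -> str:
        parts = ident.display_name.lower().split()
        return f"{parts[0][0]}{parts[-1]}"      # "Alice Smith" -> "asmith" (assumed rule)


class LotusNotesConnector(Connector):
    name = "notes"
    def account_name(self, ident: Identity) -> str:
        return f"CN={ident.display_name}/O=Corp"


class SapConnector(Connector):
    name = "sap"
    def account_name(self, ident: Identity) -> str:
        return f"U{ident.employee_id}"


class ProvisioningEngine:
    def __init__(self, connectors: List[Connector]) -> None:
        self.connectors = {c.name: c for c in connectors}
        self.metaverse: Dict[str, Identity] = {}

    def import_hr(self, records: List[dict]) -> None:
        """Join HR rows to identities on employee_id, then export every change."""
        for rec in records:
            ident = self.metaverse.get(rec["employee_id"])
            active = rec["status"] == "active"
            if ident is None:
                ident = Identity(rec["employee_id"], rec["name"], rec["mail"], active)
                self.metaverse[ident.employee_id] = ident
            else:
                ident.display_name, ident.mail, ident.active = rec["name"], rec["mail"], active
            self._export(ident)

    def _export(self, ident: Identity) -> None:
        for conn in self.connectors.values():
            acct = ident.accounts.get(conn.name)
            if ident.active and acct is None:
                ident.accounts[conn.name] = conn.create(ident)
            elif ident.active:
                conn.update(acct, ident)
            elif acct is not None:
                conn.disable(acct)

    def reset_password(self, employee_id: str, password: str) -> List[str]:
        """Propagate one reset to every system holding the account."""
        ident = self.metaverse[employee_id]
        if not ident.active:
            raise PermissionError("no password resets for deprovisioned identities")
        for system, acct in ident.accounts.items():
            self.connectors[system].set_password(acct, password)
        return sorted(ident.accounts)


# Constructed sample HR feed (not real data).
HR_FEED = [
    {"employee_id": "1001", "name": "Alice Smith", "mail": "alice@corp.example", "status": "active"},
    {"employee_id": "1002", "name": "Bob Jones", "mail": "bob@corp.example", "status": "active"},
]


def demo() -> ProvisioningEngine:
    engine = ProvisioningEngine([ActiveDirectoryConnector(), LotusNotesConnector(), SapConnector()])
    engine.import_hr(HR_FEED)
    engine.reset_password("1001", "correct horse battery staple")
    engine.import_hr([dict(HR_FEED[1], status="terminated")])  # Bob leaves: disabled everywhere
    return engine


if __name__ == "__main__":
    for conn in demo().connectors.values():
        print(conn.name, conn.log)
```

The connectors are where the cost the article mentions lives: the engine's join and export logic is generic, while each target system needs its own naming rule, attribute mapping and credential handling. Note also that deprovisioning disables rather than deletes, and that a reset is refused for an identity HR has marked inactive.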

Microsoft's chief software architect, Bill Gates, referred to MIIS in his keynote address last week at the RSA Conference in San Francisco as a key element of the vendor's identity strategy.

"You go to one place, and that information is propagated in the right way across the different places it should be," he said.

Microsoft is also planning to add workflow services in the operating system, most likely with Longhorn, using a technology under development called Windows Orchestration Engine (WinOE). Work to include WinOE in MIIS and other Microsoft software is already underway.

While all this integration could be years down the road, it dovetails with identity services Microsoft is set to release by year-end in the next version of Windows Server, dubbed R2.

R2 includes Active Directory Federation Services (ADFS), which lets identity information supplied by one company be used to grant access to resources on a partner's network.

ADFS will eventually provide the Web single sign-on capabilities that Microsoft's identity platform currently lacks, and it is the foundation of the company's adoption of Web services security standards in Windows: the WS-Federation protocol, with the Security Assertion Markup Language (SAML) used as the format of the security tokens that ADFS issues.
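Federated sign-on of the kind ADFS provides comes down to what the resource partner must check before it honours a token minted by someone else's identity provider. The following is an added example written for this article, not Microsoft or ADFS code: "Contoso" (account partner) and "Fabrikam" (resource partner), the group names, the audience URL and the keys are all constructed, and a JSON body with an HMAC-SHA256 signature stands in for the X.509-signed SAML assertion a real ADFS deployment would use, so that it runs with the standard library alone.

```python
"""Federated sign-on token checks, in the style of ADFS / WS-Federation.

Added illustration, not Microsoft code.  An identity provider at the account
partner (Contoso) issues a signed claims token; a relying party at the
resource partner (Fabrikam) accepts it only if the issuer is trusted, the
signature verifies, the token was minted for this audience and it is inside
its validity window, then maps the partner's group claims to local roles.
Real ADFS issues SAML assertions signed with X.509 keys; a JSON body with an
HMAC-SHA256 signature stands in here.  All names and keys are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Account partner: authenticates its own users and issues tokens."""

    def __init__(self, issuer: str, key: bytes) -> None:
        self.issuer, self.key = issuer, key

    def issue(self, subject: str, groups: List[str], audience: str,
              now: float, lifetime: int = 600) -> str:
        body = {"iss": self.issuer, "sub": subject, "aud": audience,
                "nbf": now, "exp": now + lifetime, "groups": groups}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class RelyingParty:
    """Resource partner: trusts named issuers and their keys, nothing else."""

    def __init__(self, audience: str, trusted: Dict[str, bytes],
                 role_map: Dict[str, str], skew: int = 60) -> None:
        self.audience, self.trusted, self.role_map, self.skew = audience, trusted, role_map, skew

    def accept(self, token: str, now: float) -> dict:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        body = json.loads(payload)
        # The issuer name is read before verification only to select the key;
        # no claim is acted on until the signature has been checked.
        key = self.trusted.get(body.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise ValueError("bad signature")
        if body.get("aud") != self.audience:
            raise ValueError("token not issued for this relying party")
        if not (body["nbf"] - self.skew <= now < body["exp"] + self.skew):
            raise ValueError("token outside validity window")
        # Claims transformation: only groups the partner agreed to map become local roles.
        roles = sorted({self.role_map[g] for g in body["groups"] if g in self.role_map})
        return {"subject": body["sub"], "issuer": body["iss"], "roles": roles}


# Constructed federation: Contoso's key is shared with Fabrikam out of band.
CONTOSO_KEY = b"contoso-signing-key-constructed"
MALLORY_KEY = b"not-a-trusted-key"
contoso = IdentityProvider("urn:federation:contoso", CONTOSO_KEY)
fabrikam = RelyingParty(
    audience="https://partner.fabrikam.example/orders",
    trusted={"urn:federation:contoso": CONTOSO_KEY},
    role_map={"Contoso Buyers": "order-reader", "Contoso Finance": "order-approver"},
)
NOW = 1_000_000.0  # fixed clock so the example is deterministic


def happy_path() -> dict:
    token = contoso.issue("alice@contoso.example", ["Contoso Buyers", "Domain Users"],
                          fabrikam.audience, NOW)
    return fabrikam.accept(token, NOW)


def rejected_reason(token: str, now: float = NOW) -> str:
    try:
        fabrikam.accept(token, now)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(happy_path())
    forged = IdentityProvider("urn:federation:contoso", MALLORY_KEY)
    print(rejected_reason(forged.issue("mallory", ["Contoso Finance"], fabrikam.audience, NOW)))
```

The order of the checks matters: a relying party that mapped claims before verifying the signature, or that accepted any issuer whose name looked right, would let a forged token through. The same applies to the audience check, which stops a token issued for one partner's application from being replayed against another.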

The federation services will intersect with personalised identity services Microsoft is developing, including a revival of Passport with a focus on corporate users, sources say.

Passport was Microsoft's first pass at a single sign-on service, but bugs, privacy concerns and dwindling support from third-party sites killed it as a general-purpose sign-on service.

Sources claim Microsoft is developing an MIIS connector to synchronise Passport with corporate directories. The idea is that companies could set up their own Passport hubs to store their user information without any Microsoft involvement and use ADFS to federate their hub with their partners' Passport hubs.

Personalisation would be rounded out using the client-side Identity System and Information Card being developed for Longhorn. The Information Card design inverts Passport's: the user, not a central service, controls personal information and decides how it is shared.

The cards could be used in peer-to-peer relationships, including validating email senders, or as a single sign-on control. The cards also could secure access control and communication between a user and a company, and between departments or organisations.

Microsoft plans to tie the Identity System into its larger Web Services-based federated identity initiatives.

The vendor hopes to make the cards cross-platform, but critics say the key will be whether Microsoft supports other federation standards, including SAML and the Liberty Alliance's similar user-centric identity model.

By John Fontana