Microsoft is making several important announcements in the identity management area at this week's Professional Developers Conference (PDC). What many have been eagerly awaiting is the final decision on SAML 2.0 protocol support (the answer is yes, and it is available in beta as of today). This, however, is just one small detail. The real news is that Microsoft is shifting gears with respect to its identity and access strategy and laying the groundwork for the future by delivering the first beta of an integrated claims-based identity metasystem. And of course there is a new code name for it too: "Geneva", an open claims-based platform. Geneva will be the identity platform for the cloud services architecture "Windows Azure", which was also announced this morning at PDC.
Geneva has several components, some of which have been around for a while and are now, with substantial enhancements, bundled under the new platform. "Geneva Server" is the successor of Active Directory Federation Services (ADFS), with enhancements significant enough that it really is much more than "just the next version" of ADFS. The "Geneva Framework" is the new name for what Microsoft released as "Zermatt" just a few months ago (see the official announcement and our review of Zermatt). Finally, there is "CardSpace Geneva", a new version of the Windows CardSpace (InfoCard) identity selector.
Geneva Server, the successor to ADFS, now supports the SAML 2.0 protocol. The current Beta 1 can send (post) SAML 2.0 messages but cannot yet receive them. The final version will be certified by the Liberty Alliance for the IdP Lite and SP Lite interoperability profiles. This will delight many customers, because the previous lack of SAML 2.0 protocol support had been a sticking point that put Microsoft at odds with customers who chose to adopt the more widely used SAML 2.0 rather than Microsoft's alternative, the WS-Federation protocol.
Apart from SAML 2.0 support, Geneva Server comes with many other significant enhancements, most of them centred on federation and claims transformation. What used to be a somewhat tedious job of configuring a federation agreement in ADFS is greatly simplified in Geneva Server through the addition of metadata features: instead of exhaustive manoeuvring through configuration panels, a federation partner can be exported and imported instantly from a URL or a file containing federation metadata. Most importantly, Geneva Server is no longer "just" a federation identity provider but a fully fledged security token service (STS) that can perform extensive claims transformation, an important foundation service for the claims-based identity metasystem. Last but not least, Geneva Server can function as a federation hub, translating between multiple federation protocols and standards.
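Metadata import is convenient, but whoever controls the metadata document controls which signing certificate and which endpoints the importing side will trust, so an import should check the document rather than copy it blindly. The following is an added example, written for this review and not code from Microsoft or Geneva Server, of what such a check looks like for a SAML 2.0 identity-provider metadata document: it parses the md:EntityDescriptor, rejects expired metadata, requires SAML 2.0 protocol support and a signing certificate, and refuses non-TLS endpoints for the browser bindings it accepts. The namespaces and element names are the ones defined by the OASIS SAML 2.0 metadata specification; the partner name, URLs and certificate string in the sample document are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# SAML 2.0 metadata and XML-DSig namespaces (OASIS / W3C).
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Front-channel bindings a browser-based relying party uses; anything else is ignored.
ALLOWED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


class MetadataError(ValueError):
    """Raised when the metadata is malformed or fails a trust check."""


@dataclass
class FederationPartner:
    entity_id: str
    sso_endpoints: Dict[str, str]   # binding URI -> endpoint URL
    signing_certs: List[str]        # base64 DER certificates from md:KeyDescriptor
    valid_until: Optional[datetime]


def import_idp_metadata(xml_text: str, now: datetime) -> FederationPartner:
    """Parse an identity provider's md:EntityDescriptor and apply trust checks."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise MetadataError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("entityID attribute is missing")

    valid_until = None
    if root.get("validUntil"):
        valid_until = datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00"))
        if valid_until <= now:
            raise MetadataError(f"metadata expired at {valid_until.isoformat()}")

    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: partner is not an identity provider")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise MetadataError("partner does not advertise SAML 2.0 protocol support")

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise MetadataError("no signing certificate: assertions could not be verified")

    endpoints = {}
    for sso in idp.findall(f"{{{MD}}}SingleSignOnService"):
        binding, location = sso.get("Binding"), sso.get("Location", "")
        if binding not in ALLOWED_BINDINGS:
            continue
        if not location.startswith("https://"):
            raise MetadataError(f"refusing non-TLS endpoint {location}")
        endpoints[binding] = location
    if not endpoints:
        raise MetadataError("no usable SingleSignOnService endpoint")

    return FederationPartner(entity_id, endpoints, certs, valid_until)


def metadata_is_accepted(xml_text: str, now: datetime) -> bool:
    """True if the document passes every check, False otherwise."""
    try:
        import_idp_metadata(xml_text, now)
        return True
    except (MetadataError, ET.ParseError):
        return False


# Constructed sample for a fictitious partner; the certificate text is a placeholder, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCAVmgAwIBAgIUQ0NPTlNUUlVDVEVEIFNBTVBMRQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://idp.example.test/sso/soap"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2031, 1, 1, tzinfo=timezone.utc)
# Same document with the key relabelled as encryption-only: must be rejected.
SAMPLE_NO_SIGNING_KEY = SAMPLE_METADATA.replace('use="signing"', 'use="encryption"')

if __name__ == "__main__":
    partner = import_idp_metadata(SAMPLE_METADATA, NOW)
    print(partner.entity_id, partner.sso_endpoints)
```

Two caveats a practitioner would add: the document should be fetched over TLS from the partner's own host (or carry an XML signature that is verified against an out-of-band key) before it is parsed, and a hardened parser such as defusedxml should replace xml.etree in production, since metadata is attacker-supplied input.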
Geneva Framework is the new name for the Zermatt developer framework that we have already covered. It enables developers to make their applications ready for the new claims-based metasystem in several ways. Web applications can consume claims, security tokens and policies with minimal coding (there are several samples that show how to do this in just a few lines of code). Non-web applications can similarly be enabled to work with the new claims metasystem as "active clients" and so collaborate across traditional security boundaries; SharePoint and Rights Management are two excellent examples of how claims enable collaboration. Thirdly, the Geneva Framework can be used by developers to write their own security token service (STS), for those who for a particular reason cannot or do not want to use Geneva Server.
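The two passages above describe the core job of an STS without showing it: take claims asserted by a trusted issuer, transform them into the claims a relying party needs, and issue them in a token the relying party can verify. The following added example, written for this review and not Geneva's own rule language or framework API, models that pipeline in Python. The claim type URIs are the WS-Identity ones commonly used with ADFS; the issuer names, relying-party URL, input claims and key are constructed for the example, and HMAC-SHA256 stands in for the X.509 signature a real STS would apply.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Claim type URIs as used in WS-Federation/ADFS deployments; the logic does not depend on them.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

STS_NAME = "urn:example:sts"            # hypothetical name of this STS as a claims issuer
TRUSTED_ISSUERS = {"urn:example:ad"}    # hypothetical upstream issuer (the corporate directory)


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


Rule = Callable[[List[Claim]], List[Claim]]


def passthrough(*types: str) -> Rule:
    """Copy the selected claim types, re-issued under this STS's name."""
    return lambda claims: [Claim(c.type, c.value, STS_NAME) for c in claims if c.type in types]


def group_to_role(mapping: Dict[str, str]) -> Rule:
    """Translate directory groups into application roles; unmapped groups are not forwarded."""
    return lambda claims: [Claim(ROLE, mapping[c.value], STS_NAME)
                           for c in claims if c.type == GROUP and c.value in mapping]


def transform(incoming: List[Claim], rules: List[Rule]) -> List[Claim]:
    """Apply the rule set. Claims from issuers this STS does not trust never reach a rule."""
    trusted = [c for c in incoming if c.issuer in TRUSTED_ISSUERS]
    out: List[Claim] = []
    for rule in rules:
        out.extend(rule(trusted))
    return out


def issue_token(claims: List[Claim], audience: str, key: bytes, now: int, lifetime: int = 300) -> str:
    """Serialise the claims into an audience-restricted, time-limited token.
    HMAC-SHA256 stands in for the asymmetric signature a real STS would use."""
    body = {"iss": STS_NAME, "aud": audience, "iat": now, "exp": now + lifetime,
            "claims": [[c.type, c.value] for c in claims]}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig   # the hex signature contains no '.', so rpartition recovers it


def validate_token(token: str, audience: str, key: bytes, now: int) -> List[Claim]:
    """Relying-party side: verify the signature first, then issuer, audience and lifetime."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature does not verify")
    body = json.loads(payload)
    if body["iss"] != STS_NAME:
        raise ValueError("unknown issuer")
    if body["aud"] != audience:
        raise ValueError("token was issued for a different relying party")
    if not body["iat"] <= now < body["exp"]:
        raise ValueError("token not yet valid or expired")
    return [Claim(t, v, body["iss"]) for t, v in body["claims"]]


def token_is_valid(token: str, audience: str, key: bytes, now: int) -> bool:
    try:
        validate_token(token, audience, key, now)
        return True
    except (ValueError, KeyError):
        return False


# Constructed input: what a directory-backed identity provider might assert about a user,
# plus one spoofed claim from an untrusted issuer that must not survive transformation.
SAMPLE_INCOMING = [
    Claim(NAME, "alice", "urn:example:ad"),
    Claim(EMAIL, "alice@corp.example", "urn:example:ad"),
    Claim(GROUP, "Finance", "urn:example:ad"),
    Claim(GROUP, "Domain Users", "urn:example:ad"),
    Claim(ROLE, "Administrator", "urn:attacker"),
]
RULES: List[Rule] = [passthrough(NAME, EMAIL), group_to_role({"Finance": "Approver"})]
DEMO_KEY = b"demo-only-shared-secret"   # constructed for the example; never hard-code real key material
AUDIENCE = "https://rp.example/expenses"  # hypothetical relying party

if __name__ == "__main__":
    outgoing = transform(SAMPLE_INCOMING, RULES)
    token = issue_token(outgoing, AUDIENCE, DEMO_KEY, now=1000)
    for c in validate_token(token, AUDIENCE, DEMO_KEY, now=1100):
        print(c.type.rsplit("/", 1)[-1], "=", c.value)
```

The design choice worth noting is that the relying party never sees the directory groups, only the role the STS derived from them, and the spoofed administrator claim is dropped because its issuer is not trusted rather than because of anything the rules say. Audience restriction matters for the same reason: a token minted for one application must not be replayable against another one that trusts the same STS.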
The new "CardSpace Geneva" version is a substantial rewrite of the CardSpace selector that Microsoft undertook after gathering experience and feedback from users of the current CardSpace version. Users of Windows Vista received the software with the operating system and only had to turn it on through the control panel. Those using previous versions of Windows could download and install CardSpace; that download, however, turned out to be very large, close to 150 MB in many cases. The new version can be downloaded in less than 5 MB and does not have the same extensive prerequisites as the old CardSpace. Microsoft has also streamlined the user experience of the selector and added support for managed card issuance.
By bundling these three components of the identity metasystem under the code name "Geneva", Microsoft makes the identity metasystem available to IT administrators (Geneva Server), developers (Geneva Framework) and end users (CardSpace Geneva). There are obvious benefits to adopting the identity metasystem. After all, it is touted to solve many security issues associated with electronic identity, such as preventing identity theft by countering phishing and pharming attacks. As collaboration becomes increasingly mainstream in today's business world, the identity metasystem is the technical roadmap for solving the interoperability challenges that arise when identities need to be extended past the traditional security boundaries of departments and organizations. Last but not least, users' concerns about the privacy of their personal information have not been addressed well enough to keep up with the fast pace of technology in today's Internet society. Here the identity metasystem adds the fabric that lets users take back control over their identity information through user-centric identity.
One of the first large adopters of this technology is Microsoft itself, which bases the identity model of its Azure cloud computing services firmly on this architecture. Azure uses claims, and the new Microsoft Service Connector (MSC) connects internal users to the cloud architecture through claims-based federation. Another component of the new cloud architecture, the .NET Access Control Service (ACS), is built on Geneva technology and the claims architecture.
At Kuppinger Cole we appreciate that Microsoft is making a serious effort to enable adoption of the identity metasystem, and we find the Geneva offering substantial. True, there is still much work ahead, and the current version is an early beta with some features still to come in the final first release. The fact that support for the SAML 2.0 protocol was finally added, after much initial reluctance, is an important step to reassure customers and others in the identity space that Microsoft is serious about its commitment to open standards and interoperability. This cannot have been an easy choice for Microsoft, and we are pleased that Microsoft made the right choice and has clearly shown that it is willing to put its money where its mouth is.
Microsoft has made a large effort around its identity strategy, with many significant announcements this year. The pace has increased sharply from previous years, and fundamental changes in direction have been made, specifically around interoperability, collaboration with other vendors in the industry, and openness. Kuppinger Cole will be closely following Geneva and its progress, as well as the identity metasystem's continued adoption.