One and a half weeks ago I was speaking in our Webinar about the Identity Metasystem and Microsoft's implementation of it (codename "Geneva"). The news was still very fresh - I had just been to Microsoft's Professional Developer's Conference and scrambled to get the presentation together. We had almost 100 participants, and many questions were being asked. I slightly overshot the one hour reserved for my Webinar, but even after 70 minutes, the majority of the participants were still online. I then started answering some more questions, but there were still too many of them. If you missed the webinar from last week: it is available here.

Tomorrow, the 13th of November, we're hosting another webinar on the topic, at 10 AM PST/1 PM EST/7 PM CET. I will do this one a bit differently and allocate at least half of the time for questions.

Some of the questions we had last time were:

This seems OK for consumers, but is it relevant for large enterprises?

Absolutely. The Identity Metasystem has several parts; some of them are more relevant for enterprises and others more relevant to consumers. The parts of the Identity Metasystem that are most relevant to enterprises are the whole set of concepts around claims, trust agreements, security token services (STS), and of course WS-*. In "Geneva", the corresponding components are the Framework and the Server.

What about using Claims on non-Microsoft platforms?

An excellent question, and one that definitely warrants a longer explanation than I can give here. I am definitely going to talk about this topic some more tomorrow. With "Geneva", Microsoft has now released the first full implementation of the Identity Metasystem. There is no such complete implementation available for Java or for other non-Microsoft systems, but many parts of it already exist on other systems too.

Let me step back for a minute and state that the "Identity Metasystem" is a "system of systems" - it's a methodology, and it uses many building blocks, such as SAML security tokens, WS-* and public key infrastructure. Many, if not most, of these building blocks already exist on other systems. Major vendors such as Oracle and Sun offer interoperability with the Identity Metasystem, and some aspects of a development framework (albeit proprietary at this point) in their access management products.

Would you include "Geneva" in an Identity Management architecture today?

I would most definitely plan for it in an architecture, and especially make developers aware of the framework. Keep in mind that "Geneva" is still in beta, and the final release will only be next year. But that doesn't mean that one should hold off including it in the plans and preparing for it. In fact, for those who really don't want to wait, Microsoft has a "Technology Adoption Program" that will support users who want to adopt the technology now.

Microsoft's "Geneva" implementation of the Identity Metasystem is all about managing identity in an easier and safer way. That will be important in the long run not just for cost savings, but also as one of the key elements in the transition of IT departments from a cost centre to a strategic asset. Does the last sentence sound like just another pompous example of lofty analyst-speak? ;-) Think again. The costs of handling identity in today's enterprise environments are significant. It reminds me of the mid eighties, when most office software (Wordstar, Lotus 1-2-3, and even Microsoft Word in its first incarnations as an MS-DOS program) was shipped with one or two floppy disks full of printer drivers. That's right - different native printer drivers for each program! How much time was invested by every software vendor to enable the same thing (printing) all over again? How much time was saved when operating systems such as MacOS and Windows (and probably others) implemented a "printing framework" that could simply be harnessed by whatever programmer wrote applications for that operating system?

The Identity Metasystem is an important piece in the puzzle to make IT easier and more agile. So I couldn't think of any reasons not to consider the Identity Metasystem, and "Geneva" in a Windows environment. This is all standards-based, interoperable and open!

What is the timeline for "Geneva"?

According to Microsoft, the RTM (final release) will be available in the second half of 2009.

What protocols does "Geneva" use? WS-Trust and SAML 2.0? If both protocols are supported, is claims transformation between those protocols possible?

The current beta release of "Geneva" supports SAML 2.0, but apparently there are some current limitations in the beta that will soon be overcome. I need to confirm this, but as far as I remember from PDC, it seemed that the current beta of "Geneva" Server will work as a SAML 2 IdP (Identity Provider), but not yet as an SP (Service Provider) - but again, this is just a temporary limitation in the beta and should be available soon. Claims transformation is one of the key points of "Geneva" Server, and yes - the transformation between the protocols is definitely one of the uses foreseen.
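To make the claims and STS concepts from the enterprise answer above, and the claims transformation discussed here, concrete, the following is an added example and not code from "Geneva" or from Microsoft. It models what a claims-transforming STS does in the middle of a trust agreement: it accepts a SAML 2.0 assertion from a trusted identity provider, checks the issuer and validity window, turns the attribute statement into claims, and applies a rule table that renames, filters and re-issues them under the STS's own name. The assertion, the issuer names, the group-to-role mapping and the rule format are all constructed for this illustration; only the SAML 2.0 namespace and the two claim-type URIs are real. Signature verification is deliberately left out and would be required on any real token.

```python
"""Claims transformation: SAML 2.0 assertion in, filtered claim set out.

Illustrative example only. The rule table, issuer names and sample assertion are
invented for this blog post; this is not "Geneva" code or its rules language.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Real, widely used claim-type URIs (WS-Identity e-mail claim, role claim).
EMAIL_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Assumed trust agreement: which identity providers this STS believes, and its own name.
TRUSTED_ISSUERS = {"https://idp.example.com/"}
STS_ISSUER = "urn:example:sts"

# Constructed, unsigned sample assertion. A real STS must verify the XML signature first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2008-11-12T09:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Conditions NotBefore="2008-11-12T09:00:00Z" NotOnOrAfter="2008-11-12T10:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>Alice@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=Finance,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Everyone,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>4711</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Fixed clocks so the example is deterministic: inside and at the end of the window.
SAMPLE_NOW = datetime(2008, 11, 12, 9, 30, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2008, 11, 12, 10, 0, tzinfo=timezone.utc)


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, now):
    """Return (issuer, attribute name, value) triples from a SAML 2.0 assertion.

    Rejects assertions from issuers outside the trust agreement and assertions
    presented outside their NotBefore/NotOnOrAfter window.
    """
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            raise ValueError("assertion expired")
    claims = []
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        for value in attribute.iterfind("saml:AttributeValue", SAML_NS):
            claims.append((issuer, attribute.get("Name"), (value.text or "").strip()))
    return claims


# Constructed mapping from directory groups to application roles.
GROUP_TO_ROLE = {"CN=Finance,OU=Groups,DC=example,DC=com": "FinanceUser"}

# Hypothetical rule table: incoming attribute name -> (outgoing claim type, value mapper).
# A mapper returning None drops that value; attributes without a rule are never passed on,
# so the relying party only sees what the agreement says it needs (employeeNumber is withheld).
RULES = {
    "mail": (EMAIL_TYPE, lambda v: v.lower()),
    "memberOf": (ROLE_TYPE, GROUP_TO_ROLE.get),
}


def transform_claims(claims, rules=RULES):
    """Apply the rule table and re-issue the surviving claims under the STS's own name."""
    issued = []
    for original_issuer, name, value in claims:
        if name not in rules:
            continue
        out_type, mapper = rules[name]
        new_value = mapper(value)
        if new_value is None:
            continue
        issued.append({"type": out_type, "value": new_value,
                       "issuer": STS_ISSUER, "original_issuer": original_issuer})
    return issued


def issue(assertion_xml, now):
    """Full STS step: validate the incoming assertion, then transform its claims."""
    return transform_claims(extract_claims(assertion_xml, now))


def accepts(assertion_xml, now):
    """True if the incoming assertion passes the trust and validity checks."""
    try:
        extract_claims(assertion_xml, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for claim in issue(SAMPLE_ASSERTION, SAMPLE_NOW):
        print(f"{claim['type']} = {claim['value']} (originally from {claim['original_issuer']})")
```

Two design points carry over to any real deployment: the rule table is default-deny, so a new attribute released by the identity provider does not leak to relying parties until a rule is written for it, and the outgoing claims record both the STS as issuer and the identity provider as original issuer, which is what lets a relying party that trusts only the STS still audit where a claim came from.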

What about compatibility between "Zermatt" now and the "Geneva" framework in the future?

A difficult question to answer. Officially, the "Geneva" framework is still in beta. "Zermatt" was released several months ago, so it had even matured a bit before "Geneva" was released. This is the first Geneva beta, not yet architecturally or functionally complete, and Microsoft is seeking directional feedback. Microsoft invites developers, architects and other interested parties to learn about the software, experiment in labs, and send feedback. Having said this, from a protocol standpoint there will be compatibility, since the protocols are mature. There may of course be some evolution in the "Geneva" framework that may be backward incompatible. My personal guess is that if there are any such changes at all, they'd be minor. However, I think it is likely that the framework will incorporate new functionality. Then again, I have no crystal ball, and even if I had, I wouldn't know how to use it :-)