Microsoft and Federated Identities: The Road to Single Sign-On
Single sign-on. Symbolically at least, it may be a kind of grail for IT staffers
who today need to administer thousands of user accounts -- often a jumble of weakly-related
identities stored in a dizzying variety of directory management systems in different
environments.
Corporate end users have an average of about 16 separate passwords that they
need to remember, according to a 2003 Gartner survey of more than 300 enterprises.
"Some vertical industries will have higher numbers of passwords because they
have more internal applications, but between one and two dozen is a good [ballpark
figure]," says Earl Perkins, analyst in Gartner's security and privacy group.
Additionally, those passwords are often stored and managed via dozens of different
identity management systems in different locations, making user account administration
on an enterprise basis a living nightmare.
Single sign-on, or SSO as it's often called, seems like a simple-enough concept.
Log onto one computer and you're effectively logged into all of the systems
you have permission to access, everywhere. No more remembering all those different
passwords for users, meaning fewer calls to the help desk with password reset
requests.
From an IT manager's point of view, however, that is still mostly a dream.
Today, an employee might leave and, while the human resources department's system
may know that, the information may not have made its way into the main network
directory -- or, likely, into multiple directory systems.
But that is changing.
The arrival of Windows Server 2003 Release 2 (R2), due out by the end of the
year, will bring with it long-awaited capabilities to let Active Directory integrate
with other identity management systems through Web Services. Indeed, the aim
of providing what's termed Active Directory Federation Services (ADFS) in R2
is to facilitate a shift from proprietary identity management schemes to one
built around Web Services, and ultimately to make Web SSO a reality.
"[Customers asked us] Why can't we use Active Directory for our non-Windows
environments such as Unix," says Michael Stephenson, Microsoft director of product
management for identity and access management within the Windows Server organization.
"We listen to our customers."
Microsoft Identity Integration Server
Single sign-on is already a reality for some users as long as they work within
a single, often proprietary environment, which is seldom the case. Therefore,
the universe of identity management and directory systems is still very much
islands in the stream when it comes to SSO.
Microsoft recognized the problem several years ago. It had accomplished dominance
on corporate desktops worldwide and its servers were finally making headway,
gradually penetrating data centers that already had non-Microsoft systems in
place.
So in 1999, while it was still readying Active Directory for its debut in Windows
2000, the company acquired ZoomIT for its metadirectory, which became Microsoft
Metadirectory Services. Now known as Microsoft Identity Integration Server 2003
(MIIS), it provides SSO and account management features to connect with other
identity systems. This is made possible via "agents" that handle protocol translation
between Active Directory and the other systems.
MIIS 2003 Enterprise Edition provides identity integration and directory synchronization,
account provisioning and de-provisioning, and password synchronization and management
for a laundry list of identity systems and applications that require authentication,
according to Microsoft documents. These include Active Directory Application
Mode (ADAM), IBM Directory Server, Novell eDirectory, SunONE/iPlanet Directory,
and X.500 systems, among others. It also supports Lotus Notes and Domino, Microsoft
Exchange 5.5, PeopleSoft, SAP, SQL Server, Oracle, and IBM DB2.
Additionally, French third-party developer Kernel Networks said in July that
it will deliver an OpenLDAP (Lightweight Directory Access Protocol) management
agent for MIIS 2003 by the end of the year. The agent will provide connectivity
for applications that exchange identity information between MIIS and OpenLDAP
2.x-based directories.
Solutions like MIIS are still complex and inflexible, however. Customers want
a simpler way to bring all of their identity systems together. Additionally,
MIIS doesn't address Web applications. That's where ADFS comes in.
Active Directory Federation
"One of the things that customers want to do is to let their users get access
to information outside their organizations or to let external users have access
to internal information," says Microsoft's Stephenson.
Microsoft documents describe ADFS as "a new feature of Active Directory that
. . . uses the WS-* architecture to provide an open model for Web SSO to Web
applications in internet-facing scenarios." A Microsoft spokeswoman expanded
on that, saying that ADFS "enables customers to provide their users with single
sign-on across multiple Web applications including applications that are managed
by partners -- commonly referred to as Federation."
Based on the WS-Federation and WS-Security standards, the idea of ADFS is to
tear down the barriers to single sign-on across enterprise boundaries as well
as boundaries between separate identity management systems via the use of Web
Services and eXtensible Markup Language (XML).
Using a standardized, human-readable language -- XML -- to describe the services
that Active Directory and any other XML-enabled directory provide as Web Services
enables a common means of communication between dissimilar systems, one that is much
simpler to build and maintain than more proprietary approaches.
Indeed, that's the point of federation. The idea is to create a single point
of authentication and authorization for a mixed operating system environment,
even while allowing non-Microsoft networks to co-exist in the IT environment.
In a federated trust relationship, identities and their associated credentials
are still stored, owned, and managed separately from resources, according to
Microsoft documents. Each individual member of the federated trust relationship
continues to manage its own identities but is also capable of securely sharing
and accepting identities and credentials from the sources of other members of
the federated trust relationship.
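To make the trust model above concrete, here is an added illustration (not Microsoft's code and not part of the article): an account partner authenticates its own users and issues a signed claim set, and a resource partner accepts it only if the issuer is a known federation member, the signature is intact, the token is addressed to its own realm and it has not expired. The partner names and the shared key are constructed; a real WS-Federation deployment signs tokens with X.509 certificates, for which an HMAC stands in here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust relationship: the resource partner knows its federation
# members only by issuer name and verification key. It never sees the
# account partner's user passwords; identities stay managed at the source.
TRUSTED_ISSUERS = {"account.partner.example": b"constructed-shared-secret"}
RESOURCE_REALM = "resource.partner.example"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, audience, ttl=300, now=None):
    """Account partner side: after authenticating `subject` locally, emit
    a signed claim set bound to one audience and a short lifetime."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def accept_token(token, now=None):
    """Resource partner side: return the claims if every check passes,
    otherwise None. Each early return is a distinct rejection reason."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except ValueError:  # malformed token or bad base64/JSON
        return None
    if not isinstance(claims, dict):
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # issuer is not a member of the federation
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None  # claims altered or signed with an unknown key
    if claims.get("aud") != RESOURCE_REALM:
        return None  # token was issued for a different resource partner
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims
```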
WS-Federation was originally created by IBM, Microsoft, BEA Systems, RSA Security
and VeriSign, who announced it two years ago. It is one of the WS-Security specifications.
Bridging the Federation Gap
At Microsoft's TechEd Europe 2005 in July, the company announced that two third-party
developers -- Centrify and Vintela -- are working on ADFS agents that will enable
Linux and Java-based identity systems to federate with and be managed through
Active Directory.
"We deliver Active Directory clients for Unix and Linux," says Tom Kemp, CEO
of Mountain View, California-based Centrify. "The piece [that was] missing is
this whole Web single sign-on and federated identity."
Centrify is readying an update to its DirectControl suite that provides an
ADFS Web SSO agent for Web-based applications running on non-Microsoft Web platforms
such as Apache, and J2EE application servers like IBM WebSphere and BEA WebLogic
as well as open source JBoss. The company plans to ship its update to DirectControl
soon after Microsoft's release of R2, Kemp says.
Similarly, Lindon, Utah software developer Vintela, recently acquired by Quest
Software, also plans to provide ADFS support for Java environments in Active
Directory via its Vintela Single Sign-on for Java (VSJ) product.
"[ADFS] is giving customers the ability to pick the best of breed applications
and get access to the underlying infrastructure so they don't have to throw
the baby out with the bath water," says Jackson Shaw, vice president of product
marketing for Vintela.
Until February of this year, Shaw worked at Microsoft as a product manager
for Active Directory working on MIIS. Vintela, he says, will add ADFS support
in VSJ towards the end of the year.
Both Centrify and Vintela are already players in the market for SSO products
that hook non-Microsoft environments into Active Directory. So aren't they a
little nervous that Microsoft will eventually come after their niches?
That's unlikely, say developers and analysts -- at least for the foreseeable
future. In fact, the two firms say that their product lines complement Microsoft's
ADFS initiative by providing key pieces of the connection on the Linux, Java
and Unix side, rather than competing with it.
"Our software extends Active Directory to non-Microsoft environments [so that]
you get single sign-on so we are entirely complementary to what Microsoft does,"
says Kemp.
And, given recent history, directly supporting Linux and Java from Active Directory
is anathema to Microsoft. So that makes Vintela and Centrify fairly safe.
"Microsoft isn't going to want to have a product that runs on a competing platform,"
says Al Gillen, research director for system software at analysis firm IDC.
It's more complex than that for Microsoft, of course. The company may want
to crush Linux and Java completely, but it is pragmatic where customers' business
is concerned. Microsoft officials understand that customers want interoperability
among identity systems, so the company will promote the Web Services stack,
but won't go so far as actually providing the connection from the other side,
say long-time industry observers.
"[Customers tell us] We can't have multiple directory environments because
the cost is too high," Gillen says. "I think this is [a compromise position
because] Microsoft has run into barriers to entry into the data center and directory
interoperability is part of it."
"The whole notion of extending the Active Directory ecosystem is a good one,"
agrees John Enck, vice president in server and directory strategies at researcher
Gartner. "Microsoft has no credibility in those areas so they need someone to
support that."
"What customers are looking for is to simplify their directory infrastructure,"
Enck adds. "If I'm a global enterprise, I'm going to have a lot of systems
in there [not just Windows]."
ADFS: A Work in Progress
However, as Enck says, don't look for ADFS to solve "the problems of world
peace" any time soon. It's a work in progress with a long schedule.
For one thing, the version of ADFS to debut in R2 does not support the federation
specifications that Microsoft and Sun co-developed over the past year in order
to enable federation between Microsoft's and Liberty Alliance's identity management
systems.
Somewhat confusingly, those specifications are named Web Single Sign-On Interoperability
Profile and Web Single Sign-On Metadata Exchange Protocol. Support for them
is coming later. "[These specifications] are not supported in the R2 release
of ADFS, but will be supported in a future release of Windows," Microsoft's
spokeswoman said in an e-mail, though she gave no dates for their availability.
The two joint specifications will ultimately enable browser-based Web SSO between
security domains that use Liberty's Identity Federation Framework (ID-FF) and
WS-Federation.
In addition, the version of ADFS coming in R2 will not support Simple Object
Access Protocol-based (SOAP) "active" interactions with applications at the
outset. Initially, it will only support Hypertext Transfer Protocol-based (HTTP)
"passive" interactions such as browser-based requests for identity authentication.
So will ADFS make MIIS obsolete?
"Absolutely not," says the Microsoft spokeswoman. "Even if there was a 100
percent usage of these Web Services standards across all applications and systems,
there is still a need for the capabilities provided by MIIS." That's particularly
true with legacy systems. In that light, she says that coming updates to MIIS
are still on track. MIIS SP2 is due out in 2006, and a major upgrade code-named
"Gemini" is due out in 2007.
But as Web Services become increasingly popular for open communications and
the majority of system vendors add it into their products, the writing seems
to be on the wall.
"MIIS can perform many of these functions today and we are making future investments
to further automate these tasks for our customers," the spokeswoman adds. "MIIS
is basically the solution we are looking at today [while] ADFS is the vision
moving forward."
"MIIS is about helping customers deal with what they have today [while] ADFS
is our solution moving forwards," says Stephenson. "Our vision is that, over
time, Web Services platforms will be adopted and you'll be able to get SSO on
all of these various systems without having to do any heavy lifting."