Realising the identity metasystem
It's perhaps unsurprising, given all the brouhaha surrounding Microsoft's claims that open source software infringes on 235 of its patents (which incidentally I take to be largely 'sabre rattling' from Redmond in the face of the implications of the GPLv3 for its deal with Novell, as discussed in the Risk Factors of the latter's recent 10-K filing), that some recent news regarding the Redmond company's very positive collaboration with the open source community has not received the attention it deserves.
The news in question concerns a series of announcements the company made at last week's Interop conference in Las Vegas. These announcements, as the title of the post suggests, all revolve around Microsoft's vision for an Internet-scale, interoperable identity metasystem and range from additions to the Open Specification Promise (OSP) through to support for OpenLDAP with Microsoft's Identity Lifecycle Manager.
So, what did they announce? First, Microsoft is making the Identity Selector Interoperability Profile available under the OSP to enhance interoperability in the identity metasystem for client computers using any platform. An individual open source software developer or a commercial software developer can build its identity selector software and pay no licensing fees to Microsoft, nor will it need to worry about future patent concerns related to the covered specifications for that technology. In other words, third parties are free to build the equivalent of Microsoft's CardSpace, following the likes of the Higgins project, Ian Brown's Apple Safari Plug-In and Chuck Mortimore's Firefox Identity Selector. This is important not only because it extends the reach of CardSpace-like capabilities beyond Windows but also because it facilitates a consistent user experience (I know because I have used CardSpace, the Safari Plug-In and the Firefox Identity Selector), which helps to reduce errors and misunderstanding by users.
Second, Microsoft is starting four open source projects that will help Web developers support information cards, the primary mechanism for representing user identities in the identity metasystem. These projects will implement software for specifying the Web site’s security policy and accepting information cards in Java for Sun Java System Web Servers or Apache Tomcat or IBM’s WebSphere Application Server, Ruby on Rails, and PHP for the Apache Web server. An additional project will implement a C Library that may be used generically for any Web site or service. These implementations will complement the existing ability to support information cards on the Microsoft® Windows® platform using the Microsoft Visual Studio® development environment. Or, to put it another way, doing for back-end servers what the first announcement is doing for the front-end: enabling web sites and enterprises running a wide variety of web server infrastructure to support authentication using CardSpace and the other identity selectors.
The cynical amongst you might be forgiven for thinking that these two announcements are just Microsoft paying lip service to interoperability. This post should help to allay your concerns: at the Internet Identity Workshop earlier in May the Open Source Identity Selector (OSIS) group demonstrated interoperability amongst 5 identity selectors, 11 relying parties (the party relying on authentication to prove an identity), 7 identity providers (the party asserting the identity), 4 types of identity token (the mechanism for conveying the identity assertion), and 2 authentication mechanisms. Also, on the same day as the Microsoft press release, Internet2 announced plans to extend Shibboleth, a federated web single sign-on solution based on SAML that is widely used amongst educational institutions, to support CardSpace and compatible identity selectors.
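To make the roles above concrete (relying party publishing its policy, identity selector choosing a matching card, identity provider issuing a token, relying party verifying it before trusting any claim), here is an added example that is not part of the original post or of any of the projects it mentions. It simplifies the real protocol: an HMAC over a JSON body stands in for the X.509-signed SAML/WS-Trust tokens of the metasystem, and the issuer and audience URLs are constructed.

```python
import hmac, hashlib, json, time

# Constructed key shared by the identity provider and relying party. In the real
# metasystem the IdP signs with an X.509 key and the RP verifies the certificate.
IDP_KEY = b"constructed-idp-signing-key"

def rp_policy():
    """Relying party (RP) publishes which claims it needs and which issuers it trusts."""
    return {"audience": "https://rp.example",            # constructed RP identifier
            "required_claims": ["email", "age_over_18"],
            "trusted_issuers": ["https://idp.example"]}    # constructed IdP identifier

def selector_choose_card(policy, cards):
    """Identity selector: offer only cards whose issuer the RP trusts and which
    can supply every claim the policy asks for; None means no usable card."""
    for card in cards:
        if (card["issuer"] in policy["trusted_issuers"]
                and set(policy["required_claims"]) <= set(card["claims"])):
            return card
    return None

def idp_issue_token(policy, user_claims, now=None):
    """Identity provider (IdP): release only the claims the RP requested, bound to
    the RP (audience) and to a short lifetime, and sign the whole body."""
    now = int(time.time()) if now is None else now
    body = {"issuer": "https://idp.example", "audience": policy["audience"],
            "claims": {c: user_claims[c] for c in policy["required_claims"]},
            "exp": now + 300}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload.decode(),
            "sig": hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()}

def rp_verify_token(policy, token, now=None):
    """RP: check the signature first, then issuer, audience, expiry and claim set.
    Returns the verified claims, or None if the token must not be trusted."""
    now = int(time.time()) if now is None else now
    payload = token["payload"].encode()
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):   # tampered or forged
        return None
    body = json.loads(payload)
    if (body["issuer"] not in policy["trusted_issuers"]   # untrusted IdP
            or body["audience"] != policy["audience"]      # token meant for another RP
            or body["exp"] < now):                         # replayed after expiry
        return None
    if any(c not in body["claims"] for c in policy["required_claims"]):
        return None
    return body["claims"]
```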
The third piece of news from Redmond last week concerned the new Identity Lifecycle Manager product and is thus primarily focussed behind the firewall. Microsoft is going to be working with KERNEL Networks and Oxford Computer Group to enable bi-directional synchronisation of identity data between OpenLDAP, an open source implementation of the ubiquitous directory standard, and Microsoft's Active Directory. Identity Lifecycle Manager already supports a wide range of the commonly-deployed identity data repositories, so I think this move is primarily in the "playing well with open source" category - but valuable nonetheless.
These announcements are further evidence that the likes of Kim Cameron, Microsoft's chief identity architect, and Mike Jones, the company's Director of Identity Partnerships, have been working hard to foster the relationships and commitment (both from Microsoft and third parties) required to help make the identity metasystem a reality. That reality is too important for the results of those efforts to be diluted by political shenanigans around patents and GPLv3.
Labels: CardSpace, Higgins, identity, Microsoft, SAML, Shibboleth