Microsoft and Federated Identities: The Road to Single Sign-On

Single sign-on. Symbolically at least, it may be a kind of grail for IT staffers who today need to administer thousands of user accounts -- often a jumble of weakly-related identities stored in a dizzying variety of directory management systems in different environments.

Corporate end users have an average of about 16 separate passwords that they need to remember, according to a 2003 Gartner survey of more than 300 enterprises. "Some vertical industries will have higher numbers of passwords because they have more internal applications, but between one and two dozen is a good [ballpark figure]," says Earl Perkins, analyst in Gartner's security and privacy group.

Additionally, those passwords are often stored and managed via dozens of different identity management systems in different locations, making user account administration on an enterprise basis a living nightmare.

Single sign-on, or SSO as it's often called, seems like a simple-enough concept. Log onto one computer and you're effectively logged into all of the systems you have permission to access, everywhere. No more remembering all those different passwords for users, meaning fewer calls to the help desk with password reset requests.

From an IT manager's point of view, however, that is still mostly a dream. Today, an employee might leave and, while the human resources department's system may know that, the information may not have made its way into the main network directory -- or, likely, into multiple directory systems.

But that is changing.

The arrival of Windows Server 2003 Release 2 (R2), due out by the end of the year, will bring with it long-awaited capabilities to let Active Directory integrate with other identity management systems through Web Services. Indeed, the aim of providing what's termed Active Directory Federation Services (ADFS) in R2 is to facilitate a shift from proprietary identity management schemes to one built around Web Services, and ultimately making Web SSO a reality.

"[Customers asked us] Why can't we use Active Directory for our non-Windows environments such as Unix," says Michael Stephenson, Microsoft director of product management for identity and access management within the Windows Server organization. "We listen to our customers."

Microsoft Identity Integration Server

Single sign-on is already a reality for some users as long as they work within a single, often proprietary environment, which is seldom the case. Therefore, the universe of identity management and directory systems is still very much islands in the stream when it comes to SSO.

Microsoft recognized the problem several years ago. It had accomplished dominance on corporate desktops worldwide and its servers were finally making headway, gradually penetrating data centers that already had non-Microsoft systems in place.

So in 1999, while it was still readying Active Directory for its debut in Windows 2000, the company acquired ZoomIT for its metadirectory, which became Microsoft Metadirectory Services. Now known as Microsoft Identity Integration Server 2003 (MIIS), it provides SSO and account management features to connect with other identity systems. This is made possible via "agents" that handle protocol translation between Active Directory and the other systems.

MIIS 2003 Enterprise Edition provides identity integration and directory synchronization, account provisioning and de-provisioning, and password synchronization and management for a laundry list of identity systems and applications that require authentication, according to Microsoft documents. These include Active Directory Application Mode (ADAM), IBM Directory Server, Novell eDirectory, SunONE/iPlanet Directory, and X.500 systems, among others. It also supports Lotus Notes and Domino, Microsoft Exchange 5.5, PeopleSoft, SAP, SQL Server, Oracle, and IBM DB2.

Additionally, French third-party developer Kernel Networks said in July that it will deliver an OpenLDAP (Lightweight Directory Access Protocol) management agent for MIIS 2003 by the end of the year. The agent will provide connectivity for applications that exchange identity information between MIIS and OpenLDAP 2.x-based directories.

Solutions like MIIS are still complex and inflexible, however. Customers want a simpler way to bring all of their identity systems together. Additionally, MIIS doesn't address Web applications. That's where ADFS comes in.

Active Directory Federation

"One of the things that customers want to do is to let their users get access to information outside their organizations or to let external users have access to internal information," says Microsoft's Stephenson.

Microsoft documents describe ADFS as "a new feature of Active Directory that . . . uses the WS-* architecture to provide an open model for Web SSO to Web applications in internet-facing scenarios." A Microsoft spokeswoman expanded on that, saying that ADFS "enables customers to provide their users with single sign-on across multiple Web applications including applications that are managed by partners -- commonly referred to as Federation."

Based on the WS-Federation and WS-Security standards, the idea of ADFS is to tear down the barriers to single sign-on across enterprise boundaries as well as boundaries between separate identity management systems via the use of Web Services and eXtensible Markup Language (XML).

Using a standardized, human-readable language -- XML -- to describe the services that Active Directory and any other XML-enabled directory provide as Web Services enables a common means of communication between dissimilar systems that is much simpler to build and maintain than more proprietary approaches.

Indeed, that's the point of federation. The idea is to create a single point of authentication and authorization for a mixed operating system environment, even while allowing non-Microsoft networks to co-exist in the IT environment.

In a federated trust relationship, identities and their associated credentials are still stored, owned, and managed separately from resources, according to Microsoft documents. Each individual member of the federated trust relationship continues to manage its own identities but is also capable of securely sharing and accepting identities and credentials from the sources of other members of the federated trust relationship.
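The trust relationship described above, as an added Python sketch that is not Microsoft's code and does not use ADFS's real token format: the account partner keeps its own identity store and signs claims with its own key, while the resource partner only accepts tokens from issuers it has configured as trusted. An HMAC shared secret stands in for the signing certificate, and the partner names, claim names and role mapping are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Account partner side: issue a signed claims token for one of its own users.
# (Constructed illustration; a real federation token is a signed XML security
# token, and the signing key would be a certificate rather than a shared secret.)
def issue_token(issuer, signing_key, subject, claims, audience, now, ttl=300):
    body = {"iss": issuer, "sub": subject, "aud": audience,
            "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())

# Resource partner side: it never sees the user's password; it decides purely on
# whether the issuer is a trusted federation member, the signature verifies, the
# token is unexpired, and it was minted for this application.
def accept_token(token, trusted_partners, expected_audience, now):
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        body = json.loads(payload)
    except ValueError:          # malformed base64/JSON or wrong field count
        return None
    key = trusted_partners.get(body.get("iss"))
    if key is None:             # issuer is not a member of the federated trust
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None             # tampered or signed by the wrong key
    if body.get("aud") != expected_audience or body.get("exp", 0) <= now:
        return None
    return body

# The resource partner maps the partner's group claims onto its own local roles,
# so each side keeps managing its own identities and authorizations.
ROLE_MAP = {"partner-purchasing": "po-approver"}   # constructed mapping

def local_roles(body):
    groups = body.get("claims", {}).get("groups", [])
    return [ROLE_MAP[g] for g in groups if g in ROLE_MAP]
```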

WS-Federation was originally created by IBM, Microsoft, BEA Systems, RSA Security and VeriSign, who announced it two years ago. It is one of the WS-Security specifications.

Bridging the Federation Gap

At Microsoft's TechEd Europe 2005 in July, the company announced that two third-party developers -- Centrify and Vintela -- are working on ADFS agents that will enable Linux and Java-based identity systems to federate with and be managed through Active Directory.

"We deliver Active Directory clients for Unix and Linux," says Tom Kemp, CEO of Mountain View, California-based Centrify. "The piece [that was] missing is this whole Web single sign-on and federated identity."

Centrify is readying an update to its DirectControl suite that provides an ADFS Web SSO agent for Web-based applications running on non-Microsoft Web platforms such as Apache, and J2EE application servers like IBM WebSphere and BEA WebLogic as well as open source JBoss. The company plans to ship its update to DirectControl soon after Microsoft's release of R2, Kemp says.

Similarly, Lindon, Utah-based software developer Vintela, recently acquired by Quest Software, also plans to provide ADFS support for Java environments in Active Directory via its Vintela Single Sign-on for Java (VSJ) product.

"[ADFS] is giving customers the ability to pick the best of breed applications and get access to the underlying infrastructure so they don't have to throw the baby out with the bath water," says Jackson Shaw, vice president of product marketing for Vintela.

Until February of this year, Shaw worked at Microsoft as a product manager for Active Directory working on MIIS. Vintela, he says, will add ADFS support in VSJ towards the end of the year.

Both Centrify and Vintela are already players in the market for SSO products that hook non-Microsoft environments into Active Directory. So aren't they a little nervous that Microsoft will eventually come after their niches?

That's unlikely, say developers and analysts -- at least for the foreseeable future. In fact, the two firms say that their product lines complement Microsoft's ADFS initiative by providing key pieces of the connection on the Linux, Java and Unix side, rather than competing with it.

"Our software extends Active Directory to non-Microsoft environments [so that] you get single sign-on so we are entirely complementary to what Microsoft does," says Kemp.

And, given recent history, directly supporting Linux and Java from Active Directory is anathema to Microsoft. So that makes Vintela and Centrify fairly safe.

"Microsoft isn't going to want to have a product that runs on a competing platform," says Al Gillen, research director for system software at analysis firm IDC.

It's more complex than that for Microsoft, of course. The company may want to crush Linux and Java completely, but it is pragmatic where customers' business is concerned. Microsoft officials understand that customers want interoperability among identity systems, so the company will promote the Web Services stack, but won't go so far as actually providing the connection from the other side, say long-time industry observers.

"[Customers tell us] We can't have multiple directory environments because the cost is too high," Gillen says. "I think this is [a compromise position because] Microsoft has run into barriers to entry into the data center and directory interoperability is part of it."

"The whole notion of extending the Active Directory ecosystem is a good one," agrees John Enck, vice president in server and directory strategies at researcher Gartner. "Microsoft has no credibility in those areas so they need someone to support that."

"What customers are looking for is to simplify their directory infrastructure," Enck adds. "If I'm a global enterprise, I'm going to have a lot of systems in there [not just Windows]."

ADFS: A Work in Progress

However, as Enck says, don't look for ADFS to solve "the problems of world peace" any time soon. It's a work in progress with a long schedule.

For one thing, the version of ADFS to debut in R2 does not support the federation specifications that Microsoft and Sun co-developed over the past year in order to enable federation between Microsoft's and Liberty Alliance's identity management systems.

Somewhat confusingly, those specifications are named Web Single Sign-On Interoperability Profile and Web Single Sign-On Metadata Exchange Protocol. Support for them is coming later. "[These specifications] are not supported in the R2 release of ADFS, but will be supported in a future release of Windows," Microsoft's spokeswoman said in an e-mail, though she gave no dates for their availability. The two joint specifications will ultimately enable browser-based Web SSO between security domains that use Liberty's Identity Federation Framework (ID-FF) and WS-Federation.

In addition, the version of ADFS coming in R2 will not support SOAP-based (Simple Object Access Protocol) "active" interactions with applications at the outset. Initially, it will only support HTTP-based (Hypertext Transfer Protocol) "passive" interactions such as browser-based requests for identity authentication.

So will ADFS make MIIS obsolete?

"Absolutely not," says the Microsoft spokeswoman. "Even if there was a 100 percent usage of these Web Services standards across all applications and systems, there is still a need for the capabilities provided by MIIS." That's particularly true with legacy systems. In that light, she says that coming updates to MIIS are still on track. MIIS SP2 is due out in 2006, and a major upgrade code-named "Gemini" is due out in 2007.

But as Web Services become increasingly popular for open communications and the majority of system vendors add support for them to their products, the writing seems to be on the wall.

"MIIS can perform many of these functions today and we are making future investments to further automate these tasks for our customers," the spokeswoman adds. "MIIS is basically the solution we are looking at today [while] ADFS is the vision moving forward."

"MIIS is about helping customers deal with what they have today [while] ADFS is our solution moving forwards," says Stephenson. "Our vision is that, over time, Web Services platforms will be adopted and you'll be able to get SSO on all of these various systems without having to do any heavy lifting."