In an earlier posting, I wrote about the Microsoft Identity Roadmap.
I now want to look at Microsoft's cloud-based identity offerings in greater detail. These include:
- Microsoft Live Identity Services
- The Live Identity Framework (an SDK)
- The Microsoft Federation Gateway (a Live service)
- The .NET Access Control Service
Microsoft Live Identity Services is a successor to "Passport." These are the identity services that Windows Live maintains itself, as opposed to the federated identity services of Windows Live (more below).
The Live Identity Framework is the cloud-based, Windows Azure (see Microsoft's Windows Azure - An OS for the Cloud) analogue of the on-premise Windows Server "Geneva" Framework (see Microsoft Identity Roadmap - On-premise for more details). Both are Microsoft Visual Studio Software Development Kits (SDKs). It is not clear in what ways they differ. Today, a developer would employ the Live Identity Framework when writing a Windows Azure application for deployment in the cloud under Windows Live, and the "Geneva" Identity Framework when writing a Windows Server application for on-premise, or remotely hosted, Windows Server deployment.
The Microsoft Federation Gateway is in production now. It is a cloud-based Security Token Service (STS) that has four major roles:
- To provide authentication and authorization services to Windows Live Online offerings such as Dynamics CRM Online, Exchange Online, SharePoint Online, etc.
- To provide authentication and authorization services to cloud-based, Windows Azure applications that employ the Live Identity Framework.
- To employ Live Identity Services (also in production now) as its source of authentication and authorization data and policies.
- To interface with other compliant STSs, in both directions: providing them with access to Live Identity Services authentication and authorization data and policies, and providing access to remote authentication and authorization data and policies held behind remote STSs, such as a "Geneva" server, a Microsoft Services Connector, or a third-party on-premise (see Microsoft Identity Roadmap - On-premise for more details) or cloud-based STS.
.NET Access Control Services (ACS) is currently employed by Microsoft in its .NET Services, and is available externally as a Community Technical Preview (CTP). An initial external beta will be available in 1H 2009. There is currently no release date! It is a Windows Azure-based STS whose role is to provide access control services (authentication + authorization) to:
- Microsoft-provided, Windows Azure-based services (using the Live Identity Framework)
- Customer-provided, Windows Azure-based applications (using the Live Identity Framework)
- Customer-provided, Windows Server-based applications (using the "Geneva" Identity Framework)
The first two run in the Windows Live cloud; the third runs on-premise, or on a remotely hosted Windows Server.
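The two STS roles described above, a cloud STS that authenticates against its own identity store and one that also brokers tokens issued by other trusted STSs such as a "Geneva" server, can be seen in miniature in the following Python example. It is added here and is not Microsoft code: the STS names, keys, accounts and the HMAC-signed JSON token format are constructed stand-ins for the signed security tokens a production STS issues. What it shows is the trust topology: the application trusts only the gateway, the gateway trusts the on-premise STS, and a token is rejected when its issuer is not trusted, its signature does not verify, it is addressed to a different audience, or it has expired.

```python
import base64
import hashlib
import hmac
import json
import time

# Everything below is constructed for illustration: the STS names, keys and
# accounts are hypothetical and do not describe any Microsoft product's internals.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()


def verify_token(token: str, trusted_issuers: dict, audience: str, now=None) -> dict:
    """Relying-party check: signed by a trusted issuer, addressed to us, not expired.
    Returns the claims on success and raises ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed token")
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(_mac(key, body), _unb64(sig)):
        raise ValueError("bad signature")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


class SecurityTokenService:
    """A minimal STS: authenticates users it knows and issues signed claims tokens."""

    def __init__(self, name: str, key: bytes, accounts: dict):
        self.name, self.key, self.accounts = name, key, accounts  # user -> (password, claims)

    def _issue(self, claims: dict, audience: str, now: float, ttl: float) -> str:
        payload = dict(claims, iss=self.name, aud=audience, iat=now, exp=now + ttl)
        body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
        return f"{body}.{_b64(_mac(self.key, body))}"

    def authenticate(self, user: str, password: str, audience: str, now=None, ttl=300) -> str:
        """Direct authentication against this STS's own identity store."""
        now = time.time() if now is None else now
        record = self.accounts.get(user)
        if record is None or not hmac.compare_digest(record[0], password):
            raise ValueError("authentication failed")
        return self._issue(dict(record[1], sub=user), audience, now, ttl)


class FederationGateway(SecurityTokenService):
    """An STS that also trusts remote STSs and re-issues their tokens under its own signature."""

    def __init__(self, name: str, key: bytes, accounts: dict, trusted_issuers: dict):
        super().__init__(name, key, accounts)
        self.trusted_issuers = trusted_issuers  # remote STS name -> its verification key

    def broker(self, remote_token: str, audience: str, now=None, ttl=300) -> str:
        now = time.time() if now is None else now
        # The remote STS addressed its token to the gateway, not to the final application.
        inbound = verify_token(remote_token, self.trusted_issuers, audience=self.name, now=now)
        forwarded = {k: v for k, v in inbound.items() if k not in ("iss", "aud", "iat", "exp")}
        forwarded["via"] = inbound["iss"]  # record which STS actually authenticated the user
        return self._issue(forwarded, audience, now, ttl)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk a user from a hypothetical on-premise STS, through the gateway, to a cloud application."""
    geneva = SecurityTokenService("geneva.corp.example", b"geneva-key",
                                  {"alice": ("s3cret", {"role": "employee"})})
    gateway = FederationGateway("gateway.example", b"gateway-key", {}, {geneva.name: geneva.key})
    app = "crm.cloud.example"
    app_trust = {gateway.name: gateway.key}  # the application trusts only the gateway

    onprem = geneva.authenticate("alice", "s3cret", audience=gateway.name, now=now)
    brokered = gateway.broker(onprem, audience=app, now=now)
    results = {"accepted": verify_token(brokered, app_trust, app, now=now)}

    for label, token, when in [
        ("direct_onprem_token", onprem, now),          # issuer the app does not trust
        ("tampered", brokered[:-4] + "AAAA", now),     # signature no longer matches the body
        ("expired", brokered, now + 3600),             # presented after exp
    ]:
        try:
            verify_token(token, app_trust, app, now=when)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The point of the `via` claim and of the audience check is that the application never has to know about, or hold keys for, the on-premise STS: it trusts one issuer, the gateway, and the gateway's trust list is where federation partners are added or removed.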
In time, one would expect the .NET ACS to be available for deployment on-premise, but Microsoft remains mute on this beyond the following statement by Kim Cameron: "You might wonder – is there a version of ACS I can run on-premises? Not today, but these capabilities will be delivered in the future through 'Geneva.'"
For users who wish to deep dive into any of these offerings, the following PDC 2008 presentations are available online:
- Identity: Roadmap for Software + Services
- Identity: Live Identity Services Drilldown
- Identity: Connecting Active Directory to Microsoft Services
- .NET Services: Access Control Service Drilldown
- .NET Services: Access Control In the Cloud Services
... Nick Shelness