Microsoft Azure Supports Federated IDMicrosoft Azure Supports Federated ID

Microsoft has adopted a "claims-based architecture" in its approach to managing the identities of users in its Azure cloud.

At its Professional Developers Conference in L.A. recently, it announced a Microsoft Identity Platform that invokes the architecture to establish a federated identity for users. A federated identity can be used to provide a single sign on to multiple applications, both in the enterprise and in the cloud.

A federated identity of some type is going to be necessity if there is any prospect of hybrid cloud computing coming into vogue. IT departments that ship part of their workload off to the public cloud will need to be able to allow end users of applications to follow them into the cloud and use them there as well.

Microsoft's claims-based architecture is a more flexible approach to establishing a users' identity, than a straight forward, on-premises Active Directory system. The claims-based architecture can accept digital identifiers from multiple sources, such as LDAP directories, Active Directory, Outlook or Lotus Notes directories, certificates from security services, or a Windows token, said Kim Cameron, Microsoft's chief identity architect, in an interview at the developers conference.

Once a user's identity verifier is supplied, a central brokering authority compares the "claim" to that required by a particular application. If there's a match, use of the application can proceed.

Under a claims-based architecture, retrieving some form of digital identity is not enough, said Cameron. It is just a "claim" to an end user identity until the central broker checks its authenticity and its status to see if it meets the requirements of the application. All forms of identity remain untrusted -- they're treated as claims, not proof -- until the central authority decides they meet the needs of the application, he said.

"In this model, developers don't have to program identity management into the application. It comes to them," said Cameron. He is the former VP of Technology at Zoomit, a Toronto firm acquired by Microsoft in 1999. Zoomit invented meta directories to coordinate identity based on multiple directories and other heterogeneous sources. A security certificate is an identifier, provided an automated check on it shows that the certificate is still active and not expired.

The platform follows WS-Federation, an identity management standard supported by IBM, BMC, Verisign, CA, and the former BEA Systems, now part of Oracle, and the Security Assertion Markup Language standard. While other firms support the federated identity approach, Microsoft's implementation of a claims-based architecture remains its own variation on the specifications.

Both Salesforce.com and GoogleApps employ federated identity management based on the WS-Federation standard, said Gerry Gebel, analyst with the Burton Group.

"It’s not a new concept to have the identity management externalized from the application. It's been a goal of enterprise architects for many years," he said. But not all cloud vendors are going to extend federated identity management services or products in quite the way Microsoft has with its implementation of Microsoft Identity Platform. Amazon.com leaves identity management to the customer beyond a bare-bones, application activation requirement.

"Many software-as-a-service vendors still do identity management in a proprietary manner," where the user identification and authentication is good for only that vendor's online application services.

The supporters of WS-Federation, SAML and other standards are moving toward an online world in which one sign-on will carry the user into the realm of cross-vendor applications, with his identity moving with him.