At the Professional Developers Conference this week Microsoft is announcing the beta release of “Geneva”, the codename for its new claims based access platform.  This platform helps developers and IT professionals simplify user access to applications and other systems with an open claims-based model.  “Geneva” helps developers to externalize user authentication and identity processing from application code by using claims that are obtained with pre-built security logic that is integrated with .NET tools.  “Geneva” helps IT professionals to efficiently deploy and manage new applications by reducing user account management, promoting a consistent security model, and facilitating seamless collaboration across departmental, organizational and vendor boundaries.  User access benefits include shortened provisioning lead times, reduced accounts, passwords and logins, and enhanced privacy support.  “Geneva” implements the Identity Metasystem vision for open and interoperable identity, and includes built-in support for standard federated identity protocols.

A fundamental goal of “Geneva” is to extend the reach of its predecessor, Active Directory Federation Services, and provide a common identity programming model for developers of both web applications and web services.  To maximize interoperability with clients and servers from other vendors, it supports the WS-Trust, WS-Federation and SAML 2.0 protocols.  To maximize administrative efficiency “Geneva” automates federation trust configuration and management using the new harmonized federation metadata format (based on SAML 2.0 metadata) that was recently adopted by the WSFED TC.

WS-Trust is provided to support Information Card based Identity Selectors from third parties, as well as Windows CardSpace.  WS-Federation is required to maintain interoperability with existing federations being operated by government agencies, military organizations and business enterprises around the world.  “Geneva” support for SAML 2.0 was added in direct response to customer requests for increased cross-platform interoperability.  The benefits that are expected to accrue to customers, and the industry at large, are best summarized by Scott Cantor who is one of the key contributors to the SAML 2.0 standard and a Senior Systems Developer at the Ohio State University.

As a Shibboleth and OpenSAML project developer, and a deployer of the Shibboleth software at The Ohio State University, I’m excited and gratified that Microsoft is implementing the SAML 2.0 Web SSO profile in its upcoming products. Throughout the life of the Shibboleth project, and my work on the SAML 2.0 standard, our goal has been to leverage open standards to foster broad interoperability in federated identity within the higher education community and between it and its many commercial and non-commercial partners. Microsoft is clearly one of those critical partners, and as a key technology supplier, its support for the SAML standard reflects an understanding of our community’s needs and goals, and will expand the scope and impact of our efforts.

Our users will benefit by obtaining access to the broadest potential set of federated applications and services, and our worldwide community will benefit from the opportunity to deploy Microsoft’s identity solutions with the knowledge that they will interoperate with Shibboleth. Microsoft’s willingness to listen to our requirements and suggestions demonstrates a commitment to real-world compatibility. I look forward to continuing the dialog with Microsoft as we drive further interoperability in the use of federation metadata to scale and simplify both SAML 2.0 and WS-Federation deployments.

 

This session was delivered by Ian Bailey (Director of Application Architecture, Office of the CIO, Provence of British Columbia, Canada) at Digital ID World in San Francisco.  A compelling session in its own right, it was also the coming out party for the BC Identity Management Architecture Project.

The provincial government leadership has taken a bold step to provide better outcomes for BC citizens through the use of online services and advanced identity management technology, such as Information Cards.  They organized a working group of government agencies and vendors to define an architecture that will enable critical, online access to services provided by the government and the broader public sector, while protecting the privacy of BC citizens.  The website spells out the scope and vision of the project.

The Office of the Chief Information Officer (OCIO) for the Province of British Columbia, with the advice and counsel of an executive committee of Broader Public Sector (BPS) Chief Information Officer’s (or equivalent), and key industry leaders have collaborated to develop an architecture that would enable an identity management service for the government and the BC BPS.

The goal of this project is to develop an identity management architecture to enable interoperation across a diverse range of public sector organizations and their service providers using multiple vendors’ technology solutions.

I have had the privilege to participate in this project. It has been an exhilirating experience to work with peers from so many BC government agencies and leading vendors in the identity management space. In addition to Ian, I especially want to congratulate Dave Nikolejsin (CIO) and Peter Watkins (Executive Director, Office of the CIO) for their vision and energy. And I want to thank Dick Hardt (CEO, Sxip Identity) for leading us in the development of a Claims Based Identity Management Architecture that I personally believe will become a model for governments and the broader public sector everywhere. This quote from the introduction of the Architecture Document should explain my enthusiasm.

Over the past three decades, the British Columbia Provincial Government and Broader Public Sector (BPS) organizations have invested heavily in the automation of business processes. Much of this investment has taken place only to meet a single organization’s unique local needs. It was usually done with limited consideration towards building interoperable cross-organizational information architecture.

To achieve the broader goals of the Province and improve service delivery, a mechanism must be created to securely share information between organizations and systems. An important piece of this mechanism is the development of common cross-organizational standards for interoperable identity management.

This is a complex issue to resolve when one considers the spectrum of public and private sector stakeholders involved: policy, management and administrative issues; privacy and security requirements for the management of access to information; and the various technologies in place. Compounding this architectural challenge is the fact that the Information Technology industry does not have an inclusive “off the shelf” solution. This project will require the British Columbia public sector to work with industry to build upon existing international standards in the development of a business and technology architecture to meet the secure information sharing needs of the BPS.

There is so much more I would like to share with you about this project. It is a profound endorsement of the industry wide convergence on Information Card technology and the underlying WS-* protocols and web services architecture. However, I have to catch another plane. So let me leave you with the knowledge that the BC government has also announced that they are taking the next step and moving the Identity Management Architecture Project from concept to reality. In his session, Ian described a pilot project that is expected to get underway this year.