Archive for the ‘SAML’ Category

AD FS 2.0 … a SAML Promise Delivered!

May 20th, 2010 by Don Schmidt

AD FS 2.0 shipped on May 5, 2010.  Why am I just getting around to blogging about it now, you might ask?  Hmm.  Spend some vacation time in Paris with my wife … or come out of blog retirement?  But hey, “Better late than never, right?” 

As you can see from the date of my last post, I don’t like to take up your time unless I believe it’s really worth your while.  In November 2008 I moved from product development into an architectural role, working with governments on how to utilize federated, claims-based identity to ensure the safe, online delivery of public services to citizens.  But before I moved on I made you a promise that AD FS 2.0 would deliver SAML 2.0 protocol support. 

Last September AD FS 2.0 passed the Liberty Alliance SAML interoperability testing for our original design goals with flying colours.  Now all the fit and finish is done, and you too can experience the IdP Lite and SP Lite Operational Modes from the SAML 2.0 Conformance Specification, plus the eGov 1.5 Profile. 

But wait, there’s more.  AD FS 2.0 supports WS-Trust and WS-Federation too.  And as much as I love ADFSv1 (parental pride you know) … its big brother is so much easier to manage using federation metadata, automatic certificate rollover, and easy farm setup for high availability.  Plus out-of-the-box, AD FS 2.0 offers a policy interface for claims issuance and supports a SQL attribute store as well as Active Directory.  This is one powerful, but Admin-friendly Security Token Service.  I know you’ll find it worth the wait.

I want to congratulate the AD FS Development Team for staying the course, and serving up a job well done!  You can meet some of those heroes here, in several Channel 9 videos where they guide you through the features and capabilities of AD FS 2.0.

“Geneva” SAML Interop … With a Lot of Help from Our Friends

November 2nd, 2008 by Don Schmidt

Call me sentimental … but when I started to think about writing this post, I immediately flashed on that great Lennon and McCartney song, “With a Little Help from My Friends.” Read on and you’ll see why.

Response to the unveiling of “Geneva” at the PDC last week has been outstanding! If you thought all those blogs about the Identity Metasystem were just talk … this is Microsoft putting its money where its mouth is. Improvements over ADFS and CardSpace v1 are huge. The Microsoft Federated Identity server, framework and client teams have worked long and hard. Every one of them deserves a curtain call with a standing ovation. It was particularly heartwarming to see Pamela’s acknowledgement of the Federated Identity team’s labors and accomplishments.

“Geneva” comprises a rich claims-based access feature set that will deliver on much of the promise of the Identity Metasystem vision. I just want to focus on the SAML 2.0 protocol support in this article. In the hope of being able to submit “Geneva” Server to the Liberty Alliance interoperability testing program, Liberty Interoperable, we have targeted the IdP Lite and SP Lite Operational Modes from the SAML 2.0 Conformance Requirements specification, plus the GSA Profile, which is referenced by many governments around the world. That is still a lot of functionality, and we had to determine what customers really needed so we could prioritize our development process accordingly. Microsoft did not do this alone. We had a Lot of Help from Our Friends.

We have been working with customers and other vendors for over a year to determine which features of the SAML 2.0 protocol are most commonly deployed. They unanimously agreed that the Web SSO Profile is what matters most. Based on actual customer deployments – augmented by extensive consultation with experts from the Shibboleth community, and precious insights from other vendors, including IBM, Ping Identity, SAP and Sun Microsystems – the SAML 2.0 feature prioritization for “Geneva” Server looks like this (in descending order of priority).

- Web SSO AuthnRequest : HTTP redirect
- Web SSO Response : HTTP POST
- Identity Provider Discovery : Cookie
- Web SSO Response : HTTP Artifact
- Artifact Resolution : SOAP
- Single Logout (IdP-initiated) : HTTP redirect
- Single Logout (SP-initiated) : HTTP redirect
- Enhanced Client/Proxy SSO : PAOS
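The first two items on that list, the AuthnRequest over HTTP-Redirect and the Response over HTTP-POST, are worth seeing in concrete form, because the two bindings encode their payloads differently and the Redirect binding signs something other than the XML. The Python below is an added example written for this page; it is not AD FS or “Geneva” code, and the SP, IdP and ACS URLs in it are constructed placeholders. It builds a minimal AuthnRequest, encodes it for HTTP-Redirect (raw DEFLATE, then base64, then URL-encoded query parameters), decodes it on the receiving side, shows the plain-base64 HTTP-POST encoding used on the Response leg, and assembles the query-string input that a Redirect-binding signature covers. The choice of rsa-sha256 as the SigAlg value and the field names returned by parse_authn_request are the example's own assumptions.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Namespace URIs from the SAML 2.0 Core specification.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Algorithm URI carried in the SigAlg query parameter (assumed choice for this example).
SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def build_authn_request(issuer, destination, acs_url, request_id=None, issue_instant=None):
    """Serialize a minimal <samlp:AuthnRequest> that asks for HTTP-POST on the return leg."""
    request_id = request_id or "_" + uuid.uuid4().hex  # xsd:ID must be an NCName, so lead with "_"
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, "{%s}Issuer" % NS["saml"]).text = issuer
    return ET.tostring(root, encoding="unicode")


def redirect_encode(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, as query parameter values.
    zlib.compress() would prepend a 2-byte zlib header that conforming peers reject; wbits=-15 avoids it."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return params


def redirect_url(sso_url, params):
    """Attach the encoded parameters to the IdP's single sign-on endpoint URL."""
    sep = "&" if urlparse(sso_url).query else "?"
    return sso_url + sep + urlencode(params)


def redirect_decode(url):
    """Inverse of redirect_encode: recover the XML and RelayState from a received URL."""
    qs = parse_qs(urlparse(url).query)
    key = "SAMLRequest" if "SAMLRequest" in qs else "SAMLResponse"
    raw = base64.b64decode(qs[key][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")  # raw inflate, matching wbits=-15 above
    return xml_text, qs.get("RelayState", [None])[0]


def redirect_signature_input(params, sig_alg=SIG_ALG_RSA_SHA256):
    """Octets signed (or verified) in the Redirect binding. The XML carries no ds:Signature here;
    the signature covers the URL-encoded query values in exactly this order: SAMLRequest or
    SAMLResponse, RelayState if present, SigAlg. A verifier must use the query bytes as received,
    since decoding and re-encoding can change them and break an otherwise valid signature."""
    key = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    parts = [(key, params[key])]
    if "RelayState" in params:
        parts.append(("RelayState", params["RelayState"]))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts)


def post_encode(xml_text):
    """HTTP-POST binding: plain base64 of the XML in a hidden form field; no DEFLATE step."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def post_decode(field_value):
    return base64.b64decode(field_value).decode("utf-8")


def parse_authn_request(xml_text):
    """Pull out what an IdP checks before answering: ID (echoed as InResponseTo), Issuer
    (to find the SP's metadata) and the ACS URL (which must match that metadata)."""
    root = ET.fromstring(xml_text)  # production code should parse with defusedxml
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


if __name__ == "__main__":
    # Constructed placeholder endpoints, not real hosts.
    xml = build_authn_request("https://sp.example.test/metadata",
                              "https://idp.example.test/sso",
                              "https://sp.example.test/acs")
    url = redirect_url("https://idp.example.test/sso", redirect_encode(xml, relay_state="/app/home"))
    print(url)
    print(parse_authn_request(redirect_decode(url)[0]))
```

Two checks worth making against any implementation of these bindings: that the Redirect encoder emits raw DEFLATE rather than zlib-wrapped data, and that Redirect-binding signature verification runs over the query bytes as received rather than over a re-encoded copy. The parse step here is deliberately minimal; a real IdP also compares Destination with its own endpoint and the ACS URL with the SP's registered metadata before issuing a Response.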

Patrick Harding, from Ping Identity, provided a most eloquent confirmation of the “Geneva” plan.

Ping Identity has partnered with Microsoft on numerous federated identity initiatives over the last few years – from the early work on WS-Federation to the more recent Information Cards interoperability events. It was extremely gratifying to have Microsoft recognize Ping Identity’s market leading success with SAML 2.0 when they reached out to us to ensure that Microsoft’s SAML 2.0 Web SSO profile implementation in its upcoming products will successfully interoperate with PingFederate.

Microsoft’s support for SAML 2.0 is a watershed moment in the identity management industry as it now allows deployers to focus on the business value of Internet SSO rather than concerning themselves and their business partners with protocol choice. Microsoft’s decision to focus on the IdP Lite, SP Lite and eGov interoperability profiles for SAML 2.0 also matches Ping Identity’s expectations as to what is the minimum bar necessary for deployers to successfully leverage SAML 2.0. I am looking forward to continuing to work with Microsoft to solve the next set of issues that will allow us to further simplify the effort involved in establishing federated identity connections.

Congratulations to all at Microsoft who were involved in enabling SAML 2.0 in Geneva.

We are working our way down the SAML 2.0 feature list above. As anyone who has ever developed software knows, code isn’t finished until you test it. And that meant testing “Geneva” Server to prove its interoperability with other implementations. Again, we got a Lot of Help from Our Friends. We owe a huge debt of gratitude to the Shibboleth community (Scott Cantor from The Ohio State University, and Jim Fox from the University of Washington, in particular), IBM (Tony Nadalin, Shane Weeden, Neil Readshaw) and Ping Identity (Patrick Harding, Tom Doyle, Pasha Beneson).

We would not have finished the “Geneva” beta in time for the PDC without this incredible outpouring of help from the community. On behalf of Microsoft I extend our heartfelt gratitude. I guess this shows that the Identity Metasystem is bringing people together, as well as technologies.