(updated with RTW date)
On May 5, Microsoft will RTW (release to Web) Active Directory Federation Services 2.0, a piece the software giant needs to extend Active Directory to create single sign-on between local network resources and cloud services.
Back in October 2008, I was the first reporter to write about the impending arrival of ADFS 2.0, then code-named Geneva, and Microsoft’s plan to storm the identity federation market with its claims-based model. I followed Geneva and wrote about its evolution, including the last nail in the project – support for the SAML 2.0 protocol to go along with Microsoft’s similar protocol WS-Federation.
But what will arrive next week is more of a glass half-full, glass half-empty story, one end-users should closely evaluate.
Half-full. Microsoft validates a market when they move into it with the sort of gusto that is behind ADFS 2.0, a Security Token Service
, even though smaller companies such as Ping have been providing federation technology since 2002. That validation should help IT, HR and others more easily push their federation projects. And more than a few companies should join those, such as Reardon
, already enjoying identity federation and Cloud SSO.
ADFS 2.0 is “free” for Active Directory users, which is a word that resonates with CIOs. And Microsoft has been running ADFS 2.0
on its internal network since May 2009, giving it nearly a year to vet bugs and other issues.
But potential users should look deeper.
Half-empty. ADFS 2.0 was slated to ship a year ago, what were the issues that caused it to slip and have they been corrected?
Microsoft’s support for the full SAML spec is first generation. Late last year was the first time Microsoft participated in and passed an independent SAML 2.0 interoperability test, an eight-day affair put on by Liberty Alliance and Kantara. Ping, which had participated previously, also passed and was part of the testing group with Microsoft.
Microsoft's testing during the event focused on SAML's Service Provider Lite, Identity Provider Lite and eGovernment profiles. The ‘”lite” versions of those are a significant sub-set of the full profiles. Microsoft says it plans to support other SAML profiles based on demand. After the testing, Burton Group analysts said Microsoft had “covered the core bases” for SAML 2.0 support. For some deploying SAML that will be enough, for others it could fall short.
And Microsoft’s SAML implementation will have to interop with third-party service providers, many of which roll their own SAML implementations and won’t have ADFS 2.0 running on their side. There is no shortage of details to address with such one-off integrations.
In addition, ADFS 2.0 is part of a larger identity platform that includes the Windows Identity Foundation (WIF) and Windows Cardspace.
But with this release, Cardspace 2.0 will not roll out with ADFS 2.0, and Microsoft says a Cardspace release “isn’t imminent.” While Cardspace is not widely adopted, it remains an integral part of the user-centric identity package Microsoft has been pushing. When Microsoft rolled out Geneva internally, one of its IT architects told a session at the company’s TechEd conference "Geneva is a lot more than ADFS 2.0.” The client story here is fractured.
The other piece, WIF, is an extension to the .Net Framework 3.5 that helps developers build applications that incorporate a claims-based identity model. While Microsoft has an army of devoted developers, a critical mass of claims-aware applications does not yet exist.
So the bottom line is that ADFS 2.0, despite RTW, and its companion components are still a work in progress. And while the technology will bring awareness to an already active federation market, ADFS 2.0/Geneva still has a ways to go if it wants to be a defining technology.