Making Good on the Promise of IdMaaS

The second part of John Shewchuk's blog on Windows Azure Active Directory has been published here.  John goes into more detail about a number of things, focusing on the way it allows customers to hook their Cloud AD into the API Economy in a controlled and secure way.  

Rather than describe John's blog myself I'm going to parrot the blog post that analyst Craig Burton put up just a few hours ago.  I find it really encouraging to see his excitement:  it's the way I feel too, since I also think this is going to open up so many opportunities for innovation, make developing services simpler and make the services themselves more secure and respectful of privacy.  Here's Craig's post:

As a follow up to Microsoft’s announcement of IdMaaS, the company announced the — to be soon delivered — developer preview for Windows Azure Active Directory (WAzAD). As John Shewchuk puts it:

The developer preview, which will be available soon, builds on capabilities that Windows Azure Active Directory is already providing to customers. These include support for integration with consumer-oriented Internet identity providers such as Google and Facebook, and the ability to support Active Directory in deployments that span the cloud and enterprise through synchronization technology.

Together, the existing and new capabilities mean a developer can easily create applications that offer an experience that is connected with other directory-integrated applications. Users get SSO across third-party and Microsoft applications, and information such as organizational contacts, groups, and roles is shared across the applications. From an administrative perspective, Windows Azure Active Directory provides a foundation to manage the life cycle of identities and policy across applications.

In the Windows Azure Active Directory developer preview, we added a new way for applications to easily connect to the directory through the use of REST/HTTP interfaces.

An authorized application can operate on information in Windows Azure Active Directory through a URL such as:

https://directory.windows.net/contoso.com/Users(‘Ed@Contoso.com’)

Such a URL provides direct access to objects in the directory. For example, an HTTP GET to this URL will provide the following JSON response (abbreviated for readability):

{ “d”: {
“Manager”: { “uri”:”https://directory.windows.net/contoso.com/Users(‘User…’)/Manager” },
“MemberOf”: { “uri”:”https://directory.windows.net/contoso.com/Users(‘User…’)/MemberOf” },
“ObjectId”: “90ef7131-9d01-4177-b5c6-fa2eb873ef19″,
“ObjectReference”: “User_90ef7131-9d01-4177-b5c6-fa2eb873ef19″,
“ObjectType”: “User”,
“AccountEnabled”: true,
“DisplayName”: “Ed Blanton”,
“GivenName”: “Ed”,
“Surname”: “Blanton”,
“UserPrincipalName”: Ed@contoso.com,
“Mail”: Ed@contoso.com,
“JobTitle”: “Vice President”,
“Department”: “Operations”,
“TelephoneNumber”: “4258828080″,
“Mobile”: “2069417891″,
“StreetAddress”: “One Main Street”,
“PhysicalDeliveryOfficeName”: “Building 2″,
“City”: “Redmond”,
“State”: “WA”,
“Country”: “US”,
“PostalCode”: “98007″ }
}

Having a shared directory that enables this integration provides many benefits to developers, administrators, and users. If an application integrates with a shared directory just once—for one corporate customer, for example—in most respects no additional work needs to be done to have that integration apply to other organizations that use Windows Azure Active Directory. For an independent software vendor (ISV), this is a big change from the situation where each time a new customer acquires an application a custom integration needs to be done with the customer’s directory. With the addition of Facebook, Google, and the Microsoft account services, that one integration potentially brings a billion or more identities into the mix. The increase in the scope of applicability is profound. (Highlighting is mine – Craig).

Now that’s What I’m Talking About

There is still a lot to consider in what an IdMaaS system should actually do, but my position is that just the little bit of code reference shown here is a huge leap for usability and simplicity for all of us. I am very encouraged. This would be a major indicator that Microsoft is on the right leadership track to not only providing a specification for an industry design for IdMaaS, but also is on well on its way to delivering a product that will show us all how this is supposed to work.

Bravo!

The article goes on to make commitments on support for OAuth, Open ID Connect, and SAML/P. No mention of JSON Path support but I will get back to you about that. My guess is that if Microsoft is supporting JSON, JSON Path is also going to be supported. Otherwise it just wouldn’t make sense.

JSON and JSON Path

The API Economy is being fueled by the huge trend of accessibility of organization’s core competence through APIs. Almost all of the API development occurring in this trend are based of a RESTful API design with data being encoded in JSON (JavaScript Object Notation). While JSON is not a new specification by any means, it is only in the last 5 years that JSON has emerged as the preferred — in lieu of XML — data format. We see this trend only becoming stronger.

[Craig presents a table comparing XPath to XML - look at it here.]

Summary

As an industry, we are completely underwater in getting our arms around a workable — distributed and multi-centered identity management metasystem — that can even come close to addressing the issues that are already upon us. This includes the Consumerization of IT and its subsequent Identity explosion. Let alone the rise of the API Economy. No other vendor has come close to articulating a vision that can get us out of the predicament we are already in. There is no turning back.

Because of the lack leadership (the crew that killed off Information Cards) in the past at Microsoft about its future in Identity Management, I had completely written Microsoft off as being relevant. I would have never expected Microsoft to gain its footing, do an about face, and head in the right direction. Clearly the new leadership has a vision that is ambitious and in alignment with what is needed. Shifting with this much spot on thinking in the time frame we are talking about (a little over 18 months) is tantamount to turning an aircraft carrier 180 degrees in a swimming pool.

I am stunned, pleased and can’t wait to see what happens next.
 

I think it goes without saying that “turning an aircraft carrier 180 degrees in a swimming pool” is a fractal mixed metaphor of colossal and recursive proportions that boggles the mind – yet there is more than a little truth to it.  In fact that's really one of the things the cloud demands of us all.

Craig's question about JSON Path is a good one.  The answer is that JSON Path is essentially a way of navigating and extracting information from a JSON document.  WAzAD's Graph API returns JSON documents and if they are complex documents we expect programmers will use JSON Path – which they already know – to extract specific information.  It will be part of their local programming environment on whatever device or platform they are issuing a query from.

On the other hand, one can imagine supporting JSON Path queries in the RESTful interface itself.  Suppose you have a JSON document with many links to other JSON documents.  Do you then support “chaining” on the server so it follows the links for you and returns the distributed JSON Path result?  The problem with this approach is that a programming model we want to be ultra-simple and transparent for the programmer turns into something opaque that can have many side effects, become unpredictable and exhibit performance issues.  As far as I know, the social network APIs that are most sophisticated in their use of links don't support this.  They just get the programmer to chase the links that are of interest.

So for these reasons server support is something we have talked about but don't yet have a position on.  This is exactly the kind of thing we'd like to explore by collaborating with developers and getting their input.  I'd also like to hear what other people have experienced in this regard.

 

Leave a Reply