Mary Jo Foley knows her stuff, knows identity and knows Microsoft. She just published a piece called “With Azure Active Directory, Microsoft wants to be the meta ID hub”. That she picked up on John Shewchuk's piece despite all the glamorous announcements made in the same timeframe shows how well she understands the cloud. On the other hand, I hope she won't mind if I push back on part of her thesis. But before I do that, let's hear it:
Summary: A soon-to-be-delivered preview of a Windows Azure Active Directory update will include integration with Google and Facebook identity providers.
Microsoft isn’t just reimagining Windows and reimagining tablets. It’s also reimagining Active Directory in the form of the recently (officially) unveiled Windows Azure Active Directory (WAAD).
In a June 19 blog post that largely got lost among the Microsoft Surface shuffle last week, Microsoft Technical Fellow John Shewchuk delivered the promised Part 2 of Microsoft’s overall vision for WAAD.
WAAD is the cloud complement to Microsoft’s Active Directory directory service. Here’s more about Microsoft’s thinking about WAAD, based on the first of Shewchuk’s posts. It already is being used by Office 365, Windows InTune and Windows Azure. Microsoft’s goal is to convince non-Microsoft businesses and product teams to use WAAD, too.
This is how the identity-management world looks today, in the WAAD team’s view:
And this is the ideal and brave new world they want to see, going forward.
WAAD is the center of the universe in this scenario (something with which some of Microsoft’s competitors unsurprisingly have a problem). [Read more of the article here]
The diagrams Mary Jo uses are from John's post. And the second clearly shows the “Active Directory Service” triangle in the center of the picture so one can understand why Mary Jo (and others) could think we are talking about Active Directory being at the center of the universe.
Yet in describing what we are building, John writes,
“Having a shared directory that enables this integration provides many benefits to developers, administrators, and users.”
“Shared” is not the same as “Central”. For the Windows Azure AD team the “shared directory” is not “THE hub” or “THE center”. There is no one center any more in our multi-centered world. We are not building a monolithic, world-wide directory. We are instead consciously operating a directory service that contains hundreds of thousands of directories that are actually owned by individual enterprises, startups and government organizations. These directories are each under the control of their data owner, and are completely independent until their data owner decides to share something with someone else.
The difference may sound subtle, but I don't think it is. When I think of a hub I think of a standalone entity mediating between a set of claims providers and a set of relying parties.
But with Azure Active Directory the goal is quite different: to offer a holistic “Identity Management as a Service” for organizations, whether startups, established enterprises or government organizations – in other words to “operate” on behalf of these organizations.
One of the things such a service can do is to take care of connecting an organization to all the consumer and corporate claims providers that may be of use to it. We've actually built that capability, and we'll operate it on a 24/7 basis as something that scales and is robust. But IdMaaS involves a LOT of other different capabilities as well. Some organizations will want to use it for authentication, for authorization, for registration, credential management and so on. The big IdMaaS picture is one of serving the organizations that employ it – quite different from being an independent hub and following a “hub” business model.
In this era of the cloud, there are many cloud operators. Martin Kuppinger has pointed out that “the cloud” is too often vendor-speak for “this vendor's cloud”. In reality there are many “clouds”, each of which will host premium-grade services that services built in other clouds will want to consume. So we will all need the ability to reach across clouds with complete agility, security and privacy, and within a single governance framework. That's what Identity Management as a Service needs to facilitate, and the Active Directory Service triangle in the diagram above is precisely such a service. There will be others operated by competitors handling the identity needs of other organizations. Each of us will need to connect the enterprises we serve with those served by our competitors.
This said, I really accept the point that to express this in a diagram we could (and should) draw it very differently. So that's something John and I are going to work on over the next few days. Then we'll get back to you with a diagram that better expresses our intentions.
@petervan: “turning an aircraft carrier 180 degrees in a swimming pool” @Kim_Cameron @craigburton on Microsofts identity space http://t.co/4UJiZ11y
@jozian: RT @Kim_Cameron: @craigburton: fractal recursive mixed metaphor award for “turning an aircraft carrier 180 degrees in a swimming pool” – http://t.co/lkrGY6Gh
@kmallur: @kim_Cameron's “Conflicting Visions of Cloud Identity” #IDMaaS #cloud #IAM #in http://t.co/R0VJOAeg
@coremania: Digital Identity Management Daily is out! http://t.co/f7QH0ivS – Top stories today via @OracleIDM @Kim_Cameron @dsearls
Kim – I'd like to say that since you're the ‘father’ of modern day identity architectures, that you're obviously right. But you're not THE father – you're just one of the fathers, in a distributed universe.
🙂
BTW I apologize for not having an Identity Card account or OpenID. I just like the idea of signing up for accounts – as me – the lonely human.
[Kim Cameron: Marc – I like hobbies as much as the next guy so if signing up for accounts is yours I can admire all the passwords you've collected 🙂 Good to connect again. As far as the distributed universe goes we see eye to eye – and I expect the distributed universe sees us that way too… Meanwhile, if I had worried that I really were the “father” of modern day identity architectures, I would also have worried that I'd be responsible for all the permutations and combinations of potential implementations. Very happy to know that an infinitely large number of other dads are involved in this world of “colliding solipsisms”. So let's “get together and feel alright – I sense progress here.”]
@RonnyHan: RT @WindowsAzure: Reimagining Active Directory for the Social Enterprise (Part 1) by John Shewchuk #WindowsAzure @Kim_Cameron http://t.co/xMHKkCfp
@mekline: @Kim_Cameron blogs about the recent Windows Azure Active Directory diagrams that have been circulating http://t.co/S0IRA6Mt
@thomas_gundel: RT @Kim_Cameron: Disruptive forces: the economy and the cloud – next on #IdMaaS – http://t.co/TgxZOai2
@johnshew: With @Kim_Cameron: new #IdMaaS picture. Good feedback from @craigburton & @garth_fort. Other suggestions? http://t.co/W3J03RuN
@Kim_Cameron: RT @johnshew: With @Kim_Cameron: new #IdMaaS picture. Good feedback from @craigburton & @garth_fort. Other suggestions? http://t.co/W3J03RuN
@mekline: RT @Kim_Cameron: Comment on Mary Jo Foley's ZDNet WAAD piece – http://t.co/kaBbLdkV
@dak3: RT @johnshew: With @Kim_Cameron: new #IdMaaS picture. Good feedback from @craigburton & @garth_fort. Other suggestions? http://t.co/W3J03RuN
@woloski: great post shedding light on WAAD RT @Kim_Cameron Comment on Mary Jo Foley's ZDNet WAAD piece – http://t.co/eGR0tTim
@auth10: “shared” is not “central” @Kim_Cameron http://t.co/oSUgY3rr commenting abt #WAAD and @maryjofoley post http://t.co/zFUGfhyq
@mknz: RT @woloski: great post shedding light on WAAD RT @Kim_Cameron Comment on Mary Jo Foley's ZDNet WAAD piece – http://t.co/N16xF67k #azure
@BrentCodeMonkey: RT @mknz: RT @woloski: great post shedding light on WAAD RT @Kim_Cameron Comment on Mary Jo Foley's ZDNet WAAD piece – http://t.co/N16xF67k #azure
@maryjofoley: @auth10 @Kim_Cameron Thanks. Looking forward to seeing Diagram 2.0 on WAAD!
@woloski: RT @maryjofoley: @auth10 @Kim_Cameron Thanks. Looking forward to seeing Diagram 2.0 on WAAD!
@bitcrazed: RT @johnshew: With @Kim_Cameron: new #IdMaaS picture. Good feedback from @craigburton & @garth_fort. Other suggestions? http://t.co/W3J03RuN
@MartinSalias: @woloski going celebrity! RT @maryjofoley: @auth10 @Kim_Cameron Thanks. Looking forward to seeing Diagram 2.0 on WAAD!
@xvilapueyo: RT @johnshew: With @Kim_Cameron: new #IdMaaS picture. Good feedback from @craigburton & @garth_fort. Other suggestions? http://t.co/W3J03RuN
@djros: RT @johnshew: With @Kim_Cameron: new #IdMaaS picture. Good feedback from @craigburton & @garth_fort. Other suggestions? http://t.co/W3J03RuN
@enichols: @Kim_Cameron Would WAAD support LDAP?
[Kim Cameron: Not in the first version, though we are listening to feedback and at least one organization has already demonstrated the practicality of building one.]