{"id":1218,"date":"2012-06-21T13:08:02","date_gmt":"2012-06-21T21:08:02","guid":{"rendered":"\/?p=1218"},"modified":"2012-06-21T13:44:30","modified_gmt":"2012-06-21T21:44:30","slug":"making-good-on-the-promise-of-idmaas","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1218","title":{"rendered":"Making Good on the Promise of IdMaaS"},"content":{"rendered":"<p>The second part of <a href=\"https:\/\/twitter.com\/#!\/search\/%40johnshew\">John Shewchuk&#39;s <\/a>blog on Windows Azure Active Directory has been published <a href=\"http:\/\/blogs.msdn.com\/b\/windowsazure\/archive\/2012\/06\/19\/reimagining-active-directory-for-the-social-enterprise-part-2.aspx\" class=\"broken_link\">here<\/a>.\u00a0 John goes into more detail about a number of things,\u00a0focusing on the\u00a0way it allows\u00a0customers to hook their\u00a0Cloud AD into the <a href=\"https:\/\/www.kuppingercole.com\/report\/cb_apieconomy16122011\" class=\"broken_link\">API Economy<\/a> in a controlled and secure way.\u00a0\u00a0<\/p>\n<p>Rather than describe\u00a0John&#39;s blog\u00a0myself I&#39;m going to\u00a0parrot <a href=\"http:\/\/blogs.kuppingercole.com\/burton\/2012\/06\/21\/making-good-on-the-promise-of-idmaas\/\" class=\"broken_link\">the blog post<\/a> that\u00a0<a href=\"http:\/\/blogs.kuppingercole.com\/burton\" class=\"broken_link\">analyst Craig Burton <\/a>put up just a few hours ago.\u00a0 I find it really encouraging to see\u00a0his excitement:\u00a0 it&#39;s the way I feel too, since I also think this is going to open up so many opportunities for innovation,\u00a0make\u00a0developing services simpler\u00a0and make\u00a0the services themselves more secure and respectful of privacy.\u00a0 Here&#39;s <a href=\"http:\/\/blogs.kuppingercole.com\/burton\/2012\/06\/21\/making-good-on-the-promise-of-idmaas\/\" class=\"broken_link\">Craig&#39;s post<\/a>:<\/p>\n<blockquote><p>As a follow up to Microsoft\u2019s announcement of IdMaaS, the company announced the 
\u2014 to be soon delivered \u2014 <a href=\"http:\/\/blogs.msdn.com\/b\/windowsazure\/archive\/2012\/06\/19\/reimagining-active-directory-for-the-social-enterprise-part-2.aspx\" class=\"broken_link\">developer preview for Windows Azure Active Directory (WAzAD). <\/a>As John Shewchuk puts it:<\/p>\n<blockquote><p>The developer preview, which will be available soon, builds on capabilities that Windows Azure Active Directory is already providing to customers. These include support for integration with consumer-oriented Internet identity providers such as Google and Facebook, and the ability to support Active Directory in deployments that span the cloud and enterprise through synchronization technology.<\/p>\n<p>Together, the existing and new capabilities mean a developer can easily create applications that offer an experience that is connected with other directory-integrated applications. Users get SSO across third-party and Microsoft applications, and information such as organizational contacts, groups, and roles is shared across the applications. From an administrative perspective, Windows Azure Active Directory provides a foundation to manage the life cycle of identities and policy across applications.<\/p>\n<p>In the Windows Azure Active Directory developer preview, we added a new way for applications to easily connect to the directory through the use of REST\/HTTP interfaces.<\/p>\n<p>An authorized application can operate on information in Windows Azure Active Directory through a URL such as:<\/p>\n<p style=\"padding-left: 30px;\">https:\/\/directory.windows.net\/contoso.com\/Users(<a href=\"mailto:\u2018Ed@Contoso.com\u2019\">\u2018Ed@Contoso.com\u2019<\/a>)<\/p>\n<p>Such a URL provides direct access to objects in the directory. 
For example, an HTTP GET to this URL will provide the following JSON response (abbreviated for readability):<\/p>\n<p>{ \u201cd\u201d: {<br \/>\n&#8220;Manager&#8221;: { &#8220;uri&#8221;:&#8221;https:\/\/directory.windows.net\/contoso.com\/Users(&#8216;User&#8230;&#8217;)\/Manager&#8221; },<br \/>\n&#8220;MemberOf&#8221;: { &#8220;uri&#8221;:&#8221;https:\/\/directory.windows.net\/contoso.com\/Users(&#8216;User&#8230;&#8217;)\/MemberOf&#8221; },<br \/>\n&#8220;ObjectId&#8221;: &#8220;90ef7131-9d01-4177-b5c6-fa2eb873ef19&#8221;,<br \/>\n&#8220;ObjectReference&#8221;: &#8220;User_90ef7131-9d01-4177-b5c6-fa2eb873ef19&#8221;,<br \/>\n&#8220;ObjectType&#8221;: &#8220;User&#8221;,<br \/>\n&#8220;AccountEnabled&#8221;: true,<br \/>\n&#8220;DisplayName&#8221;: &#8220;Ed Blanton&#8221;,<br \/>\n&#8220;GivenName&#8221;: &#8220;Ed&#8221;,<br \/>\n&#8220;Surname&#8221;: &#8220;Blanton&#8221;,<br \/>\n&#8220;UserPrincipalName&#8221;: &#8220;Ed@contoso.com&#8221;,<br \/>\n&#8220;Mail&#8221;: &#8220;Ed@contoso.com&#8221;,<br \/>\n&#8220;JobTitle&#8221;: &#8220;Vice President&#8221;,<br \/>\n&#8220;Department&#8221;: &#8220;Operations&#8221;,<br \/>\n&#8220;TelephoneNumber&#8221;: &#8220;4258828080&#8221;,<br \/>\n&#8220;Mobile&#8221;: &#8220;2069417891&#8221;,<br \/>\n&#8220;StreetAddress&#8221;: &#8220;One Main Street&#8221;,<br \/>\n&#8220;PhysicalDeliveryOfficeName&#8221;: &#8220;Building 2&#8221;,<br \/>\n&#8220;City&#8221;: &#8220;Redmond&#8221;,<br \/>\n&#8220;State&#8221;: &#8220;WA&#8221;,<br \/>\n&#8220;Country&#8221;: &#8220;US&#8221;,<br \/>\n&#8220;PostalCode&#8221;: &#8220;98007&#8221; }<br \/>\n}<\/p>\n<p>Having a shared directory that enables this integration provides many benefits to developers, administrators, and users. If an application integrates with a shared directory just once\u2014for one corporate customer, for example\u2014in most respects no additional work needs to be done to have that integration apply to other organizations that use Windows Azure Active Directory. 
For an independent software vendor (ISV), this is a big change from the situation where each time a new customer acquires an application a custom integration needs to be done with the customer\u2019s directory. With the addition of Facebook, Google, and the Microsoft account services, that one integration potentially brings a billion or more identities into the mix. <span style=\"background-color: #ffff00;\">The increase in the scope of applicability is profound<\/span>. (Highlighting is mine &#8211; Craig).<\/p><\/blockquote>\n<p><strong>Now that\u2019s What I\u2019m Talking About<\/strong><\/p>\n<p>There is still a lot to consider in what an IdMaaS system should actually do, but my position is that just the little bit of code reference shown here is a huge leap for usability and simplicity for all of us. I am very encouraged. This would be a major indicator that Microsoft is on the right leadership track to not only providing a specification for an industry design for IdMaaS, but also is well on its way to delivering a product that will show us all how this is supposed to work.<\/p>\n<p>Bravo!<\/p>\n<p>The article goes on to make commitments on support for OAuth, OpenID Connect, and SAML\/P. No mention of JSON Path support but I will get back to you about that. My guess is that if Microsoft is supporting JSON, JSON Path is also going to be supported. Otherwise it just wouldn\u2019t make sense.<\/p>\n<p><strong>JSON and JSON Path<\/strong><\/p>\n<p><a href=\"https:\/\/www.kuppingercole.com\/report\/cb_apieconomy16122011\" class=\"broken_link\">The API Economy<\/a> is being fueled by the huge trend of accessibility of organizations\u2019 core competence through APIs. Almost all of the API development occurring in this trend is based on a RESTful API design with data being encoded in JSON (JavaScript Object Notation). 
While JSON is not a new specification by any means, it is only in the last 5 years that JSON has emerged as the preferred \u2014 in lieu of XML \u2014 data format. We see this trend only becoming stronger.<\/p>\n<p>[Craig presents a table comparing XPath to XML &#8211; look at it <a href=\"http:\/\/blogs.kuppingercole.com\/burton\/2012\/06\/21\/making-good-on-the-promise-of-idmaas\/\" class=\"broken_link\">here<\/a>.]<\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>As an industry, we are completely underwater in getting our arms around a workable \u2014 distributed and multi-centered identity management metasystem \u2014 that can even come close to addressing the issues that are already upon us. This includes the Consumerization of IT and its subsequent Identity explosion. Let alone the rise of the API Economy. No other vendor has come close to articulating a vision that can get us out of the predicament we are already in. There is no turning back.<\/p>\n<p>Because of the lack of leadership (the crew that killed off Information Cards) in the past at Microsoft about its future in Identity Management, I had completely written Microsoft off as being relevant. I would have never expected Microsoft to gain its footing, do an about face, and head in the right direction. Clearly the new leadership has a vision that is ambitious and in alignment with what is needed. 
Shifting with this much spot on thinking in the time frame we are talking about (a little over 18 months) is tantamount to turning an aircraft carrier 180 degrees in a swimming pool.<\/p>\n<p>I am stunned, pleased and can\u2019t wait to see what happens next.<br \/>\n\u00a0<\/p><\/blockquote>\n<p>I think it goes without saying that &#8220;turning an aircraft carrier 180 degrees in a swimming pool&#8221; is a fractal mixed metaphor of colossal and recursive proportions that boggles the mind &#8211; yet there is more than a little truth to it.\u00a0 In fact that&#39;s really one of the things the cloud demands of us all.<\/p>\n<p>Craig&#39;s question about JSON Path is a good one.\u00a0 The answer is that JSON Path is essentially a way of navigating and extracting information from a JSON document.\u00a0 WAzAD&#39;s Graph API returns JSON documents and if they are complex documents we expect programmers will use JSON Path &#8211; which they already know &#8211; to extract specific information.\u00a0 It will be part of their local programming environment on whatever device or platform they are issuing a query from.<\/p>\n<p>On the other hand, one can imagine supporting JSON Path queries in the RESTful interface itself.\u00a0 Suppose you have a JSON document with many links to other JSON documents.\u00a0 Do you then support &#8220;chaining&#8221; on the server so it follows the links for you and returns the distributed JSON Path result?\u00a0 The problem with this approach is that\u00a0a programming model we want to be ultra-simple and transparent for the programmer turns into something opaque that can have many side effects, become unpredictable\u00a0and exhibit\u00a0performance issues.\u00a0 As far as I know, the social network APIs that are most sophisticated in their use of links don&#39;t support this.\u00a0 They just get the programmer to chase the links that are of interest.<\/p>\n<p>So for these reasons\u00a0server support\u00a0is something we have\u00a0talked 
about\u00a0but don&#39;t yet have a position on.\u00a0 This is exactly the kind of thing we&#39;d like to explore by collaborating with developers and getting their input.\u00a0 I&#39;d also like to hear what other people have experienced in this regard.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Craig is stunned, pleased and can\u2019t wait to see what happens next<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1218"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1218"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1218\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}