Identity Management Strategy Updated
Sep. 8, 2003
Identity management, the process of maintaining volatile data about people (names, titles, addresses, and so on) across multiple directories and applications, remains a challenge in large organizations. To help customers address it, Microsoft has released Microsoft Identity Integration Server (MIIS) 2003 (formerly Microsoft Metadirectory Services) and Active Directory Application Mode (ADAM), and it will support the latest version of the Directory Services Markup Language (DSML), an XML-based specification for describing directory information. These tools go a long way toward integrating an organization's identity information, but full support for sharing identity information between businesses is still in the future.

Identity Management

Identity data is composed of attributes about a person, such as name, e-mail addresses, physical addresses, phone numbers, titles, user accounts, and passwords. Identity management addresses the problem of maintaining this data across the many independently maintained systems that need it. Such systems include operating systems and their directories, such as Windows with Active Directory (AD), which use identity data to decide who may access files, applications, and other resources; key applications for tracking people, such as human resources and customer relationship management systems; communications directories, such as the corporate phone directory and the e-mail directories of applications like Exchange; and corporate intranets and extranets, which use identity data for access control and personalization. Each of these systems typically has its own database or store for the identity data it uses. The key issues in identity management are provisioning, synchronizing, providing a single view of identity data, and password management.

Provisioning. Provisioning involves creating and deleting identity data: adding it when an employee is hired, for example, and removing it when the employee is terminated or resigns.

Synchronizing. Synchronizing involves managing changes to identity data, which is volatile because people's circumstances constantly change: they move, marry, divorce, join a new organization, take a new role in their existing organization, or resign. Each of these events can change the stored identity data, and each time the information changes in one store it is out of date in all the others. Any change to identity data therefore needs to be synchronized across all the stores.

Single identity information view. With multiple identity data stores, it is unlikely that each store holds the same attributes about a user, or holds them in the same format; for example, one store may keep last name and first name as separate values while another combines them into a single name value. It is therefore hard to build a single, consistent view that combines the identity attributes of one person from all the stores.

Password management. If a user wants the same credentials on every system he is authorized to access, account names and passwords become another set of identity attributes that must be synchronized across multiple stores. Synchronizing one password into every store also means that password is protected only as well as the weakest store that holds it. In addition, with more organizations requiring strong passwords, enforcing password expiration, and requiring a new, unique password at expiration, resetting forgotten passwords is becoming a time-consuming and expensive administrative activity.

Active Directory and Identity Management

Microsoft originally hoped that AD would become the single identity store for an organization. AD provides a structured data schema as the basis for a logical, hierarchical organization of data about people, computers, and other objects on a Windows server-based network.
Microsoft applications, such as SQL Server and Exchange, and third-party applications can use identity data in AD to authenticate users and control access to resources such as mailboxes and database tables, so AD can serve as a shared identity store for multiple applications. Microsoft has realized, however, that as good as AD may be, organizations will almost always have multiple stores of identity data, and no single store can meet all of an organization's identity management needs. With this in mind, Microsoft has released Microsoft Identity Integration Server, improved the identity management features of AD, and is providing ADAM to help manage identity data.

Microsoft Identity Integration Server 2003

Microsoft's main identity management tool, Microsoft Metadirectory Services (MMS), originally came from its 1999 acquisition of Zoomit Corporation. The third version, released in Aug. 2003 and renamed Microsoft Identity Integration Server (MIIS) 2003, contains new features that help organizations manage multiple identity data stores: administrators can provision identity data, synchronize it, obtain a single view of it, and handle user password management through a Web-based interface.

What's New in MIIS 2003?

The main change in MIIS 2003 is the use of Microsoft SQL Server as the primary storage engine for identity data. (For an overview of MIIS 2003, see the illustration "MIIS Architecture".) Other improvements include support for custom extensions, data lineage, password management, and better identity data analysis.

Custom extensions. Developers can use languages that support the .NET Framework, such as Visual Basic .NET or C#, to extend the functionality of management agents (the connectors to the individual data stores) or of the Metaverse, the set of database tables within MIIS that integrates the identity data from the different stores into a single, readable view of each person.
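The join-and-flow work that the Metaverse and its custom extensions perform (the synchronization and single-view problems described above) can be seen in a small model. The following Python is an added example written for this article, not MIIS code or Microsoft's. It uses constructed records from a hypothetical HR system, AD, and a phone directory, and an assumed employee-number format with a check digit (NNNN-C, where C is the sum of the four digits mod 10) standing in for the kind of attribute validation a custom extension would do. It joins the three stores on employee number, lets HR win for name and title, normalizes AD's combined "Last, First" name, records lineage for every attribute, rejects records whose employee number fails the check, and derives the provisioning actions (create, disable, flag orphan) that the single view implies.

```python
from datetime import datetime, timezone

# Constructed sample data standing in for three connected identity stores.
# The "NNNN-C" employee number format and its check digit rule (C = sum of
# the four digits mod 10) are assumptions made for this example only.
HR_STORE = [  # authoritative for existence, legal name and title
    {"employeeNumber": "1001-2", "givenName": "Michael", "sn": "Cherry",
     "title": "Analyst", "status": "active"},
    {"employeeNumber": "1002-3", "givenName": "Ana", "sn": "Lopez",
     "title": "Director", "status": "terminated"},
    {"employeeNumber": "1003-4", "givenName": "Pat", "sn": "Smith",
     "title": "Engineer", "status": "active"},
]
AD_STORE = [  # keeps a combined "Last, First" display name and the logon name
    {"employeeID": "1001-2", "displayName": "Cherry, Michael", "sAMAccountName": "mcherry"},
    {"employeeID": "1002-3", "displayName": "Lopez, Ana", "sAMAccountName": "alopez"},
    {"employeeID": "1004-9", "displayName": "Typo, Bad", "sAMAccountName": "btypo"},
    {"employeeID": "1005-6", "displayName": "Nobody, Joe", "sAMAccountName": "jnobody"},
]
PHONE_STORE = [  # the phone directory knows only the number and the employee number
    {"empno": "1001-2", "telephoneNumber": "+1 425 555 0100"},
]


def valid_employee_number(value):
    """Attribute validation of the kind a custom extension would do before
    letting a value flow into the metaverse (hypothetical check digit rule)."""
    body, sep, check = value.partition("-")
    if not (sep and body.isdigit() and len(body) == 4 and check.isdigit()):
        return False
    return int(check) == sum(int(d) for d in body) % 10


def split_display_name(display_name):
    """Normalise a combined 'Last, First' value into (givenName, sn)."""
    sn, _, given = display_name.partition(",")
    return given.strip(), sn.strip()


def build_metaverse(hr=HR_STORE, ad=AD_STORE, phone=PHONE_STORE, now=None):
    """Join the stores on employee number into one record per person.
    Returns ({key: {"attrs": {...}, "lineage": {attr: {source, at}}}}, errors)."""
    now = now or datetime.now(timezone.utc).isoformat()
    mv, errors = {}, []

    def flow(key, attr, value, source):
        entry = mv.setdefault(key, {"attrs": {}, "lineage": {}})
        entry["attrs"][attr] = value
        entry["lineage"][attr] = {"source": source, "at": now}  # data lineage

    # HR has precedence for name, title and employment status.
    for rec in hr:
        key = rec["employeeNumber"]
        if not valid_employee_number(key):
            errors.append((key, "HR", "bad employee number check digit"))
            continue
        for attr in ("givenName", "sn", "title", "status"):
            flow(key, attr, rec[attr], "HR")
    # AD contributes the account name; its name parts are used only when HR had none.
    for rec in ad:
        key = rec["employeeID"]
        if not valid_employee_number(key):
            errors.append((key, "AD", "bad employee number check digit"))
            continue
        flow(key, "sAMAccountName", rec["sAMAccountName"], "AD")
        given, sn = split_display_name(rec["displayName"])
        if "givenName" not in mv[key]["attrs"]:
            flow(key, "givenName", given, "AD")
        if "sn" not in mv[key]["attrs"]:
            flow(key, "sn", sn, "AD")
    for rec in phone:
        if valid_employee_number(rec["empno"]):
            flow(rec["empno"], "telephoneNumber", rec["telephoneNumber"], "PHONE")
    # One derived attribute for the single view: cn = "First Last".
    for key, entry in mv.items():
        a = entry["attrs"]
        if "givenName" in a and "sn" in a:
            flow(key, "cn", f"{a['givenName']} {a['sn']}", "metaverse")
    return mv, errors


def provisioning_actions(mv):
    """What to export back to AD: create for new hires, disable for leavers,
    and flag (never silently delete) accounts that no HR record vouches for."""
    actions = []
    for key, entry in sorted(mv.items()):
        a = entry["attrs"]
        status, account = a.get("status"), a.get("sAMAccountName")
        if status == "active" and account is None:
            actions.append(("create-ad-account", key))
        elif status == "terminated" and account is not None:
            actions.append(("disable-ad-account", key))
        elif status is None and account is not None:
            actions.append(("orphan-ad-account", key))
    return actions


if __name__ == "__main__":
    metaverse, problems = build_metaverse()
    for key, entry in sorted(metaverse.items()):
        print(key, entry["attrs"])
    print("rejected:", problems)
    print("exports:", provisioning_actions(metaverse))
```

Two design choices matter more than the toy data. A record that fails validation is rejected before it can flow, so a bad value in one connected store cannot overwrite good data in the others, and an AD account with no HR record is flagged for review rather than deleted, because an automated deprovisioning rule that acts on missing data is how a broken HR feed turns into a mass lockout.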
For example, a custom extension could take a particular action when an exception or other problem occurs, or validate the value of an identity attribute, for instance by checking that a value such as an employee number carries a correct checksum or hash value.

Data lineage. MIIS now logs all changes, so administrators can trace where each piece of identity data came from and what changes have been made to it over time.

Password management. MIIS lets help desk operators or administrators set user passwords from an included Web application. The application allows efficient resetting of forgotten or expired passwords and synchronizes the password change to all affected identity stores, including AD, ADAM, Sun One Directory 5.1, Netscape Directory 6.1, Windows NT 4.0, and Lotus Notes 4.6 and 5.0.

Identity data analysis. MIIS provides new tools for exploring relationships between identity data from multiple sources, which makes it easier to process the data to answer ad hoc questions such as "How many vice presidents are in the organization?"

Active Directory Identity Management Improvements

Microsoft made several improvements to AD in Windows Server 2003 to make it easier for an organization to deploy AD and to cope with organizational changes, such as the acquisition of a company, that could affect the existing AD schema and hierarchy. The most significant changes from an identity management perspective are support for the InetOrgPerson object class and for the Directory Services Markup Language (DSML).

InetOrgPerson. In Windows Server 2003, AD improves its support for identity data standards. In particular, it provides a more complete implementation of the InetOrgPerson object class (support for InetOrgPerson was previously available only through an add-on kit).
InetOrgPerson (specified in Internet Request for Comments 2798, where the class is named inetOrgPerson) defines standard attributes and data types for user identity and account data, such as a common name (cn) attribute for the person's name (Michael Cherry) and an attribute for the user's primary telephone number (telephoneNumber). The class is used by many other directories that support the Lightweight Directory Access Protocol (LDAP), such as Sun Microsystems' Sun One Directory (formerly Sun iPlanet). By supporting InetOrgPerson more completely, AD lets applications written for these other directories work with AD and eases the migration of data from other directories that support the standard.

Directory Services Markup Language (DSML). Microsoft is also supporting Directory Services Markup Language version 2.0 (DSMLv2). DSML version 1.0 only represented directory content (entries and schema) as XML documents. DSMLv2 adds support for representing directory operations, queries and updates, as XML documents, which can be sent over an Internet-friendly protocol such as Simple Object Access Protocol (SOAP) over HTTP, or written to a file much as the Lightweight Directory Interchange Format (LDIF) is used today. Support for DSMLv2 could lead to better interoperability between AD and other directory services that also support the standard, such as Sun One Directory Server version 5.2. It could also support scenarios such as a cell phone or personal digital assistant (PDA) that needs identity data from a directory but has no LDAP client, and make it easier to reach identity data in a directory through a firewall, since HTTP is commonly allowed through firewalls that block LDAP.

Active Directory Application Mode

Microsoft has also introduced a new identity management tool: Active Directory Application Mode (ADAM).
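To make the two routes concrete, here is an added Python example, not Microsoft's or any vendor's code, that renders the same constructed inetOrgPerson entry both as an LDIF add record and as a DSMLv2 addRequest, builds a DSMLv2 searchRequest against it, and parses a constructed DSMLv2 searchResponse. The entry, its DN, and the response are made up for the example; the element and attribute names follow the DSMLv2 core namespace (urn:oasis:names:tc:DSML:2:0:core) and RFC 2849 (LDIF). Two details are worth noticing: LDIF must base64-encode any value that is not "safe" (non-ASCII, or starting with a space, colon, or '<'), and in DSML the search value is XML character data inside a value element rather than text spliced into an LDAP filter string, so a value containing '*' or ')' cannot change the shape of the filter.

```python
import base64
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("", DSML_NS)  # serialise DSML elements without a prefix

# Constructed inetOrgPerson entry using RFC 2798 / RFC 2256 attribute names.
PERSON = {
    "dn": "cn=Michael Cherry,ou=People,dc=example,dc=com",
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "cn": ["Michael Cherry"],
    "sn": ["Cherry"],
    "givenName": ["Michael"],
    "telephoneNumber": ["+1 425 555 0100"],
    "description": [" leading space: not an LDIF SAFE-STRING"],
}


def ldif_safe(value):
    """RFC 2849: a value may be written in the clear only if it is ASCII, has no
    NUL/CR/LF, and does not start with space, colon or '<'; otherwise base64."""
    if not value.isascii() or value[:1] in (" ", ":", "<"):
        return False
    return not any(c in value for c in "\0\r\n")


def to_ldif(entry):
    """Render an entry as an LDIF add record (the file-based route)."""
    lines = [f"dn: {entry['dn']}", "changetype: add"]
    for attr, values in entry.items():
        if attr == "dn":
            continue
        for v in values:
            if ldif_safe(v):
                lines.append(f"{attr}: {v}")
            else:  # '::' marks a base64-encoded value
                lines.append(f"{attr}:: {base64.b64encode(v.encode('utf-8')).decode('ascii')}")
    return "\n".join(lines) + "\n"


def _el(parent, tag, **attrib):
    return ET.SubElement(parent, f"{{{DSML_NS}}}{tag}", attrib)


def dsml_add_request(entry):
    """The same add operation as a DSMLv2 batchRequest (the SOAP/HTTP route)."""
    batch = ET.Element(f"{{{DSML_NS}}}batchRequest")
    add = _el(batch, "addRequest", dn=entry["dn"])
    for attr, values in entry.items():
        if attr == "dn":
            continue
        a = _el(add, "attr", name=attr)
        for v in values:
            _el(a, "value").text = v
    return ET.tostring(batch, encoding="unicode")


def dsml_search_request(base_dn, attr, value, wanted):
    """DSMLv2 form of the LDAP search (attr=value) under base_dn.  The value is
    character data inside <value>, not text spliced into a filter string."""
    batch = ET.Element(f"{{{DSML_NS}}}batchRequest")
    req = _el(batch, "searchRequest", dn=base_dn, scope="wholeSubtree",
              derefAliases="neverDerefAliases")
    eq = _el(_el(req, "filter"), "equalityMatch", name=attr)
    _el(eq, "value").text = value
    attrs = _el(req, "attributes")
    for name in wanted:
        _el(attrs, "attribute", name=name)
    return ET.tostring(batch, encoding="unicode")


def parse_search_response(xml_text):
    """Pull (resultCode, entries) out of a DSMLv2 batchResponse."""
    ns = {"d": DSML_NS}
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.iterfind(".//d:searchResultEntry", ns):
        rec = {"dn": e.get("dn")}
        for a in e.iterfind("d:attr", ns):
            rec[a.get("name")] = [v.text or "" for v in a.iterfind("d:value", ns)]
        entries.append(rec)
    done = root.find(".//d:searchResultDone/d:resultCode", ns)
    return (int(done.get("code")) if done is not None else None), entries


# Constructed response such as a DSMLv2 gateway might return for the search above.
SAMPLE_RESPONSE = f"""<batchResponse xmlns="{DSML_NS}">
  <searchResponse>
    <searchResultEntry dn="cn=Michael Cherry,ou=People,dc=example,dc=com">
      <attr name="cn"><value>Michael Cherry</value></attr>
      <attr name="telephoneNumber"><value>+1 425 555 0100</value></attr>
    </searchResultEntry>
    <searchResultDone><resultCode code="0" descr="success"/></searchResultDone>
  </searchResponse>
</batchResponse>"""


if __name__ == "__main__":
    print(to_ldif(PERSON))
    print(dsml_add_request(PERSON))
    print(parse_search_response(SAMPLE_RESPONSE))
```

The search builder is the point of contact with the firewall scenario in the text: the whole request is one XML document that a SOAP/HTTP front end can carry, and a client that only has an XML library (no LDAP stack) can produce and consume it.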
ADAM is a mode of AD that runs as a separate Windows Server 2003 service rather than as a domain controller, and it lets an application use AD's directory service to store identity data that is relevant only to that application, without putting that data in the domain's AD database. ADAM is a useful store for application identity data because it does not have to run on a domain controller, and because multiple instances serving different purposes, or requiring different schemas and replication schedules, can run concurrently on the same server. Developers can modify the base AD schema on an ADAM instance without changing the schema for the entire organization (and possibly conflicting with schema changes made elsewhere in the organization). ADAM can also run on a developer's computer without the infrastructure of a domain controller, which eases development. All of these capabilities make ADAM a useful tool for storing identity data for a particular application. Because AD is the store for the security identities used by Windows-based networks and security-integrated applications such as Exchange, an application will most likely use AD for authentication and authorization and ADAM for application-specific identity data. For example, a Web application might use ADAM to store the personalization information that customizes its look and feel for particular users, without having to store that information in AD. (For an illustration, see "AD, ADAM, and MIIS Interaction".) Microsoft recommends that organizations use ADAM for identity data that meets any of the following criteria:
Future Directions: TrustBridge and Federation

In June 2002, Microsoft announced a new Windows technology, code-named TrustBridge, that it said would enable businesses to share user identity information between applications on different platforms and between independent organizations. TrustBridge is intended to make it easier for organizations to share internal resources with individuals and applications at partner organizations. For example, a software company might want to let its public relations firm read the technical specifications and marketing plans for an upcoming product. Ideally, users at the public relations firm could access that information at the software company with a single sign-on, without logging on first at the public relations firm and then again at the software company. The software company, however, would still have to authenticate (verify the identity of) the public relations firm's users to decide whether they can be trusted.

.NET Passport, Microsoft's single sign-on system for Web users, suggests one alternative to multiple accounts: organizations could store all their user accounts at a single trusted organization like Passport and let that organization authenticate all users. The problem is that the trusted organization then becomes a fat target for attackers and a single point of failure.

TrustBridge will enable another solution: federated identity. In a federated identity system, each organization authenticates its own users and maintains their accounts. When a user wants to access resources at a partner organization, the user's home organization forwards proof of the user's identity (authentication data) to the partner, and the partner grants access based on how far it trusts the user's home organization. For that to be safe, the partner must be able to check that the proof really came from the home organization, was meant for this partner, and is not being replayed.
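The federated exchange, as an added example that is not part of the original article and is not TrustBridge code: the public relations firm (the home organization) issues a short-lived, signed assertion for one of its users, and the software company (the partner) verifies it and grants only what its trust relationship with that issuer allows. The example is Python. It assumes an HMAC key pre-shared between the two organizations in place of the public-key signature a federation protocol would carry, and the organization names, key, subject, and "grants" mapping are made up for the example. The verification order (trusted issuer first, then signature, audience, validity window, replay) is the part worth carrying over.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example.  The assertion is a JSON claim set signed with an HMAC
# key pre-shared between the home organisation (the public relations firm)
# and the partner (the software company); this stands in for the signed
# security token a federation protocol would carry.  Key, names and the
# "grants" mapping are assumptions for this example only.
PR_FIRM_KEY = b"constructed-key-prfirm-to-softwareco"


def issue_assertion(issuer, subject, audience, key, ttl=300, now=None, attrs=None):
    """Home organisation side: vouch for `subject` towards `audience` for `ttl` seconds."""
    now = int(time.time() if now is None else now)
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now,
              "exp": now + ttl, "jti": secrets.token_hex(8), "attrs": attrs or {}}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode("ascii") + "." + sig


class Partner:
    """Partner side: accept assertions only from issuers it has a trust
    relationship with, and grant what that relationship allows."""

    def __init__(self, name, trusted_issuers):
        self.name = name
        self.trusted = trusted_issuers  # issuer -> {"key": bytes, "grants": set}
        self.seen = set()               # assertion ids already redeemed

    def verify(self, token, now=None):
        now = int(time.time() if now is None else now)
        try:
            b64, sig = token.rsplit(".", 1)
            body = base64.urlsafe_b64decode(b64)
            claims = json.loads(body)
            if not isinstance(claims, dict) or not claims.get("jti"):
                raise ValueError("bad claim set")
        except (ValueError, TypeError):
            return None, "malformed"
        issuer = self.trusted.get(claims.get("iss"))   # pick the key by claimed issuer...
        if issuer is None:
            return None, "untrusted issuer"
        expected = hmac.new(issuer["key"], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):      # ...then let the signature bind the claim
            return None, "bad signature"
        if claims.get("aud") != self.name:
            return None, "wrong audience"               # issued for a different partner
        if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
            return None, "expired"
        if claims["jti"] in self.seen:
            return None, "replayed"
        self.seen.add(claims["jti"])
        return {"subject": f"{claims['sub']}@{claims['iss']}",
                "grants": set(issuer["grants"])}, "ok"


def demo(now=1_060_000_000):
    """Walk through the exchange: a PR firm user reads specs at the software company."""
    software_co = Partner("software.example",
                          {"prfirm.example": {"key": PR_FIRM_KEY, "grants": {"read-specs"}}})
    token = issue_assertion("prfirm.example", "alice", "software.example", PR_FIRM_KEY, now=now)
    first = software_co.verify(token, now=now + 10)
    replay = software_co.verify(token, now=now + 20)
    tampered = software_co.verify(token[:-1] + ("0" if token[-1] != "0" else "1"), now=now + 10)
    return first, replay, tampered


if __name__ == "__main__":
    for label, outcome in zip(("first use", "replay", "tampered"), demo()):
        print(label, "->", outcome)
```

Note what the partner never does: it never sees the user's password, and it does not decide what the user may do from the assertion's own contents. The grants come from the partner's trust table, keyed by issuer, which is what "based on how far it trusts the home organization" means in practice.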
With the changes to AD in Windows Server 2003 and the release of MIIS 2003 and ADAM, much of the infrastructure TrustBridge needs is falling into place: a great deal of identity information can already be exchanged and synchronized. The missing piece is completion of the Web Services Architecture, which is currently under review by the standards bodies and includes the following specifications:
Availability and Resources

MIIS 2003 Enterprise Edition includes management agents for AD, ADAM, DSML, Exchange, LDAP, LDIF, Lotus Notes/Domino, Novell eDirectory, Oracle, Sun One Directory, Windows NT domains, and flat files (comma-, tab-, and column-separated values). MIIS 2003 Enterprise Edition costs US$24,999 per processor. A 180-day evaluation version is available, but there is no Standard Edition. For more information on Microsoft Identity Integration Server 2003, see www.microsoft.com/miis.

An Identity Integration Feature Pack offers the same base components as MIIS but supports only AD, ADAM, and Exchange directories. It is available at no cost to customers who have already licensed Windows Server 2003 Enterprise Edition and is useful mainly in AD cross-forest trust scenarios. A cross-forest trust lets organizations combine previously independent AD installations ("forests") after organizational changes such as mergers, while allowing the original organizations to retain administrative autonomy over their users and computers. The Identity Integration Feature Pack can be downloaded from www.microsoft.com/windowsserver2003/technologies/directory/miis/

ADAM can be downloaded from www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4. For more information on ADAM and AD, see www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx. For general information on identity management, see www.microsoft.com/idm. For background on changes to AD in Windows Server 2003, see "Active Directory Improvements Remove Many Migration Roadblocks" on page 3 of the Aug. 2002 Update. For more information on InetOrgPerson, see www.faqs.org/rfcs/rfc2798.html. For more information on TrustBridge, see "TrustBridge to Simplify Resource Sharing" on page 13 of the Aug. 2002 Update.
For more information on the GXA Web Services, see "GXA Defines Framework for Web Services" on page 11 of the Oct. 2002 Update.