The ‘M’-Based System.Identity Model for Accessing Directory Services

SVC28. Kim Cameron, Distinguished Engineer, Microsoft Corp.; Gert Drapers, Software Architect, Microsoft Corp.

Upload: seth

Post on 24-Feb-2016


Page 1: The ‘M’-Based System.Identity Model for Accessing Directory Services

SVC28

Kim Cameron, Distinguished Engineer, Microsoft Corp.
Gert Drapers, Software Architect, Microsoft Corp.

Page 2: Agenda

> Vision of a Federated Directory
> Evolving Active Directory
> Introducing “System.Identity” the model
> Introducing “System.Identity” the API

Page 3: Vision

> We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices
> Shared architecture, data model and semantics, protocols, publication paradigm
> Policy framework for configuration
> Simple APIs integrated with developer platforms

Page 4: Constraints

> Application developer experience should be the same whether an app will run in the cloud or on-premise
> Same for end user experience
> Directory must be insulated from its own success: widespread use must not make it impossible to evolve (the Active Directory example)
> The directory shouldn’t need to trust the applications that use it
> Need to support per-service “shadow” identity stores on-premise and in the cloud

Page 5: New demands on the directory

> Relationships and multiple identifiers
> Cross directory federation and virtual teams
> Multi tenant (e.g. mergers & acquisitions)
> Partitioning (data & workload)
> Extensible without disruption
> Support RSS, REST, WS-*, .NET, Win32, …
> Simplify common tasks
> Complex query, polyarchy
> Use ubiquitous tooling

Page 6: Evolving Active Directory

> Active Directory remains completely stable
> Directory federation service will “clamp on” to existing Active Directory, much like ADFS does today
> First steps are the next generation schema, API and protocol
> Leverages repository patterns hosted on top of SQL Server and Cloud DB
> New applications will use new capabilities
> Open conversation with customers and industry

Page 7: System.Identity Schema

(Schema diagram; only the node labels and the edge legend survive extraction.)

> Central entities: Party, Kind, Identity Keys, Party-To-Party Relationships, Authority
> Party kinds: People, Group, Organization, Device, Software Service
> Further labels on the diagram: Process Role, Employee, Customer, Vendor, Citizen
> Attached extents: Party Resources, Resources, Additional Properties, Party Locations, Locations, Tokens, Policies (1 To *, 1 From *), Policy Relationships
> Edge legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind

Page 8: System.Identity Schema

(Diagram build-up: Party, Kind, and the party kinds People, Group, Organization, Device, Software Service; same edge legend as Page 7.)

Page 9: Party and Extents

Parties Extent

ID  Kind    DisplayName
1   Person  Joe Long
2   Person  Kim Cameron
3   Person  Gert Drapers
4   Group   Directory V-Team
5   Device  JoeLong04

Personas Extent (a party may carry several personas; PartyID 8 has no row in the Parties Extent shown above)

PartyID  Surname  MiddleName  GivenName  Nickname   Gender  StartDate  EndDate
1        Long                 Joe                   Male    1991
2        Cameron              Kim                   Male    1999
2                                        PhotoGeek  Male    2006
3        Drapers              Gert       DataDude   Male    1991
8        Brown                Mary                  Female  2004

Page 10: System.Identity Schema

(Diagram build-up, same nodes as Page 8: Party, Kind, People, Group, Organization, Device, Software Service.)

Page 11: System.Identity Schema

(Diagram build-up: Page 8 nodes plus Identity Keys and Party-To-Party Relationships attached to Party.)

Page 12: Party and Extents

Parties Extent

ID  Kind    DisplayName
1   Person  Joe Long
2   Person  Kim Cameron
3   Person  Gert Drapers
4   Group   Directory V-Team
5   Device  JoeLong04

PartyToPartyRelationships Extent

ContextParty  ReferencedParty  Kind          StartDate  EndDate
1             2                Friend
1             3                Friend
3             1                Friend
4             1                Group Member
4             3                Group Member

(The slide also shows a StartDate of May 12 2009; the extraction does not preserve which row it belongs to.)

Page 13: Party and Extents

Parties Extent

ID  Kind    DisplayName
1   Person  Joe Long
2   Person  Kim Cameron
3   Person  Gert Drapers
4   Group   Directory V-Team
5   Device  JoeLong04

IdentityKeys Extent

PartyID  Kind    Value                                              StartDate  EndDate
2        Email   [email protected]                                  1999
2        NTName  REDMOND\kcameron                                   1999
2        NTSID   S-1-5-21-2127521184-1604012920-1887927527-5353432  1999
3        Email   [email protected]                                  1991
3        Phone   +1 425 321-9876                                    1996
3        NTName  NORTHERNEUROPE\gertd                               1991       1996
3        NTName  REDMOND\gertd                                      1996

Page 14: System.Identity Schema

(Diagram build-up, same nodes as Page 11: Party, Kind, Identity Keys, Party-To-Party Relationships, People, Group, Organization, Device, Software Service.)

Page 15: System.Identity Schema

(Diagram build-up: Page 11 nodes plus the role kinds Process Role and Employee.)

Page 16: System.Identity Schema

(Final diagram build-up; the complete node list and edge legend are given under Page 7.)

Page 17: System.Identity Model

> Entity
  > Entity equates to an object in LDAP systems like Active Directory
> Party
  > Party equates to a principal in AD. It is the most important and central entity in System.Identity.
  > Users, groups, services and devices are all parties.
> Kinds
  > Kinds describe the equivalent of object class, attribute type and attribute syntax in other systems. Kind-to-kind relationships describe things like inheritance.
> Relationships
  > Party-to-party relationships are a native concept in System.Identity. There are many possible types, e.g. Group-Member, Manager-Direct Report, Friend.

Page 18: System.Identity Model

> Identity keys
  > Identity keys are defined formally in System.Identity, whereas in other systems they were attributes of a principal. Identity keys have special characteristics: they are unique; it is always possible to efficiently locate any party by an identity key; one can easily translate between kinds of key. Identity keys have kinds, e.g. SamAccountName, UPN, SID and PUID are all kinds of identity keys. Applications can expect new kinds of identity keys and can handle them without necessarily having to interpret them.
> Extents
  > An Extent is the equivalent of a multi-valued property set. Parties have Extents on them instead of properties/attributes. This allows cleaner factoring of information (especially central vs. application directory) and also allows schematizing concepts which required blobs in other systems.
> Attributes
  > Attributes are single-valued properties, the equivalent of attributes in Active Directory; multi-valued attributes become Extents.
> Roles
  > Roles are relationships with additional information pertaining to the role (e.g. employees, or RBAC roles).
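The following is an added example, not code from the deck or from the System.Identity CTP. It renders three of the extents on the Party and Extents slides (Parties, IdentityKeys, PartyToPartyRelationships) as plain SQLite tables and exercises the properties this slide claims for identity keys: they are unique, any party can be located by one, and one kind of key can be translated to another through the party. It also shows why the StartDate/EndDate columns on the key and relationship extents matter: a lookup is only correct as of a date, because an expired key value can later be issued to a different party. Table and column names follow the slide labels; the ISO dates, the "as of" date and the uniqueness rule (enforced over live rows only) are assumptions, not the CTP's physical schema.

```python
import sqlite3

# Added example for this page, not code from the PDC 2009 deck or the
# System.Identity CTP. Table and column names follow the slide labels; the
# physical CTP schema, the ISO dates and the "as of" dates are assumptions.

SCHEMA = """
CREATE TABLE Parties (
    PartyID INTEGER PRIMARY KEY, Kind TEXT NOT NULL, DisplayName TEXT NOT NULL);
CREATE TABLE IdentityKeys (
    PartyID INTEGER NOT NULL REFERENCES Parties(PartyID),
    Kind TEXT NOT NULL, Value TEXT NOT NULL,
    StartDate TEXT NOT NULL, EndDate TEXT);
-- Uniqueness is enforced over live rows only: an expired key stays as history
-- for resolving old audit records, but two parties can never hold the same
-- (Kind, Value) at the same time.
CREATE UNIQUE INDEX IdentityKeys_Live ON IdentityKeys(Kind, Value)
    WHERE EndDate IS NULL;
CREATE TABLE PartyToPartyRelationships (
    ContextParty INTEGER NOT NULL REFERENCES Parties(PartyID),
    ReferencedParty INTEGER NOT NULL REFERENCES Parties(PartyID),
    Kind TEXT NOT NULL, StartDate TEXT NOT NULL, EndDate TEXT);
"""

# Constructed rows copied from the slides; the slides show years only, so the
# full ISO dates are an assumption.
PARTIES = [(1, "Person", "Joe Long"), (2, "Person", "Kim Cameron"),
           (3, "Person", "Gert Drapers"), (4, "Group", "Directory V-Team"),
           (5, "Device", "JoeLong04")]
KEYS = [
    (2, "NTName", r"REDMOND\kcameron", "1999-01-01", None),
    (2, "NTSID", "S-1-5-21-2127521184-1604012920-1887927527-5353432",
     "1999-01-01", None),
    (3, "NTName", r"NORTHERNEUROPE\gertd", "1991-01-01", "1996-01-01"),
    (3, "NTName", r"REDMOND\gertd", "1996-01-01", None),
    (3, "Phone", "+1 425 321-9876", "1996-01-01", None),
]
RELS = [(1, 2, "Friend", "2009-05-12", None),
        (4, 1, "Group Member", "2009-05-12", None),
        (4, 3, "Group Member", "2009-05-12", None)]

# Fixed SQL fragment (no user input) selecting rows valid on a given date:
# the validity window is [StartDate, EndDate), with NULL EndDate meaning open.
VALID = "StartDate <= ? AND (EndDate IS NULL OR EndDate > ?)"


def open_directory():
    """Build the in-memory directory from the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Parties VALUES (?,?,?)", PARTIES)
    db.executemany("INSERT INTO IdentityKeys VALUES (?,?,?,?,?)", KEYS)
    db.executemany("INSERT INTO PartyToPartyRelationships VALUES (?,?,?,?,?)", RELS)
    db.commit()
    return db


def find_party(db, kind, value, as_of):
    """Locate a party by any kind of identity key, as of an ISO date.
    Returns the PartyID, or None if the key is unknown or not valid then."""
    row = db.execute("SELECT PartyID FROM IdentityKeys WHERE Kind=? AND Value=? AND " + VALID,
                     (kind, value, as_of, as_of)).fetchone()
    return row[0] if row else None


def translate_key(db, from_kind, value, to_kind, as_of):
    """Translate between kinds of key (e.g. NTName -> NTSID) via the party."""
    party = find_party(db, from_kind, value, as_of)
    if party is None:
        return None
    row = db.execute("SELECT Value FROM IdentityKeys WHERE PartyID=? AND Kind=? AND " + VALID,
                     (party, to_kind, as_of, as_of)).fetchone()
    return row[0] if row else None


def members(db, group_id, as_of):
    """Members of a group as of a date, read from the relationship extent."""
    rows = db.execute("SELECT ReferencedParty FROM PartyToPartyRelationships "
                      "WHERE ContextParty=? AND Kind='Group Member' AND " + VALID +
                      " ORDER BY 1", (group_id, as_of, as_of)).fetchall()
    return [r[0] for r in rows]


def issue_key(db, party_id, kind, value, start):
    """Assign a new live key. Returns False, changing nothing, if another party
    currently holds the same (Kind, Value); the unique index rejects the row."""
    try:
        db.execute("INSERT INTO IdentityKeys VALUES (?,?,?,?,NULL)",
                   (party_id, kind, value, start))
    except sqlite3.IntegrityError:
        db.rollback()
        return False
    db.commit()
    return True


if __name__ == "__main__":
    db = open_directory()
    print(find_party(db, "NTName", r"REDMOND\gertd", "2009-12-01"))          # 3
    print(find_party(db, "NTName", r"NORTHERNEUROPE\gertd", "2009-12-01"))   # None: expired
    print(find_party(db, "NTName", r"NORTHERNEUROPE\gertd", "1993-06-01"))   # 3: valid then
    print(translate_key(db, "NTName", r"REDMOND\kcameron", "NTSID", "2009-12-01"))
    print(members(db, 4, "2009-12-01"))                                      # [1, 3]
    print(issue_key(db, 5, "NTName", r"REDMOND\gertd", "2009-12-01"))        # False: still live
```

The point to take from the validity window: once NORTHERNEUROPE\gertd has expired for party 3, issue_key will happily assign that same value to the device JoeLong04, and a lookup with today's date then resolves it to party 5 while a lookup dated 1993 still resolves it to party 3. Any consumer that maps an identifier found in an old log, ACL or token back to a party has to pass the date the identifier was observed, not the current date, or it will attribute the record to the wrong principal. The same applies to the Group Member relationships when reconstructing who had access at a given time.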

Page 19: Exploring the System.Identity model using “Quadrant”

demo

Gert Drapers, Principal Software Architect, Identity and Access Division

Page 20: Schema Principles

> Concrete modeling of directory problems, with accent on principals, identity keys and party-to-party relationships
> Reduce data redundancy through a normalized representation; important to efficiency, as AD showed with Security Descriptors and Group Memberships
> Factored to cleanly separate the information associated with different applications while allowing sharing
> Separation between the conceptual/logical schema and the physical schema/implementation
> Extensible “Kinds” system that allows developers to add new functionality to the directory without altering the schema

Page 21: FUTURE: Schema, API and Protocol

(Layer diagram comparing today’s AD stack with the NextGen AD & SD stack; labels recovered from the slide.)

Layer          AD          NextGen AD & SD
Schema         X.500       Logical System.Identity model
Protocols      LDAP        TDS
API            LDAP API    System.Identity API (System.Identity), over the Physical System.Identity SQL LINQ Provider
Functionality              System.Identity December 2009 CTP; SiLoader.exe also appears on the slide

Page 22: FUTURE: Schema, API and Protocol

(The same layer diagram with the protocol and provider layers expanded; labels recovered from the slide.)

Layer          AD          NextGen AD & SD
Schema         X.500       Logical System.Identity model
Protocols      LDAP        TDS, SI-SQL, SI-WS*, SI-REST; Synchronization/Replication between stores
Providers                  Physical System.Identity SQL LINQ Provider; Logical System.Identity Providers for LDAP, WS* and REST
API            LDAP API    System.Identity API (System.Identity)

Page 23: FUTURE: System.Identity API Principles

> High level .NET API which exposes the “logical” schema entities and relationships to the developer through LINQ
> The conceptual implementation of the schema is visible
> The physical implementation of the schema is hidden and abstracted through a LINQ provider
> Smallest API possible, with the option to use helper functions
> Reuse constructs from other domains (e.g. LINQ)

Page 24: Building our first directory application

demo

Gert Drapers, Principal Software Architect, Identity and Access Division

Page 25: FUTURE: Extending the Directory

> Kinds and Kind Relationships: adding new Kinds, or optionally extending the existing kind system inside your own namespace
> Party to party relationships: establish new relationships between parties
> PartyAttributes & PartyMedia: name/value pairs associated with a Party
> Private Extents: private type and storage linked to types inside the identity schema

Page 26: FUTURE: System.Identity Workflow

(Tool-chain diagram; labels recovered from the slide, read along the arrows.)

> System.Identity.m, the ‘M’ model authored with the OSLO SDK and Quadrant, is compiled by m.exe into System.Identity.sql
> SiUtil.exe -InstallDirectory and SiUtil.exe -InstallExtent load the schema and extents into the Directory
> SiUtil.exe -Code produces the generated System.Identity classes, built with the .NET FX SDK into System.Identity.dll
> Application code queries System.Identity through LINQ; the System.Identity LINQ Providers (SQL, LDAP, WS*, REST) talk to the physical stores

Page 27: Extending the Model and API

demo

Gert Drapers, Principal Software Architect, Identity and Access Division

Page 28: Summary: System.Identity, the new way of representing identity data

> A logical schema for “directory” information
> Represents parties with their multiple identities and relationships through kinds and party-to-party relationships
> Extensible without disturbing the base schema and implementations
> Built-in support for multiple tenants, federation and expiration of directory data
> Accessed through an API which exposes the “logical model” via LINQ to developers, while hiding/abstracting the different physical implementations

Page 29: Call to Action

> SVR19: Microsoft Project Code Name “Repository”: Using Metadata to Drive Application Design, Development, and Management. Thursday 11:30-12:30, room 515B
> Register at the Microsoft Connect site to get access to the System.Identity Dec 2009 CTP: http://connect.microsoft.com/SystemIdentity

Page 30: Your feedback is important to us!

Please fill out session evaluation forms online at MicrosoftPDC.com

Page 31: Learn More On Channel 9

> Expand your PDC experience through Channel 9
> Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses: channel9.msdn.com/learn

Built by Developers for Developers….

Page 32: Legal notice

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
