Tuesday, May 24, 2005

Powerful Stuff: WS-*, Single Sign-On, and InfoCard

It's risky to speculate on the nature of the "powerful stuff" that Steve Ballmer mentioned during a Q&A session at the recent TiEcon 2005 conference:

"We are working on more existing powerful stuff around XML Web services that will address many issues beyond RSS."
However, a likely "powerful stuff" candidate is Microsoft's InfoCard initiative for personal digital identity management and Web-based single sign-on (SSO) in the forthcoming Windows Longhorn client OS. The first public demonstration of InfoCard occurred in May at the Digital ID World 2005 conference in San Francisco. Microsoft more or less simultaneously published Kim Cameron's "The Laws of Identity" white paper and a more extensive "Microsoft's Vision for an Identity Metasystem" article. (Kim Cameron is Microsoft's Identity and Access Architect, and publishes the Identity Weblog.)

The "Pre-Release Software Code Named “Avalon” and “Indigo” Beta1 RC" download, which appeared on May 23, 2005, runs on Windows XP SP-2 or Windows 2003 Server. This download provides the Indigo runtime infrastructure for InfoCard Beta 1. (The only references to InfoCard Beta 1 appear in the press release and the main Longhorn Developer page's link to the RC, which also has a link to the Release Notes.) Running the Indigo setup program installs the .NET Framework 2.0 April CTP (Beta 2) version. You also can download and install an updated WinFX SDK as an ISO image from a link on the download page. The runtime and SDK are compatible with Visual Studio 2005 Beta 2.

Johannes Ernst's Blog provides an independent overview of InfoCard and describes its reliance on the WS-* stack. According to Johannes, InfoCard employs the following WS-* members and related specs:
  • SOAP [1.2]
  • WS-Addressing
  • WS-MetadataExchange
  • WS-Policy
  • WS-Security
  • WS-SecurityPolicy
  • WS-Transfer
  • WS-Trust
  • XML Signature
  • XML Encryption
  • SAML
  • WS-Federation (?, unclear)
[Note that Indigo bindings for WS-* support use SOAP 1.2, which results in Web services that don't meet WS-I Basic Profile 1.1. As Tim Ewald observes, many organizations require that all Web services they publish or consume claim BP-1.1 conformance.]

If processing InfoCard identities requires implementation of the eight WS-* specs from the above list, support for SAML, and the Indigo messaging infrastructure, is InfoCard destined for HailStorm's fate? At this point, only WS-Security is an official OASIS specification; the remaining members are at varying points in the standards process. So far, InfoCard appears to me to be another example of the overly complex "everything at once" syndrome that doomed HailStorm.

The preceding Indigo and InfoCard Beta 1 RC release followed a May 13, 2005 joint publication by Microsoft and Sun Microsystems of the Web Single Sign-On Interoperability Profile and Web Single Sign-On Metadata Exchange Protocol (WSSOMEX) specifications. These specs provide a mechanism for integrating WS-* and Liberty Alliance identity management of Web-based single sign-on technologies. WSSOMEX represents Sun's first—if tentative—commitment to the WS-* standards beyond WS-Security. The press release, transcript of remarks by Steve Ballmer and Scott McNealy's comments, and related links are here. WSSOMEX is the first concrete result of the 10-year Sun-Microsoft technical collaboration agreement of April 2004. Paul Madsen posted an early analysis of WSSOMEX and WS-MetadataExchange:
WSSOME[X] defines how WS-MetadataExchange can be used to determine which Single Sign-On protocol suites (SAML 1.1, ID-FF 1.2, SAML 2.0, WS-Federation, etc) your partner is capable of supporting so that the two of you can actually do something interesting (like enabling SSO for your customers, employees, etc). WS-MetadataExchange defines a SOAP-based request/response protocol. Fundamentally, one provider says to the other 'tell me what you can do'. If the returned list includes something that the asking provider can also [do], then we have an intersection of capabilities and we're off to the races. If [there's] no intersection, [there's] no way forward.
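The "tell me what you can do" exchange Paul describes, as an added example (not code from the post, the WSSOMEX specification, or Microsoft/Sun): the asking provider builds a WS-MetadataExchange GetMetadata request, parses the partner's advertised SSO protocol suites, and picks the first one in its own preference order, or gives up when there is no intersection. The SOAP 1.2, WS-Addressing and WS-MetadataExchange namespaces are the real ones; the `urn:example:web-sso-metadata` dialect, the `ProtocolSuite` element and the sample response are constructed for illustration and are not the WSSOMEX metadata format.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

# Real spec namespaces: SOAP 1.2, WS-Addressing (2004/08), WS-MetadataExchange (2004/09).
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
MEX = "http://schemas.xmlsoap.org/ws/2004/09/mex"
GET_METADATA_ACTION = MEX + "/GetMetadata/Request"
# Constructed placeholder dialect; the real WSSOMEX metadata format is not reproduced here.
SSO_DIALECT = "urn:example:web-sso-metadata"


def build_get_metadata_request(partner_url: str) -> bytes:
    """The asking provider's message: a SOAP 1.2 envelope with a WS-Addressing
    Action header and a mex:GetMetadata body restricted to the SSO dialect."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{WSA}}}Action").text = GET_METADATA_ACTION
    ET.SubElement(header, f"{{{WSA}}}To").text = partner_url
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    get = ET.SubElement(body, f"{{{MEX}}}GetMetadata")
    ET.SubElement(get, f"{{{MEX}}}Dialect").text = SSO_DIALECT
    return ET.tostring(env)


def parse_supported_suites(response_xml: str) -> Set[str]:
    """Collect the suites the partner advertises, reading only the
    MetadataSection whose Dialect matches the one we asked for."""
    root = ET.fromstring(response_xml)
    path = f".//{{{MEX}}}MetadataSection[@Dialect='{SSO_DIALECT}']"
    return {e.text.strip()
            for sec in root.iterfind(path)
            for e in sec.iterfind(f"{{{SSO_DIALECT}}}ProtocolSuite")
            if e.text}


def negotiate(my_preferences: List[str], response_xml: str) -> Optional[str]:
    """First suite in our preference order that the partner also supports;
    None means the capability sets do not intersect and there is no way forward."""
    theirs = parse_supported_suites(response_xml)
    return next((s for s in my_preferences if s in theirs), None)


# Constructed sample response from a partner that speaks SAML 1.1 and ID-FF 1.2.
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:mex="{MEX}" xmlns:sso="{SSO_DIALECT}">
  <s:Body><mex:Metadata><mex:MetadataSection Dialect="{SSO_DIALECT}">
    <sso:ProtocolSuite>SAML 1.1</sso:ProtocolSuite>
    <sso:ProtocolSuite>ID-FF 1.2</sso:ProtocolSuite>
  </mex:MetadataSection></mex:Metadata></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(build_get_metadata_request("https://partner.example/mex").decode())
    print(negotiate(["SAML 2.0", "SAML 1.1", "WS-Federation"], SAMPLE_RESPONSE))
    print(negotiate(["WS-Federation"], SAMPLE_RESPONSE))
```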
Sun's Hubert Le Van Gong posted a response to Paul's post and added his own initial InfoCard analysis and a follow-up in response to Kim Cameron's comments. InfoWorld's Jon Udell also weighed in with a post about Web single-sign-on with client-side certificates, a much simpler technology that never caught on, versus InfoCard. In fairness to InfoCard, the Liberty Alliance lists a large number of "Liberty-Enabled Products," but, according to Web service analyst Ron Schmelzer, "[T]here are still very few products, if any, that implement Liberty Alliance on the desktop client, and so Microsoft has a distinct advantage."