In a post entitled “Freedom of Choice ≠ Your Choice of Captor”, Craig Burton has responded to the part of my previous post where I expressed skepticism about the “profound innovation” in the work Microsoft is doing. I want to be clear: I am not questioning the vision that Kim Cameron has started to talk about in his posts about IDMaaS (though I was bringing up a part – the governance controls – that I felt was missing and that I believe has a major impact on the architecture of a Common Identity Framework, as Craig called it). And I am completely in agreement with what Craig described in his original post in the section “Stop Gushing and Lay it Out for Me”.
Craig talks about how Freedom of Choice necessarily includes Freedom from Captor. He then says “This definition is quite different than the freedom of choice Mr. Kaushik writes about in his blog piece”. I’m not sure why he thinks that, because what I am saying is exactly in line with what Craig and Kim are saying. It is what I have been saying since back in 2006, when I first started talking about the Identity Services Platform: a framework through which identity-enabled applications (essentially any application) consume identity from standardized services that can plug into any identity system or metasystem.
What I was pointing out was that John Shewchuk’s post about WAAD seemed to indicate a lack of Freedom of Choice in what Microsoft is rolling out, at least right now. Becoming an Office 365 customer would “automatically create a new Windows Azure Active Directory that is associated with the Office 365 account”, forcing you to store and manage your identities in WAAD. It should instead simply ask which domain your users come from; you could then point it at your company’s Google Apps domain, sign up for WAAD only if needed, or grant access to contractors/partners using whatever identity they choose (a traditional AD environment, Facebook or Twitter accounts, even personal OpenIDs). By the way, the governance controls I was talking about are essential here in order to define the process of granting, managing and taking away access in this deployment model.
When I said “I’m having a little trouble seeing what is so innovative about WAAD itself”, I was pointing out my opinion that the details in John’s post did not seem to match up with the vision being outlined in Kim’s post, representing the kind of disconnect that Craig himself called out as a risk at various points in his post, but most notably in the section titled “Caveats”. I guess I’m not quite ready to make the leap that Microsoft’s work will line up with Kim’s vision, and was calling out the disconnect I was seeing. And when Craig said “Microsoft is not only doing something innovative – but profoundly innovative”, I assumed he was talking about WAAD and related work, and not just referring to what Kim is talking about.
Now, if WAAD has a virtualization-over-the-wire component to connect to distributed identity stores (maybe with some caching), or if applications like “Office 365, Microsoft Dynamics CRM, Windows Intune software and services, and third-party applications created by enterprises” integrate with it using pure LDAP or some other standard interface that is not proprietary to Microsoft, preventing lock-in and allowing me to plug something else in instead of WAAD in the future, then my read will change. Re-architecting how applications consume identity or integrate with the identity infrastructure is one of the biggest and toughest obstacles to realizing what Kim is talking about, especially in a place like Microsoft. I know – I faced these same obstacles when trying to figure out how to do the same thing in reinventing the integration between Oracle’s Fusion Applications and the identity services they were going to rely on in Oracle’s Fusion Architecture.
Maybe these or similar details are what we will see in the upcoming posts from John that point out how the capabilities in WAAD and in the identity services in Azure are evolving in line with the IDMaaS vision, which is why I said I would refrain from going into details until I saw the remaining posts from John. Maybe that is the missing piece of the puzzle that Craig is already privy to. We can hope. I am genuinely looking forward to learning more about this, and would love to be wrong on this. It will take a heavy hitter, like Microsoft or Oracle, to effect a sea change in application architectures, without which an identity services approach might go the way of SPML.
[Cross-posted to the Identropy Blog]