The ‘M’-Based System.Identity Model for Accessing Directory Services
Presentation Transcript

SVC28

The ‘M’-Based System.Identity Model for Accessing Directory Services

Kim Cameron

Distinguished Engineer

Microsoft Corp.

Gert Drapers

Software Architect

Microsoft Corp.


Agenda:

  • Vision of a Federated Directory

  • Evolving Active Directory

  • Introducing “System.Identity” the model

  • Introducing “System.Identity” the API


Vision

  • We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices

    • Shared architecture, data model and semantics, protocols, publication paradigm

    • Policy framework for configuration

    • Simple APIs integrated with developer platforms


Constraints

  • Application developer experience should be the same whether an app will run in the cloud or on-premise.

  • Same for end user experience.

  • Directory must be insulated from its success (example of Active Directory)

  • The directory shouldn’t need to trust the applications that use it

    • Need to support per-service “shadow” identity stores on-premise and in the cloud


New demands on the directory

  • Relationships and multiple identifiers

  • Cross directory federation and virtual teams

  • Multi-tenant (e.g. mergers & acquisitions)

  • Partitioning (data & workload)

  • Extensible without disruption

  • Support RSS, REST, WS*, .NET, Win32, …

  • Simplify common tasks

  • Complex query, polyarchy

  • Use ubiquitous tooling


Evolving Active Directory

  • Active Directory remains completely stable

  • Directory federation service will “clamp on” to existing Active Directory, much like ADFS does today

  • First steps are the next generation schema, API and protocol

  • Leverages repository patterns hosted on top of SQL Server and Cloud DB

  • New applications will use new capabilities

  • Open conversation with customers and industry


System.Identity Schema

(Schema diagram; only its labels survive.) Entities: Party, People, Organization, Group, Device, Software Service, Kind. Also labelled on the diagram: Vendor, Citizen, Employee, Customer, Authority, Process Role. Extent and relationship boxes: Party Resources, Resources, Policies, Tokens, Party Locations, Locations, Party-To-Party Relationships (1 From *, 1 To *), Identity Keys, Additional Properties, Policy relationships. Arrow legend: Amalgamation of, Abstraction/specialization, Within another, Has a kind.

System.Identity Schema

(Diagram build showing only the core entities: Party, People, Organization, Group, Device, Software Service, Kind. Arrow legend: Amalgamation of, Abstraction/specialization, Within another, Has a kind.)


Party and Extents

(Diagram: Parties Extent and Personas Extent.)



System.Identity Schema

(Diagram build: the core entities Party, People, Organization, Group, Device, Software Service and Kind, now with the Party-To-Party Relationships and Identity Keys extents added. Arrow legend: Amalgamation of, Abstraction/specialization, Within another, Has a kind.)


Party and Extents

(Diagram: Parties Extent and PartyToPartyRelationships Extent.)


Party and Extents

(Diagram: Parties Extent and IdentityKeys Extent.)



System.Identity Schema

(Diagram build: the core entities Party, People, Organization, Group, Device, Software Service and Kind with the Party-To-Party Relationships and Identity Keys extents, now adding Employee and Process Role. Arrow legend: Amalgamation of, Abstraction/specialization, Within another, Has a kind.)



System.Identity Model

  • Entity

    • Entity equates to an object in LDAP systems like Active Directory

  • Party

    • Party equates to a principal in AD – it is the most important and central entity in System.Identity.

      • Users, Groups, Services, and Devices are all parties.

  • Kinds

    • Kinds describe the equivalent of object class, attribute type, and attribute syntaxes in other systems. Kind-to-kind relationships describe things like inheritance.

  • Relationships

    • Party-to-Party relationships are a native concept in System.Identity. There are many possible types – e.g. Group-Member, Manager-Direct reports, Friend, etc.


System.Identity Model

  • Identity keys

    • Identity keys are defined formally in System.Identity, whereas in other systems they were attributes of a principal. Identity keys have special characteristics: they are unique; it is always possible to efficiently locate any party by an identity key; one can easily translate between kinds of key. Identity keys have kinds – e.g. SamAccountName, UPN, SID, PUID are all kinds of identity keys. Applications can expect new kinds of identity keys – and can handle them without necessarily having to interpret them.

  • Extents

    • Extent is the equivalent of a multi-valued property set. Parties have Extents on them instead of properties / attributes. This allows cleaner factoring of information (especially central vs. application directory) and also allows schematizing concepts which required blobs in other systems.

  • Attributes

    • Attributes are single-value properties, the equivalent of attributes in Active Directory; multi-valued properties are Extents.

  • Roles

    • Roles are relationships with additional information pertaining to the role (e.g. employees, or RBAC roles).
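The model on these two slides, as an added illustration that is not the CTP's API or any Microsoft code: an in-memory directory in which every party is located by an identity key of any kind (including kinds the code never interprets, such as the constructed PUID value), keys are translated between kinds by resolving the party, and party-to-party relationships are stored as first-class records. All class names, key kinds and sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class IdentityKey:
    kind: str    # "SamAccountName", "UPN", "SID", "PUID", ...; new kinds may appear later
    value: str

@dataclass
class Party:
    name: str
    kind: str    # "Person", "Group", "Device", "Organization", ...
    keys: list = field(default_factory=list)

class Directory:  # in-memory: each identity key, of whatever kind, maps to exactly one party
    def __init__(self):
        self._by_key = {}           # (key kind, key value) -> Party
        self._relationships = []    # (relationship kind, from party, to party)

    def add_party(self, party):
        # Uniqueness is checked across all key kinds before anything is stored.
        for k in party.keys:
            if (k.kind, k.value) in self._by_key:
                raise ValueError(f"duplicate identity key {k.kind}={k.value}")
        for k in party.keys:
            self._by_key[(k.kind, k.value)] = party
        return party

    def find(self, kind, value):
        # Any party is located by any of its keys; the kind is matched, never parsed.
        return self._by_key.get((kind, value))

    def translate(self, kind, value, to_kind):
        # Translate between key kinds by resolving the party and reading its other key.
        party = self.find(kind, value)
        return next((k.value for k in party.keys if k.kind == to_kind), None) if party else None

    def relate(self, rel_kind, src, dst):
        # Party-to-party relationships are first-class, e.g. Group-Member, Manager-DirectReport.
        self._relationships.append((rel_kind, src, dst))

    def related(self, rel_kind, src):
        return [d for r, s, d in self._relationships if r == rel_kind and s is src]
def build_sample():
    # Constructed sample data, not taken from any real directory.
    d = Directory()
    alice = d.add_party(Party("Alice", "Person", [IdentityKey("SamAccountName", "alice"),
        IdentityKey("UPN", "alice@example.test"), IdentityKey("SID", "S-1-5-21-1-2-3-1001"),
        IdentityKey("PUID", "0003BFFD1A2B3C4D")]))
    admins = d.add_party(Party("Admins", "Group", [IdentityKey("SamAccountName", "admins")]))
    d.relate("Group-Member", admins, alice)
    return d
```

Adding a second party that reuses any existing key of any kind raises ValueError, which is the uniqueness property the slide describes.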


Exploring the System.Identity model using “Quadrant”

demo

Gert Drapers

Principal Software Architect

Identity and Access Division


Schema Principles

  • Concrete modeling of directory problems

    • With accent on principals, identity keys and party-to-party relationships

  • Reduce data redundancy through a normalized representation

    • Important to efficiency as AD showed with Security Descriptors and Group Memberships

  • Factored to cleanly separate the information associated with different applications while allowing sharing

  • Separation between the conceptual / logical schema and the physical schema / implementation

  • Extensible “Kinds” system that allows developers to add new functionality to the directory without altering schema


Schema, API and Protocol

(Architecture diagram; only its labels survive.) API layer: System.Identity API and LDAP API. Model layer: Logical System.Identity model; Physical System.Identity SQL LINQ Provider. Protocols: LDAP, TDS, NextGen. Stores: AD & SD, AD (X.500), (System.Identity). Schema loaded by SiLoader.exe. Caption: Functionality in the System.Identity December 2009 CTP.


Schema, API and Protocol

(Architecture diagram; only its labels survive.) API layer: System.Identity API and LDAP API. Providers: Logical System.Identity Provider with SI-WS*, SI-REST and SI-SQL; Physical System.Identity SQL LINQ Provider. Protocols: LDAP, WS*, REST, TDS, NextGen. Stores: AD & SD, AD (X.500), (System.Identity). Also labelled: Synchronization/Replication, Schema.


System.Identity API Principles

  • High level .NET API which exposes the “logical” schema entities and relationships to developers through LINQ

    • The conceptual implementation of the schema is visible

    • The physical implementation of the schema is hidden and abstracted through a LINQ provider

    • Smallest API possible, with the option to use helper functions

    • Reuse constructs from other domains (e.g. LINQ)


Building our first directory application

demo

Gert Drapers

Principal Software Architect

Identity and Access Division


Extending the Directory

  • Kinds and Kind Relationships

    • Adding new Kinds or optionally extending the existing kind system inside your own namespace

  • Party to party relationships

    • Establish new relationships between parties

  • PartyAttributes & PartyMedia

    • Name/value pairs associated with a Party

  • Private Extents

    • Private type and storage linked to types inside the identity schema


System.Identity Workflow

(Workflow diagram; only its labels survive.) Tooling: m.exe (Oslo SDK) with the System.Identity.m model; System.Identity.sql; SiUtil.exe with its -InstallDirectory, -InstallExtent and -Code switches; Quadrant. Runtime: System.Identity.dll, LINQ, .NET FX SDK, System.Identity LINQ Providers (SQL, LDAP, WS*, REST). Application side: Directory Application, Application code, Generated System.Identity classes.


Extending the Model and API

demo

Gert Drapers

Principal Software Architect

Identity and Access Division


Summary: System.Identity, the new way of representing identity data

  • A logical schema for “directory” information

    • Represents parties with their multiple identities and relationships through kinds and party-to-party relationships

    • Extensible without disturbing the base schema and implementations

    • Built-in support for multiple tenants, federation and expiration of directory data

  • Accessed through an API which exposes the “logical model” via LINQ to developers

    • While hiding/abstracting the different physical implementations


Call to Action

  • SVR19: Microsoft Project Code Name “Repository”: Using Metadata to Drive Application Design, Development, and Management

    • Thursday 11:30-12:30 room 515B

  • Register at the Microsoft Connect site to get access to the System.Identity Dec 2009 CTP

    • http://connect.microsoft.com/SystemIdentity


YOUR FEEDBACK IS IMPORTANT TO US!

Please fill out session evaluation forms online at

MicrosoftPDC.com


Learn More On Channel 9

  • Expand your PDC experience through Channel 9

  • Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses

    channel9.msdn.com/learn

Built by Developers for Developers….

