
The ‘M’-Based System.Identity Model for Accessing Directory Services

SVC28: The ‘M’-Based System.Identity Model for Accessing Directory Services. Kim Cameron, Distinguished Engineer, Microsoft Corp.; Gert Drapers, Software Architect, Microsoft Corp. Agenda: Vision of a Federated Directory; Evolving Active Directory; Introducing “System.Identity”: the model; Introducing “System.Identity”: the API.


Presentation Transcript


  1. SVC28: The ‘M’-Based System.Identity Model for Accessing Directory Services. Kim Cameron, Distinguished Engineer, Microsoft Corp. Gert Drapers, Software Architect, Microsoft Corp.

  2. Agenda: • Vision of a Federated Directory • Evolving Active Directory • Introducing “System.Identity”: the model • Introducing “System.Identity”: the API

  3. Vision • We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices • Shared architecture, data model and semantics, protocols, publication paradigm • Policy framework for configuration • Simple APIs integrated with developer platforms

  4. Constraints • The application developer experience should be the same whether an app runs in the cloud or on-premises. • The same holds for the end-user experience. • The directory must be insulated from its own success (Active Directory is the example). • The directory shouldn’t need to trust the applications that use it. • Need to support per-service “shadow” identity stores, on-premises and in the cloud.

  5. New demands on the directory • Relationships and multiple identifiers • Cross directory federation and virtual teams • Multi tenant (eg: mergers & acquisitions) • Partitioning (data & workload) • Extensible without disruption • Support RSS, REST, WS*, .NET, Win32, … • Simplify common tasks • Complex query, polyarchy • Use ubiquitous tooling

  6. Evolving Active Directory • Active Directory remains completely stable • Directory federation service will “clamp on” to existing Active Directory, much like ADFS does today • First steps are the next generation schema, API and protocol • Leverages repository patterns hosted on top of SQL server and Cloud DB • New applications will use new capabilities • Open conversation with customers and industry

  7. System.Identity Schema (diagram; full build-out). Labels on the diagram: Party, People, Group, Organization, Device, Software, Service, Kind; Vendor, Citizen, Employee, Customer, Authority, Process, Role; Party-To-Party Relationships (cardinality labels 1 From * and 1 To *), Identity Keys, Party Locations, Locations, Party Resources, Resources, Policies, Tokens, Group Policy relationships, Additional Properties. Edge legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.

  8. System.Identity Schema (diagram; core parties only). Labels: Party, People, Group, Organization, Device, Software, Service, Kind. Edge legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.

  9. Party and Extents (diagram). Parties Extent; Personas Extent.

  10. System.Identity Schema (diagram; same core-party diagram as slide 8).

  11. System.Identity Schema (diagram). Core-party diagram of slide 8 plus Party-To-Party Relationships and Identity Keys.

  12. Party and Extents (diagram). Parties Extent; PartyToPartyRelationships Extent.

  13. Party and Extents (diagram). Parties Extent; IdentityKeys Extent.

  14. System.Identity Schema (diagram; same as slide 11).

  15. System.Identity Schema (diagram). Slide 11 plus Employee, Process and Role.

  16. System.Identity Schema (diagram; same full build-out as slide 7).

  17. System.Identity Model • Entity • An Entity equates to an object in LDAP systems like Active Directory. • Party • A Party equates to a principal in AD; it is the most important and central entity in System.Identity. • Users, groups, services, devices and organizations are all parties. • Kinds • Kinds describe the equivalent of object classes, attribute types and attribute syntaxes in other systems. Kind-to-kind relationships describe things like inheritance. • Relationships • Party-to-party relationships are a native concept in System.Identity. There are many possible types, e.g. Group-Member, Manager-Direct Report, Friend, etc.

  18. System.Identity Model • Identity keys • Identity keys are defined formally in System.Identity, whereas in other systems they were attributes of a principal. Identity keys have special characteristics: they are unique; it is always possible to efficiently locate any party by an identity key; and one can easily translate between kinds of key. Identity keys have kinds, e.g. SamAccountName, UPN, SID and PUID are all kinds of identity key. Applications can expect new kinds of identity keys, and can handle them without necessarily having to interpret them. • Extents • An Extent is the equivalent of a multi-valued property set. Parties have Extents on them instead of properties/attributes. This allows cleaner factoring of information (especially central vs. application directory) and also allows schematizing concepts that required blobs in other systems. • Attributes • Attributes are single-valued properties, the equivalent of single-valued attributes in Active Directory; multi-valued data goes into Extents. • Roles • Roles are relationships with additional information pertaining to the role (e.g. employees, or RBAC roles).

  19. Exploring the System.Identity model using “Quadrant” (demo). Gert Drapers, Principal Software Architect, Identity and Access Division.

  20. Schema Principles • Concrete modeling of directory problems • With accent on principals, identity keys and party-to-party relationships • Reduce data redundancy through a normalized representation • Important to efficiency as AD showed with Security Descriptors and Group Memberships • Factored to cleanly separate the information associated with different applications while allowing sharing • Separation between the conceptual / logical schema and the physical schema / implementation • Extensible “Kinds” system that allows developers to add new functionality to the directory without altering schema

  21. Schema, API and Protocol (diagram; System.Identity December 2009 CTP). Layers: API (System.Identity API, LDAP API); Logical System.Identity model; Physical (System.Identity SQL LINQ Provider); Protocols (LDAP, TDS); stores NextGen AD & SD (System.Identity) and AD (X.500). SiLoader.exe is shown against the schema. Columns: Schema; Functionality.

  22. Schema, API and Protocol (diagram; beyond the CTP). Adds Logical System.Identity Providers SI-WS*, SI-REST and SI-SQL over the protocols LDAP, WS* and REST, the physical System.Identity SQL LINQ Provider over LDAP and TDS, the stores NextGen AD & SD (System.Identity) and AD (X.500), and Synchronization/Replication between them.

  23. System.Identity API Principles • A high-level .NET API which exposes the “logical” schema entities and relationships to developers through LINQ • The conceptual implementation of the schema is visible • The physical implementation of the schema is hidden and abstracted through a LINQ provider • Smallest API possible, with the option to use helper functions • Reuse constructs from other domains (e.g. LINQ)

  24. Building our first directory application (demo). Gert Drapers, Principal Software Architect, Identity and Access Division.

  25. Extending the Directory • Kinds and Kind Relationships • Adding new Kinds, or optionally extending the existing kind system inside your own namespace • Party-to-party relationships • Establish new relationships between parties • PartyAttributes & PartyMedia • Name-value pairs associated with a Party • Private Extents • Private type and storage linked to types inside the identity schema
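The model described on slides 17, 18, 20 and 25, reduced to runnable code as an added illustration. This is not part of the original deck and not the CTP's actual API (which is exposed through LINQ providers; a plain Python in-memory store stands in for it here). Every name is an assumption: the Directory class and its methods, the IdentityKey and Relationship shapes, the GroupMember and ManagerDirectReport relationship kinds, the contoso: namespace and the sample parties are all constructed for this example; the CTP's own names are not on this page. It shows kinds with single inheritance and a namespaced extension that cannot redefine a base kind, parties located by any identity key and translated between key kinds, the uniqueness invariant enforced before any state changes, party-to-party relationships including a role that carries extra data, and a cycle-safe effective-membership query over nested groups, the computation that normalised storage of memberships (slide 20) is meant to make cheap.

```python
# Toy in-memory model of the System.Identity concepts on slides 17-18, 20 and 25. Constructed
# illustration, not the December 2009 CTP's API or schema; every name here is an assumption.
from collections import defaultdict, namedtuple

# Identity keys have kinds (SID, UPN, SamAccountName, ...); a new key kind needs no code change.
IdentityKey = namedtuple("IdentityKey", "kind value")
# A role is just a relationship that carries extra information in `data`.
Relationship = namedtuple("Relationship", "kind from_party to_party data")


class Directory:
    def __init__(self):
        self._parent = {"Party": None}       # kind -> parent kind ("abstraction/specialization")
        self.parties = {}                    # Parties extent: id -> kind
        self.keys = {}                       # IdentityKeys extent: key -> party id (lookup by any key)
        self._keys_of = defaultdict(list)    # reverse index for key translation
        self.relationships = []              # PartyToPartyRelationships extent
        self._next_id = 1

    def define_kind(self, kind, parent="Party"):
        # A kind is defined once; extensions use a namespaced name and leave the base untouched.
        if kind in self._parent:
            raise ValueError(f"kind already defined: {kind}")
        self._parent[kind] = parent

    def is_a(self, kind, ancestor):
        while kind is not None:
            if kind == ancestor:
                return True
            kind = self._parent.get(kind)    # unknown kind -> False, never KeyError
        return False

    def add_party(self, kind, *keys):
        if not self.is_a(kind, "Party"):
            raise ValueError(f"{kind} is not a kind of Party")
        # Uniqueness invariant, checked before any extent is mutated (no half-registered party).
        dup = [k for k in keys if k in self.keys]
        if dup:
            raise ValueError(f"identity key already bound: {dup[0]}")
        pid, self._next_id = self._next_id, self._next_id + 1
        self.parties[pid] = kind
        for k in keys:
            self.keys[k] = pid
            self._keys_of[pid].append(k)
        return pid

    def translate(self, key, to_kind):
        """Translate between kinds of key (e.g. SID -> UPN) via the owning party."""
        pid = self.keys.get(key)
        return None if pid is None else next(
            (k.value for k in self._keys_of[pid] if k.kind == to_kind), None)

    def relate(self, kind, from_party, to_party, **data):
        if from_party not in self.parties or to_party not in self.parties:
            raise KeyError("both ends of a relationship must be existing parties")
        self.relationships.append(Relationship(kind, from_party, to_party, tuple(sorted(data.items()))))

    def related(self, party, kind, *, outgoing=True):
        """Parties one hop from `party` over `kind`, following or reversing the arrow."""
        return [(r.to_party if outgoing else r.from_party) for r in self.relationships
                if r.kind == kind and (r.from_party if outgoing else r.to_party) == party]

    def effective_groups(self, party):
        """Cycle-safe transitive closure of GroupMember (group -> member); membership is
        stored once, so this and 'members of G' read the same rows (no redundancy)."""
        seen, todo = set(), [party]
        while todo:
            for g in self.related(todo.pop(), "GroupMember", outgoing=False):
                if g not in seen:
                    seen.add(g)
                    todo.append(g)
        return seen


def demo():
    d = Directory()
    for k in ("People", "Group", "Organization", "Device", "Software", "Service"):
        d.define_kind(k)
    d.define_kind("Employee", parent="People")
    d.define_kind("contoso:Contractor", parent="People")   # extension in a private namespace
    alice = d.add_party("Employee", IdentityKey("SamAccountName", "alice"),
                        IdentityKey("UPN", "alice@contoso.example"),
                        IdentityKey("SID", "S-1-5-21-1-2-3-1001"))
    bob = d.add_party("contoso:Contractor", IdentityKey("UPN", "bob@contoso.example"))
    admins = d.add_party("Group", IdentityKey("SamAccountName", "Domain Admins"))
    ops = d.add_party("Group", IdentityKey("SamAccountName", "Ops"))
    d.relate("GroupMember", admins, ops)   # Ops is nested inside Domain Admins
    d.relate("GroupMember", ops, alice)
    d.relate("GroupMember", ops, admins)   # nested-group cycle: must not loop forever
    d.relate("ManagerDirectReport", alice, bob, title="Contractor", cost_center="CC42")
    return d, {
        "sid_to_upn": d.translate(IdentityKey("SID", "S-1-5-21-1-2-3-1001"), "UPN"),
        "bob_is_person": d.is_a(d.parties[bob], "People"),
        "alice_groups": d.effective_groups(alice),
        "ops_members": d.related(ops, "GroupMember"),
        "alice_reports": d.related(alice, "ManagerDirectReport"),
        "unknown_key": d.keys.get(IdentityKey("PUID", "0003BFFD1234")),
    }
```

demo() returns the populated directory and a dict of query results. The Ops and Domain Admins groups deliberately contain each other: effective_groups terminates because it tracks visited groups, which is the case a naive recursive membership walk gets wrong, and a second party presenting alice's UPN is rejected before any extent is written.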

  26. System.Identity Workflow (diagram). Labels: System.Identity.m, compiled with m.exe (OSLO SDK) to System.Identity.sql; SiUtil.exe with -InstallDirectory, -InstallExtent and -Code (the last producing generated System.Identity classes); Directory; Application; Application code; System.Identity.dll; System.Identity LINQ Providers (SQL, LDAP, WS*, REST); LINQ; .NET FX SDK; Quadrant.

  27. Extending the Model and API (demo). Gert Drapers, Principal Software Architect, Identity and Access Division.

  28. Summary: System.Identity, the new way of representing identity data • A logical schema for “directory” information • Represents parties with their multiple identities and relationships through kinds and party-to-party relationships • Extensible without disturbing the base schema and implementations • Built-in support for multiple tenants, federation and expiration of directory data • Accessed through an API which exposes the “logical model” via LINQ to developers • While hiding/abstracting the different physical implementations

  29. Call to Action • SVR19: Microsoft Project Code Name “Repository”: Using Metadata to Drive Application Design, Development, and Management • Thursday 11:30-12:30 room 515B • Register at the Microsoft Connect site to get access to the System.Identity Dec 2009 CTP • http://connect.microsoft.com/SystemIdentity

  30. YOUR FEEDBACK IS IMPORTANT TO US! Please fill out session evaluation forms online at MicrosoftPDC.com

  31. Learn More On Channel 9 • Expand your PDC experience through Channel 9 • Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses channel9.msdn.com/learn Built by Developers for Developers….
