SVC28: The ‘M’-Based System.Identity Model for Accessing Directory Services
Kim Cameron, Distinguished Engineer, Microsoft Corp.
Gert Drapers, Software Architect, Microsoft Corp.

Agenda:
• Vision of a Federated Directory
• Evolving Active Directory
• Introducing “System.Identity” the model
• Introducing “System.Identity” the API
Vision
• We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices
• Shared architecture, data model and semantics, protocols, publication paradigm
• Policy framework for configuration
• Simple APIs integrated with developer platforms

Constraints
• Application developer experience should be the same whether an app will run in the cloud or on-premise.
• Same for end user experience.
• Directory must be insulated from its success (example of Active Directory)
• The directory shouldn’t need to trust the applications that use it
• Need to support per-service “shadow” identity stores on-premise and in the cloud

New demands on the directory
• Relationships and multiple identifiers
• Cross directory federation and virtual teams
• Multi tenant (e.g. mergers & acquisitions)
• Partitioning (data & workload)
• Extensible without disruption
• Support RSS, REST, WS*, .NET, Win32, …
• Simplify common tasks
• Complex query, polyarchy
• Use ubiquitous tooling

Evolving Active Directory
• Active Directory remains completely stable
• Directory federation service will “clamp on” to existing Active Directory, much like ADFS does today
• First steps are the next generation schema, API and protocol
• Leverages repository patterns hosted on top of SQL Server and Cloud DB
• New applications will use new capabilities
• Open conversation with customers and industry
System.Identity Schema (diagram, built up over several slides)
• Party types: People, Device, Group, Organization, Software Service
• Roles shown as specializations of Party: Employee, Vendor, Citizen, Customer, Authority, Process
• Related entities: Kind, Party-To-Party Relationships (1 From *, 1 To *), Identity Keys, Party Locations, Additional Properties, Party Resources, Resources, Policies, Tokens, Group Policy relationships
• Relationship arrows in the legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind

Party and Extents (diagram)
• Parties Extent, Personas Extent, PartyToPartyRelationships Extent, IdentityKeys Extent
System.Identity Model
• Entity
  • Entity equates to an object in LDAP systems like Active Directory
• Party
  • Party equates to a principal in AD – it is the most important and central entity in System.Identity.
  • Users, Groups, Services, and Devices are all parties.
• Kinds
  • Kinds describe the equivalent of object class, attribute type, and attribute syntaxes in other systems. Kind-to-kind relationships describe things like inheritance.
• Relationships
  • Party-to-Party relationships are a native concept in System.Identity. There are many possible types – e.g. Group-Member, Manager-Direct reports, Friend, etc.

System.Identity Model
• Identity keys
  • Identity keys are defined formally in System.Identity, vs. in other systems where they were attributes of a principal. Identity keys have special characteristics: they are unique; it is always possible to efficiently locate any party by an identity key; one can easily translate between Kinds of key. Identity keys have kinds – e.g. SamAccountName, UPN, SID, PUID are all kinds of identity keys. Applications can expect new kinds of identity keys – and can handle them without necessarily having to interpret them.
• Extents
  • Extent is the equivalent of a multi-valued property set. Parties have Extents on them instead of properties / attributes. This allows cleaner factoring of information (especially central vs. application directory) and also allows schematizing concepts which required blobs in other systems.
• Attributes
  • Attributes are single-valued properties, the equivalent of single-valued attributes in Active Directory; multi-valued data lives in Extents.
• Roles
  • Roles are relationships with additional information pertaining to the role (i.e. employees, or RBAC roles).
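To make the model slides concrete, here is an added, hypothetical in-memory sketch of the concepts above (parties, typed identity keys that are unique and translatable, multi-valued Extents, typed party-to-party relationships). It is illustrative code written for this page, not the Microsoft System.Identity API; the class and method names and all sample values are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Party:                      # hypothetical stand-in for a System.Identity party
    party_id: int
    kind: str                     # Person, Group, Device, ...
    extents: dict = field(default_factory=lambda: defaultdict(list))  # multi-valued sets

class Directory:                  # hypothetical in-memory directory
    def __init__(self):
        self.parties = {}
        self._by_key = {}                  # (key_kind, value) -> party_id; uniqueness index
        self._keys_of = defaultdict(dict)  # party_id -> {key_kind: value}
        self._rels = []                    # (relationship_kind, from_id, to_id)

    def add_party(self, kind, **keys):
        # Identity keys are unique across the directory, whatever their kind.
        dup = [k for k, v in keys.items() if (k, v) in self._by_key]
        if dup:
            raise ValueError(f"identity key already assigned: {dup}")
        pid = len(self.parties) + 1
        self.parties[pid] = Party(pid, kind)
        for k, v in keys.items():
            self._by_key[(k, v)] = pid
            self._keys_of[pid][k] = v
        return pid

    def find(self, key_kind, value):
        # Any party is located directly by any kind of key; a new kind needs no new code.
        return self.parties.get(self._by_key.get((key_kind, value)))

    def translate(self, from_kind, value, to_kind):
        # Translate between kinds of key, e.g. SID -> UPN.
        pid = self._by_key.get((from_kind, value))
        return self._keys_of[pid].get(to_kind) if pid else None

    def relate(self, rel_kind, from_id, to_id):
        self._rels.append((rel_kind, from_id, to_id))
    def related(self, rel_kind, from_id):
        return [t for k, f, t in self._rels if k == rel_kind and f == from_id]

def build_sample_directory():
    # Constructed sample data; the SID, UPNs and names are made up.
    d = Directory()
    alice = d.add_party("Person", UPN="alice@contoso.example", SID="S-1-5-21-1-2-3-1001")
    bob = d.add_party("Person", UPN="bob@contoso.example", SamAccountName="bob")
    admins = d.add_party("Group", SamAccountName="Admins")
    d.parties[alice].extents["Locations"] += ["Redmond", "Seattle"]  # an Extent, not an attribute
    d.relate("Group-Member", admins, alice)
    d.relate("Manager-DirectReport", alice, bob)
    return d, alice, bob, admins
```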
Demo: Exploring the System.Identity model using “Quadrant”
Gert Drapers, Principal Software Architect, Identity and Access Division

Schema Principles
• Concrete modeling of directory problems
  • With accent on principals, identity keys and party-to-party relationships
• Reduce data redundancy through a normalized representation
  • Important to efficiency, as AD showed with Security Descriptors and Group Memberships
• Factored to cleanly separate the information associated with different applications while allowing sharing
• Separation between the conceptual / logical schema and the physical schema / implementation
• Extensible “Kinds” system that allows developers to add new functionality to the directory without altering schema
Schema, API and Protocol (diagram, System.Identity December 2009 CTP)
• API layer: System.Identity API, LDAP API
• Logical layer: Logical System.Identity model
• Physical layer: System.Identity SQL LINQ Provider
• Protocols: LDAP, TDS
• Stores: NextGen AD & SD, AD (X.500), (System.Identity)
• Tooling: SiLoader.exe (Schema, Functionality)

Schema, API and Protocol (diagram, extended view)
• API layer: System.Identity API, LDAP API
• Logical System.Identity Providers: SI-WS*, SI-REST, SI-SQL
• Protocols: LDAP, WS*, REST
• Physical layer: System.Identity SQL LINQ Provider
• Stores: NextGen AD & SD, AD (X.500), (System.Identity), with Synchronization/Replication between them
System.Identity API Principles
• High level .NET API which exposes the “logical” schema entities and relationships to developers through LINQ
• The conceptual implementation of the schema is visible
• The physical implementation of the schema is hidden and abstracted through a LINQ provider
• Smallest API possible, with the option to use helper functions
• Reuse constructs from other domains (e.g. LINQ)

Demo: Building our first directory application
Gert Drapers, Principal Software Architect, Identity and Access Division

Extending the Directory
• Kinds and Kind Relationships
  • Adding new Kinds or optionally extending the existing kind system inside your own namespace
• Party to party relationships
  • Establish new relationships between parties
• PartyAttributes & PartyMedia
  • Name value pair associated with Party
• Private Extents
  • Private type and storage linked to types inside identity schema
System.Identity Workflow (diagram)
• Model: System.Identity.m, compiled with m.exe (OSLO SDK)
• SiUtil.exe -InstallDirectory: produces System.Identity.sql for the Directory
• SiUtil.exe -Code: generated System.Identity classes, built into System.Identity.dll
• SiUtil.exe -InstallExtent: installs application extents
• Application code uses System.Identity via LINQ (.NET FX SDK) and the System.Identity LINQ Providers (SQL, LDAP, WS*, REST)
• Quadrant for exploring the model

Demo: Extending the Model and API
Gert Drapers, Principal Software Architect, Identity and Access Division
Summary: System.Identity, the new way of representing identity data
• A logical schema for “directory” information
• Represents parties with their multiple identities and relationships through kinds and party to party relationships
• Extensible without disturbing the base schema and implementations
• Built-in support for multiple tenants, federation and expiration of directory data
• Accessed through an API which exposes the “logical model” via LINQ to developers
  • While hiding/abstracting the different physical implementations

Call to Action
• SVR19: Microsoft Project Code Name “Repository”: Using Metadata to Drive Application Design, Development, and Management
  • Thursday 11:30-12:30, room 515B
• Register at the Microsoft Connect site to get access to the System.Identity Dec 2009 CTP
  • http://connect.microsoft.com/SystemIdentity
Your feedback is important to us! Please fill out session evaluation forms online at MicrosoftPDC.com

Learn More On Channel 9
• Expand your PDC experience through Channel 9
• Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses: channel9.msdn.com/learn
Built by Developers for Developers…