NextGen Active Directory and System.Identity

While putting together the Windows HiEd 2010 conference topics several months ago with Microsoft and other conference organizers, I suggested we have someone from Microsoft talk about “NextGen AD” since there had recently been some hubbub about this at PDC. What we got was a session on System.Identity. System.Identity shouldn’t be confused with ADFSv2 or the Windows Identity Foundation, both of which have shipped in the last 6 months.
You can see the PDC session that covers System.Identity, which started the hubbub. And you can read a very interesting write-up about System.Identity here.

Microsoft observed that existing directories have design constraints that make them difficult to use for all of an application’s identity needs, so many applications end up developing extensions to meet this unmet need. But each of those applications is re-inventing the wheel, and these custom extensions are often a stumbling block to getting them to interoperate with each other. And all these applications basically result in AD data getting copied into the application’s SQL database. Microsoft also observed that a key failing was not allowing enough flexibility in defining relationships for any given identity. For example, in Active Directory, you really only have security groups to define relationships with. But groups only represent “member” relationships, have privacy limitations, and require that the “member” be in the local AD.

System.Identity is designed to help eliminate the wasted development costs put into each application’s identity needs. It does this by providing an identity model which is flexible and is not wedded to any particular authentication or authorization system or protocol. In other words, it provides an identity abstraction that an application can leverage, so that the application doesn’t have to worry about implementing support for authentication protocols, user settings (sometimes called the “profile” of the user), and relationships that typically are used for authorization decisions. In the System.Identity model, relationships are “first class” entities, as opposed to a second-class afterthought.

System.Identity is currently a community technology preview (CTP) experiment. Microsoft is hoping that others see the value of a common application identity framework which can leverage existing directory and identity technologies, but allow the greater flexibility needed by each application.

You can find out more at

It remains to be seen whether this is part of a larger NextGen Active Directory strategy or just another incremental step forward.