The ‘M’-Based System.Identity Model for Accessing Directory Services
DESCRIPTION
SVC28. The ‘M’-Based System.Identity Model for Accessing Directory Services. Kim Cameron, Distinguished Engineer, Microsoft Corp. Gert Drapers, Software Architect, Microsoft Corp. Agenda: Vision of a Federated Directory; Evolving Active Directory.
TRANSCRIPT
![Page 1: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/1.jpg)
The ‘M’-Based System.Identity Model for Accessing Directory Services
SVC28
Kim Cameron, Distinguished Engineer, Microsoft Corp.
Gert Drapers, Software Architect, Microsoft Corp.
![Page 2: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/2.jpg)
Agenda:
> Vision of a Federated Directory
> Evolving Active Directory
> Introducing “System.Identity” the model
> Introducing “System.Identity” the API
![Page 3: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/3.jpg)
Vision
> We need a directory metasystem that works holistically in the cloud, in enterprises and organizations, and on devices
> Shared architecture, data model and semantics, protocols, publication paradigm
> Policy framework for configuration
> Simple APIs integrated with developer platforms
![Page 4: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/4.jpg)
Constraints
> Application developer experience should be the same whether an app will run in the cloud or on-premise.
> Same for end user experience.
> Directory must be insulated from its success (example of Active Directory)
> The directory shouldn’t need to trust the applications that use it
> Need to support per-service “shadow” identity stores on-premise and in the cloud
![Page 5: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/5.jpg)
New demands on the directory
> Relationships and multiple identifiers
> Cross directory federation and virtual teams
> Multi tenant (e.g. mergers & acquisitions)
> Partitioning (data & workload)
> Extensible without disruption
> Support RSS, REST, WS-*, .NET, Win32, …
> Simplify common tasks
> Complex query, polyarchy
> Use ubiquitous tooling
![Page 6: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/6.jpg)
Evolving Active Directory
> Active Directory remains completely stable
> Directory federation service will “clamp on” to existing Active Directory, much like ADFS does today
> First steps are the next generation schema, API and protocol
> Leverages repository patterns hosted on top of SQL Server and Cloud DB
> New applications will use new capabilities
> Open conversation with customers and industry
![Page 7: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/7.jpg)
System.Identity Schema (full diagram)
Party is the central entity. Around it the diagram shows: Kind (People, Group, Organization, Device, Software Service); Identity Keys; Party-To-Party Relationships; Process Role (e.g. Employee); Authority; Tokens; Party Locations and Locations; Party Resources and Resources; Additional Properties; and Policies with Policy relationships (1 To *, 1 From *). The labels Customer, Vendor and Citizen also appear on the diagram.
Diagram legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.
![Page 8: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/8.jpg)
System.Identity Schema (diagram, first build)
Party, with its Kind: People, Group, Organization, Device, Software Service.
Diagram legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.
![Page 9: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/9.jpg)
Party and Extents

Parties Extent

| ID | Kind | DisplayName |
|---|---|---|
| 1 | Person | Joe Long |
| 2 | Person | Kim Cameron |
| 3 | Person | Gert Drapers |
| 4 | Group | Directory V-Team |
| 5 | Device | JoeLong04 |

Personas Extent

| PartyID | Surname | MiddleName | GivenName | Nickname | Gender | StartDate | EndDate |
|---|---|---|---|---|---|---|---|
| 1 | Long | | Joe | | Male | 1991 | |
| 2 | Cameron | | Kim | | Male | 1999 | |
| 2 | | | | PhotoGeek | Male | 2006 | |
| 3 | Drapers | | Gert | DataDude | Male | 1991 | |
| 8 | Brown | | Mary | | Female | 2004 | |
![Page 10: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/10.jpg)
System.Identity Schema (diagram, as on Page 8)
Party, with its Kind: People, Group, Organization, Device, Software Service.
Diagram legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.
![Page 11: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/11.jpg)
System.Identity Schema (diagram, second build)
Party, with its Kind (People, Group, Organization, Device, Software Service), plus Identity Keys and Party-To-Party Relationships.
Diagram legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.
![Page 12: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/12.jpg)
Party and Extents

Parties Extent

| ID | Kind | DisplayName |
|---|---|---|
| 1 | Person | Joe Long |
| 2 | Person | Kim Cameron |
| 3 | Person | Gert Drapers |
| 4 | Group | Directory V-Team |
| 5 | Device | JoeLong04 |

PartyToPartyRelationships Extent

| ContextParty | ReferencedParty | Kind | StartDate | EndDate |
|---|---|---|---|---|
| 1 | 2 | Friend | | |
| 1 | 3 | Friend | | |
| 3 | 1 | Friend | | |
| 4 | 1 | Group Member | | |
| 4 | 3 | Group Member | | |

(The slide also shows the date May 12 2009 in one of the date columns; the row it belongs to is not recoverable from the extraction.)
![Page 13: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/13.jpg)
Party and Extents

Parties Extent

| ID | Kind | DisplayName |
|---|---|---|
| 1 | Person | Joe Long |
| 2 | Person | Kim Cameron |
| 3 | Person | Gert Drapers |
| 4 | Group | Directory V-Team |
| 5 | Device | JoeLong04 |

IdentityKeys Extent

| PartyID | Kind | Value | StartDate | EndDate |
|---|---|---|---|---|
| 2 | Email | [email protected] | 1999 | |
| 2 | NTName | REDMOND\kcameron | 1999 | |
| 2 | NTSID | S-1-5-21-2127521184-1604012920-1887927527-5353432 | 1999 | |
| 3 | Email | [email protected] | 1991 | |
| 3 | Phone | +1 425 321-9876 | 1996 | |
| 3 | NTName | NORTHERNEUROPE\gertd | 1991 | 1996 |
| 3 | NTName | REDMOND\gertd | 1996 | |
![Page 14: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/14.jpg)
System.Identity Schema (diagram, as on Page 11)
Party, with its Kind (People, Group, Organization, Device, Software Service), plus Identity Keys and Party-To-Party Relationships.
Diagram legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.
![Page 15: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/15.jpg)
System.Identity Schema (diagram, third build)
Party, with its Kind (People, Group, Organization, Device, Software Service), Identity Keys, Party-To-Party Relationships, and Process Role (e.g. Employee).
Diagram legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.
![Page 16: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/16.jpg)
System.Identity Schema (full diagram, as on Page 7)
Party is the central entity. Around it the diagram shows: Kind (People, Group, Organization, Device, Software Service); Identity Keys; Party-To-Party Relationships; Process Role (e.g. Employee); Authority; Tokens; Party Locations and Locations; Party Resources and Resources; Additional Properties; and Policies with Policy relationships (1 To *, 1 From *). The labels Customer, Vendor and Citizen also appear on the diagram.
Diagram legend: Amalgamation of; Abstraction/specialization; Within another; Has a kind.
![Page 17: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/17.jpg)
System.Identity Model
> Entity
  > An entity equates to an object in LDAP systems like Active Directory.
> Party
  > A party equates to a principal in AD; it is the most important and central entity in System.Identity. Users, Groups, Organizations, Services and Devices are all parties.
> Kinds
  > Kinds describe the equivalent of object class, attribute type and attribute syntax in other systems. Kind-to-kind relationships describe things like inheritance.
> Relationships
  > Party-to-party relationships are a native concept in System.Identity. There are many possible types, e.g. Group-Member, Manager-Direct reports, Friend, etc.
![Page 18: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/18.jpg)
System.Identity Model
> Identity keys
  > Identity keys are defined formally in System.Identity, whereas in other systems they were attributes of a principal. Identity keys have special characteristics: they are unique; it is always possible to efficiently locate any party by an identity key; one can easily translate between kinds of key. Identity keys have kinds, e.g. SamAccountName, UPN, SID and PUID are all kinds of identity keys. Applications can expect new kinds of identity keys, and can handle them without necessarily having to interpret them.
> Extents
  > An extent is the equivalent of a multi-valued property set. Parties have extents on them instead of properties / attributes. This allows cleaner factoring of information (especially central vs. application directory) and also allows schematizing concepts which required blobs in other systems.
> Attributes
  > Attributes are single-value properties, the equivalent of attributes in Active Directory; multi-valued ones are extents.
> Roles
  > Roles are relationships with additional information pertaining to the role (e.g. employees, or RBAC roles).
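The following is an added example, not code from the talk or from the System.Identity CTP: a small in-memory model of the Parties, IdentityKeys and PartyToPartyRelationships extents from the slides, written to show the three properties the model claims for identity keys (unique, efficiently resolvable, translatable between kinds) together with the StartDate/EndDate validity windows the extents carry. Class and method names are assumptions; the sample rows are the ones on the “Party and Extents” slides (the e-mail keys are omitted because their values are not recoverable from the page), and the Mary Brown key-reuse scenario is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Party:
    id: int
    kind: str            # the party's Kind: Person, Group, Device, ...
    display_name: str


@dataclass(frozen=True)
class IdentityKey:       # one row of the IdentityKeys extent
    party_id: int
    kind: str            # key Kind: NTName, NTSID, Phone, ...
    value: str
    start: int           # StartDate (a year, as on the slides)
    end: Optional[int] = None   # EndDate; None means still valid


@dataclass(frozen=True)
class Relationship:      # one row of the PartyToPartyRelationships extent
    context: int         # ContextParty, e.g. the group
    referenced: int      # ReferencedParty, e.g. the member
    kind: str            # Friend, Group Member, ...
    start: Optional[int] = None
    end: Optional[int] = None


def _valid_at(start, end, when):
    """Half-open validity window [start, end); a None bound is unbounded."""
    return (start is None or start <= when) and (end is None or when < end)


def _overlaps(a, b):
    a_end = a.end if a.end is not None else float("inf")
    b_end = b.end if b.end is not None else float("inf")
    return a.start < b_end and b.start < a_end


class Directory:
    """Parties plus two extents; how they are stored is hidden from callers."""

    def __init__(self):
        self.parties, self.keys, self.rels = {}, [], []

    def add_party(self, party):
        self.parties[party.id] = party

    def add_key(self, key):
        if key.party_id not in self.parties:
            raise ValueError(f"no party {key.party_id}")
        # Uniqueness: one (kind, value) may not denote two parties at the same time.
        for k in self.keys:
            if k.kind == key.kind and k.value == key.value and _overlaps(k, key):
                raise ValueError(f"{key.kind} {key.value!r} already bound to party {k.party_id}")
        self.keys.append(key)

    def add_relationship(self, rel):
        self.rels.append(rel)

    def resolve(self, kind, value, when):
        """The party an identity key denoted at time `when`, or None."""
        for k in self.keys:
            if k.kind == kind and k.value == value and _valid_at(k.start, k.end, when):
                return self.parties[k.party_id]
        return None

    def translate(self, kind, value, to_kind, when):
        """Translate between key kinds via the party, e.g. NTName -> NTSID."""
        party = self.resolve(kind, value, when)
        if party is None:
            return None
        for k in self.keys:
            if k.party_id == party.id and k.kind == to_kind and _valid_at(k.start, k.end, when):
                return k.value
        return None

    def members(self, group_id, when):
        """Parties with a 'Group Member' relationship from the group at `when`."""
        return [self.parties[r.referenced] for r in self.rels
                if r.context == group_id and r.kind == "Group Member"
                and _valid_at(r.start, r.end, when)]


def build_sample_directory():
    """The rows from the 'Party and Extents' slides (e-mail keys omitted)."""
    d = Directory()
    for p in (Party(1, "Person", "Joe Long"), Party(2, "Person", "Kim Cameron"),
              Party(3, "Person", "Gert Drapers"), Party(4, "Group", "Directory V-Team"),
              Party(5, "Device", "JoeLong04")):
        d.add_party(p)
    d.add_key(IdentityKey(2, "NTName", r"REDMOND\kcameron", 1999))
    d.add_key(IdentityKey(2, "NTSID", "S-1-5-21-2127521184-1604012920-1887927527-5353432", 1999))
    d.add_key(IdentityKey(3, "Phone", "+1 425 321-9876", 1996))
    d.add_key(IdentityKey(3, "NTName", r"NORTHERNEUROPE\gertd", 1991, 1996))
    d.add_key(IdentityKey(3, "NTName", r"REDMOND\gertd", 1996))
    for c, r, kind in ((1, 2, "Friend"), (1, 3, "Friend"), (3, 1, "Friend"),
                       (4, 1, "Group Member"), (4, 3, "Group Member")):
        d.add_relationship(Relationship(c, r, kind))
    return d


def key_reuse_demo(d):
    """Constructed scenario: the NTName Gert released in 1996 is rebound to Mary Brown
    in 2004 (allowed), while a binding overlapping a live key is rejected."""
    d.add_party(Party(8, "Person", "Mary Brown"))
    d.add_key(IdentityKey(8, "NTName", r"NORTHERNEUROPE\gertd", 2004))
    try:
        d.add_key(IdentityKey(8, "NTName", r"REDMOND\gertd", 2004))
    except ValueError:
        return True
    return False
```

The point the reuse scenario makes is the one the IdentityKeys extent already hints at with NORTHERNEUROPE\gertd ending in 1996: a name-style key can legitimately denote different parties in different periods, so a lookup must be made relative to a point in time, and anything that persists an authorization decision should store a stable kind such as the SID and translate at use, not cache the name.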
![Page 19: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/19.jpg)
Exploring the System.Identity model using “Quadrant”
Gert Drapers, Principal Software Architect, Identity and Access Division
demo
![Page 20: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/20.jpg)
Schema Principles
> Concrete modeling of directory problems, with the accent on principals, identity keys and party-to-party relationships
> Reduce data redundancy through a normalized representation; important to efficiency, as AD showed with Security Descriptors and Group Memberships
> Factored to cleanly separate the information associated with different applications while allowing sharing
> Separation between the conceptual / logical schema and the physical schema / implementation
> Extensible “Kinds” system that allows developers to add new functionality to the directory without altering schema
![Page 21: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/21.jpg)
>> FUTURE: Schema, API and Protocol (diagram)
The diagram compares the two stacks layer by layer (Schema, Protocols, API):
> AD: schema X.500; protocol LDAP; API LDAP API
> NextGenAD & SD: logical System.Identity model over a physical System.Identity SQL store; protocol TDS; System.Identity API (System.Identity) over a SQL LINQ Provider, with SiLoader.exe
Functionality: System.Identity December 2009 CTP
![Page 22: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/22.jpg)
>> FUTURE: Schema, API and Protocol (diagram, extended)
As on Page 21, with the NextGenAD & SD stack extended:
> Protocols: TDS plus LDAP, WS* and REST, with Synchronization/Replication between AD and NextGenAD & SD
> API: System.Identity API over a Logical System.Identity Provider (SI-WS*, SI-REST, SI-SQL) and the physical System.Identity SQL LINQ Provider
![Page 23: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/23.jpg)
>> FUTURE: System.Identity API Principles
> High level .NET API which exposes the “logical” schema entities and relationships to developers through LINQ
> The conceptual implementation of the schema is visible
> The physical implementation of the schema is hidden and abstracted through a LINQ provider
> Smallest API possible, with the option to use helper functions
> Reuse constructs from other domains (e.g. LINQ)
![Page 24: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/24.jpg)
Building our first directory application
Gert Drapers, Principal Software Architect, Identity and Access Division
demo
![Page 25: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/25.jpg)
>> FUTURE: Extending the Directory
> Kinds and Kind Relationships
  > Adding new Kinds, or optionally extending the existing kind system inside your own namespace
> Party to party relationships
  > Establish new relationships between parties
> PartyAttributes & PartyMedia
  > Name value pairs associated with a Party
> Private Extents
  > Private type and storage linked to types inside the identity schema
![Page 26: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/26.jpg)
>> FUTURE: System.Identity Workflow (diagram)
The diagram shows the tool chain across the OSLO SDK and the .NET FX SDK: the model is authored as System.Identity.m (using Quadrant) and compiled by m.exe; SiUtil.exe -Code produces the generated System.Identity classes that make up System.Identity.dll; SiUtil.exe -InstallDirectory and SiUtil.exe -InstallExtent deploy System.Identity.sql into the Directory; application code then queries the directory through LINQ and the System.Identity LINQ providers (SQL, LDAP, WS*, REST).
![Page 27: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/27.jpg)
Extending the Model and API
Gert Drapers, Principal Software Architect, Identity and Access Division
demo
![Page 28: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/28.jpg)
Summary: System.Identity, the new way of representing identity data
> A logical schema for “directory” information
> Represents parties with their multiple identities and relationships through kinds and party-to-party relationships
> Extensible without disturbing the base schema and implementations
> Built-in support for multiple tenants, federation and expiration of directory data
> Accessed through an API which exposes the “logical model” via LINQ to developers, while hiding/abstracting the different physical implementations
![Page 29: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/29.jpg)
Call to Action
> SVR19: Microsoft Project Code Name “Repository”: Using Metadata to Drive Application Design, Development, and Management, Thursday 11:30-12:30, room 515B
> Register at the Microsoft Connect site to get access to the System.Identity Dec 2009 CTP: http://connect.microsoft.com/SystemIdentity
![Page 30: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/30.jpg)
YOUR FEEDBACK IS IMPORTANT TO US! Please fill out session evaluation forms online at MicrosoftPDC.com
![Page 31: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/31.jpg)
Learn More On Channel 9
> Expand your PDC experience through Channel 9
> Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses
channel9.msdn.com/learn. Built by Developers for Developers….
![Page 32: The ‘M’-Based System.Identity Model for Accessing Directory Services](https://reader036.vdocument.in/reader036/viewer/2022062501/568165dd550346895dd8f6ba/html5/thumbnails/32.jpg)
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.