Monday, August 27, 2007


Thoughts on Microsoft and Federated Identity

In the past, I have talked about how WS-Federation may have capabilities that are better than SAML. Likewise, I have also mentioned that I like the fact that Microsoft put federation support directly into the operating system and didn't make it yet another product. Recently, I ran across a situation in which I may need to take back some credit...

This is my third conversation in the last couple of weeks in which I noted that, while Microsoft software has the capability of supporting federation via ADFS, many folks cannot use it. Apparently, early Microsoft documentation encouraged large enterprises to come up with non-routable domain names for their Active Directory forests. One popular choice I keep hearing about is .local.

Getting a certificate signed by a publicly trusted root CA, the kind a federation partner's browsers and servers will accept, is problematic when your domain name is not routable: a public CA will not issue for a name such as contoso.local that nobody can own in the public DNS. Microsoft did step up and provide the capability of renaming a domain, but that doesn't really address this particular issue, because a forest-wide rename is possible but far from lightweight.
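As an added example (not code from the original post), the following PowerShell script enumerates every domain in the current forest and flags names a public CA will refuse to certify, then runs the same test on the name you intend to publish for the Federation Service. It assumes a domain-joined Windows host; the suffix list and the federation service name `fs.contoso.local` are illustrative assumptions, not values from the post.

```powershell
# Added example, not from the original post: flag Active Directory forest names
# that a publicly trusted CA will not issue a certificate for.
# Assumes a domain-joined Windows host; uses only System.DirectoryServices
# (available since .NET 2.0), so no Active Directory module is required.

# Suffixes that are not delegated in the public DNS root: the RFC 2606 reserved
# names, .local, and suffixes commonly picked for private forests. Assumption:
# extend this list to match the conventions of your own environment.
$nonRoutableSuffixes = @('.local', '.localhost', '.test', '.example', '.invalid',
                         '.internal', '.corp', '.lan', '.home', '.private')

function Test-PublicCAEligible {
    param([string]$DnsName)
    $name = $DnsName.ToLower().TrimEnd('.')
    # A single-label name has no top-level domain and is never publicly routable.
    if ($name -notmatch '\.') { return $false }
    foreach ($suffix in $nonRoutableSuffixes) {
        if ($name.EndsWith($suffix)) { return $false }
    }
    return $true
}

function Format-Verdict {
    param([string]$DnsName)
    if (Test-PublicCAEligible $DnsName) {
        $status = 'publicly routable'
    } else {
        $status = 'NOT routable: a public CA will refuse a certificate'
    }
    return ("{0,-40} {1}" -f $DnsName, $status)
}

# Every domain in the forest, not just the root: child domains inherit the
# forest root's suffix, so a .local root drags the whole forest along with it.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    Write-Output (Format-Verdict $domain.Name)
}

# The Federation Service answers on its own FQDN, which is what partners see in
# your federation metadata. Hypothetical value; replace with the name you publish.
$federationServiceName = 'fs.contoso.local'
Write-Output (Format-Verdict $federationServiceName)
```

The second check is the one that matters for federation: partners never contact your forest root directly, they contact the federation server's FQDN. In practice that host is joined to the forest and carries the forest's DNS suffix, so a .local forest yields a .local federation endpoint, and the script reports both as ineligible.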

I would be curious to know whether others have also observed this problem in large enterprises, or am I seeing an early trend that folks would rather exercise their right to remain silent on?
