In my last post, "Microsoft on the verge", I talked about a number of things including "Geneva" or Windows Identity Foundation. One of the things that interests me about Microsoft's federation strategy is the inclusion of the foundation within Windows Server itself.
Why is this significant? Mainly because it means that federated scenarios are included in the server license so if a customer wants to federate with another organization all they have to do is set up the agreements and go from there without being concerned about additional licensing costs. As you can see from the Liberty Alliance test matrix Microsoft went through a battery of test to get their SAML 2.0 certification.
What does this all mean for Microsoft's customers? Well, it means that there may no longer be a need to purchase an actual federation solution from a 3rd party ISV. Or, as time goes on, I suspect that the inclusion of federation in the Windows platform will put significant pricing pressure on ISVs that sell federation products. ISVs will not be able to make a lot of money on pure federation solutions. However, I do believe that there are still three areas where ISVs will be able to add significant value over what Microsoft is delivering:
1. Auditing: I do not believe that Microsoft will be delivering a comprehensive audit capability around their federation components. As you can well imagine the need to audit federation or single sign-on "events" will be pretty important from a security and compliance perspective.
2. Management: By management I mean operational management of your federated relationships. How easy will setting up a federated partnership be? How easy will it be to monitor your on-going partnerships? How about troubleshooting those linkages?
3. Strong authentication: I haven't seen much discussed about enabling strong authentication of federated transactions. What if I want to use a smartcard or a one-time password (OTP) to protect my transactions?
Don't forget the basics that we have all come to rely on - or are asked to deliver by our company's management: Audit, compliance and security. They are all required - still.
identity management, ADFS, SAML, strong authentication, security, Microsoft, MSFT, cloud computing