This is a topic I’ve been itching to start talking about since Citrix opened up the doors to blogging. I can only scratch the surface today, but it’s a good moment to start.
For those of you attending Citrix iForum in a couple of days, I want to draw your attention to a demo that you might otherwise easily overlook or not immediately see as significant. In the Tech Lab area on future technology we will be showing how Microsoft’s Active Directory Federation Services (ADFS) can be used with Citrix products to enable single sign-on across the enterprise. The demo will illustrate how the user frustration of multiple sign-ons to different apps is replaced with a single strong authentication event that is carried securely into web application sessions and applications running on Presentation Server (with the help of Password Manager if necessary).
Don’t be fooled though – single sign-on (SSO) is certainly powerful and useful, but that’s not all that’s happening here. What you are witnessing is the blurring of web and Windows application boundaries, the breaking down of silos of user identities for application access and control – the ending of the era of “one way for the web, another for Windows” and the start of a new way for all applications to tap into a common rich understanding of identity, context, roles, authorization, and trust.
If you care about identity (and I sincerely hope you all do) go see this demo and more importantly talk to the people giving it. You’ll find some smart people there who’ve been thinking hard about this subject, who are eager to hear about the issues you are wrestling with, share what they know, and talk about what Citrix has done already and the work we are doing to enrich and enlarge our approach to identity.
Let me share a bit of my perspective on this, and why I’m really excited by what we have enabled so far and where we’re going with this.
I talked before about the role of Web Interface in the Citrix Access Infrastructure, and said that WI is at the intersection of users, resources and access scenarios. Clearly identity is central to the understanding of users, but I hinted that identity is more than just username and password, richer than just which credentials are needed to access a system.
Web Interface, and Presentation Server, and Access Gateway, and most other products and systems throughout the lifetime of the entire IT industry were brought into the world with the feeble understanding of user identity that starts and ends with a username and password. But we know that doesn’t begin to match the reality users live in, and have lived in for years now. We know study after study has shown that workers, not just in large enterprises, often have 10 or more usernames and passwords for different systems. We know that they will try to make them the same, and they hate having to change them, and they can’t remember them all without using bits of paper stuck in odd places, or just in plain sight.
Heck, I’ve come across people that leave their work machines running all the time (even when they’re on holiday) with the screensaver turned off, just so they don’t ever have to type their password.
What’s really significant about our ADFS SSO demo is not that it demonstrates SSO, even across web and Windows applications, but that it is not sending passwords around to do it. It is sending signed statements of user identity issued by a trusted party (here a corporate ADFS server) based on whatever level of authentication the trusted party and the user agreed to use (password, smartcard, hardware token, etc). The applications, both web-based ones and Windows ones running on CPS, have been directly or indirectly configured to trust the ADFS server’s assertions of identity in lieu of performing their own user authentication.
A monumentally huge tectonic shift just happened so quietly in that last paragraph, you might not have noticed you aren’t in Kansas any more. Have a look out the window.
That’s right. Web apps don’t have to perform their own authentication; with help from Citrix, Windows doesn’t have to perform authentication either. Both can work with just user identities, not user credentials. The user identity that is authenticated doesn’t have to be the identity asserted or used; the identity asserted in one place doesn’t have to be the identity asserted in another. In some cases, it may not even be the user identity that matters – it can be enough that a trusted party vouches for the user being over 18 say, or a member of a certain organization, or entrusted with specific privileges (if only for one transaction).
(By the way, I think it is worthwhile everyone reading a bit about the Shibboleth project to get a feel for some of the scenarios in which that last statement applies. Then think about what situations in your organization might bear some resemblence to those, and reflect on whether those situations cause tensions and conflicts that might go away if you could make use of the richer understanding of identity, attributes, roles, authorization etc that Shibboleth users enjoy and which Microsoft is actively working to bring to wider fruition.)
Even if you are just going to work with user identities and use passwords for authentication, this is still a win – we no longer need to ship your full credentials around everywhere, in case something needs to check you have the right password to confirm your identity. You only need to confirm your identity once, to something you trust, using a protocol that doesn’t actually have to disclose your password to do it.
But make no mistake, the approach to identity embodied in standards like ADFS and SAML (what Microsoft calls claims-based identity) really is a tectonic shift from the past – and nowhere more-so than in the model of trust it imposes (more on that another time). To take proper advantage of this new approach, without opening yourself to entirely new risks, you need to get your head around how different this approach is and how it really works.
For those of you going to iForum, I trust you’ll get a lot out of it, but whether you are going or not try to spend some time lifting your eyes to see the tidal wave that is starting to come over the horizon. It’s going to take years to get here in full force, but it will radically change the way we think about identity, roles, authorization, trust, security and most other aspects of how applications are delivered and managed.
Just trust me on this one. Okay?