(EIC-2009) Claims is what we have, claims is what it will be

[Blogged from the 2009 edition of the European Identity Conference]

Slowly I am getting the impression that Microsoft is going to use claims for everything even remotely related to identity. During discussions at EIC 2009 I understood that Microsoft is also positioning claims for authorization. This is not entirely new: in their Azure Cloud Services offering they already positioned claims this way, for authorization.

I am not feeling 100% comfortable with this. Without more detailed information on how Microsoft will realize it, I can hardly judge their strategy, but here are some of my worries:

  • Is the claims request/response protocol capable of supporting authorization? XACML obviously has a richer model that allows for fine-grained context descriptions and nuanced responses (e.g. obligations). With claims it is simpler.
  • Using claims for authorization makes the solution attribute driven. That opens the door for a heavy dependency on roles: roles are easy to represent in a claim. As far as I know Microsoft doesn’t have a solution to manage roles. Perhaps they have something on the horizon?
  • Microsoft already indicated that roles as we use them today are incomplete. They are looking for a standard way to accompany roles with predicates. For instance “The user has the role ABC but only between 9AM and 5PM”. I can agree with the usefulness and semantics of this roles-predicates marriage, but I smell a Pandora's box: so many ways to mess this up.
  • Claims are a powerful concept and we can thank Kim Cameron and Microsoft for defining and pushing this. But there is this saying in Flanders “if the only tool you have is a hammer, everything looks like a nail”. This is a real trap for Microsoft: using claims to solve every IAM problem. I see the first signs of claims semantics being stretched too far.
  • Lastly, informally I heard some ideas on how they will align SharePoint with the claims world (specifically in terms of authorization). Policies would not evaluate to authorization responses but might evaluate to query-like structures that can be used by SharePoint to select the resources you have access rights for. I am not sure if I understood this correctly, so I am going to hold back on commenting.
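The roles-with-predicates idea from the third point above, as an added illustration that is not from this post or from Microsoft: a tiny claims evaluator in which a role claim carries a daily time window, returning only the yes/no answer the first point contrasts with XACML obligations. The claim type name, the predicate fields and the token are constructed assumptions; the timezone handling shows one of the ways such predicates can go wrong.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import List, Optional

# Constructed claim type name (assumption, not a standard or Microsoft URI).
ROLE_CLAIM = "urn:example:role"

@dataclass(frozen=True)
class Claim:
    """A type/value claim, optionally carrying a daily time-window predicate."""
    type: str
    value: str
    valid_from: Optional[time] = None      # start of the daily window
    valid_until: Optional[time] = None     # end of the daily window (exclusive)
    utc_offset_hours: int = 0              # zone the window is expressed in

def claim_holds(claim: Claim, now: datetime) -> bool:
    """A claim without a predicate always holds; otherwise the wall-clock time
    in the predicate's own zone must fall inside the window. Naive timestamps
    are refused: comparing against an unstated zone is an easy way to reach
    a wrong decision."""
    if claim.valid_from is None or claim.valid_until is None:
        return True
    if now.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    zone = timezone(timedelta(hours=claim.utc_offset_hours))
    local = now.astimezone(zone).time()
    return claim.valid_from <= local < claim.valid_until

def is_authorized(claims: List[Claim], required_role: str, now: datetime) -> bool:
    """Decision: grant if any role claim with the required value holds now."""
    return any(
        c.type == ROLE_CLAIM and c.value == required_role and claim_holds(c, now)
        for c in claims
    )

# Constructed token: role ABC only between 9AM and 5PM Central European Summer
# Time (UTC+2); role XYZ is unconditional.
TOKEN = [
    Claim(ROLE_CLAIM, "ABC", time(9, 0), time(17, 0), utc_offset_hours=2),
    Claim(ROLE_CLAIM, "XYZ"),
]

if __name__ == "__main__":
    cest = timezone(timedelta(hours=2))
    print(is_authorized(TOKEN, "ABC", datetime(2009, 5, 6, 12, 0, tzinfo=cest)))  # True
    print(is_authorized(TOKEN, "ABC", datetime(2009, 5, 6, 20, 0, tzinfo=cest)))  # False
    # 16:30 UTC is 18:30 CEST, so the same digits read in UTC are denied.
    print(is_authorized(TOKEN, "ABC", datetime(2009, 5, 6, 16, 30, tzinfo=timezone.utc)))  # False
```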

It will be interesting to see how all this evolves in 2009 and 2010. I expect to hear more on this at EIC 2010.