Re: So Microsoft joins the fray
"Riiiiiight. So what exactly do you mean? ADFS from Microsoft, PING, CA, Oracle and to some degree Shibboleth have been translating AD authentication to the cloud via standardized federation protocols for over a decade. These were not lackluster attempts at separate online authentication systems. Federation solutions from vendors have been working with AD for a long time and a LOT of people implemented them."
These solutions have mostly been translating between enterprise applications and/or customer built stuff (including websites that could, yes, be hosted "in the cloud") and AD. They are not generally "cloud based authentication systems" that then tie back to AD. Rather, they take the opposite approach, living mostly behind the corporate firewall and then extending a tendril to hosted applications one at a time.
The goal behind these sorts of applications is "single sign on". Basically what FIM was supposed to do, but never quite got right. They still (generally) rely on either loading client software onto clients or having client systems connect to the corporate network via VPN, etc.
Azure Active Directory takes a different approach. It basically hangs the authentication system out on the internet and says "address me via API from wherever you are." Instead of custom coding each interconnected tendril into each third party app, website or so forth, Microsoft expects everyone else to code for AAD. And they'll probably do so.
But it also means that when you combine it with technologies like Direct Access, the whole concept of having to manage a client system with agents, VPNs or other tools of "get the behind my corporate firewall" go away. Everything lives facing the internet, and the internet becomes the common point of communication, not the corporate network.
"Maybe you are referring to the efforts of Facebook (via their Graph API) and Google that pioneered the OAuth protocols for web based authentication. In fact Microsoft has only recently started to implement these standards into Azure AD."
Yes, as a matter of fact, when talking about "everyone else - including Microsoft's past incarnations - have all been lackluster attempts to create what amounts to a separate online authentication system only very loosely coupled to AD" that was exactly who I was thinking of.
The major online authentication systems - Facebook, Twitter and Google being the primary examples - have done very poor jobs of enterprise integration. And they are the only things that are, to my mind, directly comparable to Azure Active Directory. Why? Because their primary purpose - like that of AAD - is authentication of online services. They are there to live "in the cloud" and serve as a central point of identity using a globally addressable network that isn't directly controlled by the enterprise.
This is completely different to SSO software setups that seek to make the enterprise authentication system (AD) the primary, and extend that piecemeal into selected applications and services. They approaches are polar opposites.
"Again, you should really find a contact at Microsoft (Vittorio Bertocci would be a good contact for you) who can help you understand the history and current implementation of Azure AD. It wasn't "AD thrown into the cloud". Azure AD is a brand new code base. File -> New -> Project...."
The code base doesn't matter. The APIs do. How much of the functionality is exposed. How much legacy is maintained, how much isn't. What can integrate with ease and what can't. My understanding is that AAD will never fully replicate traditional AD. It's a clean break, with only the minimum required to get the job done held over from the old AD. The goal isn't to authenticate devices anymore, it's to authenticate SaaS apps and various other services.
Microsoft basically took the AD APIs, threw them into the cloud, cut back to the bare minimum they could get away with then started growing it in a whole new direction from the on-prem stuff.
"Microsoft's solution for hybrid auth is the SAME as everyone elses."
False. It was similar. The latest iteration has changed that.
"In fact some would argue that they have a old architecture for the bridge from Azure AD to on premises AD. Microsoft uses ADFS for the federation of authentication between Azure AD and on premises. Just like Oracle,PING, CA and IBM (and so on)."
False, dirsync is moving away from this.
"The only piece that Microsoft has that is fairly unique, is the synchronization of identity attributes. Built on a 10 year old legacy system, it requires the deployment of slight (with DirSync/AADSync) to significant (with FIM) on premises software."
Start here: http://blogs.technet.com/b/educloud/archive/2013/06/03/new-azure-active-directory-sync-tool-with-password-sync-is-now-available.aspx and continue through the various links and research until you get the difference between a "federated" auth system and a "managed" one.
With Dirsync AAD and WASD are not simply federated SSO systems. It's more appropriate to think of the local auth system as slaved to AAD. The architecture is different, which introduces it's own benefits and it's own drawbacks.
"Google has it's own similar solution, with GADS (Google Active Directory Sync). Heck even Salesforce has a way to sync AD data into it's own cloud identity platform."
And this is where I start to seriously doubt your self-declared (anonymous) authority on the topic. GADS is horrible compared to AAD. Not that I'm overly a fan of either solution, but that's like holding up a Windows Phone and declaring it a perfect substitute for a proper desktop.
Implementation matters. What strikes me is that you are holding up a whole bunch of completely unconnected solutions here that behave completely differently, have shockignly different design philosophies and radically different thresholds for ease of use and basically saying "they're all the same".
PING, CA, Oracle, Google, Facbook and AAD all live in the same box in your mind? Really? Do you also mentally cluster together a Caterpillar a Semi Truck and a Smart Car because they all can be used for transportation?
Look, let me make this simple for you:
AAD is the easiest of all the options available to set up. AAD is the easiest of all the options available to maintain. AAD is one of the most miserable to integrate with traditional enterprise applications or your own home-rolled special sauce because it doesn't conform to your enterprise apps, you conform to AAD. (Or you use FIM, but FIM is...touchy.)
AAD has a lovely API for everyone who wants to conform to AAD to do so. Microsoft is big enough to convince most of the world to do exactly that...and they're well on their way to getting Everyone Who Matters onboard. They'll bribe or bully whomever else remains.
AAD is comfortable, familiar, easy to use and already has quite a few SaaS apps and service providers on board. Perhaps more to the point, it's affordable and doesn't require specialists to work with. Every SMB in the world can use it tomorrow, and afford to do so.
Companies have trusted Microsoft to be their identity provider for 15 years now, AAD is the natural extension of that...and they finally have it done right.
Active Directory became the basis of modern identity systems a while back. Most applications talk to it natively, and don't need a third party SSO application. Hell, man, even PHP has libraries for talking directly to AD (http://adldap.sourceforge.net/)!
Yes, some applications - or rather the vendors seeking control over the customer that write those applications - still need some form of third party SSO. There will probably always be such folks in the world. But the majority of new applications out there will code for AAD, not for Oracle, Ping CA, Google or whathaveyou. (Well, maybe Google.)
Like it or not, when it comes to identity, Microsoft can bully through a standard by sheer largesse. And by making AAD easy to deploy, integrate with and maintain, I argue they've done exactly that.
"Trevor, please stop trying to declare that Azure AD is the worlds leading cloud identity platform when you clearly have little to no knowledge of other existing solutions or the identity industry in general."
Active directory is the world's leading identity platform. Azure Active Directory is the cloud extension of this that will dominate the online identity market. It is inevitable, and there is noone out there capable of preventing this.
The deal is done, the die is cast and it's all over except for the screaming.
The better question is: who are you, Mr Anonymous Coward, and what is your interest in all of this? Not meaning offense, but your posts strike me as similar to several I read around 10 years ago on usenet, in tech magazines, etc. They were by the staff (and sometimes executives) of hosted e-mail services/webmail etc who spent rather a lot of time telling anyone who would listen that Google wasn't a threat.
Well Google did change email forever. The old model of charging a monthly fee for a few dedicated megabytes of storage evaporated overnight. Google commodiitsed email. They offered the entire world a means to get an e-mail that wasn't tied to your ISP, and didn't go away when you switched providers. More to the point, you could store all your e-mail, forever, and it didn't go away when your hard drive crashed.
Here, now, Microsoft is commoditising joined-up identity services. They are also changing the focus from "identity behind your corporate firewall" to "identity in the Cloud". You might not like this - hell, I don't like this - but it is what is happening.
And really, why is that such a bad thing? A single common referent for future development could be very useful.
Biting the hand that feeds IT
