Computerworld
Microsoft: Identity bus is key for successful ID systems
Microsoft says that work building identity platforms is far from over
John Fontana (Network World)  05 March, 2008 08:26

The end game for corporate identity architectures is an "identity bus" that off-the-shelf applications can plug into in order to authenticate users and provide access control, according to Microsoft.

Stuart Kwan, director of program management for identity and access for Microsoft, used his keynote address at NetPro's Directory Access Conference (DEC) to say that work building identity platforms is far from over and to explore where it might end.

"What is the finish line?" Kwan asked. "It is when you are able to take off-the-shelf applications and plug them right into the identity system and go. When we reach that point we are largely done with identity. It does not seem as far off as you might think."

Kwan said what is needed are "transformers": places where the data carried in "claims" about a user can be converted into whatever format a given application needs. The transformers, he said, would handle token types such as Kerberos tickets, X.509 certificates and SAML assertions.

Claims are statements an issuer makes about a user: who the user is and specific attributes about them. Applications use claims to decide who gets access, who can retrieve content and who can complete transactions.

Claims can come from Active Directory, LDAPv3-based directories, application-specific databases and newer user-centric identity models such as LiveID, OpenID and InfoCard systems, including Microsoft's CardSpace and Novell's Digital Me.

"Transformers allow us to fold, spindle and mutilate the data in any way we want. It lets us adapt to the infrastructure without completely destroying the applications," Kwan said.

Microsoft is adopting a claims-based authentication model and its first examples will come with Rights Management Server and SharePoint Server.

Kwan said the key will be standards and interoperability, and that protocols from the WS-* stack, including WS-Trust, will be critical to success. He added that the future may also bring new protocols for exchanging identity data.

He pointed to two transformers that Windows users have access to today: the meta-directory and the first-generation security token service (STS) that is part of Active Directory Federation Services (ADFS).

The STS issues and exchanges claims and is part of Microsoft's Identity Metasystem model for a distributed identity architecture, which is built on protocols such as WS-Federation, WS-Trust and SAML.
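To make the transformer idea concrete, here is an added example of a toy claims transformer (a miniature STS) in Python. It is illustrative code written for this page, not Microsoft's ADFS or any shipping product. It assumes a constructed set of input claims of the kind a Kerberos ticket or Active Directory lookup would yield, a hypothetical per-relying-party rule table, and an HMAC signature standing in for the XML signature a real SAML assertion would carry. The security-relevant points are the ones a practitioner checks first: the STS only accepts input claims from issuers it trusts, each relying party receives only the view of the user its rules issue (the travel application does not learn the employee ID), and the output token is bound to one audience and a validity window so it cannot be replayed against a different application.

```python
import hashlib
import hmac
import json
import time

# Issuers this STS trusts as sources of input claims (hypothetical names).
TRUSTED_ISSUERS = {"AD:CORP", "OPENID:example.org"}

# Transformation rules per relying party (hypothetical).
# rule = (input type, input value or None for any, output type, output value or None to copy input)
# Input claims that match no rule are dropped, so each relying party sees only its own view.
RULES = {
    "urn:app:travel": [
        ("group", "CN=Travel-Users,OU=Groups,DC=corp,DC=example", "role", "traveler"),
        ("group", "CN=Travel-Admins,OU=Groups,DC=corp,DC=example", "role", "travel-admin"),
        ("upn", None, "email", None),
    ],
    "urn:app:expense": [
        ("group", "CN=Finance,OU=Groups,DC=corp,DC=example", "role", "approver"),
        ("employeeId", None, "employeeId", None),
    ],
}

# Constructed stand-in for claims read from a Kerberos ticket / AD lookup.
SAMPLE_AD_TOKEN = {
    "issuer": "AD:CORP",
    "subject": "alice",
    "claims": [
        ("upn", "alice@corp.example"),
        ("employeeId", "E1042"),
        ("group", "CN=Travel-Users,OU=Groups,DC=corp,DC=example"),
        ("group", "CN=Finance,OU=Groups,DC=corp,DC=example"),
        ("group", "CN=Domain Users,OU=Groups,DC=corp,DC=example"),
    ],
}

# Demo signing key shared between the STS and relying parties; a real STS signs with a
# private key and relying parties verify with its certificate.
DEMO_KEY = b"demo-key-not-for-production"


def _sign(body, key):
    """HMAC-SHA256 over a canonical JSON encoding of the token body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def transform_claims(input_token, relying_party, key, now=None, ttl=300):
    """Map trusted input claims onto the relying party's view and issue a signed token."""
    if input_token["issuer"] not in TRUSTED_ISSUERS:
        raise ValueError("untrusted input issuer: %s" % input_token["issuer"])
    if relying_party not in RULES:
        raise ValueError("no rules for relying party %s" % relying_party)
    issued = set()
    for ctype, cval in input_token["claims"]:
        for in_type, in_val, out_type, out_val in RULES[relying_party]:
            if ctype == in_type and (in_val is None or in_val == cval):
                issued.add((out_type, cval if out_val is None else out_val))
    now = time.time() if now is None else now
    body = {
        "issuer": "STS:corp",
        "audience": relying_party,   # binds the token to one application
        "subject": input_token["subject"],
        "claims": sorted(issued),
        "nbf": now,
        "exp": now + ttl,            # short validity window limits replay
    }
    return {"body": body, "sig": _sign(body, key)}


def verify_token(token, expected_audience, key, now=None):
    """Relying-party side: check signature, audience and validity window.

    Returns the set of (type, value) claims, or None if the token is not acceptable.
    """
    body = token["body"]
    if not hmac.compare_digest(_sign(body, key), token["sig"]):
        return None
    if body["audience"] != expected_audience:
        return None
    now = time.time() if now is None else now
    if not (body["nbf"] <= now < body["exp"]):
        return None
    return {(t, v) for t, v in body["claims"]}


if __name__ == "__main__":
    for rp in ("urn:app:travel", "urn:app:expense"):
        tok = transform_claims(SAMPLE_AD_TOKEN, rp, DEMO_KEY)
        print(rp, sorted(verify_token(tok, rp, DEMO_KEY)))
```

Running the block shows the same user presented two different ways: the travel application receives a `traveler` role and an email address, while the expense application receives an `approver` role and the employee ID, and neither token verifies when handed to the other application.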

Microsoft plans to update its STS in ADFS 2.0, giving the company a more powerful transformer than exists today, Kwan said.

"Certainly how he envisions STS is a viable model, that is what we see in federation today," says Jeremy Palenchar, a directory services and identity management consultant for Avanade. "But if you are going to talk about having a transformer built into the directory, what standards or protocols are you going to use to do that data transformation? How as an application do I say 'I am the travel services application so give me the travel services view of the data' versus 'I am the employee time expense system and give me that view of the data.'"

Kwan said he does not know whether all the pieces needed to build the identity bus exist today. Enhancements to meta-directories and the STS might be all that is required, or entirely new components may have to be developed to support the concept. He said the virtual directory could become a piece of the puzzle.

In addition, Kwan said, emerging approaches such as service-oriented architecture (SOA) and applications delivered as online services will put pressure on how the identity bus concept develops.

"But without transformers we have no chance," he said.

Copyright 2009 IDG Communications. ABN 14 001 592 650. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.