If you want your application to externalize user authentication to a Security Token Service (STS), you must consider:
Most or all of these questions must be answered in order to establish trust between the STS and your application.
Setting up a trust relationship, as mentioned above, involves exchanging several pieces of data such as digital certificates, uniform resource identifiers (URIs), and endpoint addresses. Some of the feedback we received regarding “Geneva” Server’s predecessor, Active Directory Federation Services (AD FS), indicated that setting up these relationships was cumbersome and very error-prone for users, especially when it came to typing URIs or choosing the right certificates to send across. The resulting errors are difficult to diagnose, especially if multiple organizations are involved.
Our goal with this series of three posts is to explain how the features we have implemented in “Geneva” Server and “Geneva” Framework simplify trust establishment.
Let’s look at a couple of scenarios.
In the first scenario, suppose that a user needs to access your claims-aware application that requires a token from an STS inside your organization. As we mentioned before, the STS and the application have to trust each other:
The trust relationship between STS1 and Application1 needs to be configured at both ends:
In the second scenario, you want to reach another claims-aware application that is deployed in a different organization. The most common deployment pattern is to use two STSs, one in your organization and one on your partner’s premises:
As in the previous scenario, two trusts must be configured so that:
The information that needs to be exchanged is the same as in the single STS scenario.
With the beta release of “Geneva” Server and Framework, we have simplified this experience and significantly reduced the number of manual steps needed:
In the next two posts, we will talk in more detail about how to configure ASP.NET applications to accept tokens issued by a standards-based STS (such as “Geneva” Server) using “Geneva” Framework, and how to create trust relationships with Identity Providers and Relying Parties using “Geneva” Server.
We look forward to receiving your valuable feedback.
Thanks!
Ramiro Calderón
Software Design Engineer in Test
“Geneva” team