Caleb Baker, Stuart Kwan (Group Program Manager for Identity) present:

See how to use "Geneva" and the claims-based identity model to enable single sign-on, strong authentication, federation, and the ability to flow user authentication between applications. Find out how to use "Geneva" with ASP.NET, WCF, Active Directory, Windows Live ID, and Windows CardSpace.

What is the claims-based access model?

A claim is a statement made by one party about another party. It may be an identifier or a characteristic.

A security token is a signed document containing claims, produced by a Security Token Service (STS).

An identity metasystem is the set of protocols and the architecture used to exchange claims.

A claims-aware application uses claims to drive its behavior.

For more details and today's announcements, read Pierre Couzy's notes from the introductory session: “Identity Roadmap for Software + Services.”

Process for getting claims

1. Establish a trust relationship using metadata: the application server publishes the claims it uses

2. Read policy (from the application server): what claims do I need?

3. Read policy (from the STS): what does the STS need from me?

4. Get claims (from the STS)

5. Send claims (to the application server)

The protocols used are WS-Trust and WS-Federation; they are technology independent.

The Geneva Framework operates on claims inside the application running on the application server.

The Geneva Server produces the claims; it exposes identity resources such as Active Directory.

Why an STS?

It is the key to flexibility: you can externalize authentication to an STS.

The STS takes care of user authentication and of sourcing claim values about users…

Demo: starting with an ASP.NET web application.

  1. Wire the app to an STS
  2. Get user data without a lookup
  3. Enable access by partner users
  4. Access a back-end web service
  5. Require strong authentication to access specific resources

Standard ASP.NET code

User.Identity.Name, User.IsInRole, [PrincipalPermission()] on methods

Start the Federation Utility (it comes with the Geneva Framework SDK?)

Change the IIS authentication to Anonymous Authentication

… see the webcast …

Geneva Server and Framework

The Geneva Framework used to be called Zermatt.

Most applications must look up user information in directories or databases. By conveying user attributes instead of only an identifier, you get immediate access to the information you need. The application no longer has to access the directory itself; the infrastructure can handle it.

This is particularly true for cloud applications, which may not be able to read the enterprise directory.

Demo: instead of using User.Identity.Name, use IClaimsIdentity and IClaimsPrincipal to retrieve the required claims.
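The demo above replaces User.Identity.Name with claim reads. The following is an added example, not code from the session; it assumes the Microsoft.IdentityModel assembly of the Geneva Framework is referenced, that the site has been wired to an STS with the Federation Utility so the request principal is already an IClaimsPrincipal, and that the STS issuer name (a placeholder here) and the "Manager" role are constructed values.

```csharp
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // IClaimsPrincipal, IClaimsIdentity, Claim, ClaimTypes

// Added example (not from the session). Reads user attributes straight from the
// signed token instead of doing a directory lookup, and only trusts claims that
// were issued by the STS the application was wired to.
public static class ClaimsHelper
{
    // Placeholder: the issuer name configured for the application's STS.
    private const string TrustedIssuer = "https://sts.example.com/";

    public static string GetRequiredClaim(IClaimsPrincipal principal, string claimType)
    {
        var identity = principal.Identity as IClaimsIdentity;
        if (identity == null)
            throw new InvalidOperationException(
                "Request carries no claims identity; check the federation wiring.");

        // A claim is only as trustworthy as its issuer, so filter on Issuer as well as type.
        Claim claim = identity.Claims.FirstOrDefault(
            c => c.ClaimType == claimType && c.Issuer == TrustedIssuer);
        if (claim == null)
            throw new UnauthorizedAccessException(
                "Required claim '" + claimType + "' was not issued by the trusted STS.");
        return claim.Value;
    }

    // ASP.NET usage: the principal set up by the framework is also available as Page.User.
    public static string DescribeCurrentUser()
    {
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null)
            throw new InvalidOperationException("Current principal is not an IClaimsPrincipal.");

        string name  = GetRequiredClaim(principal, ClaimTypes.Name);
        string email = GetRequiredClaim(principal, ClaimTypes.Email);

        // Standard role checks keep working: IsInRole is answered from role claims.
        bool isManager = principal.IsInRole("Manager");   // constructed role name
        return name + " <" + email + ">" + (isManager ? " [Manager]" : "");
    }
}
```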


Federation is essential for B2B and when using cloud services.

  • You want end users to have a single SSO experience
  • Organizations don’t want to manage separate user accounts

Demo: configuring federation between two partners

Windows CardSpace “Geneva”

Enables the user of the application to select an identity instead of having the enterprise STS decide for them. Identities may be provisioned from a card file (retrieved from the Web, an email …).

This scenario works with web and smart client applications.

Identity Delegation

This scenario is: we call a web back end but preserve the user identity that was presented to the front end. Of course, this can be solved by having the back end trust the front end, but that raises security and maintenance issues.

Kerberos constrained delegation does this, but it is tied to Kerberos. If I go to the cloud, I cannot work with Kerberos today.

Demo: implementing the scenario with WCF on the back end, using a custom WCF binding that carries ActAs credentials.

REMARK: it is possible to turn claims back into a mapped NT user for access to Kerberos-protected resources.

Strong authentication

Apps that need strong authentication get bound to a particular mechanism. You may want to vary authentication strength based on the endpoint or resource accessed.

If you are an application developer, you do not want to deal with any of this.


Beta 1: October 2008

Beta 2: first half of 2009

RTM: second half of 2009

All pieces of Geneva are Windows components; there are no additional charges.