Caleb Baker and Stuart Kwan (Group Program Manager for Identity) present:
See how to use "Geneva" and the claims-based identity model to enable single sign-on, strong authentication, federation, and the ability to flow user authentication between applications. Find out how to use "Geneva" with ASP.NET, WCF, Active Directory, Windows Live ID, and Windows CardSpace.
What is the claims-based access model?
A claim is a statement by one party about another party; it may be an identifier or a characteristic.
A security token is a signed document which contains claims, produced by the Security Token Service (STS).
An identity metasystem is the set of protocols and the architecture for exchanging claims.
A claims-aware application uses claims to drive its behavior.
If you want more details and today's announcements, you will be interested in reading Pierre Couzy's notes from the introductory session: “Identity Roadmap for Software + Services.”
Process for getting claims
1. Establish a relationship using metadata (trust relationship): the application server publishes the claims it uses
2. Read policy (from the application server): what claims do I need?
3. Read policy (from the STS): what does the STS need from me?
4. Get claims (from the STS)
5. Send claims (to the application server)
The protocols used are WS-Trust and WS-Federation; they are technology independent.
The Geneva Framework consumes claims inside the application running on the application server.
The Geneva Server produces the claims; it exposes identity stores such as Active Directory.
Why an STS?
It is the key to flexibility: you can externalize authentication to an STS.
The STS takes care of user authentication and of sourcing claim values about users…
Demo: starting with an ASP.Net web application.
Standard ASP.Net Code
User.Principal.Name, User.IsInRole, [PrincipalPermission()] on methods
Start the Federation Utility (comes with Geneva Framework SDK ?)
Change the IIS authentication to Anonymous Authentication
… see webcast …
Geneva Server and Framework
The Geneva Framework used to be called Zermatt.
Most applications must look up directories or databases for information about the user. By conveying user attributes instead of just an identifier, the application gets immediate access to the information it needs. Accessing the physical resource is no longer necessary; the infrastructure can handle it.
This is particularly true for cloud applications, which may not be able to read the enterprise directory.
Demo: instead of using User.Identity.Name, use IClaimsIdentity & IClaimsPrincipal and retrieve the required claims.
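As an added illustration of this demo step (not code from the session or from the Geneva SDK), the helper below reads claims through IClaimsPrincipal/IClaimsIdentity instead of User.Identity.Name and only honors claims whose issuer is the configured STS. The Microsoft.IdentityModel.Claims namespace and member names are assumed from the shipped WIF 1.0 API and may differ from the Geneva beta; the issuer URI is a placeholder.

```csharp
// Added example: reading claims in an ASP.NET application with the Geneva
// Framework object model. Assumes the Microsoft.IdentityModel.Claims namespace
// (WIF 1.0 naming); the beta bits may differ slightly.
using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;

public static class ClaimsHelper
{
    // Assumed/placeholder: the issuer name of the STS this application trusts.
    // Claims carried by any other issuer are ignored by GetClaim.
    const string TrustedIssuer = "http://sts.example.com/Trust";

    // Returns the value of the first claim of the requested type issued by the
    // trusted STS, or null when the principal carries no such claim.
    public static string GetClaim(IClaimsPrincipal principal, string claimType)
    {
        if (principal == null) return null;
        foreach (IClaimsIdentity identity in principal.Identities)
        {
            Claim c = identity.Claims.FirstOrDefault(x =>
                x.ClaimType == claimType &&
                string.Equals(x.Issuer, TrustedIssuer, StringComparison.OrdinalIgnoreCase));
            if (c != null) return c.Value;
        }
        return null;
    }

    // Page-level usage: where the old code read User.Identity.Name and then
    // queried a directory, the claims-aware version asks for the attributes
    // it needs directly. IsInRole keeps working because role claims are
    // mapped onto it by the framework.
    public static string Describe(HttpContext ctx)
    {
        IClaimsPrincipal user = ctx.User as IClaimsPrincipal;
        if (user == null)
            throw new InvalidOperationException(
                "Request is not running under the Geneva Framework HTTP modules.");

        string email = GetClaim(user, ClaimTypes.Email);
        bool isManager = user.IsInRole("Manager");
        return string.Format("{0} (manager: {1})", email ?? "<no email claim>", isManager);
    }
}
```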
Federation
Federation is essential for B2B and when using cloud services.
Demo: configuring federation between two partners.
Windows CardSpace “Geneva”
Enables the user of the application to select an identity instead of having the enterprise STS decide for them. Identities may be provisioned from a card file (retrieved from the Web, from an email…).
This scenario works with Web and Smart Client Applications.
Identity Delegation
This scenario: the front end calls a Web back end but preserves the user identity that was presented to the front end. Of course, this could be solved by having the back end trust the front end outright, but that raises security and maintenance issues.
Kerberos constrained delegation does this, but it is tied to Kerberos. If I go to the cloud, I cannot work with Kerberos today.
Demo: implementing the scenario with WCF on the back end, using a custom WCF binding that passes ActAs credentials.
REMARK: it is possible to turn claims back into a mapped NT user for access to Kerberos-protected resources.
Strong authentication
Apps that need strong authentication get bound to a particular mechanism. You may want to vary authentication strength based on the endpoint or the resource being accessed.
If you are an application developer, you do not want to deal with any of this.
Roadmap
Beta 1: October 2008
Beta 2: first half of 2009
RTM: second half of 2009
All pieces of Geneva are Windows components; there are no additional charges.