“Geneva” Team Blog : "Geneva" Server

AD FS v2.0 Passes Liberty Alliance SAML 2.0 Interoperability Testing

CardSpaceBlog — Thu, 01 Oct 2009 02:48:00 GMT

Interoperability of identity systems is an important consideration for a large percentage of customers. With this in mind we chose to participate in 8 weeks of SAML 2.0 testing, which is was conducted by the Drummond Group Inc. As previously announced, we entered testing with three profiles, IdP Lite, SP Lite and EGov 1.5.

Today the test results were made public , and we are thrilled to announce we have passed. We are very proud of this accomplishment, and all the hard work the AD FS team did to make this happen.

We would like to thank the other test participants; Entrust, IBM, Novell, Ping Identity, SAP, and Siemens. They where all great to work with, and demonstrated a real commitment to ensuring all of our products work together for customers.

Testing was done in a full matrix, meaning all tests pass with each vendor. This meant 8 to 12 tests (depending on the profile) with each of the 7 solutions, with AD FS acting as both IdP and SP; resulting in about 150 tests to pass! As you can imagine there were a few nights the team didn’t get much sleep. If you would like to dig into the details of what was tested, the test plan is available from the Liberty site.

Additional articles about the Liberty Alliance Testing:

· PRN Newswire - Entrust, IBM, Microsoft, Novell, Ping Identity, SAP and Siemens Pass Liberty Alliance SAML 2.0 Interoperability Testing

· Computerworld - Microsoft passes its first SAML 2.0 interoperability test

Official Name for "Geneva"

CardSpaceBlog — Wed, 22 Jul 2009 02:55:00 GMT

This Monday, Microsoft made several announcements at the Worldwide Partner Conference in New Orleans. Among these announcements were the official names for the Geneva products currently in Beta.

The three components of Microsoft “Geneva” have the following names:

· Active Directory Federation Services – formerly known as “Geneva” Server. Active Directory Federation Services (AD FS) enables Active Directory to be an identity provider in the claims based access platform. AD FS provides end users a single sign-on experience across applications, platforms and organizations and simplifies identity management for IT Pros by reducing duplicate accounts.

· Windows Identity Foundation – formerly known as “Geneva” Framework. Windows Identity Foundation (WIF) offers sets of APIs for ASP.NET and WCF developers to build claims-aware applications and make them federation capable. This API set covers both building relying party applications and federation services that can issue security tokens.

· Windows CardSpace – same as current version. Windows CardSpace enables managed and native applications to participate in the claims-based access platform. Windows CardSpace empowers end-users to have better control of their identity and allows administrators to setup streamlined single sign-on access.

This news is part of our Business Ready Security strategy to help both partners and customers 1) protect everywhere and access anywhere, 2) integrate and extend security across the enterprise, and 3) simplify the security experience and manage compliance.

For more information about these announcements and others that were made, check out the Microsoft Forefront Team Blog.

Information Card Issuance: a small step for "Geneva" Server, a big leap for Federated Identity

CardSpaceBlog — Fri, 29 May 2009 05:26:00 GMT

Imagine this: you have been following this blog and have decided to try “Geneva” Beta 2. You have gone to the connect site and downloaded the "Geneva" platform components, installed them, configured the server, used the framework to write a claims-aware uber cool application, and set up trust between your server and the application. Now your users can log in and use your application and you can manage access easily. But that uses only two out of the three "Geneva" products. What does it mean to incorporate CardSpace "Geneva" into this scenario? From the server perspective, it means configuring information card issuance.

Intro

The "Geneva" Server in this scenario is configured to use the active directory that contains all your users. We call this role an Identity Provider STS because it authenticates users and produces tokens about their identities. One of the powerful features that “Geneva” Server gives an STS is the ability to issue cards that CardSpace "Geneva" stores and allows you to use to authenticate. For more information on cards see: http://blogs.msdn.com/card/archive/2008/05/20/backing-a-managed-card-with-alternate-credentials.aspx

Each part of our scenario needs to be properly configured:

· Your users need to have CardSpace “Geneva” installed (or compatible Identity Selector)

· The Server needs to issue cards.

· The application needs to support card selector log in

"Geneva" Server Card Issuance

Configuring a card is simple: the initial configuration wizard sets all required parameters. You can update any and all of them at any time. List of the parameters you can set:

· Card name

· Card image (typically your organization's logo)

· Privacy Notice (optional)

· Authentication type (more in the next paragraph)

· Certificate to sign the card (this is located in the certificate settings)

Choosing an authentication type depends on your deployment, and the strength of authentication you wish to enforce. “Geneva” Server Beta 2 supports three types of authentication:

· Windows – by selecting this type, CardSpace performs Windows Integrated Authentication, which only works when the user is connecting from the internal network.

· Certificate – by selecting this type, CardSpace authenticates with a user certificate located on the user’s machine. This type works well for smart cards, and is especially useful for authenticating users outside of the corporate network in a highly secure way.

· Username and password – by selecting this type, CardSpace prompts the user for their domain user name and password. This type also works for authentication outside the corporate network.

The order of the authentication types will always be first Windows if present, next Certificate if present and last Username Password if present. The implication of this is that if you can turn on two authentication types, for example Windows and Certificate. Then inside a corporate network, users would automatically get authenticated with Windows Integrated Authentication. Outside a corporate network where Integrated Authentication is not available, authentication falls down on the next authentication type and users will get authenticated by their user certificate.

The initial configuration wizard does one more thing for you. It deploys a card issuance website from where users can download your spiffy new card. Note that by default access to the site is windows authentication based. Once the website is deployed you can customize it with your organization's name, logo, contact information, etc.

Tips

A subset of the settings that are part of the card file your users will download is derived directly from the STS settings. However to give the administrator more control over the process, changes to the STS that affect the card will not be applied to the card until the administrator chooses to do so and clicks the “Update Information Card” action.

The “Geneva” Server Beta 2 gives you a powerful new way to configure and maintain your configuration: PowerShell. I’d like to briefly note that there is a resource dedicated to configuring card issuance: GSInformationCard. There are five different cmdlets/verbs associated with this resource:

· Get-GSInformationCard,

· Set-GSInformationCard,

· Enable-GSInformationCard,

· Disable-GSInformationCard

· Update-GSInformationCard.

The GSInformationCard resource covers all UI capability and some additional parameters not visible in the UI, like explicitly adding claims and in depth management of certificate backed cards amongst others. Look to future posts for more details.

Conclusion

As you can see, “Geneva” Server provides quick access to the world of information cards:

· Simple, secure provisioning of cards to users

· Simple administration of the card

· Flexibility to provide/ensure specific authentication types

· Customizable site to provide users with familiar corporate site experience

A great reference for setting up information card issuance you can find here: http://technet.microsoft.com/en-us/library/dd807042(WS.10).aspx. And in the next post you are going to learn about a powerful feature build on top of card provisioning: silent card provisioning.

Veneta Tashev

Software Development Engineer in Test

“Geneva” Server Team

What’s New in Geneva Beta 2

CardSpaceBlog — Tue, 12 May 2009 02:52:00 GMT

As announced at TechEd, Geneva has just released its Beta 2 bits! These are now available for download from here.

There is a lot that is new and updated in Beta 2! Here is a list of some of the things that you will be able to try out and give us feedback on. For additional details on each of these and more, see the release notes included with the Beta 2 package.

“Geneva” Server

· New rules engine for authoring claims transformation policies

· Ability to read attributes from AD, AD LDS, and SQL out of the box, plus pluggable provider model to enable access to other attributes stores

· Group policy-based Information Card provisioning for CardSpace “Geneva” clients

· Support for SAML 2.0 SP-Lite

· Proxy to enable authentication for users on the Internet when Geneva Server is on the intranet

· Scale out via farm and load balancer topology

· Powershell commandlets

· Support for AD RMS

· Utility for federating with the Microsoft Federation Gateway

“Geneva” Framework – IDFX

· Enhanced FedUtil Tool with local STS for easy offline development

· New Visual Studio templates for building claims-aware web applications, web services, and security token services

· Support for SharePoint 2007

· Revised token handlers

· Revised federation authentication module

· New Claims Authorization Manager API

· Updated config support

CardSpace

· Support for Group Policy-based Information Card provisioning.

· Updated management UI

· Updated card tile

· Group Policy-based way for administrator to make card selection decisions for specific sites

Improved provisioning of X509-backed cards
Compatible with most existing managed cards

We are very excited to be able to deliver these bits to you, and to hear your feedback. Please send any technical questions about Geneva to the product team via our forum or support email address. We will continue to announce updates to Geneva on our website and here on our team blog.

“Geneva” Server Beta

CardSpaceBlog — Wed, 05 Nov 2008 01:00:00 GMT

We’re excited to tell you more about the beta release of “Geneva” Server. In this post we’ll talk a bit about what “Geneva” Server is, as well as discuss the features of “Geneva” Server. As you may have read already, “Geneva” Server is one component of the broader “Geneva” claims based access (CBA) platform. The other components are the “Geneva” Framework for developers and Windows CardSpace “Geneva”. All of the “Geneva” components are available for download at our Connect site.

This beta release of “Geneva” Server is not yet feature complete, and is not intended for use in a production environment. We’re looking forward to your early feedback on “Geneva” Server’s features and on what you’d like to see in future releases.

What is Geneva Server?

“Geneva” Server is a security token service (STS) that enables Active Directory to be an identity provider in the claims based access platform. Specifically, “Geneva” Server solves several identity problems for information technology (IT) professionals:

Use the Claims Based Access Platform: Deploying “Geneva” Server enables an organization’s applications to use the claims based access platform and avoid fixed dependencies on specific authentication, authorization and directory service technologies.
Reduce Duplicate Accounts: “Geneva” Server reduces the need for duplicate accounts and other credential management overhead by enabling federated single sign-on (SSO) for users in other organizations.
Reduce Number of Passwords for Users: “Geneva” Server enables an organization’s users to consume outsourced hosted services without needing additional credentials.
Centrally Manage Application Authentication: “Geneva” Server enables IT professionals to easily change the authentication methods for enterprise applications as security policies change.
Manage Communication of User Information: “Geneva” Server enables IT professionals to easily manage the user specific information that is sent to each enterprise application.
Normalize Directory Service Access: “Geneva” Server enables IT professionals to avoid line-of-business applications burdening the corporate directory services in unpredictable ways due to poorly constructed, processor-intensive requests.

Additional “Geneva” Server Features

Simplified trust establishment: “Geneva” Server uses industry standard metadata formats for establishing trust between federation partners. The “Geneva” Server administration console allows administrators to establish trust by simply entering the partner’s trust metadata URL. This simplifies and improves the trust establishment experience for administrators by reducing the number of manual steps involved.

Information Cards: Information Cards provide an improved log-in experience, and the issuance of Information Cards allows “Geneva” Server to act as an identity provider that can be used with Windows CardSpace. “Geneva” Server includes a Web application where Active Directory users can obtain managed Information Cards, as well as administrative capabilities for branding these Information Cards.

Identity delegation: Web applications in a multitier architecture often call infrastructure services to access common data or functionality. It is important for these infrastructure services to know the identity of the original user so that the service can make authorization decisions and perform auditing. “Geneva” Server allows an authorized front-end Web application to impersonate its users to the infrastructure service. When using “Geneva” Server, the infrastructure service knows that the front-end Web application is serving as the user’s delegate. In addition, “Geneva” Server does not require that an account exist in Active Directory for the impersonated user.

Multiple supported authentication methods: “Geneva” Server supports multiple authentication methods at the STS. Users will be able to authenticate with user name/password, the Kerberos authentication protocol, client X.509 certificates, and Information Cards. Administrators have fine-grained control over the specific authentication methods that are supported, to suit their security policies. In addition, “Geneva” Server supports responding to requests for particular authentication methods, such as smart-cards. This enables applications that are protected by “Geneva” Server to easily step-up to smart-card authentication for particular operations.

Interoperable by design: “Geneva” Server supports multiple, industry-standard, interoperable protocols such as WS-Federation, WS-Trust and other WS-* security standards. In addition, “Geneva” Server supports identity provider functionality in the Web SSO profile of the SAML 2.0 protocol. This broad base of protocol support makes it possible for “Geneva” Server to work with a variety of identity products from other vendors that support these protocols.

Give us your feedback!

Please give us your feedback and tell us what you think. The set of features above provides only a quick overview of what “Geneva” Server can do. More posts are coming to discuss these features in detail, and we look forward to a conversation on how “Geneva” Server can solve your identity challenges. Thanks,

- The “Geneva” Server Team

"Geneva" Beta available now

CardSpaceBlog — Wed, 29 Oct 2008 03:35:00 GMT

The Federated Identity ”Geneva” team is happy to announce the release of Microsoft code name “Geneva”, an open platform for simplified user access based on claims. This release consists of three components: Geneva Framework for .NET developers, Geneva Server for IT Pros, and Windows CardSpace “Geneva”.

You can find all of our installation downloads and supporting documentation for each component of the Geneva platform on the “Geneva” Connect site.

As our team now has three products available we will begin discussing them all on this site. We will continue to discuss details about CardSpace here, but you can also look forward to details on the “Geneva” Server and Framework on this blog. We also have a dedicated forum for “Geneva” available on MSDN.

We look forward to hearing from you about our new release!

- The Federated Identity “Geneva” team