
Transitioning to a new Evangelism Focus

Well it’s been a really good run for these past several years having the opportunity to evangelize the Identity and Access technologies on the Microsoft platform. And it has been my sincere pleasure to not only work with my Microsoft Identity colleagues, but with so many customers and partners around AD, AD LDS, AD FS and Windows Authorization Manager as well. But now my evangelism focus is shifting to another set of Microsoft technologies – I’ll have more on that in an upcoming post. Therefore, as I transition away from Identity and Access I’d like to simply say:

  • The show must go on… Although I’ll no longer be hosting The Id Element, the show will continue, so be sure to stay tuned to Channel 9!!
  • My best to the Microsoft Federated Identity team as they push on to ship a great set of Geneva technologies.
  • Thanks to all that have been the source behind so many of these blog posts due to your writing, interviews, technical expertise, etc.
  • Thanks to all that have followed this blog, but as mentioned, you’ll see it transition shortly to a new focus. If it fits your interest, stay on board.
  • And a special thanks to Vittorio – it’s been great working with you! I’ll still be reading Vibro.NET!
Posted by donovanf | 0 Comments

Microsoft Forefront Identity Manager 2010 Highlighted on “The Id Element”

For those that are struggling with getting a handle on Identity Management in their enterprise, Alex Weinert, Principal Group Program Manager, Identity Management, provided me with an “Id Element” interview on the subject that may be of great help to you. Alex first provides a background on the evolution of the synchronization products on the Microsoft platform and then provides an excellent whiteboard session on how Forefront Identity Manager (FIM) 2010 (formerly known as Microsoft code name ILM “2”) builds on these to provide significant new identity management capabilities. Built on the .NET 3.5 technologies, FIM’s web services, workflow and portal provide a range of extensibility opportunities from the enterprise/ISV developer to the codeless capabilities offered to the IT Pro in the portal itself. If you want to check things out for yourself, you can download FIM 2010 RC0 here. Or to read more about FIM 2010 you can start here.


Enjoy!

Posted by donovanf | 0 Comments

FabrikamShipping Demo Application Available for Download

In an October 2008 blog post I highlighted some videos from the PDC sessions, one being Identity Roadmap for Software + Services by Kim Cameron and Vittorio Bertocci. In this video, Vittorio demonstrates the FabrikamShipping application that was built using the Geneva Framework. We have gone on to use this demo in a number of other venues to show off the use of claims-based identity and it has always been really well received. Therefore, this application has now been upgraded to use the Geneva beta 2 Framework and made available for public download here. It provides an excellent example of how to build a claims-based application and is super simple to download and set up on your machine. Vittorio describes the details so I won’t repeat them here. So if you’re needing a way to show your management the really cool ways you can drive applications using claims-based identity, this will provide you with a super demo!!

Enjoy!

Posted by donovanf | 0 Comments

Identity and Access Strategies for SharePoint (MOSS 2007 and WSS 3.0) Products and Technologies

I want to thank Ethan Wilansky and Tomek Stojecki for their excellent and hard work to pull together this two part whitepaper on Identity and Access Strategies for SharePoint Products and Technologies. Part 1 discusses the Membership and Provider Architecture and Part 2 digs into Membership and Role Provider Assignment. These constitute a comprehensive look at and guidance for the use of membership and role providers with SharePoint. Sample code, Identity and Access Strategies Code Sample for SharePoint Server, accompanies the whitepaper. To give you a flavor for the paper, here’s the introduction:

“Tomes have been written about the Microsoft ASP.NET provider architecture, and much of that content focuses specifically on the membership and role providers. In addition, there are probably two dozen blogs about how to configure membership and role providers in Microsoft SharePoint Products and Technologies (which includes Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0). This article provides a variety of links to many of these additional resources. Why, then, write this article? We aim to start where most of these resources stop. Sure, certain items addressed in this article repeat existing guidance to establish context. However, this article delves deeply into describing exactly how SharePoint Products and Technologies use the membership and role providers. Then, it demonstrates how to automatically configure providers into Office SharePoint Server so that SharePoint Server manages the configuration settings for you. The article's examples focus on the Microsoft SQL Server Membership and Role providers and the Lightweight Directory Access Protocol (LDAP) membership and role providers in SharePoint Server 2007, and then briefly explores the Active Directory Federation Services (ADFS) single sign-on (SSO) Membership and Role providers.”

Thanks Ethan and Tomek!

Enjoy!

Posted by donovanf | 0 Comments

Making the shift from ADFS v1 to Geneva Server


After having worked with ADFS v1 for a number of years now, and with all that has been forthcoming around the Geneva Server betas, Vittorio proposed that he interview me about the deltas between ADFS v1 and Geneva Server. So in this episode of The Id Element I find myself, somewhat reluctantly, in front of the camera. However, for those that know and love ADFS as I do, it’s important to have some tips on how to make the conceptual connections to what Geneva Server has to offer – it has sooooo much more!

One other thing I want to add that is of great importance. In the video I highlight a significant delta in that the extensibility point in ADFS was the claims transformation module. By implementing a claims transformation module you could jump into the claims pipeline and reach out to a SQL database (or whatever) in your environment to augment, transform, etc. claims at will – but you needed to do this with code. In the video I highlighted that Geneva Server has built-in support for querying attribute stores that are based on AD, LDAP directories and SQL Server – which of course is a significant step forward. One need not write code for these now.

But after viewing the video, some might be saying, “but I need to get data for claims from other sources than the built-in stores, how do I do that?” That’s where I need to say here, you still can!! Geneva Server also provides extensibility in terms of custom attribute stores where you write your own module(s) that implements the attribute store interface. Once defined and plugged into Geneva server, the custom attribute store will be recognized by Geneva server and then can be used for querying the custom attribute store for claims population, etc. A whitepaper describing this is available for download on the Geneva Connect site, the document in Downloads is, Developing Custom Attribute Stores for Geneva Server. So, here’s the full picture…


Enjoy the document, and populate claims from any source desired!!
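To make the custom attribute store extensibility point concrete, here is an added C# example; it is not code from this post or from the whitepaper it links to. It implements the IAttributeStore contract as it shipped in AD FS 2.0 (namespace Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore, assembly Microsoft.IdentityServer.ClaimsPolicy.dll); the beta-era whitepaper may describe different signatures, so treat the interface and exception type names as an assumption to check against the document. The namespace, the store’s backing data, the "tenant" configuration key and the "roles"/"department" query names are all made up for the example. The security point it makes is that both the query string and the parameters handed to the store come from claim rules, and the parameters are usually claim values that originated with the user, so the store matches them against a fixed set of named lookups instead of interpreting them.

```csharp
// Added example, not from the post: a minimal custom attribute store for Geneva Server / AD FS 2.0.
// Assumption: IAttributeStore and the exception types are those shipped in AD FS 2.0.
using System;
using System.Collections.Generic;
using System.Threading;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;

namespace Fabrikam.Identity.AttributeStores   // hypothetical namespace
{
    public class InMemoryRoleStore : IAttributeStore
    {
        // Hypothetical backing data, keyed by Windows account name. A real store would
        // query a directory, database or web service here, with parameterized queries.
        private readonly Dictionary<string, string[]> roles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "FABRIKAM\\alice", new[] { "Shipping", "Finance" } },
                { "FABRIKAM\\bob",   new[] { "Shipping" } },
            };
        private readonly Dictionary<string, string> departments =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "FABRIKAM\\alice", "Operations" },
                { "FABRIKAM\\bob",   "Operations" },
            };
        private string tenant;

        // Called once with the key/value settings entered when the store is registered.
        public void Initialize(Dictionary<string, string> config)
        {
            if (config == null || !config.TryGetValue("tenant", out tenant) || tenant.Length == 0)
                throw new ArgumentException("Attribute store requires a 'tenant' setting.");
        }

        // query = the rule's query string, parameters = the rule's param values (claim values).
        // Neither is trusted: the query must name one of a fixed set of lookups, and the
        // parameter is used only as a dictionary key, never concatenated into anything.
        public IAsyncResult BeginExecuteQuery(string query, string[] parameters,
                                              AsyncCallback callback, object state)
        {
            if (string.IsNullOrEmpty(query))
                throw new AttributeStoreQueryFormatException("Query must not be empty.");
            if (parameters == null || parameters.Length != 1 || string.IsNullOrEmpty(parameters[0]))
                throw new AttributeStoreQueryFormatException("Exactly one parameter (the account name) is required.");

            string[][] rows;
            switch (query.Trim().ToLowerInvariant())
            {
                case "roles":      rows = LookupRoles(parameters[0]); break;
                case "department": rows = LookupDepartment(parameters[0]); break;
                default:
                    throw new AttributeStoreQueryFormatException("Unknown query '" + query + "'.");
            }

            IAsyncResult result = new CompletedResult(rows, state);
            if (callback != null) callback(result);
            return result;
        }

        // Each inner array is one row; its elements line up with the rule's 'types' list.
        // An empty outer array means "no claims issued", which is safer than an error
        // for an unknown user because it cannot be confused with a matching record.
        public string[][] EndExecuteQuery(IAsyncResult result)
        {
            var completed = result as CompletedResult;
            if (completed == null)
                throw new AttributeStoreQueryExecutionException("Unexpected IAsyncResult type.");
            return completed.Rows;
        }

        private string[][] LookupRoles(string account)
        {
            string[] found;
            if (!roles.TryGetValue(account, out found)) return new string[0][];
            var rows = new string[found.Length][];
            for (int i = 0; i < found.Length; i++) rows[i] = new[] { found[i] };
            return rows;
        }

        private string[][] LookupDepartment(string account)
        {
            string dept;
            return departments.TryGetValue(account, out dept)
                ? new[] { new[] { dept } }
                : new string[0][];
        }

        // The lookups are synchronous, so the IAsyncResult is already complete when returned.
        private sealed class CompletedResult : IAsyncResult
        {
            private readonly ManualResetEvent handle = new ManualResetEvent(true);
            public CompletedResult(string[][] rows, object state) { Rows = rows; AsyncState = state; }
            public string[][] Rows { get; private set; }
            public object AsyncState { get; private set; }
            public WaitHandle AsyncWaitHandle { get { return handle; } }
            public bool CompletedSynchronously { get { return true; } }
            public bool IsCompleted { get { return true; } }
        }
    }
}
```

Once the assembly is registered as a custom store (say under the made-up name "FabrikamRoles"), an issuance rule in the AD FS 2.0 claim rule language would drive it with something like: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "FabrikamRoles", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "roles", param = c.Value); The rule language syntax is that of the shipped product, not necessarily the beta covered by this post.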

Posted by donovanf | 0 Comments

What’s new in Windows CardSpace “Geneva” beta 2

Oren Melzer, SDE, was introduced to “project InfoCard” (a former internal code name for Windows CardSpace) as an intern with Microsoft -- he’s now a developer on Windows CardSpace “Geneva” and a member of the Federated Identity team. This week I sat down with Oren to hear what’s new in CardSpace Geneva beta 2. Among the new features, managing information cards via Active Directory group policy (in concert with Geneva Server) provides new opportunities for using CardSpace within the enterprise. So enterprise developers and IT Pros will want to give this a listen. Oren also calls out the delta between beta 1 to beta 2 for the ASP.NET developer in that the information card control previously in the Geneva Framework beta 1 is no longer there. A number of code samples are available on the Microsoft code name “Geneva” Connect site under the Windows CardSpace “Geneva” section. These include ObjectTagSamples and a CardSpaceBackedWebApp showing how to work directly with the returned token. Oren requests feedback for the team on the new features so following are the pertinent links. Thanks Oren!!


Enjoy!

Posted by donovanf | 0 Comments

Geneva Server beta 2, SAML 2.0 and Interoperability with Sun OpenSSO Enterprise and Novell Access Manager

In this episode of The Id Element I talked with Caleb Baker, Sr. SDET, who worked with the interoperability testing of Geneva Server’s SAML 2.0 with both Sun’s OpenSSO Enterprise and Novell’s Access Manager products. Caleb discusses his discoveries in the interoperability testing and demonstrates how to configure Geneva Server as both the Identity Provider and the Service Provider using SAML 2.0. He also shows how to configure Geneva Server for redirect, POST and artifact binding using the MMC and PowerShell. Two whitepapers were produced from the interop testing and are available here.


Enjoy!

Posted by donovanf | 1 Comments

PHP drill down for enabling Information Card use with CardSpace Geneva by Intand’s Scott Otis

Last week I posted a video to The Id Element and described the work that Intand had done to enable their PHP S+S application to accept information cards from Geneva Server via Windows CardSpace Geneva for a prototype project with the Lake Washington School District and Microsoft. In a follow-up video interview, Jean-Christophe Cimetiere, Sr. Technical Evangelist - Interoperability, talks with Scott Otis, CIO, Intand. Scott first provides a demo of the PHP application using information cards for application access. Then he drills down into the PHP code to show exactly what it takes to information card enable a PHP application and access the claims. Thanks Scott and Jean-Christophe for providing this deeper look for PHP developers!


For more information about Microsoft’s work around interoperability, visit the Interoperability@Microsoft blog.

Enjoy! 

Posted by donovanf | 1 Comments

Geneva Server, CardSpace Geneva and PHP Interoperability with Information Cards


This week on “The Id Element” I had the opportunity to interview both the President and CIO, Bryan Otis and Scott Otis, respectively, from Intand along with Vijay Rajagopalan, Principal Architect, Microsoft Interoperability Strategy. Intand offers a calendaring application for scheduling/managing a school’s facilities, events, teams, etc. Prior to this prototype project to enable information cards in their PHP application, Intand’s sole source for user authentication and authorization data was in its own directory. Accounts for administrators, teachers, parents and students were provisioned into the directory. An administrator would then login to the application and update the users with the appropriate access permissions. School users could then login.

But with the work they did using the open source Zend Framework’s support for information cards, they now have an additional way to provide users with access to their application (again, this is a prototype and is not in production, the Geneva technologies are still in beta). To eliminate the need to create an additional user account, for those schools that are already managing their users in Active Directory, the Geneva Server can issue a managed information card to each user. Therefore, Intand, by implementing access to their application via information cards, “trusts” Geneva Server to issue it a security token with the appropriate permissions (in the form of claims) after the user authenticates to Active Directory. For instance, when the user accesses the Intand application, they can choose to login with an information card by clicking the information card icon on the web page. In the case of this prototype, Windows CardSpace Geneva is then invoked and the user selects the Geneva Server issued managed information card. The user is then prompted to authenticate to Active Directory at their school where they provide the appropriate AD credentials and the user then receives access to the PHP application via the trusted security token, issued by the Geneva Server. A video of this working prototype was featured in the Scott Charney, Corporate Vice President, Microsoft, 2009 RSA Conference keynote address.

In this segment, Vijay also discusses other open source interoperability work that’s been done around information cards for heterogeneous web applications, not only PHP (codeplex). This includes information card support for Java (codeplex), Ruby on Rails (codeplex) and a generic C module.


Enjoy!

Posted by donovanf | 5 Comments

Geneva Server Interoperability with Sun OpenSSO and Novell Access Manager Whitepapers

Two new whitepapers are available regarding the interoperability of Geneva Server beta 2 with Sun’s OpenSSO Enterprise and Novell’s Access Manager. These papers discuss the need for standards-based solutions to provide identity federation across heterogeneous technology environments. One specific challenge these technologies help solve is today’s need for cross-organization collaboration and/or allowing partners to access web-based resources. Various use cases are called out in the papers where the federation products are serving in either the Identity Provider or Service Provider/Relying Party role. The whitepapers are available here.

Enjoy!

Posted by donovanf | 2 Comments

The Identity Developer Training Kit


Another nice treat coinciding with the Microsoft code name “Geneva” beta 2 release is the Identity Developer Training Kit that Vittorio drove. He announces/introduces it here so you can read his post for the details. This is an exceptional tool for developers that want to get their feet wet in the waters of building claims-based ASP.NET web applications or WCF services – and more. Don’t miss out on exploring this – you’ll learn a lot!

Enjoy!

Posted by donovanf | 1 Comments

Microsoft code name “Geneva” beta 2 on “The Id Element”


In preparation for the beta 2 release of Geneva Server, Geneva Framework and Windows CardSpace Geneva, Vittorio and I have been working feverishly to provide content to introduce you to this great step forward in these technologies. Therefore, we’ve prepared four videos for “The Id Element” show highlighting both a feature overview and a deep dive into the Framework and Server. There is certainly something here for developers and IT Pros alike. So don’t miss out on these!!


Enjoy!

Posted by donovanf | 1 Comments

Microsoft code name “Geneva” Beta 2 Released

The availability of Microsoft code name “Geneva” beta 2 was announced today at TechEd. This release is a significant step forward for the Geneva Server, Geneva Framework and Windows CardSpace Geneva. Check out the Geneva Team Blog for the specific advances made. We’ve been anxiously awaiting the release of beta 2 and Vittorio and I have a couple treats around its release for you!! :-) More to come…

Enjoy!

Posted by donovanf | 1 Comments

This week on The Id Element: Ruchi Bhargava on Windows CardSpace Geneva


This week I visited with Ruchi, a veteran on the Windows CardSpace team. She was one of the devs that wrote the earliest prototypes for CardSpace and led the development team through the Windows CardSpace Geneva Beta 1 release. Ruchi shares insights and lessons learned from customer feedback regarding CardSpace v1 and where the team has taken the product in the Beta 1 release.


Enjoy!

Posted by donovanf | 1 Comments

This week on The Id Element: Vijay Gajjala on the Geneva Server

This week I had the opportunity to sit down with Vijay Gajjala, Sr. Program Manager on the Federated Identity team, and talk with him about his team’s work on the Geneva Server. He discusses a number of investments the team made in delivering the Beta 1 release.


Enjoy!

Posted by donovanf | 1 Comments