07 November 2008

Geneva supports OASIS WS-Trust, SAML

Last week at the PDC 2008, Microsoft released the public beta of “Geneva”. 

 

“Geneva” is three things:

Geneva Server.  This is a security token service (STS), as defined in the OASIS WS-Trust specification.  This thing issues and transforms claims, manages user access, and enables automated federation.

Geneva Framework.  This is a managed (.NET) Framework that helps developers build claims-aware applications and services, that connect to the STS.  You can use it to process claims on either side of an authorization transaction (requestor or responder).

Windows CardSpace Geneva.  This is just an extension of the CardSpace thing in Windows you know and love today.  chances are, you've seen it, but you don't use it. In a nutshell - CardSpace is a set of Windows features and user-interface that lets users navigate access decisions and control how personal information is used. Everyone has multiple claims as part of their identity: you are a student at UW, you are an employee of BigCorp, you are a member in good standing of a particular club, you have received a particular security clearance, You have a bank account with number 4444-444-44 at BigBank, etc. CardSpace lets you decide which of the many claims you can make about your identity, to disclose to a particular service or server. Rather than disclosing "everything" about you to every server or service, you disclose only what you need to disclose for the particular transaction. That is one aspect of the identity model, and CardSpace is the thing in Windows that makes that possible.

CardSpace technology, and actually, the Identity Metasystem concept, is pretty cool. If you haven't looked at it, you should.   The problem with CardSpace and more generally, using claims-based access control (CBAC) in an application, has always been that it was impractical. Microsoft delivered a client (CardSpace), but we didn't deliver an STS! And we didn't deliver an easy way for the server to evaluate and verify claims. Therefore developers didn't have an easy way to employ CBAC in their apps. Geneva will change this.

Now, some of you are thinking, "ok, this sounds interesting but I don't know what you are talking about with this WS-Trust thing and 'claims based access control'. And I can understand that. Here's the thing - instead of hand-crafting access-control logic into your application, instead of managing your own user list and access control list, you can "outsource" this job to an STS. The Authorization Manager (sometimes called AzMan) is similar in philosophy, so if you understand the utility of AzMan, then you will get the idea of CBAC. But AzMan is not standards based, not federated, not truly claims-based (it is role based, which is less general than claims-based), and not usable in Web services transactions. Imagine generalizing AzMan and federating it and using only standard protocols, and that's where we're headed with Geneva. You're gonna want to use this.

I said "Geneva is standards based." The key to standards is support by the vendors, in tools, frameworks, servers, and so on. Currently, WCF from Microsoft supports WS-Trust, as does the WSIT from Sun. WebSphere App Server v7.0 announced support for WS-Trust just last month, but I haven't had the time to test it with Geneva. Not sure of other frameworks. The key is, with Geneva, the server is now here, and people can and will start building on this. I think with the release of the Geneva CTP, we'll start to see broader adoption of WS-Trust and standards-based CBAC among frameworks. 

One last thing to point out: In the cloud, the Microsoft Services Connector and the .NET Access Control Service, both announced at PDC as well, are built on “Geneva” technology and share the same claims architecture.

More Information:
Kim Cameron’s blog
Vittorio Bertocci’s blog
Get the Geneva beta
Single stop resource on Geneva

A list of “Geneva” sessions recordings at PDC:

code Title Presenter(s) Link
BB11 Identity Roadmap for Software + Services Kim Cameron and Vittorio Bertocci http://channel9.msdn.com/pdc2008/BB11/
BB42 Identity: "Geneva" Server and Framework Overview Stuart Kwan and Caleb Baker http://channel9.msdn.com/pdc2008/BB42/
BB43 Identity: "Geneva" Deep Dive Jan Alexander http://channel9.msdn.com/pdc2008/BB43/
BB44 Identity: Windows CardSpace "Geneva" Under the Hood Rich Randall http://channel9.msdn.com/pdc2008/BB44/
Filed under: , , , , ,
 

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# WSOAC#38 - Azure, Geneva, and Gartner on REST - Service Endpoint said:

PingBack from http://itknowledgeexchange.techtarget.com/serviceendpoint/wsoac-sharp-38-azure-geneva-and-gartner-on-rest/

21 November 08 at 12:27 AM
# Canadian IT Architecture Blog said:

I wanted to provide pointers and credit to the detail behind the ‘Architectural Impact’ portion of the

05 March 09 at 12:00 PM
# Vivek said:

I would like to have further clarification on AzMan and Geneva comparison in this article. You said - "Imagine generalizing AzMan and federating it and using only standard protocols". But does Geneva really provides all the functionality embedded in AzMan? If yes, then please point me to the correct documentation. For example, I couldn't find a way to build claim hierarchies (which we can do easily with AzMan using Tasks and Operations). In geneva, the only thing we can specify is a Claim (based off an attribute in AD or some other claim).

So how could we use Geneva to perform the tasks we can with AzMan? Any help would be appreciated.

Thanks.

09 March 09 at 10:30 AM

Leave a Comment

Comment Policy: No HTML allowed. URIs and line breaks are converted automatically. Your e–mail address will not show up on any public page.

(required) 
(optional)
(required) 

  
Enter Code Here: Required
Page view tracker