Thursday, July 10, 2008 4:44 PM
by
renel
Identity framework for .Net
After a long wait and anticipation it finally arrived: “Zermatt”.
This is the long-awaited framework for .Net developers, a logical consequence of the claims-based identity model and the idea of Information Cards that we at Microsoft have been keen adopters of.
CardSpace was the first glimpse of the Microsoft initiatives that were a step towards user-centric identity and countermeasures against phishing and fraud. This was a real eye-opener for me, but when I first discovered that I had to code the plumbing of my own Security Token Service (STS) to be an actual participant in the trio of User (Subject), requested resource (Relying Party, RP) and Identity Provider (IdP), I was somewhat discouraged.
Today I took Zermatt for a spin for the first time. I basically ran some of the samples that come with the install. The samples are grouped into "Basic", "Intermediate" and "Advanced". The sample titles are:
Basic:
- ActiveSTSWithManagedCard
- Claims Aware Web App
- Claims Aware Web Service
- Managed Card Issuance
- Simple STS For Active Clients
- Simple STS For Passive Clients
Here is a short recap of some of the wording here:
- "Claims" – typically a set of name/value-like attributes, e.g. (FirstName/Rene, SurName/Loehde, Email/renelattmicrosoftdotcom) or (Age/30, Gender/Male), asserted about a subject by an issuer. A relying party trusts a claim only as far as it trusts the issuer that signed the token carrying it.
- "Active" – clients and services that speak web services (SOAP/WS-* aware apps) and can request, send and process security tokens containing claims directly, e.g. through WS-Trust.
- "Passive" clients – usually web browser based communication (no SOAP aware apps): the browser is redirected between the RP and the STS, and the token travels in HTTP redirects and form POSTs (the WS-Federation passive profile).
- "STS" – Security Token Service (introduced in the WS-Trust specification): a web service that authenticates the client, validates incoming tokens and issues security tokens with the required set of claims about a user/subject.
- "Managed Card" – an Information Card issued by an Identity Provider (backed by its STS) and installed in the user's CardSpace. The card itself carries no claim values, only the list of claims the IdP can supply; when a website (RP) requests a specific set of verified claims, the user selects the card and CardSpace fetches a freshly issued token from the IdP's STS. Contrast this with a personal (self-issued) card, where the user enters and signs the claims.
Intermediate:
- Federation Scenario For Active Clients
- Federation Scenario For Passive Clients
- Identity Delegation Scenario
Advanced:
- Authentication Assurance
- Claims Aware AJAX App
- Custom Username Card STS Host Factory
- Customizing Request Security Token
- Customizing Token
- Extending FAM Timeout
- Personal Card
- SAML2 Token Issuance
- Web App With Multiple SignIn Methods
- WSTrustSTSHostFactory
The Authentication Assurance sample is about requiring a specific authentication scheme ("higher" security assurance, such as X.509) for accessing an STS. In a national Danish context this is interesting from an OCES perspective. The STS could then be used as a claims transformation service, with the incoming X.509 certificate claim (the PID/RID) transformed into a security token with a requested set of verified claims (e.g. CPR number/age for a PID and company number for a RID, etc.).
Another Danish, dare I say governmental, issue is SAML2 Token Issuance. Those who read Danish will perhaps remember an article and a press release about the government using SAML 2.0 as the SSO enabler in e-Government. Zermatt provides the ability to issue SAML 2.0 tokens. This means that Zermatt could give rise to some interoperability scenarios with Liberty/SAML 2.0 identity frameworks.
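As an added example (not code from this post or from the Zermatt samples) of the STS plumbing described in the glossary above and of the claims transformation sketched here: a custom STS that refuses to issue tokens for unregistered relying parties, requires an X.509-authenticated caller, and turns the OCES subject serialNumber into PID or CVR/RID claims. It is written against the API shape of Windows Identity Foundation, the released form of Zermatt, so the beta type names may differ; the claim type URIs, the relying-party registry and the OCES serialNumber patterns are assumptions. The further step of looking up a CPR number or age for a PID would need an external matching service and is not modelled.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Claims-transformation STS (hypothetical). Accepts a caller authenticated with an
// OCES X.509 certificate and issues a token carrying the PID or CVR/RID taken from
// the certificate's subject serialNumber. API shape: Windows Identity Foundation.
public class OcesTransformationSts : SecurityTokenService
{
    // Assumed claim type URIs for the issued claims.
    public const string PidClaimType = "urn:example:oces:pid";
    public const string CvrClaimType = "urn:example:oces:cvr";
    public const string RidClaimType = "urn:example:oces:rid";

    // Relying parties allowed to receive tokens, keyed by AppliesTo address, with the
    // certificate used to encrypt the token for that RP (assumed registry).
    private readonly IDictionary<string, X509Certificate2> trustedRelyingParties;

    public OcesTransformationSts(SecurityTokenServiceConfiguration config,
                                 IDictionary<string, X509Certificate2> trustedRelyingParties)
        : base(config)
    {
        this.trustedRelyingParties = trustedRelyingParties;
    }

    // Decide whether the RP named in the request may receive a token at all.
    // Without this check an STS will happily mint tokens for any audience a caller names.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("The request must name a relying party (AppliesTo).");

        string rpAddress = request.AppliesTo.Uri.AbsoluteUri;
        X509Certificate2 rpCertificate;
        if (!trustedRelyingParties.TryGetValue(rpAddress, out rpCertificate))
            throw new InvalidRequestException("Relying party is not registered: " + rpAddress);

        Scope scope = new Scope(rpAddress, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.EncryptingCredentials = new X509EncryptingCredentials(rpCertificate);
        // Reply only to the registered address, never to a caller-supplied ReplyTo.
        scope.ReplyToAddress = rpAddress;
        return scope;
    }

    // Transform the incoming certificate claim into the claims issued to the RP.
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
                                                               RequestSecurityToken request, Scope scope)
    {
        IClaimsIdentity caller = (IClaimsIdentity)principal.Identity;
        string subjectDn = FindClaimValue(caller, ClaimTypes.X500DistinguishedName);
        if (subjectDn == null)
            throw new InvalidRequestException("Caller did not authenticate with an X.509 certificate.");

        IClaimsIdentity issued = new ClaimsIdentity();
        foreach (Claim c in OcesClaimsFromDistinguishedName(subjectDn))
            issued.Claims.Add(c);
        // Record how the subject was authenticated so the RP can enforce its assurance policy.
        issued.Claims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.X509));
        return issued;
    }

    private static string FindClaimValue(IClaimsIdentity identity, string claimType)
    {
        foreach (Claim c in identity.Claims)
            if (c.ClaimType == claimType) return c.Value;
        return null;
    }

    // OCES carries "PID:<n>" (citizen certificate) or "CVR:<n>-RID:<n>" (employee certificate)
    // in the subject serialNumber attribute; the exact patterns below are assumptions.
    public static IList<Claim> OcesClaimsFromDistinguishedName(string subjectDn)
    {
        var claims = new List<Claim>();
        Match sn = Regex.Match(subjectDn, @"SERIALNUMBER=(?<sn>[^,]+)", RegexOptions.IgnoreCase);
        if (!sn.Success)
            throw new InvalidRequestException("Certificate subject carries no OCES serialNumber.");
        string serial = sn.Groups["sn"].Value.Trim();

        Match pid = Regex.Match(serial, @"^PID:(?<pid>[0-9-]+)$");
        Match rid = Regex.Match(serial, @"^CVR:(?<cvr>\d{8})-RID:(?<rid>[0-9A-Za-z-]+)$");
        if (pid.Success)
        {
            claims.Add(new Claim(PidClaimType, pid.Groups["pid"].Value));
        }
        else if (rid.Success)
        {
            claims.Add(new Claim(CvrClaimType, rid.Groups["cvr"].Value));
            claims.Add(new Claim(RidClaimType, rid.Groups["rid"].Value));
        }
        else
        {
            throw new InvalidRequestException("Unrecognised OCES serialNumber format: " + serial);
        }
        return claims;
    }
}
```

The two overrides are where the security decisions live: GetScope is the audience check (who may receive a token, which key encrypts it, where the response may be sent), and GetOutputClaimsIdentity is the transformation itself. The assurance requirement that the sample is about is enforced by binding the STS endpoint to certificate authentication and, as a second line, by refusing to issue when the caller's identity carries no X.509 distinguished-name claim.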
Here follow some of my test drives – primarily the ones that include some UI.
Issuing a managed Information Card:

Information Card login:

The CardSpace UI asking me to choose the Information Card to send (not running in a virtual environment, I was forced to take a cell phone snapshot :-):

Granted access to the IC guarded web site:

Zermatt comes with an ASP.Net control for Information Card login (the “Click Here” and IC logo on the second picture):

So much for the UI stuff! Really, the meat and potatoes of Zermatt is the ability to create your own STSs and thereby architect your identity management in the way that makes the most sense to you and your application, without writing a lot of plumbing. So I hope to really dig into that part of Zermatt in the near future.
A better introduction to Zermatt is given by Keith Brown whose whitepaper can be downloaded here.
[Post updated July 11'th: resizing pictures...etc.]