One of the hottest topics for ISVs is identity. The ability to identify a user and provide the correct details for that user is a challenge all ISVs face. ISVs need a federated identity, an identity that you can get from your customers. You need to be able to use that identity regardless of whether it comes from Active Directory or some other provider.
Microsoft Code Name “Geneva” is an identity platform whose foundation is the claims-based access model. It is built on Security Token Service (STS) technology that we’ve been developing over the past few years as part of an industry effort to create a single identity system based on standard protocols.
“Geneva” helps simplify user access for developers by externalizing access logic from applications via claims, and by reducing development effort with pre-built security logic and integrated .NET tools.
Geneva is made up of several main parts:
- Geneva Server, formerly called Active Directory Federation Services 2.0.
- Geneva CardSpace Client, a smaller and faster version of the identity client now available with Vista.
- Geneva Framework, which was formerly code-named Zermatt.
In addition, we provide:
- .NET Access Control Service, which is designed to create a sort of identity backbone and connection to the cloud.
- Microsoft Service Connector
- Microsoft Federation Gateway
To learn more about Geneva, see the Microsoft Code Name “Geneva”. For architecture details, see Introducing Geneva whitepaper by David Chappell.
It’s important to point out here that although the technologies work together, you can use them separately. For example, Geneva Server does not require CardSpace Client.
The Geneva family of identity software and services is expected out by the second half of 2009.
Geneva Server
Geneva Server is an STS that augments Active Directory and installs on a domain controller or a server on the network. It implements a security token service (STS) that responds to WS-Trust requests. It supports browsers and other clients, such as Windows Communication Foundation (WCF). Although it supports the XML-based Security Assertion Markup Language (SAML) 2.0 protocol, you can create your own tokens for your application.
For more information about the business problems addressed by “Geneva” Server and its features, see “Geneva” Server overview. To learn how to configure “Geneva” Server in an end-to-end scenario, see Step-By-Step Guide. To see specific steps and explanations for various procedures within “Geneva” Server, see Getting Started with “Geneva” Server. You can download community previews for both x86 and x64 from Microsoft Code Name “Geneva”.
Geneva CardSpace Client
Windows CardSpace “Geneva” helps users navigate access decisions. It can be used with Web browsers, with Windows clients, or with WCF. While a user doesn’t have to have Geneva CardSpace to access the data, the user can use Geneva CardSpace as a consistent way of selecting what identity is shared.
Geneva Framework
The Geneva Framework is an extension to the .NET Framework 3.5 that helps developers more easily build applications that incorporate a claims-based identity model for authentication/authorization. Your applications could plug into the bus in order to authenticate users and provide access control.
Your authorization code can be as easy as one line of code, similar to that of Windows identity in .NET Framework.
Geneva Framework uses standard protocols such as WS-Federation, WS-Trust, and Security Assertion Markup Language (SAML). Data contained in the claims can come from Active Directory, LDAPv3-based directories, application-specific databases, and new user-centric identity models such as Windows Live ID, OpenID and InfoCard systems including CardSpace and Novell’s Digital Me.
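As an added illustration (not code from this post or from the Geneva Framework itself) of what “externalizing access logic” and the one-line role check look like in C#. It assumes the Microsoft.IdentityModel.Claims namespace of the Geneva Framework beta, with ClaimsAuthorizationManager, AuthorizationContext and IClaimsPrincipal as later shipped in Windows Identity Foundation; the issuer name is a constructed value.

```csharp
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // Geneva Framework namespace (assumed; later shipped as WIF)

// Registered in the application's identity configuration so the framework calls CheckAccess
// before a request reaches page or service code: the access policy lives outside the app.
public class ExpenseAuthorizationManager : ClaimsAuthorizationManager
{
    // Name the framework's trust configuration assigns to our own STS (constructed value);
    // a role claim minted by any other issuer is ignored even if the role string matches.
    const string TrustedIssuer = "CorporateGenevaServer";

    public override bool CheckAccess(AuthorizationContext context)
    {
        var principal = context.Principal as IClaimsPrincipal;
        if (principal == null) return false;

        // Resource and Action arrive as claim collections; one action per request here.
        string action = context.Action.Select(a => a.Value).FirstOrDefault();

        // Gather role claims from every identity in the principal, trusted issuer only.
        var roles = principal.Identities
            .SelectMany(identity => identity.Claims)
            .Where(c => c.ClaimType == ClaimTypes.Role && c.Issuer == TrustedIssuer)
            .Select(c => c.Value)
            .ToList();

        switch (action)
        {
            case "SubmitExpense":  return roles.Contains("Employee");
            case "ApproveExpense": return roles.Contains("Approver");
            default:               return false;   // deny anything the policy does not name
        }
    }
}

public static class ExpenseService
{
    // The "one line" the post refers to: IsInRole is answered from the role claim in the
    // token, so the call reads exactly as it would against a WindowsIdentity.
    public static bool CallerCanApprove()
    {
        return Thread.CurrentPrincipal.IsInRole("Approver");
    }
}
```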
.NET Services Access Control Service
.NET Access Control (NAC) is a service on the Azure Services Platform. NAC is an STS that takes in authentication claims and outputs authorization claims based on a set of rules that can be defined via a management portal. The service lets users create and maintain rules and integrates with the Federation Gateway.
The Microsoft .NET Access Control Service helps you avoid the complicated programming that is normally required to secure applications that extend beyond organizational boundaries. With its support for a simple declarative model of rules and claims, Access Control Service rules can easily and flexibly be configured to cover a variety of security needs and different identity-management infrastructures.
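As an added example (not code from this post or from the Access Control Service) of the rule model just described: input claims from an identity provider go in, and only the authorization claims that a rule produces come out. The claim and rule types, issuer names and sample claims are all constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Minimal claim and rule types for this illustration; they are not the service's own API.
public class Claim { public string Type; public string Value; public string Issuer; }
public class Rule
{
    public string InputIssuer, InputType, InputValue;   // what the identity provider asserted
    public string OutputType, OutputValue;              // the authorization claim the app sees
}
public static class ClaimMapper
{
    // Only claims produced by a rule leave the STS: an e-mail or group claim never reaches
    // the application unless a rule names it, and a rule fires only for the issuer it names.
    public static List<Claim> Transform(IEnumerable<Claim> input, IEnumerable<Rule> rules, string outputIssuer)
    {
        var output = new List<Claim>();
        foreach (var rule in rules)
        {
            bool matched = input.Any(c => c.Issuer == rule.InputIssuer
                                       && c.Type == rule.InputType && c.Value == rule.InputValue);
            if (matched && !output.Any(o => o.Type == rule.OutputType && o.Value == rule.OutputValue))
                output.Add(new Claim { Type = rule.OutputType, Value = rule.OutputValue, Issuer = outputIssuer });
        }
        return output;
    }
    public static void Main()
    {
        const string corpSts = "urn:example:corp-sts";          // constructed issuer names
        const string acs = "urn:example:access-control";
        var rules = new[]
        {
            new Rule { InputIssuer = corpSts, InputType = "group", InputValue = "Finance",
                       OutputType = "action", OutputValue = "ReadInvoices" },
            new Rule { InputIssuer = corpSts, InputType = "group", InputValue = "FinanceManagers",
                       OutputType = "action", OutputValue = "ApproveInvoices" },
        };
        // Constructed input: Alice's token from the corporate STS, plus a same-named group
        // claim from an issuer no rule trusts, which must not produce any output claim.
        var alice = new[]
        {
            new Claim { Type = "email", Value = "alice@example.com", Issuer = corpSts },
            new Claim { Type = "group", Value = "Finance", Issuer = corpSts },
            new Claim { Type = "group", Value = "FinanceManagers", Issuer = "urn:example:untrusted" },
        };
        foreach (var c in Transform(alice, rules, acs))
            Console.WriteLine(c.Type + " = " + c.Value);
    }
}
```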
Microsoft Federation Gateway
The Microsoft Federation Gateway (MFG) is an identity backbone that runs as part of the Azure Services Platform. Geneva Server or third-party STS gateways can connect to MFG, which provides identity services to cloud applications such as Exchange, SharePoint and SQL Server. Developer services would also be securely accessed via MFG.
The gateway acts as a hub for all the connections the organization wants to make, whether to a developer application built on Windows® Azure™ or to a Microsoft application running in the cloud.
For more information, see Quick Start for the Microsoft Federation Gateway.
Microsoft Service Connector
The Microsoft Service Connector (MSC) is a fixed-function gateway that lets users connect Active Directory with the Microsoft Federation Gateway. MSC, which will be a free download, is a lightweight version of Geneva Server. MSC is in a community technology preview (CTP) now, with a beta and final release slated for the first half of next year. For more information, see Microsoft Service Connector.