The Cover PagesThe OASIS Cover Pages: The Online Resource for Markup Language Technologies
SEARCH | ABOUT | INDEX | NEWS | CORE STANDARDS | TECHNOLOGY REPORTS | EVENTS | LIBRARY
SEARCH
Advanced Search
ABOUT
Site Map
CP RSS Channel
Contact Us
Sponsoring CP
About Our Sponsors
NEWS
Cover Stories
Articles & Papers
Press Releases
CORE STANDARDS
XML
SGML
Schemas
XSL/XSLT/XPath
XLink
XML Query
CSS
SVG
TECHNOLOGY REPORTS
XML Applications
General Apps
Government Apps
Academic Apps
EVENTS
LIBRARY
Introductions
FAQs
Bibliography
Technology and Society
Semantics
Tech Topics
Software
Related Standards
Historic
Created: October 29, 2008.
News: Cover StoriesPrevious News ItemNext News Item

Microsoft 'Geneva' Framework Supports SAML 2.0, WS-Federation, and WS-Trust.

Contents

Microsoft has announced a new identify management strategy, which is "becoming more important with the growth of cloud-based computing and its associated need for new ways to access software and services from any location or device." The single, simplified, claims-based identity model code-named "Geneva" includes support for several standards in the federated identity space, including SAML 2.0, WS-Federation, and WS-Trust.

According to the Microsoft announcement, "'Geneva' includes built-in interoperability via open industry standards and claims, and implements the industry Identity Metasystem vision for open and interoperable identity. It includes three components for enabling claims-based access. Beta 1 of the following components are now available for public evaluation:

  • 'Geneva' Framework: Previously called 'Zermatt', the Geneva Framework helps developers build claims-aware .NET applications that externalize user authentication from the application and helps them build custom Security Token Services (STSs). It supports WS-Federation, WS-Trust, and SAML 2.0.

  • 'Geneva' Server: Geneva Server is an STS that issues and transforms security tokens and claims, manages user access, and enables easy federation. Based on the 'Geneva' framework, it also supports WS-Federation, WS-Trust, and SAML 2.0.

  • Windows CardSpace 'Geneva': CardSpace 'Geneva' will be the next version of Windows CardSpace. It has a much smaller download footprint, starts fast, and has some innovative user interface improvements made in response to feedback from the first version."

Geneva is Microsoft's open platform for simplified user access based on claims. In the Geneva context, claims "describe identity attributes and can be used to drive application and other system behaviors with an open architecture that implements the industry's shared Identity Metasystem vision... The Identity Metasystem is a shared industry vision that defines a single identity model for the enterprise, federation, and the consumer and citizen Web. Claims issued by security token services (STS) are used in the Identity Metasystem to help applications make user access decisions across applications and systems regardless of location or architecture. Claims are delivered inside security tokens produced by an STS, and can disclose identity information selectively."

The claims-based solution avoids asking developers to connect to any particular enterprise directory in order to look up identity details for users. Instead, the user's request arrives with all of the identity details the application needs to do its job. By the time the user arrives with these claims, the user has already been authenticated, and the application can go about its business without worrying about managing or finding user accounts.

As presented by Microsoft's Don Schmidt:

'Geneva' helps IT professionals to efficiently deploy and manage new applications by reducing user account management, promoting a consistent security model, and facilitating seamless collaboration across departmental, organizational and vendor boundaries. User access benefits include shortened provisioning lead times, reduced accounts, passwords and logins, and enhanced privacy support. 'Geneva' implements the Identity Metasystem vision for open and interoperable identity, and includes built-in support for standard federated identity protocols.

A fundamental goal of 'Geneva' is to extend the reach of its predecessor, Active Directory Federation Services, and provide a common identity programming model for developers of both web applications and web services. To maximize interoperability with clients and servers from other vendors, it supports the WS-Trust, WS-Federation and SAML 2.0 protocols. To maximize administrative efficiency 'Geneva' automates federation trust configuration and management using the new harmonized federation metadata format (based on SAML 2.0 metadata) that was recently adopted by the [OASIS] WSFED TC.

WS-Trust is provided to support Information Card based Identity Selectors from third parties, as well as Windows CardSpace. WS-Federation is required to maintain interoperability with existing federations being operated by government agencies, military organizations and business enterprises around the world. 'Geneva' support for SAML 2.0 was added in direct response to customer requests for increased cross-platform interoperability..."

A blog article from Mike Jones highlights support for the OASIS Security Assertion Markup Language (SAML) V2.0:

Microsoft's 'Geneva' Identity Server product will support the SAML 2.0 protocol. Specifically, we will be supporting the SAML 2.0 IdP Lite and SP Lite profiles and the US Government GSA profile. Customers had told us that these SAML profiles are important to them and we're responding to that feedback by implementing them in 'Geneva' Server...

I'll add that the SAML 2.0 support doesn't stop with the server. SAML 2.0 is also supported by the 'Geneva' Identity Framework — a .NET application development framework formerly known as 'Zermatt' and 'IDFX', which likewise also supports WS-Federation and WS-Trust. In short, the same identity development framework components that are being used to build 'Geneva' Server will be available to all .NET developers as the 'Geneva' Identity Framework...

The 'Geneva' solution is designed to address a number of challenges faced by businesses and governments needing to enable collaboration within the enterprise, across organizational boundaries, and on the Web. There are "too many different identity technologies for developers to choose from; often that are expensive and complex to implement and manage. It is often difficult to interoperate heterogeneous applications and systems, and hard to adapt applications to new scenarios. Emerging cloud services and SOA trends could amplify these challenges. The 'Geneva' solution is designed to work for on-premises and cloud-based applications in the enterprise, in federated networks, and on the consumer Web, using interoperable standards that can interface with a variety of technologies... Consumers and information workers can benefit from help navigating logins, managing different personas, and controlling how personal information is shared... Also announced as part of Microsoft's cloud strategy are Microsoft Services Connector and .NET Access Control Service, which are both built on 'Geneva' technology and share the same claims architecture."

'Geneva' Description from Datasheet and White Papers

Microsoft has published several resources describing 'Geneva' in connection with the Beta rollout. Three documents are excerpted here.

  • 'Geneva' Claims Based Access Platform: Key Features

    • .NET developer tools including pre-built user access logic based on one common identity model that externalizes authentication from applications
    • Ability to change user authentication methods with minimal application re-work
    • Federation provider STS with simple administration tools to quickly set up federations
    • Federation between on-premises directories and cloud services for seamless SSO
    • Identity provider STS to issue and transform claims
    • STS transformation between claims and non-claims token formats to enable interoperability and SSO between claims-aware and nonclaims applications
    • Ability to issue managed CardSpace identity cards
    • Next generation CardSpace identity selector client to help users navigate between multiple identities
    • User control and transparency for how personal information is shared
    • Streamlined download and installation for efficient user experiences on the client and Web
    • Support for both WS-* and SAML 2.0 protocols, plus updated token format support for SAML 2.0

  • Introducing Geneva: An Overview of the "Geneva" Server, CardSpace "Geneva" and the "Geneva" Framework, by David Chappell:

    Claims-based identity is a straightforward idea, founded on a small number of concepts: claims, tokens, identity providers, and a few more... When a digital identity is transferred across a network, it's just a bunch of bytes. It's common to refer to a set of bytes containing identity information as a security token or just a token. In a claims-based world, a token contains one or more claims, each of which carries some piece of information about the user it identifies...

    Claims can represent pretty much anything about a user. In this example, for instance, the first three claims in the token contain the user's name, an identifier for a group she belongs to, and her age. Other tokens can contain other claims, depending on what's required. To verify its source and to guard against unauthorized changes, a token's issuer digitally signs each token when it's created... But who issues tokens? In a claims-based world, tokens are created by software known as a security token service (STS).

    In a typical scenario, an application working on behalf of a user, such as a Web browser or another client, asks an STS for a token containing claims for this user (step 1). This request is made using the standard protocol WS-Trust. (In fact, support for WS-Trust is one of the defining characteristics of an STS.) This request is authenticated in some way, such as by providing a Kerberos ticket, a password from the user, or something else. The request typically contains both the name of the user for whom this token should be issued and a URI identifying the application the user wishes to access. The STS then looks up information about the user and the application in a local database (step 2). As the figure shows, this database maintains account information and other attributes about users and applications. Once the STS has found what it needs, it generates the token and returns it to the requester (step 3)....

    Claims, tokens, identity providers, and STSs are the foundation of claims-based identity. They're all just means to an end, however. The real goal is to help a user present her digital identity to an application, then let the application use this information to decide what she's allowed to do... For example, a Web browser or other client acting on behalf of a user gets a token for a particular application from an STS that's owned by some identity provider (step 1). Once it has this token, the browser or client sends it to the application (step 2), which attempts to verify its signature. If this verification works, the application knows which STS, and thus which identity provider, issued the token. If the application trusts this identity provider, it assumes the claims in the token are correct and uses them to decide what the user is allowed to do (step 3)...

    While claims-based identity does specify important aspects of these interactions, such as how tokens are requested from an STS, this approach explicitly omits defining other things. For example, the claims-based approach doesn't mandate any particular format for tokens. It's common today to use tokens defined using the XML-based Security Assertion Markup Language (SAML), but this isn't required. Any token format that an application and an STS agree on can be used.

    While the "Geneva" Server adds quite a bit to its predecessor AD FS, including a full-fledged STS, it also supports all of the functions of its earlier incarnation. For example, as mentioned earlier, the "Geneva" Server allows using WS-Federation to provide identity federation for passive clients (i.e., Web browsers). Unlike AD FS, however, the "Geneva" Server also supports using the SAML 2.0 protocol for this purpose, as mentioned earlier. Supporting this alternative protocol, which has been embraced by the Liberty Alliance and others, allows Windows systems with the "Geneva" Server to work with a broader range of identity federation products...

    CardSpace "Geneva" is the second version of Microsoft's CardSpace technology. The basics are the same as in the original, with enhancements that reflect what CardSpace's designers have learned since its first release... When a user selects a card, CardSpace "Geneva" requests a token from an STS at the corresponding identity provider. But how is the connection made between the card seen by a user and this STS? The answer is that each association between a card and an identity provided by some STS is represented by an information card.

    An information card is just an XML file, and as the figure shows, each one represents a relationship with an identity provider. This relationship lets the user get tokens from the identity provider for use with applications willing to accept these tokens. The information card contains everything needed to find the right STS at the right identity provider, then request a token for the identity this card represents. The card doesn't contain any claims, however; these are all maintained by the identity provider. The sole purpose of the information card is to store the information needed to find the right STS and request a token for a particular identity. A user selects a card (a visual representation) that's associated with an information card (an XML file) that contains all of the information needed to request a token (a signed group of bytes issued by an STS)...

    Another challenge for information card-based identity is supporting roaming users. Many of us use a desktop computer at work, another one at home, and a laptop while we're traveling, yet we'd like to present the same digital identity from all of them. To allow a user to roam among these different machines, CardSpace provides a card export feature. This option allows copying information cards onto an external storage medium, such as a USB key. The cards can then be installed onto other machines, letting a user request security tokens from identity providers in the same way whether he's using his home computer, his office computer, or his laptop in a hotel room. To guard against attacks, exported information cards are encrypted using a key derived from a user-selected pass-phrase. This ensures that even if the storage medium is lost, only someone who knows the pass-phrase can decrypt the cards it contains...

    Yet another issue that CardSpace "Geneva" must address is revocation. Once an identity provider has issued an information card to a user, how can that card be revoked? In the simplest case, the identity provider itself might wish to stop issuing security tokens based on this card. Perhaps using this identity provider requires a paid subscription, for example, and the user hasn't kept up his payments. Revocation in this case is simple: the identity provider just stops honoring requests for security tokens made with this card. Every request carries a unique CardSpace reference, so it's easy for the identity provider to identify requests made with cards it has revoked...

    Why can't the user act as her own identity provider, requesting tokens from an STS installed on her own machine? The answer is that, by using the self-issued identity provider that's part of CardSpace "Geneva", she can. Using the self-issued identity provider changes a number of things, such as how much trust an application can place in the claims this provider issues, but the mechanics remain much the same... When the user selects the card associated with this identity, the CardSpace "Geneva" identity selector requests a SAML token from the local self-issued identity provider, then sends that token to whatever application the user is accessing. The claims in this token are fixed — users can't add to them —and they include basic information such as the user's name...

    An STS provides tokens containing identity information, while an identity selector helps users choose which tokens they'd like to use. Yet both are pointless unless applications are modified to accept and use these tokens. The goal of the "Geneva" Framework is to make it easier to do this, helping developers create claims-aware applications.

    The "Geneva" Framework provides built-support for verifying a token's signature and extracting its claims. Each claim is extracted into an instance of the "Geneva" Framework-defined Claim class, providing a consistent way for developers to work with a token's information. This class's properties include things such as: (1) ClaimType, indicating what kind of claim this is. Does the claim contain a user's name, for example, or a role, or something else? Claim types are identified by strings, which are typically URIs. (2) Value, containing the actual content of the claim, such as the user's name. (3) Issuer, which specifies the identity provider this claim came from. In other words, this is the entity asserting that this claim is true. Along with helping developers create claims-aware applications, the "Geneva" Framework also provides support for creating a custom STS..."

  • Geneva Framework for Developers, by Keith Brown and Sesha Mani:

    "Most developers are not security experts and many feel uncomfortable being given the job of authenticating, authorizing, and personalizing experiences for users. It's not a subject that has been traditionally taught in computer science curriculum, and there's a long history of these features being ignored until late in the software development lifecycle.

    It's not surprising nowadays to see a single company with tens or hundreds of web applications and services, many of which have their own private silo for user identities, and most of which are hardwired to use one particular means of authentication. Developers know how tedious it is to build identity support into each application, and IT pros know how expensive it is to manage the resulting set of applications.

    One very useful step toward solving the problem has been to centralize user accounts into an enterprise directory. Commonly it's the IT pro that knows the most effective and efficient way to query the directory, but today the task is typically left up to the developer. And in the face of mergers, acquisitions, and partnerships, the developer might be faced with accessing more than one directory, using more than one API...

    When you build claims-aware applications, the user presents her identity to your application as a set of claims. One claim could be the user's name, another might be her email address. The idea here is that an external identity system is configured to give your application everything it needs to know about the user with each request she makes, along with cryptographic assurance that the identity data you receive comes from a trusted source.

    Under this model, single sign-on is much easier to achieve, and your application is no longer responsible for: (1) Authenticating users; (2) Storing user accounts and passwords; (3) Calling to enterprise directories to look up user identity details; (4) Integrating with identity systems from other platforms or companies.

    Under this model, your application makes identity-related decisions based on claims supplied by the user. This could be anything from simple application personalization with the user's first name, to authorizing the user to access higher valued features and resources in your application...

    In order to make [transactions] interoperable, several WS-* standards are used in the above scenario. Policy is retrieved using HTTP GET and the policy itself is structured according to the WS-Policy specification. The STS exposes endpoints that implement the WS-Trust specification, which describes how to request and receive security tokens. Most STSs today issue SAML tokens (Security Assertion Markup Language). SAML is an industry-recognized XML vocabulary that can be used to represent claims in an interoperable way. This adherence to standards means that you can purchase an STS instead of building it yourself. Or, if you end up in a sticky multi-platform situation, this allows you to communicate with an STS on an entirely different platform and achieve single sign-on across all of your applications, regardless of platform. Identity federation also becomes an option...

    Smart clients aren't the only ones who can participate in the world of claims-based identity. Browser-based applications (also referred to as passive clients) can participate as well. The user points her browser at a claims-aware web application (relying party). The web application redirects the browser to the STS so the user can be authenticated. The STS in [the example] is wrapped by a simple web application that reads the incoming request, authenticates the user via standard HTTP mechanisms, and then creates a SAML token and emits a bit of JavaScript that causes the browser to initiate an HTTP POST that sends the SAML token back to the relying party. The SAML token in the POST body contains the claims that the relying party requested. At this point it is common for the relying party to package the claims into a cookie so that the user doesn't have to be redirected for each request. The WS-Federation specification includes a section3 that describes how to do these things in an interoperable way...

    Identity Federation: When you build claims-aware web applications and services, you decouple yourself from any one user store. All you want to know is that an authority you trust has given you the identity details you need about the user who is using your application. You don't have to worry about what domain or security realm that user happens to be part of. This makes it a lot easier to federate identity with other platforms or organizations...

    Geneva Framework: Claims-based identity has been evolving within the Microsoft .NET Framework during the last few years. Active Directory Federation Services (ADFS) was released with Microsoft Windows Server 2003 R2, and included its own claims-based programming model. Soon afterward, the .NET Framework version 3.0 shipped with a little assembly called 'System.IdentityModel.dll', which included classes like Claim and ClaimSet, and WCF exposed an AuthorizationContext that allowed you to access these in a web service. Another pillar of this new framework was CardSpace, and some sample code was released that helped to decrypt and parse SAML tokens obtained by dereferencing an information card. And while WCF already has all the plumbing you need to build an STS from scratch, many of the classes you'd need to use are marked internal, making the task rather challenging for anyone outside of the WCF team. Suffice it to say that in the .NET Framework 3.0 timeframe, the developer story around claims wasn't very appealing. Geneva Framework solves this problem. It was designed to unify and simplify claims-based applications. It builds on top of WCF's plumbing to implement WS-Trust and comes with an HttpModule called the WS-Federation Authentication Module (FAM) that make it trivial to implement WS-Federation in a browser-based application by simply tweaking your 'web.config' file a bit...

Presentations and Papers

  • [October 23, 2008] Introducing Geneva: An Overview of the "Geneva" Server, CardSpace "Geneva" and the "Geneva" Framework. By David Chappell. Whitepaper. 28 pages. This paper presents the three main components of "Geneva" and how they work together to help solve application access problems with a single simplified access model. Understand how claims can be used across a wide variety of scenarios including enterprise, federation and Web. In this paper new concepts and terminology are introduced to help architects, developers and IT professionals understand the benefits and concepts behind the claims-based model of identity. A background in developing, deploying or managing web applications and services that entail user authentication is expected. HTTPS

  • [October 24, 2008] Geneva Framework for Developers. By Keith Brown and Sesha Mani. Whitepaper. 39 pages. The goal of this whitepaper is to help developers get started building claims-aware applications using the Geneva Framework. In this paper concepts and terminology are introduced to help developers understand the benefits and concepts behind the claims-based model of identity. Security expertise is not required but familiarity with ASP.NET or WCF programming is. A background in building web applications or services that care about authentication and authorization is expected. As such, the focus of the paper is on building relying parties using the framework. Issuance and security token services (STS) is discussed and an example of an STS built using the framework is provided, but that is not the focus of this paper.

  • 'Geneva' Claims Based Access Platform. Beta 1 Datasheet. Microsoft Corporation. 2 pages.

  • [October 28, 2008] Identity Roadmap for Software + Services. Presentation by Kim Cameron and Bertocci Vittorio. Identity@PDC08: Roadmap session. Requires Silverlight.

  • "Geneva" Webcast Series (MSDN Webcasts), November 2008:

    • "Geneva" Server and Framework Overview (Level 300). Stuart Kwan. November 04, 2008 11:00 AM Pacific Time. Event ID: 1032394337. Attend this webcast to see how you can use Microsoft code name "Geneva" Server and the claims-based identity model to enable single sign-on, strong authentication, federation, and the ability to flow user authentication between applications. Learn how to use "Geneva" with Microsoft ASP.NET, Windows Communication Foundation (WCF), Active Directory, Windows Live ID, and Windows CardSpace.
    • "Geneva" Deep Dive (Level 400). Jan Alexander. November 11, 2008 11:00 AM Pacific Time. Event ID: 1032394339. We examine the architecture of "Geneva" and how you can customize the architecture for advanced security scenarios. At the center of the discussion is the Security Token Service (STS), a core component that provides authentication and identity services. Learn how many applications benefit from an embedded STS and how many scenarios call for an STS that is built on a specialized user store.
    • Windows CardSpace "Geneva" Under the Hood (Level 400). Micah LaNasa. November 18, 2008 11:00 AM Pacific Time. Event ID: 1032394341. Windows CardSpace provides a consistent, hardened sign-in experience that uses standard protocols and works with both thin and smart client applications. Join this webcast to learn about the features and architecture of the next version of the Windows CardSpace client software for the Microsoft code name "Geneva" identity framework.

Blogs and Commentary

  • [October 28, 2008] Microsoft 'Geneva' Server Supports SAML 2.0 By Don Schmidt (Microsoft). "At the Professional Developers Conference this week Microsoft is announcing the beta release of 'Geneva', the codename for its new claims based access platform. This platform helps developers and IT professionals simplify user access to applications and other systems with an open claims-based model... To maximize administrative efficiency 'Geneva' automates federation trust configuration and management using the new harmonized federation metadata format (based on SAML 2.0 metadata) that was recently adopted by the WSFED TC... [as blogged:] The key to automation is enabling IPs and SPs to publish their federation metadata in a standard format which can be exchanged between potential partners. The Shibboleth community has demonstrated the effectiveness of this approach. The SAML 2.0 standard includes the Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 specification that is devoted to standardization of a federation metadata format. Federation metadata has also been a critical component of the WS-Federation specification that was submitted to OASIS. A key goal has been to develop a single specification that can support both passive web application and active web service requestors. In the interests of promoting engineering efficiencies for developers, and interoperability enhancements for deployers, the WSFED TC decided to make a substantive change to its federation metadata document structure during the first Public Review cycle. WS-Federation has been revised to take a normative dependency on the SAML 2.0 federation metadata document structure..."

  • [October 28, 2008] Next News from the PDC: SAML 2.0 Protocol Support in 'Geneva' Server By Mike Jones (Microsoft). "As Don Schmidt wrote this morning, Microsoft's Geneva Identity Server product will support the SAML 2.0 protocol... Those of you who were at Kim Cameron's Identity Roadmap for Software + Services presentation at the PDC got to see Vittorio Bertocci demonstrate SAML federation with 'Geneva' Server to a site running IBM's Tivoli Federated Identity Manager. The Geneva Server is the successor to Active Directory Federation Services (ADFS). It will, of course, interoperate with existing ADFS and other federation implementations using the WS-Federation protocol. In addition, it adds WS-Trust support for issuing Information Cards, letting it work with Windows CardSpace and other Identity Selectors..."

  • [October 28, 2008] Identity@PDC08: Roadmap session with Kim Cameron. By Vittorio Bertocci (Microsoft). "Yesterday I had the honor and privilege of presenting with Kim Cameron himself a session about Microsoft's identity strategy. I believe it is the first time in our history that we present in a single deliverable pretty much ALL of our identity-related products and initiatives, regardless of shipping vehicle (product or service) or product team (live, federated identity, .net services)... I supported the point by showing an end to end demo that used in a realistic scenario each and every product/service mentioned, and even demonstrated interop with Tivoli Federated Identity Manager. In the near future I will write waaay more diffusely about the demo (and give credit where is due, where possible)..."

  • [October 29, 2008] Windows CardSpace 'Geneva' Beta. By Rob Franco, Mike Jones, Tariq Sharif, and Anand Sivaramakichenane. Geneva Team Blog — Federated Identity and the Identity Metasystem. "We're proud that CardSpace is no longer an only child! We've announced two new siblings: Geneva Server for IT Pros and Geneva Framework for.NET developers. Both can help you deploy CardSpace for user access or can implement claims-based access without CardSpace. It's your choice to tailor how the pieces work together for your needs... In this beta, CardSpace 'Geneva' takes on a minimalist form. Users now have a small, fast and straightforward prompt to choose their Information Card. Some users may recognize the prompt as the standard Windows Credential UI, and based on results from our usability studies, users will understand the context of the prompt at a glance. If the user decides to use an Information Card, sign in and claims presentation can be as simple as a single click... Much of the plumbing needed to support existing cards isn't available yet in this beta, including the code to import and export cards from .crds files and support for personal (self-issued) cards. When included, self-issued cards will offer privacy conscious users or developers the ability use their own cards rather than downloading cards from a provider. We think of these as analogous to a business card, serving as an excellent introduction, but offering no third party verification of your identity. Card issuers can enable retrieving the information that CardSpace needs to use a card either via the WS-MetadataExchange protocol or via HTTP GET over HTTPS. This beta only supports retrieving this information via HTTP GET. We will look into the support for WS-MetadataExchange for the next public release. This release continues to support the standard version of WS-Trust (version 1.3) for its interactions with an Identity Provider. This beta will not import the cards you may have currently installed with CardSpace v1. You will have to download and install those cards again to work with this beta..."

  • [October 28, 2008] Related: Windows Live ID Becomes an OpenID Provider. See also the articles by Mike Jones and Jason Kincaid. Kincaid: "Login standard OpenID has gotten a huge boost today from Microsoft, as the company has announced that users will soon be able to login to any OpenID site using their Windows Live IDs. With over 400 million Windows Live accounts (many of which see frequent use on the Live's Mail and Messenger services), the announcement is a massive win for OpenID. And Microsoft isn't just supporting OpenID — the announcement goes as far as to call it the de facto login standard. The news parallels Yahoo's announcement in January that users would be able to use their Yahoo IDs on any OpenID site - a move that instantly tripled the protocol's potential user base. But it also comes with the same caveat that we had with the Yahoo news: while Windows Live accounts will work for logging into other sites, it's unclear if Live will become a 'relying party' that would allow users to login with third party OpenIDs..."

  • [October 28, 2008] Microsoft and the SAML protocol come together in Geneva. By Gerry Gebel. Burton Group. "Geneva is the successor to the Active Directory Federation Services (ADFS) product and the Zermatt developer framework announced over the summer and has a broad scope as Microsoft's 'claims based access platform.' Geneva includes the runtime server apparatus to support claims based applications, a developer framework for building those applications, and an enhanced Geneva CardSpace client. This is another positive step for Microsoft as this announcement addresses one of the main pain points for its customers that want to operate in many federation scenarios without imposing a specific protocol on partner organizations. Geneva, according to the announcement, contains support for WS-Federation, SAML 2.0 IDP lite and SP lite profiles, the GSA profile used by the U.S. federal government, WS-Trust and information cards. Finally, Microsoft customers will be able to interoperate in a heterogeneous federation environment using Microsoft tools exclusively. Some early interop testing has already occurred with Internet 2 Shibboleth and IBM's Tivoli Federated Identity Manager. Microsoft's Geneva announcement moves applications toward a cleaner architecture that rely on shared services for authentication as well as authorization information. The next step we're waiting to hear about is entitlement management and policy enforcement. Today, that is still handled by the developer within the business application. Will Microsoft also externalize that function a la entitlement management tools?"

  • [October 27, 2008] "Microsoft's new Identity Platform is called Geneva." By Felix Gaehtgens. Kuppinger Cole. "Microsoft is making several important announcements in the identity management area at this week's Professional Developer's conference. What many are eagerly awaiting is the final decision on SAML 2.0 protocol support (the answer to that is yes, and it is available in beta as of today). This however is just one small detail. The real news is that Microsoft's is shifting gears with respect to its Identity and Access strategy and setting the groundwork for the future — by delivering the first beta of an integrated claims-based identity metasystem. And of course, there's a new code name for it too: 'Geneva' — an open claims-based platform. Geneva will be the identity platform to enable the cloud services architecture 'Windows Azure' that was equally announced this morning at PDC... Geneva has several components, some of which have been around for a while and are now (with substantial enhancements) bundled under the new platform. The 'Geneva Server' is the successor of Active Directory Federation Services (ADFS) with such significant enhancements that it really is much more than 'just the next version' of ADFS. The 'Geneva framework' is the new name for what Microsoft released as 'Zermatt' just a few months ago (see the official announcement and our review of Zermatt). Finally, there's 'Cardspace Geneva' — a new version of the Windows Infocards selector. Geneva Server, the successor to ADFS now supports SAML 2.0 protocol. The current Beta1 supports the ability to post but not yet to receive. The final version will be certified by the Liberty Alliance in the IdP Lite and SP Lite profiles..."

  • [October 27, 2008] Microsoft to Unveil Tools to Push Identity Platform Into the Cloud. By John Fontana. Network World. "Microsoft unveils an open identity platform code-named Geneva that extends to the cloud and includes development tools, gateway technologies and provides long-awaited support for the SAML 2.0 protocol. The goal is to create a standards-based way to share 'claims' and to connect with cloud-based services from Microsoft or other providers. Claims are a set of statements that identify a user and provide specific information such as title or purchasing authority. Geneva will let companies with Active Directory extend it to create single sign-on between local network resources and cloud services. In addition, developers will have tools to easily incorporate standards-based identity into the applications they build and IT will have choice in the identity services they roll out. Geneva Server is an STS that augments Active Directory and installs on a domain controller or a server on the network. It supports WS-Federation, WS-Trust and the SAML 2.0 protocol. Microsoft previously only supported the SAML 2.0 token... The STS handles the exchange of claims and is part of Microsoft's MetaSystem model for a distributed identity architecture. Beta 1 of the Geneva Server is available now. A second beta will be released in the first half of next year and the product will ship in the second half of 2009. Geneva CardSpace Client, which has been upgraded to be more efficient, and the Geneva Framework will follow the same roadmap. The Geneva Framework is an extension to the .Net Framework 3.5 that helps developers more easily build applications that incorporate a claims-based identity model for authentication/authorization. The framework and the STS technology are building toward Microsoft's ultimate goal of an 'identity bus'..."

  • [October 27, 2008] PDC: Microsoft Releases Geneva Beta. By Jeffrey Schwartz. Redmond Developer News. Microsoft today released the first beta of its federated identity services framework aimed at simplifying the way enterprises deploy authentication services. The company's Geneva framework is aimed at bringing claims-based federated identity management that extends to individuals, enterprises and online services. The framework allows organizations to deploy various standards-based identity protocols — including SAML, WS-Federated, WS-Identity and OpenID — and provides a common exchange across various gateways and security token services (STSs)... Geneva will bring a write-once anywhere model that should take the burden off developers from addressing identity into their applications... The company unveiled .NET Access Control Services, which is part of Microsoft's newly launched cloud-based service called Windows Azure (until today known as Project Red Dog). It is a tool that allows developers to determine access controls..."

Principal References
Hosted By
OASIS - Organization for the Advancement of Structured Information Standards

Sponsored By

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation

Primeton

XML Daily Newslink
Receive daily news updates from Managing Editor, Robin Cover.

 Newsletter Subscription
 Newsletter Archives
Bottom Globe Image

Document URI: http://xml.coverpages.org/ni2008-10-29-a.html  —  Legal stuff
Robin Cover, Editor: robin@oasis-open.org