With the pending introduction of Microsoft’s Geneva Framework and Geneva Server (now officially named Windows Identify Foundation and Active Directory Federation Services, respectively), a claims-based and federated security model is now available to the .NET world. The use of SAML-based authentication tokens distributed by Secure Token Servers (STS’s) is primed to be the next step in providing a more simplified identity management scheme throughout organizations and beyond into the “cloud” of Azure and Internet-based systems.
Claims-based authentication scenario
If you haven’t been exposed to the concept of claims-based security, it’s a bit of a mind-shift from how application rights and user properties have been typically implemented so it may take some time to fully grasp. A claim, to put it simply, is any attribute that can be ascribed to a user (or any resource). For example, a user’s claims may consist of his name, birth date, gender, and role within an organization.
What makes this different from traditional role-based security is that these claims are authenticated by a trusted third-party. One of the best analogies is to think of a person going to buy alcohol at a bar. The bartender must prove that the person is of legal age so he asks for an authenticated record from a trusted third-party, which in this case is a driver’s license from the DMV. The claim is that this person is over 21 years old, and the identity provider is the Department of Motor Vehicles.
A Boon to Developers and Organizations
OK, so this is all well and good but how does this make developing applications easier? The short answer is that claims alone don’t make things much easier, but what does simplify matters is the use of federated authentication. In our previous example, the bar knew nothing about the person buying a drink. There was no big filing cabinet with everybody’s name and birth records stored in the back room of the bar (at least you hope not). The problem is that this is how many applications work today. Each application stores off its own set of users and profile data, and therefore, the application (and consequently, the application developers) must be responsible for authenticating users.
By utilizing federation, the job of validating that a user is who he claims to be is now handed off to a third party, and a trust is established between our application (the relying party, or RP). If our identity provider (IP) says that Joe Smith is really Joe Smith, we can trust that this is true. Immediately, you can probably see that this is a boon for developers everywhere, who are tired of creating user login pages and databases. In addition, this now enables Single Sign-On (SSO) within a network of applications that share the same IP.
Putting it All Together
Now that you can probably see how claims and federated security can be of benefit, the next question is how all of this works within the current world of application security. The good news is that Microsoft seems to have done an admirable job of building on top of existing technologies (e.g., Active Directory and ASP.NET authentication) and providing flexibility to leverage existing security mechanisms (e.g., OpenID, Live ID, etc.).
The Geneva Framework is a set of assemblies that forms the foundation of the entire security suite. Using the Framework (otherwise known as Windows Identity Foundation, or WIF), developers can claims-enable their ASP.NET applications with just a handful of configuration settings. In addition, WIF can be used to create a custom Secure Token Server (STS) that can perform user authentication and claims look-ups using any technique imaginable. This open foundation will encourage developers and IT organizations to move towards this model. In addition, Geneva Server is a robust and freely available STS that can be rolled out within an organization, making federated security a reality in fairly short order.
Further Reading
This discussion barely scratches the surface and depth of Geneva so I would encourage you to read more on the blogs and Microsoft sites out there:
