Geneva Framework – Quick Intro

This new stuff will keep me busy for the next seven weeks, as we will be running a POC with it. For those of you who are new to Geneva, you can download it from connect.microsoft.com, together with its tutorials and guidance on claims-based identity. In the claims-based paradigm, the user presents an identity to the application as a set of claims. One claim could be the user ID, another the e-mail address, and so on. The main idea is that an external identity system is configured to give your application everything it needs to know about the user with each request she makes, along with cryptographic assurance that the identity data you receive comes from a trusted source.

Let's look at a simple scenario. Say you are building a weather Web service with a smart-client model. The diagram below shows a claims-aware weather Web service (the Relying Party, or RP) and a smart client that wants to use it. The RP exposes a policy that describes its addresses, bindings, and contracts. The policy also includes the list of claims the RP needs, such as user name, e-mail address, and role memberships, and it tells the smart client the address of the STS (Security Token Service) from which those claims should be retrieved. After retrieving this policy (1), the client knows where to go to authenticate: the STS. The user presents credentials (2) and the smart client makes a Web service request (3) to the STS, asking for the claims that the RP requires in its policy. The job of the STS is to authenticate the user and return a security token that carries all of the claims the RP needs. The smart client then makes its request to the weather Web service, the relying party (4), sending the security token along in the SOAP security header. The weather service now receives claims with each request and simply rejects any request that does not carry a valid token, that is, one signed by an issuing authority it trusts, issued for this service, and not yet expired. Note that the RP never sees the user's credentials; it relies on the STS's signature, so the RP's list of trusted issuers and the STS signing key are what the whole scheme rests on.

We already know this concept in general. But what if you are required to reuse an existing user identity, for example Windows Live ID (formerly Passport), or you already have a list of Web site users in a SQL database? This is where the Geneva Framework helps. You can build a custom STS that reads claims stored in a database (perhaps a legacy system) or in a directory service. Geneva is not only about SSO or federation; it lets you create a custom STS that matches your specific requirements, so the authentication logic and the claims store live in one place instead of in every application.
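To make the four steps above and the custom-STS idea concrete, here is an added example, written for this post and not taken from the Geneva Framework or its samples. It models the exchange in plain Python: the STS authenticates against an existing user table (an in-memory SQLite database standing in for the legacy SQL store) and issues a token carrying only the claims the RP's policy asked for; the RP verifies the token before serving anything. All names (`CustomSts`, `WeatherService`, `urn:sts:example`, `urn:rp:weather`, the sample users) are assumptions, and the token is a JSON body signed with HMAC-SHA256 over a shared key, a simplification of a SAML token signed with the STS's certificate. After the happy path it runs the requests a relying party must reject: a wrong password at the STS, a token from an issuer the RP does not trust, a token whose claims were edited after signing, and a valid token whose role claim does not grant access.

```python
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3
import time

STS_KEY = b"demo-sts-signing-key"   # assumption: a shared HMAC key stands in for the STS certificate
PBKDF2_ROUNDS = 100_000


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user_db() -> sqlite3.Connection:
    """Constructed sample data: an existing Web-site user table the STS will reuse."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, email TEXT, role TEXT)")
    for name, pw, email, role in [("alice", "correct horse", "alice@example.com", "subscriber"),
                                  ("bob", "hunter2", "bob@example.com", "guest")]:
        salt = secrets.token_bytes(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (name, salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS), email, role))
    return db


class CustomSts:
    """Custom STS: authenticates against the legacy table and issues signed claim tokens."""

    def __init__(self, issuer: str, signing_key: bytes, db: sqlite3.Connection):
        self.issuer, self.key, self.db = issuer, signing_key, db

    def issue(self, username: str, password: str, requested: list, audience: str, ttl: int = 300) -> str:
        row = self.db.execute("SELECT salt, pw_hash, email, role FROM users WHERE username = ?",
                              (username,)).fetchone()
        if row is None:
            raise PermissionError("unknown user")
        salt, pw_hash, email, role = row
        if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), pw_hash):
            raise PermissionError("bad password")
        available = {"name": username, "email": email, "role": role}
        claims = {c: available[c] for c in requested if c in available}   # only what the RP asked for
        now = int(time.time())
        payload = {"iss": self.issuer, "aud": audience, "iat": now, "exp": now + ttl, "claims": claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class WeatherService:
    """Relying party: publishes its policy and accepts only valid tokens from trusted issuers."""

    def __init__(self, sts_address: str, trusted_issuers: dict):
        self.audience = "urn:rp:weather"
        self.sts_address = sts_address
        self.trusted = trusted_issuers          # issuer name -> verification key

    def get_policy(self) -> dict:
        return {"audience": self.audience, "sts": self.sts_address,
                "required_claims": ["name", "email", "role"]}

    def validate(self, token: str) -> dict:
        try:
            body, sig = token.split(".")
            payload = json.loads(_unb64(body))
            sig_bytes = _unb64(sig)
        except ValueError:          # wrong shape, bad base64 or bad JSON (JSONDecodeError is a ValueError)
            raise PermissionError("malformed token")
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            raise PermissionError("untrusted issuer")
        if not hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).digest(), sig_bytes):
            raise PermissionError("bad signature")
        if payload.get("aud") != self.audience:
            raise PermissionError("token not issued for this service")
        if payload.get("exp", 0) < time.time():
            raise PermissionError("token expired")
        claims = payload.get("claims", {})
        missing = [c for c in self.get_policy()["required_claims"] if c not in claims]
        if missing:
            raise PermissionError(f"missing claims: {missing}")
        return claims

    def forecast(self, token: str, city: str) -> str:
        claims = self.validate(token)           # every request must carry a token
        if claims["role"] != "subscriber":      # claims drive authorization, not just identity
            raise PermissionError("role not allowed")
        return f"{city}: sunny (served to {claims['email']})"


def run_scenario() -> dict:
    """Steps (1)-(4) from the post, followed by the requests a relying party must reject."""
    sts = CustomSts("urn:sts:example", STS_KEY, make_user_db())
    rp = WeatherService("urn:sts:example", {"urn:sts:example": STS_KEY})

    def attempt(fn):
        try:
            return fn()
        except PermissionError as e:
            return f"rejected: {e}"

    policy = rp.get_policy()                                                  # (1) read the RP policy
    want, aud = policy["required_claims"], policy["audience"]
    alice = sts.issue("alice", "correct horse", want, aud)                    # (2)+(3) authenticate, get token
    bob = sts.issue("bob", "hunter2", want, aud)
    rogue = CustomSts("urn:sts:rogue", b"rogue-key", make_user_db())          # an STS the RP does not trust
    body, sig = bob.split(".")
    forged_payload = json.loads(_unb64(body))
    forged_payload["claims"]["role"] = "subscriber"                           # bob upgrades his own role claim
    forged = _b64(json.dumps(forged_payload, sort_keys=True).encode()) + "." + sig
    return {
        "alice": attempt(lambda: rp.forecast(alice, "Jakarta")),             # (4) token in the request
        "wrong password": attempt(lambda: sts.issue("alice", "nope", want, aud)),
        "rogue sts": attempt(lambda: rp.forecast(rogue.issue("alice", "correct horse", want, aud), "Jakarta")),
        "tampered": attempt(lambda: rp.forecast(forged, "Jakarta")),
        "guest role": attempt(lambda: rp.forecast(bob, "Jakarta")),
    }


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:15} {outcome}")
```

The order of checks in `validate` matters: the issuer is looked up before the signature is verified, because the issuer decides which key to verify with, and the audience and expiry checks come after the signature, because until the signature holds nothing in the body can be believed. The weather service never touches a password or the user table; it only needs the verification key of each issuer it trusts, which is the whole point of putting the authentication and the claims store behind a custom STS.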

What about interoperability? Several WS-* standards are used in the scenario above. Policy is retrieved using WS-MetadataExchange, and the policy itself is structured according to the WS-Policy specification. The STS exposes endpoints that implement the WS-Trust specification, which describes how to request and receive security tokens. Most STSs today issue tokens formatted with the Security Assertion Markup Language (SAML). SAML is an industry-recognized XML vocabulary that can be used to represent claims in an interoperable way.

[Diagram 01: smart client, STS, and the claims-aware weather Web service (RP)]

See you in the next Geneva story.


Cheers – RAM 

Published 04-18-2009 10:02 PM by Risman Adnan