News

Inside Microsoft's Network Identity Framework

• By Jeffrey Schwartz
• November 5, 2008

The company outlined several key deliverables at last week's Professional Developers Conference, including its new Geneva Server, which was released for beta testing last week. Microsoft uses a claims-based model for accessing systems that may reside in any number of datacenters, among multiple parties as well as those residing in cloud services.

Claims-based identity assigns attributes to an individual, such as an e-mail address or Social Security number issued by a security token service (STS), which allow systems and applications to share information in a secure transaction with corresponding systems.

Geneva (formerly known as "Zermatt") and Live Identity Services look to fulfill the ambitious goal of allowing developers to easily build federated identity management into their apps.

"What we are trying to achieve here is one identity model that puts users firmly in control of their identities," said Kim Cameron, Microsoft's chief architect of identity and a Microsoft distinguished engineer, speaking at the PDC. "The goal is, you write a pure application once, you run it anywhere, in any kind of deployment scenario."

Geneva Software Stack
On the software side, Geneva consists of three core components: the Geneva Server, an STS that manages user access and distributes and transforms claims; Geneva CardSpace, which lets developers build client-based authentication; and Geneva Framework, a set of .NET-based class libraries and SDKs. The Geneva Server is integrated with Microsoft Active Directory as well as Windows CardSpace, which accepts and receives digital tokens that allow users to control their digital identities.

A new version of Windows CardSpace will offer improved performance and a smaller footprint, and will be tuned to work with the Geneva Server which, in addition to supporting Active Directory, is compatible with Web services standards including the Security Assertion Markup Language 2.0 (SAML), WS-Federation and WS-Trust.

Vittorio Bertocci, a senior architect evangelist, demonstrated a federated SAML-based link between Geneva and a site based on IBM's Tivoli Federated Identity Manager. Bertocci told attendees it took less than five hours to make it work.

Live Identity Services
The services-based counterpart to Geneva will consist of three core components: Live Identity Services, the Microsoft Federation Gateway (MFG) and .NET Access Control Service.

The MFG is a backbone that will connect Geneva via Active Directory, or competing STSes that may have other directory services or user databases to Azure and hosted applications such as SharePoint and Exchange, and developer services such as .NET Services and SQL Services, according to Cameron.

MFG is in production now, while Microsoft released a CTP of the Microsoft Services Connector, a fixed function server that connects Active Directory to MFG. A full beta is planned for the first half of next year.

Also on the services side, Microsoft announced the .NET Access Control Service, which allows individuals to control their identities. It consists of a portal, a client API and the STS. Cameron described the service as a next-generation STS. "It takes in authentication claims and puts out authorization decisions," he said. "You put your rules in there about who can access what."

If Microsoft can deliver on that promise, that would make life a lot easier for Joe Christopher, vice president at HealthStream, a Nashville-based company that provides both education and research for hospitals nationwide via the Internet.

"Today there's a lot of custom glue," Christopher said in an interview at PDC right after hearing Cameron's presentation. "There's a lot of plumbing that's built manually by our site, a third-party site, and it requires a lot of working out data exchanges and working out how do we keep those up to date real time."

Live ID Will Work With OpenID
Cameron also announced that Microsoft will let the 460 million users of its Live ID service use their credentials to log in to any site that supports the OpenID 2.0 standard. OpenID is shows promise as a de facto authentication standard that transfers existing URIs into an account that can be used at sites that support OpenID access. Among those that support it are AOL, Flickr, Technorati, WordPress and Yahoo, according to the OpenID Foundation. That means users will be able to use their Live ID credentials to log in to those and other OpenID sites. For example, if you have a My Yahoo account, you'll be able to use your Live ID to log in to it.

Microsoft joined the OpenID Foundation earlier this year and had indicated ultimate support was planned in Live ID. An OpenID Provider beta is available now, and the company plans to release the final version by the end of next year.