News
Microsoft: 'Geneva' Will Help Change Access Paradigm
- By Herb Torrens
- November 5, 2008
Microsoft is leading the move to claims-based access with an announcement
this week of a claims-aware application codenamed "Geneva" Framework.
According to a Tuesday
post on the Geneva Team Blog , the Geneva Framework is the successor to
a previous beta known as Zermatt. Both are part of a suite of secure access
products known as "Geneva," which was rolled
out in October at Microsoft's Professional Developers Conference.
Geneva, according to MSDN, simplifies user access to applications and services
using claims-based access instead of the legacy identification-based access
prevalent today in protected environments.
The whitepaper "Introducing Geneva" by David Chappell & Associates
(available here)
describes claims-based access as a "straightforward idea founded on a small
number of concepts." The key components of claims-based identity include
claims, tokens, identity providers and security token services (STS).
Claims are described as a digital-identity that contains data such as name,
group, e-mail, etc. Tokens, aka security tokens, are a set of bytes containing
one or more claims and are used to transfer digital-identity across a network,
according to Chappell's whitepaper. For security, each token carries the "signature"
of its issuer (company, organization, etc.)
In the simplest terms, a user creates a claim (on provided form or CardSpace)
using a client or browser. The claim is sent (via WS-Trust standard protocol)
to a STS, which authenticates the claim (Kerberos, password, etc.) information
and creates a token. The token provides access to a protected environment.
Chappell said claims-based identity provides a standard method for applications
to acquire and confirm identity information. Conversely, identity-based user
access can vary widely from application to application and, according to the
Geneva team, can be highly complex to implement and manage.
"There are several problems with today's application access solutions,
including too many different identity technologies for developers to choose
from, high complexity to implement and manage user access, and difficulty interoperating
heterogeneous applications and systems," stated the Geneva Team Blog. "Emerging
cloud services and SOA trends could amplify these challenges."
Microsoft's Geneva includes three components that enable claims-based access:
Geneva Framework to build .NET applications that deploy claims to determine
user access decisions; Geneva Server, an STS that issues and transforms claims,
enables federations and manages user access; and Windows CardSpace, a tool for
users and developers to build customer authentication.
All three Geneva components are available in beta, and all three work independently
of each other and a variety of third-party applications and services, according
to Chappell's whitepaper.
The goal for Microsoft, according to Chappell, is to "make it easier to
use claims-based identity both within the Windows world and across platforms
from different vendors." He noted that the move toward claims-based identity
is "an industry-wide, multi-vendor endeavor."
According to the Geneva team, the new paradigm in user access will externalize
access logic from applications via claims, thereby "reducing development
effort with pre-built security logic and integrated .NET tools."
IT professionals will be able to deploy and manage new applications with little
or no custom implementation work. Geneva consolidates access management and
establishes a consistent security model, according to the Geneva team's post.
For the user, a claims-based identity will reduce the number of passwords they
use and minimize navigation. It also provides greater control of how personal
information is shared.
Tuesday's Geneva Team Blog stated, "Geneva includes built-in interoperability
via open industry standards and claims, and implements the industry Identity
Metasystem vision for open and interoperable identity."
Chappell concluded in his whitepaper that "changing how people and applications
work with identity is not a small thing. Given this, widespread adoption of
claims-based identity is likely to take some time. Still, the foundation is
now in place to make this much-improved approach real."
About the Author
Herb Torrens is an award-winning freelance writer based in Southern California. He managed the MCSP program for a leading computer telephony integrator for more than five years and has worked with numerous solution providers including HP/Compaq, Nortel, and Microsoft in all forms of media. You can contact Herb at [email protected].