Microsoft: 'Geneva' Will Help Change Access Paradigm
- By Herb Torrens
- 11/05/2008
Microsoft is leading the move to claims-based access with an announcement
this week of a claims-aware application codenamed "Geneva" Framework.
According to a Tuesday post on the Geneva Team Blog, the Geneva Framework is the successor to
a previous beta known as Zermatt. Both are part of a suite of secure access
products known as "Geneva," which was rolled
out in October at Microsoft's Professional Developers Conference.
Geneva, according to MSDN, simplifies user access to applications and services
using claims-based access instead of the legacy identification-based access
prevalent today in protected environments.
The whitepaper "Introducing Geneva" by David Chappell & Associates
(available here)
describes claims-based access as a "straightforward idea founded on a small
number of concepts." The key components of claims-based identity include
claims, tokens, identity providers and security token services (STS).
Claims are described as a digital identity that contains data such as name,
group, e-mail, etc. Tokens, also known as security tokens, are a set of bytes containing
one or more claims; they are used to transfer a digital identity across a network,
according to Chappell's whitepaper. For security, each token carries the "signature"
of its issuer (a company, organization, etc.).
In the simplest terms, a user creates a claim (on a provided form or via CardSpace)
using a client or browser. The claim is sent (via the WS-Trust standard protocol)
to an STS, which authenticates the claim information (Kerberos, password, etc.)
and creates a token. The token provides access to a protected environment.
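The flow just described, reduced to its essentials as an added example (this is illustrative code written for this article, not Geneva Framework or Geneva Server code): a toy security token service authenticates a user against a constructed user store, packs name/group/e-mail claims into a token, and signs it; a claims-aware application then verifies the issuer's signature and expiry and makes its access decision from the group claim alone. The HMAC shared key, the user records, the resource policy and the issuer URL are all assumptions made up for the example; Geneva itself exchanges tokens over WS-Trust and signs them with issuer certificates, which the toy omits.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identity store the toy STS authenticates against (not a real directory).
_USERS = {
    "alice": {"password": "correct horse", "name": "Alice Example",
              "group": "finance", "email": "alice@example.test"},
    "bob": {"password": "battery staple", "name": "Bob Example",
            "group": "sales", "email": "bob@example.test"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Authenticates a requester, then issues a token of claims signed by this issuer."""

    def __init__(self, issuer: str, signing_key: bytes, lifetime: int = 300):
        self.issuer = issuer          # assumed issuer identifier carried in every token
        self.key = signing_key        # toy: shared HMAC key instead of an issuer certificate
        self.lifetime = lifetime      # token validity in seconds

    def issue(self, username: str, password: str, now=None):
        """Return a signed token string, or None if authentication fails."""
        record = _USERS.get(username)
        # Password is one of the authentication options the article lists; a real STS
        # would check a password hash or a Kerberos ticket rather than a cleartext field.
        if record is None or not hmac.compare_digest(record["password"].encode(),
                                                     password.encode()):
            return None
        now = time.time() if now is None else now
        payload = {
            "iss": self.issuer,
            "exp": int(now) + self.lifetime,
            "claims": {"name": record["name"], "group": record["group"],
                       "email": record["email"]},
        }
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        # The signature binds the claims to the issuer: any change to the body invalidates it.
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class RelyingParty:
    """A claims-aware application: trusts one issuer and decides access from claims."""

    # Constructed policy: which group claim each protected resource requires.
    POLICY = {"payroll": "finance", "crm": "sales"}

    def __init__(self, trusted_issuer: str, issuer_key: bytes):
        self.trusted_issuer = trusted_issuer
        self.key = issuer_key

    def validate(self, token: str, now=None):
        """Return the claims dict if the token is genuine and unexpired, else None."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged: signature does not match the issuer's key
        payload = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if payload.get("iss") != self.trusted_issuer or payload.get("exp", 0) <= now:
            return None  # untrusted issuer or expired token
        return payload["claims"]

    def authorize(self, token: str, resource: str, now=None) -> bool:
        """Access decision based purely on the claims, not on a local user database."""
        claims = self.validate(token, now)
        required = self.POLICY.get(resource)
        return claims is not None and required is not None and claims.get("group") == required


def demo():
    """Run the issue/verify flow and return the access decisions for inspection."""
    key = b"constructed-shared-key"  # assumption: key known to both STS and application
    sts = SecurityTokenService("https://sts.example.test", key)
    app = RelyingParty("https://sts.example.test", key)
    token = sts.issue("alice", "correct horse")
    results = {
        "alice_payroll": app.authorize(token, "payroll"),   # finance group: allowed
        "alice_crm": app.authorize(token, "crm"),           # needs sales group: denied
        "bad_password": sts.issue("alice", "wrong") is None,
    }
    # Altering a claim while reusing the old signature must be detected by the application.
    body, sig = sts.issue("bob", "battery staple").split(".")
    payload = json.loads(_unb64(body))
    payload["claims"]["group"] = "finance"
    forged = _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig
    results["tampered"] = app.authorize(forged, "payroll")
    return results


if __name__ == "__main__":
    print(demo())
```

The point the article's components map onto: the application never sees a password and keeps no user table; it only needs the issuer's verification key and a policy expressed over claims, which is what lets the access logic be "externalized" from the application.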
Chappell said claims-based identity provides a standard method for applications
to acquire and confirm identity information. Conversely, identity-based user
access can vary widely from application to application and, according to the
Geneva team, can be highly complex to implement and manage.
"There are several problems with today's application access solutions,
including too many different identity technologies for developers to choose
from, high complexity to implement and manage user access, and difficulty interoperating
heterogeneous applications and systems," stated the Geneva Team Blog. "Emerging
cloud services and SOA trends could amplify these challenges."
Microsoft's Geneva includes three components that enable claims-based access:
Geneva Framework to build .NET applications that deploy claims to determine
user access decisions; Geneva Server, an STS that issues and transforms claims,
enables federations and manages user access; and Windows CardSpace, a tool for
users and developers to build customer authentication.
All three Geneva components are available in beta, and all three work independently
of each other and with a variety of third-party applications and services, according
to Chappell's whitepaper.
The goal for Microsoft, according to Chappell, is to "make it easier to
use claims-based identity both within the Windows world and across platforms
from different vendors." He noted that the move toward claims-based identity
is "an industry-wide, multi-vendor endeavor."
According to the Geneva team, the new paradigm in user access will externalize
access logic from applications via claims, thereby "reducing development
effort with pre-built security logic and integrated .NET tools."
IT professionals will be able to deploy and manage new applications with little
or no custom implementation work. Geneva consolidates access management and
establishes a consistent security model, according to the Geneva team's post.
For the user, a claims-based identity will reduce the number of passwords they
use and minimize navigation. It also gives them greater control over how personal
information is shared.
Tuesday's Geneva Team Blog stated, "Geneva includes built-in interoperability
via open industry standards and claims, and implements the industry Identity
Metasystem vision for open and interoperable identity."
Chappell concluded in his whitepaper that "changing how people and applications
work with identity is not a small thing. Given this, widespread adoption of
claims-based identity is likely to take some time. Still, the foundation is
now in place to make this much-improved approach real."
About the Author
Herb Torrens is an award-winning freelance writer based in Southern California. He managed the MCSP program for a leading computer telephony integrator for more than five years and has worked with numerous solution providers including HP/Compaq, Nortel, and Microsoft in all forms of media.