The “Geneva”, while being a very interesting framework developed by Microsoft, isn’t getting much buzz on the blogs. A beta 2 version was just recently released and the final version is planned somewhere in 2009.
The framework aims at providing an easy to use solution for federated authentication and claims based security. None of those concepts are new in IT world. There are standards from WS-* family, which encompass both. In fact, WCF provides both claims based security plumbing code and bindings compatible with WS-Federation standard. The problem was, that those concepts were hard to implement in applications and required a lot of effort from developers. There also were no easy means of implementing own STS (Security Token Service). This changes with “Geneva”, which tries to make usage of federation and claims based security as easy as possible. As for claims, a developer can access them using IClaimsPrincipal interface (which derives from IPrincipal) – this integrates very well with security mechanisms built into .NET. There are even ASP.NET controls provided making implementation of ASP.NET based Relaying Parties and Security Token Services a lot easier. But Geneva is not only a library to use in your code. It also consists of two more components – the Geneva Server, which is a STS (with identity database and GUI for administration) as well as extensions to Windows CardSpace. I’m not going to go into details with this – there are very good whitepapers on this topic and I’d hate to just copy them here. Instead I would like to write about two usage cases, that got me most interested.
Not directly related to federation, “Authentication assurance” sample from Geneva SDK presents a case, where different parts of system require different levels of security. For example browsing the order list is not a security critical operation and user can be authenticated based on his Windows account (not to bother him with different form of authentication). When performing more sensitive operations like canceling an order, system might require a stronger proof of user’s identity like a certificate stored on a smart card. Geneva’s programming model makes it easy to secure operations according to their sensitivity level. Developer just needs to access authentication type stored as one of user claims in IClaimsPrincipal. Then, if authentication type is too weak, user is required to prove his identity in another way (and possibly in another STS).
“Act As” Scenario
In one of the whitepapers you can read:
When you build a multi-tier system, typically with a web front end and a collection of web services and other resources on the back end, you have a tough choice to make. Should the web front end use its own identity to access those back end resources, or should delegate the user’s credentials to make those requests? If you choose the first option, you end up with what is known as a trusted subsystem model. If you choose the second, you’ll need some way to delegate the client’s identity to the back end. There are performance and security tradeoffs for both of these choices, with the trusted subsystem model generally favoring performance over security and the delegation model generally favoring security over performance.
The example is:
Web application talks to Service1, which in turn talks to Service2. How should Service1 authenticate at Service2? First solution is to use same credentials for each user of web application. This creates the trusted subsystem and Service2 has to trust Servce1 to only perform those operations, which are permitted for the user. The other solution requires Service1 to act on behalf of the user, which allows Service2 to make it’s own security assertions. In order to achieve that, a special kind of security token has to be issued for Service1, which contains ActAs property set to the users identity.
What’s more, Geneva provides means of transforming security token into Windows identity, which for example allows for using Windows authentication while accessing SQL Server data store by back end services. I recommend you download the beta and check it out yourself.