Geneva – Introduction

After looking at the Windows Live ID SDK and doing a couple of posts on Authentication and Authorization in the Live Framework and Using Delegated Authentication to Access LiveFX from Windows Azure I thought I should look at Geneva – Microsoft’s claims-based identity metasystem. Currently in Beta 2, Geneva comprises:

  • Geneva Server – a Security Token Service (STS)
  • Geneva CardSpace – an identity selector
  • Geneva Framework – a .Net API

The Geneva Server is a application allowing an enterprise to support claims-based identity. It can connect to identity providers, possibly outside the enterprise, and transform claims into claims usable by claims-based applications running inside the enterprise.

Geneva CardSpace is an identity selector that uses displayable information "cards" which the user can select to simplify the authentication process. Each card is specific to an authentication system and the card stores detail about the authentication methods and communication endpoints. For example, the card might specify that Windows Live requires a username/password combination and the sign-in page is A Geneva CardSpace user wishing to access Windows Live would be presented with a set of information cards and on selecting the Windows Live card would automatically be presented with the appropriate sign-in screen. Note that the information cards do not contain any authentication information so do not represent a security risk. Geneva CardSpace and information cards are designed to simplify the identity management process for end users faced with an increasing identity managment burden.

The Geneva Framework provides a large API for developing claims-based applications and the Geneva Server is being developed using it.  The Geneva Framework is not a replacement for the Windows Live ID SDK since the Geneva Framework is focused on handling claims while the Windows Live ID SDK is focused on providing access to the Windows Live identity provider and, in particular, consent-based access to Windows Live Services.

The Microsoft home for Identity Management and all things Geneva is here. This page has links to the Geneva Beta 2 bits (or a VM) and a really great Identity Developer Training Kit with hands-on labs.

The starting point for Geneva development should be the two Geneva whitepapers: a broad overview Introducing "Geneva" An Overview of the "Geneva" Server, CardSpace "Geneva", and the "Geneva" Framework by David Chappell; and a detailed development guide Microsoft Code Name "Geneva" Framework Whitepaper for Developers by Keith Brown and Sesha Mani.

A number of informative blogs on identity management have mutated into blogs on Geneva. These include Vittorio Bertocci’s, Kim Cameron’s Identity Blog, and the Geneva Team blog. Outside Microsoft, dominick baier and Matias Woloski also have great blogs and Keith Brown posts occasionally on identity management.

There is a lengthy discussion of the Kim Cameron’s Seven Laws of Identity and the Identity Metasystem in chapter 2 of the book: Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack and Caleb Baker.

Microsoft Architecture Journal issue 16 was devoted to identity and has eight articles on various features of identity management. The May 2009 issue of Computer, an IEEE Computer Society journal, has  a number of articles on identity management.

Another very useful source of information is the somewhate clunkily named MSDN Forum: Claims based access platform (CBA), code-named Geneva.

I intend to do a few more posts on the Geneva Framework from the perspective of someone working out how to use it rather than someone with a deep inside knowledge – for which you should look at the blogs I linked to earlier.

UPDATE 5/28/2009

By request I did a major clarification of the Geneva CardSpace paragraph.

Technorati Tags: ,

About Neil Mackenzie

Cloud Solutions Architect. Microsoft
This entry was posted in Uncategorized. Bookmark the permalink.

One Response to Geneva – Introduction

  1. Veleen says:

    Very nice summary on the Geneva platform and information resources! I would like to point out a slight lack clarity in your one of the phrases in your post. You say that "Geneva CardSpace is an identity selector that allows a user to store credentials" but a better phrasing would be that an identity selector stores cards and a card contains metadata on, amongst other things, different authentication types. Cards do not store the actual authentication credentials, those are derived or the user is queried for them every time you use a card. You can find a very good post on the topic by Caleb in the team’s blog: . Why does clarity in this phrasing matter? Because it means that if the user does not take care and their card falls into someone else’s hands, since the card contains only metadata and no actual credential data, the thief could not authenticate as the user.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s