After looking at the Windows Live ID SDK and doing a couple of posts on Authentication and Authorization in the Live Framework and Using Delegated Authentication to Access LiveFX from Windows Azure I thought I should look at Geneva – Microsoft’s claims-based identity metasystem. Currently in Beta 2, Geneva comprises:
- Geneva Server – a Security Token Service (STS)
- Geneva CardSpace – an identity selector
- Geneva Framework – a .Net API
The Geneva Server is an application allowing an enterprise to support claims-based identity. It can connect to identity providers, possibly outside the enterprise, and transform their claims into claims usable by claims-based applications running inside the enterprise.
Geneva CardSpace is an identity selector that uses displayable information "cards" which the user can select to simplify the authentication process. Each card is specific to an authentication system, and the card stores details about the authentication methods and communication endpoints. For example, the card might specify that Windows Live requires a username/password combination and that the sign-in page is http://login.live.com/login.srf. A Geneva CardSpace user wishing to access Windows Live would be presented with a set of information cards and, on selecting the Windows Live card, would automatically be presented with the appropriate sign-in screen. Note that the information cards do not contain any authentication information (no passwords or other credentials), so they do not represent a security risk. Geneva CardSpace and information cards are designed to simplify the identity management process for end users faced with an increasing identity management burden.
The Geneva Framework provides a large API for developing claims-based applications and the Geneva Server is being developed using it. The Geneva Framework is not a replacement for the Windows Live ID SDK since the Geneva Framework is focused on handling claims while the Windows Live ID SDK is focused on providing access to the Windows Live identity provider and, in particular, consent-based access to Windows Live Services.
The Microsoft home for Identity Management and all things Geneva is here. This page has links to the Geneva Beta 2 bits (or a VM) and a really great Identity Developer Training Kit with hands-on labs.
The starting point for Geneva development should be the two Geneva whitepapers: a broad overview Introducing "Geneva" An Overview of the "Geneva" Server, CardSpace "Geneva", and the "Geneva" Framework by David Chappell; and a detailed development guide Microsoft Code Name "Geneva" Framework Whitepaper for Developers by Keith Brown and Sesha Mani.
A number of informative blogs on identity management have mutated into blogs on Geneva. These include Vittorio Bertocci's vibro.net, Kim Cameron's Identity Blog, and the Geneva Team blog. Outside Microsoft, Dominick Baier and Matias Woloski also have great blogs, and Keith Brown posts occasionally on identity management.
There is a lengthy discussion of Kim Cameron's Seven Laws of Identity and the Identity Metasystem in chapter 2 of the book Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack and Caleb Baker.
Microsoft Architecture Journal issue 16 was devoted to identity and has eight articles on various features of identity management. The May 2009 issue of Computer, an IEEE Computer Society journal, has a number of articles on identity management.
Another very useful source of information is the somewhat clunkily named MSDN Forum: Claims based access platform (CBA), code-named Geneva.
I intend to do a few more posts on the Geneva Framework from the perspective of someone working out how to use it rather than someone with deep insider knowledge – for which you should look at the blogs I linked to earlier.
By request I did a major clarification of the Geneva CardSpace paragraph.