<![CDATA[[SecurityRatty] tag: zermatt]]> http://securityratty.com/tag/zermatt Wed, 09 Jul 2008 16:27:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Zermatt is now Geneva Framework]]> http://securityratty.com/article/ffdbf806596ce2b9eecd4ab50a7394dc http://securityratty.com/article/ffdbf806596ce2b9eecd4ab50a7394dc For those who didn't attend PDC, the Zermatt identity framework has been re-code-named Geneva Framework so that it fits in with the Geneva family of products:

Geneva Framework: a .NET class library called Microsoft.IdentityModel (basically it's an updated Zermatt)

Geneva Server: This is essentially ADFS v2, built on top of the Geneva Framework

Geneva CardSpace: This is CardSpace v2.

This link takes you to the "Geneva" landing page at Microsoft, where you'll find links to all of the bits, as well as the whitepaper v2. The new version of the whitepaper was co-authored by myself and a PM on the Geneva Framework team, Sesha Mani, who added a bunch of new details based on the PDC version of the framework.

]]> Wed, 26 Nov 2008 11:41:00 +0000 geneva geneva framework zermatt framework geneva family zermatt identity framework geneva cardspace cardspace geneva framework team Zermatt is now Geneva Framework <![CDATA[Zermatt in Community Server]]> http://securityratty.com/article/e775efcf6afa32aabd54630993695eaa http://securityratty.com/article/e775efcf6afa32aabd54630993695eaa I'm about to embark on a mission to get Zermatt integrated into pluralsight.com as our single-sign-on solution, and a big part of that is getting our Community Server installation wired into that. I'm curious if anyone else has seen any work being done in this area, or if I'll be the first?

I plan to blog about my progress (and share it) if there's not already a built-in solution out there.

]]> Mon, 06 Oct 2008 18:07:17 +0000 built-in solution single-sign-on solution zermatt embark progress mission pluralsight blog curious Zermatt in Community Server <![CDATA[Introducing Microsoft Code Name Zermatt]]> http://securityratty.com/article/732b3e6ffabbf1bdf556615c13244f16 http://securityratty.com/article/732b3e6ffabbf1bdf556615c13244f16 For a couple of years now, I've been giving talks about "claims-based identity", and "claims-aware applications". The most concrete example of a claims-based identity architecture that I've been able to show so far is Active Directory Federation Services v1 (ADFS) and Windows CardSpace. And the claims programming model I've been using is the one that shipped with WCF in the System.IdentityModel assembly.

But today I'm happy to announce that there's a new path forward in the claims world. Zermatt is the "identity framework" that I've been itching to talk about, but until today, hasn't been announced publicly.

Well, Vittorio just made the announcement just a moment ago, and now you can get your hands on this new framework. With it, you can build web applications and services that rely on claims to discover identity details about users. And you can easily build a security token service (STS) that supplies those claims. Zermatt makes this possible by supplying all of the plumbing that implements WS-Trust (for web services) and WS-Federation (for browser-based web applications). All you have to do is figure out what claims you want to issue based on what you know about the user and what you know about the application (aka relying party).

I was fortunate to be asked by the team to write the white paper introducing Zermatt to developers. You can download it here. The paper introduces the ideas behind claims-based identity, and talks about how you can use Zermatt to centralize authentication (and to some degree, authorization) in an STS, thus making it easy to achieve single sign on in your applications, and even be ready to federate with other organizations or platforms should that need arise.

Here are some highlights of what you'll find in Zermatt:

Zermatt includes a new claims programming model, with IClaimsPrincipal and IClaimsIdentity, two new interfaces that extend the existing IPrincipal and IIdentity that you already know and love from the .NET Framework. IClaimsIdentity adds a collection of claims. Zermatt's claims programming model is in many ways simpler than that in WCF - the Claim class exposes the value of claims as strings (always) and calls the value of a claim "Value", instead of "Resource" as WCF did. But the model is also more sophisticated - multi-hop delegation is supported, so one user can "Act As" another user, and the relying party will see the entire chain of delegation as a linked list of IClaimsIdentity objects.

Zermatt includes an HttpModule that you can wire into your ASP.NET application that will implement WS-Federation for you. This module (called the FAM) is a lot like the "Web Agent" from ADFS, and it makes it quite easy to build a web application that relies on claims.

Zermatt includes plumbing that sits on top of WCF and simplifies building claims-based web services and clients.

Zermatt also includes a couple of ASP.NET controls for adding SignIn functionality to websites. The first is a passive sign-in control which simply redirects the browser to an STS to get claims. The second is the highly anticipated InformationCard control that pops the user's identity selector and lets her choose which identity she wants to use.

Zermatt comes with a bunch of sample code to help you get started.

All you need to test-drive Zermatt is Visual Studio 2008 and your curiosity. Download the beta now, read the whitepaper, experiment with the samples, and see what claims-based identity is all about!

For more on Zermatt, you'll want to watch Vittorio's blog. I'll also be talking more about it in the future!

]]> Wed, 09 Jul 2008 16:27:00 +0000 zermatt claims world claims zermatt includes includes claims-aware applications framework identity framework identity Introducing Microsoft Code Name Zermatt