"Geneva" identity framework

by Matt Milner 28. October 2008 04:10

I sat in on a session today that showed off the "Geneva" set of identity tools. I have to say that the presentation was very well done as it showed how easy it was to take a normal ASP.NET application that was using .NET constructs like IsInRole and PrincipalPermission to do dynamic display and authorization of actions. Caleb then took that app and enabled the "Geneva" tools on it by running a wizard which updated the web.config and configured the STS to identify the application and its requirements for claims. Then, without changing any code, he ran the application again and the user experience didn't change! On the one hand, not very exciting, it worked just the same, but when you think about it, he claim-enabled the application and the user continued to get integrated login and authorization continued to work. The claims were being populated by AD and included the group membership so IsInRole and PrincipalPermission continued to work.

Now, just using a different way to do authz wouldn't be that exciting if it still just used AD and only worked for internal users.  So Caleb next configured a partner organization with a trust relationship, mapped their claims to those the application needed, and logged in as an external user (with no account needed in the local domain) and the application again needed no code changes!  The user had the right access based on the claims from the partner organization and the app continued to work. 
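What the two demos above rely on, as an added illustration that is not code from the post or from the "Geneva" beta (it uses the System.Security.Claims types of later .NET): group membership is delivered as role claims, so an unchanged IsInRole check works for an internal user, and a partner user's claims are mapped onto the same role names before the application ever sees them. The partner claim type and the mapping table are hypothetical stand-ins for what the STS trust configuration would hold.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

class ClaimsDemo
{
    // Hypothetical claim type the partner organization issues for group membership.
    const string PartnerGroupClaimType = "http://partner.example/claims/group";

    // Hypothetical mapping table standing in for the STS claim-mapping rules from the demo:
    // partner group values on the left, the role names the application already checks on the right.
    static readonly Dictionary<string, string> PartnerRoleMap = new Dictionary<string, string>
    {
        { "ProjectLead", "Managers" },
        { "Staff", "Users" },
    };

    // Internal (AD-backed) login: group membership arrives as role claims, so the
    // application's existing IsInRole checks keep working without code changes.
    static ClaimsPrincipal InternalUser(string name, IEnumerable<string> adGroups)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, name) };
        claims.AddRange(adGroups.Select(g => new Claim(ClaimTypes.Role, g)));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation", ClaimTypes.Name, ClaimTypes.Role));
    }

    // Partner login: translate the partner's group claims into the application's role claims.
    // Unmapped partner groups are dropped, not passed through, so the partner cannot obtain
    // an arbitrary local role just by issuing a claim with that value.
    static ClaimsPrincipal PartnerUser(IEnumerable<Claim> partnerClaims)
    {
        var mapped = new List<Claim>();
        foreach (var c in partnerClaims)
        {
            if (c.Type == ClaimTypes.Name)
                mapped.Add(c);
            else if (c.Type == PartnerGroupClaimType && PartnerRoleMap.TryGetValue(c.Value, out var role))
                mapped.Add(new Claim(ClaimTypes.Role, role));
        }
        return new ClaimsPrincipal(new ClaimsIdentity(mapped, "Federation", ClaimTypes.Name, ClaimTypes.Role));
    }

    // The application's own authorization check, unchanged between the two logins.
    static bool CanApprove(ClaimsPrincipal p) => p.IsInRole("Managers");

    static void Main()
    {
        var alice = InternalUser("alice", new[] { "Managers", "Users" });
        var bob = PartnerUser(new[] { new Claim(ClaimTypes.Name, "bob@partner.example"),
                                      new Claim(PartnerGroupClaimType, "ProjectLead") });
        Console.WriteLine($"alice: {CanApprove(alice)}, bob: {CanApprove(bob)}");
    }
}
```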

Finally, the demo included two cool features. First, to enable CardSpace, Caleb just checked a box on the STS and it was good to go. The issues of authz were all abstracted from the application. The application did not have to think about where the claims were coming from, it just programmed to the claims. Finally, the demonstration showed how the web application could use delegation to call a web service. The web application was enabled for delegation and was able to take the user's credentials (claims) and call the STS to get claims for the service.

The whole "Geneva" framework includes the STS or service, the framework components you can use in your applications/services and then an update to CardSpace as well.  If you are interested in claims based identity (hint: you should be if you are not) then check out the "Geneva" information and download the betas today. 


General Musings