Identity management is a complex problem yet almost every application has to address it.
The world of identity management is going through a revolution with the introduction of the WS-* standards. Federation, single sign-on and claims-based authorization are common requirements. The question that remains open is: how should it be implemented?
Every framework has to address the identity problem. In this column I would like to introduce the .NET solution called Windows Identity Foundation, previously known as the Geneva Framework.
Windows Identity Foundation (WIF) enables .NET developers to externalize identity logic from their applications, improving developer productivity, enhancing application security and enabling interoperability. WIF can be used for on-premises software as well as cloud services. WIF, which is part of the new Identity and Access products wave, gives applications a much richer and more flexible way to deal with identities by introducing the claims-based identity concept.
Using WIF it is easy to implement a claims-based authorization system on top of industry-standard protocols. WIF simplifies the creation of a security token service (STS), which is the center of every claims-based system, as well as the interaction with other existing STSs and resources.
The Windows Identity and Access platform includes several releases:
· Active Directory Federation Services 2.0
· Windows Identity Foundation
· Windows CardSpace 2.0
AD FS 2.0
AD FS 2.0 is the next generation of Active Directory Federation Services.
At the core of AD FS 2.0 is a security token service (STS) that uses Active Directory as its identity store. The STS in AD FS 2.0 can issue security tokens to the caller using various protocols, including WS-Trust, WS-Federation and Security Assertion Markup Language (SAML) 2.0. For backward compatibility, the AD FS 2.0 STS supports both the SAML 1.1 and SAML 2.0 token formats.
AD FS 2.0 is designed with a clean separation between wire protocols and the internal token issuance mechanism. Different wire protocols are transformed into a standardized object model at the edge of the system, while internally AD FS 2.0 uses the same object model for every protocol. This separation enables AD FS 2.0 to offer a clean extensibility model, independent of the intricacies of the different wire protocols.

Windows Identity Foundation - System.IdentityModel
WIF is a framework for implementing claims-based identity in your applications. It can be used in any web application or web service, whether cloud or on-premises.
The goal was to make interaction with claims easy: WIF is designed to unify and simplify claims-based applications. It builds on top of WCF's plumbing to implement WS-Trust and comes with an HttpModule called the WS-Federation Authentication Module (FAM) that makes it trivial to implement WS-Federation in a browser-based application.
Using WIF it is possible to create a custom STS, or to connect to another identity provider, with only a few lines of code.
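A minimal custom STS, as an added example that is not part of the original column and not code shipped with WIF. It targets the WIF 1.0 API (the Microsoft.IdentityModel assembly) and assumes a signing certificate supplied by the host, an allow-list of relying-party addresses with their encryption certificates (the example.invalid URLs and the rp-encryption.cer path are placeholders), and that the host wires the configuration class into a WS-Trust or WS-Federation endpoint, which is not shown. The two overrides are the ones WIF calls for every token request: GetScope decides whether and for whom a token may be issued, and GetOutputClaimsIdentity decides what goes into it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// STS configuration: issuer name plus the certificate used to sign issued tokens.
// The issuer URL is a placeholder; the signing certificate is supplied by the host.
public class DemoSecurityTokenServiceConfiguration : SecurityTokenServiceConfiguration
{
    public DemoSecurityTokenServiceConfiguration(X509Certificate2 signingCertificate)
        : base("https://sts.example.invalid/", new X509SigningCredentials(signingCertificate))
    {
        // Tell the WIF pipeline which class actually issues the tokens.
        SecurityTokenService = typeof(DemoSecurityTokenService);
    }
}

public class DemoSecurityTokenService : SecurityTokenService
{
    // Allow-list of relying parties this STS issues tokens for, keyed by AppliesTo
    // address, with the certificate used to encrypt tokens for each one.
    // Both the address and the certificate file path are assumed placeholder values.
    private static readonly Dictionary<string, X509Certificate2> RelyingParties =
        new Dictionary<string, X509Certificate2>(StringComparer.Ordinal)
        {
            { "https://rp.example.invalid/", new X509Certificate2("rp-encryption.cer") }
        };

    public DemoSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    // Called first for every request: decide whether, and for whom, a token may be issued.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
        {
            throw new InvalidRequestException("The request must specify an AppliesTo address.");
        }

        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
        X509Certificate2 encryptingCertificate;
        if (!RelyingParties.TryGetValue(appliesTo, out encryptingCertificate))
        {
            // Refuse to mint tokens for audiences the STS does not know.
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);
        }

        Scope scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        // Encrypt the token for the relying party so claims are not readable by intermediaries.
        scope.EncryptingCredentials = new X509EncryptingCredentials(encryptingCertificate);
        // Reply only to the registered address, never to a ReplyTo value taken from the request.
        scope.ReplyToAddress = appliesTo;
        return scope;
    }

    // Called second: build the set of claims that goes into the issued token.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            throw new InvalidRequestException("The caller must authenticate before a token is issued.");
        }

        // Issue only claims the STS can vouch for; the role value is an assumed example.
        IClaimsIdentity outputIdentity = new ClaimsIdentity();
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Users"));
        return outputIdentity;
    }
}
```

The configuration object is handed to WIF's hosting classes: WSTrustServiceHost for active (SOAP) clients, or FederatedPassiveSecurityTokenServiceOperations.ProcessRequest inside an ASP.NET page for browser clients. Keeping the audience allow-list and the ReplyTo decision inside GetScope means a request cannot obtain a token for an address the STS has not been told about.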
For example, when you build a relying party with WIF you are shielded from all of the cryptographic heavy lifting. WIF decrypts the security token passed from the client, validates its signature, validates any proof keys, shreds the token into a set of claims and presents them to you via an easy-to-consume object model.
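The relying-party side of that object model, as an added example that is not part of the original column and not code from WIF itself. It targets WIF 1.0 (Microsoft.IdentityModel) and assumes the usual web.config wiring that is not shown here: the WS-Federation Authentication Module, Session Authentication Module and ClaimsAuthorizationModule registered as HttpModules, and a <microsoft.identityModel> section that lists the STS certificate thumbprint under <trustedIssuers> and points <claimsAuthenticationManager> and <claimsAuthorizationManager> at the two classes below. The issuer name "TrustedSts", the e-mail domain, the role name and the /Admin path are assumed values.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Threading;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;

// 1. Consuming claims. By the time Page_Load runs, the FAM (or the session module on
//    later requests) has validated the token and placed an IClaimsPrincipal on the thread.
public partial class Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        foreach (Claim claim in identity.Claims)
        {
            // Issuer records which STS asserted the claim; encode before rendering.
            Response.Write(Server.HtmlEncode(String.Format("{0} = {1} (issuer: {2})",
                claim.ClaimType, claim.Value, claim.Issuer)) + "<br/>");
        }
    }
}

// 2. Validating and shaping claims once per sign-in, before application code sees them.
public class RequireEmailClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Name given to the STS in the <trustedIssuers> section; assumed value.
    private const string TrustedIssuer = "TrustedSts";

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        IClaimsIdentity identity = incomingPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return incomingPrincipal; // anonymous request: nothing to check yet
        }

        // The application depends on an e-mail claim, so reject tokens that lack one,
        // and accept it only if the trusted STS issued it.
        Claim email = identity.Claims.FirstOrDefault(c =>
            c.ClaimType == ClaimTypes.Email && c.Issuer == TrustedIssuer);
        if (email == null)
        {
            throw new SecurityTokenException("Token carries no e-mail claim from the trusted issuer.");
        }

        // Derive an application-local role from the e-mail domain. Marking the issuer as
        // "LOCAL AUTHORITY" keeps it distinguishable from STS-issued claims.
        if (email.Value.EndsWith("@example.invalid", StringComparison.OrdinalIgnoreCase))
        {
            identity.Claims.Add(new Claim(ClaimTypes.Role, "Employees", ClaimValueTypes.String, "LOCAL AUTHORITY"));
        }
        return incomingPrincipal;
    }
}

// 3. Authorizing requests. The ClaimsAuthorizationModule calls CheckAccess with the
//    request URL as the resource claim and the HTTP verb as the action claim.
public class PathRoleAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        Claim resource = context.Resource.FirstOrDefault();
        Claim action = context.Action.FirstOrDefault();
        if (resource == null || action == null)
        {
            return false; // deny when the request is not fully described
        }

        // Assumed policy: only the Employees role may reach /Admin; everything else needs a sign-in.
        if (resource.Value.IndexOf("/Admin", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return context.Principal.IsInRole("Employees");
        }
        return context.Principal.Identity.IsAuthenticated;
    }
}
```

The split matters for defence: the page only reads claims, the ClaimsAuthenticationManager is the single place that decides which claims are trusted and adds locally derived ones, and the ClaimsAuthorizationManager holds the access policy, so none of those decisions are scattered through page code.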
CardSpace 2.0
CardSpace is an identity selector. To a user, a card represents his identity in a simple and friendly manner, very much like the ID card in your wallet or a personal card you hand to your colleagues. The card is installed on the user's computer. The information contained in the card is not the user's identity; the card contains the information needed to fetch the identity information from the identity provider.
CardSpace is not a new technology. It was released with .NET Framework 3.0 back in 2005. CardSpace was not a huge success because it was not easy to use. WIF will change that.
WIF introduces all the plumbing needed to use CardSpace on the client and the infrastructure to build or use an identity provider on the server. CardSpace 2.0 also brings many performance improvements to ensure its use will be easy and comfortable.

The identity problem is complex and the challenge is huge, but on the other hand it must be easy to create applications with advanced identity capabilities.
WIF, together with Microsoft's Identity and Access Platform, allows exactly that.
Security and identity are global issues, and thus interoperability between all platforms is a necessity. Microsoft's Identity and Access Platform is based upon well-known industry-standard protocols to make sure it fully complies with the interoperability requirement.
The world of identity is going through a revolution with claims-based authorization systems. If you want to be up to date, I recommend taking a close look at WIF and Microsoft's Identity and Access Platform.