A paradigm shift is underway in how .NET solution developers work with identity and authentication. The shift is not only in the tools but also in the recommended design patterns for validating user identity (authentication) and for managing role-based permissions over what a user is allowed to do (authorization). Many of the seeds of this change have been growing for some time, but critical mass is now near.
As Chappell explains, a domain-based orientation means that an application assumes that user identity is going to be tied to the domain where the user and the application both reside. Federated identity, on the other hand, means that there could be a mix of domains and technologies with established trust relationships, and we would like our applications to work in this diverse environment.
The concept of federated identity and federated authentication, however, is not the only key differentiator for claims-based authentication. Another key concept is the centralization of the responsibility for issuing "claims." Just as the federated approach is the opposite of the currently predominant domain-based approach, centralized claims management is the opposite of the common distributed approach, where each application is responsible for looking up the claims it needs based on the identity of the user.
Think of an application looking up the user's group memberships, email address, job title, and so on in Active Directory. That is domain-based: not only is the application tightly coupled to one identity authority (Active Directory), but it also needs to know how to find the data it needs on its own, and it may even store some of that information itself, resulting in yet another copy of the identity in the application's own data store.
In a claims-based system, the application declares what information of this sort it needs (that is, which claims it requires to be provided), and the security token service (STS) takes care of supplying that information inside the token it issues. This isolates the application from the source of the claims, be it Active Directory or something else: the application is coupled to the token, and to its trust relationship with the STS that signed it, rather than to the directory. The application still has to validate the token's signature and issuer before believing any claim in it; what it no longer has to do is go and fetch the attributes itself.
In the current approach, every application must solve this common problem over and over again. Think of all the applications in your enterprise; most likely each one has its own custom code for handling authentication. The new centralized approach of a claims-based STS means that applications can piggyback on these central capabilities.
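The following is an added example, not code from the original post or from the Geneva bits, showing the relying-party side of the pattern described above. It uses the System.Security.Claims types that the WIF claims model became in .NET 4.5 (the Geneva-era framework exposes the same concepts under Microsoft.IdentityModel.Claims). The issuer names, the sample users and the in-process `IssueToken` stand-in for the STS are all assumptions made for the example; a real STS hands the application a signed token, and WIF validates the signature and issuer before the application sees the principal. The point is that the application names the claims it needs and decides from the token alone, instead of opening a DirectorySearcher to read mail and memberOf itself.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not the post's code). Claims-based authorization on the
// relying-party side, with a constructed in-process stand-in for the STS.
static class ClaimsDemo
{
    // Assumed issuer name for the one STS this application federates with.
    // In a real deployment this comes from the STS's federation metadata.
    const string TrustedIssuer = "http://sts.contoso.example/trust";

    // What the application needs, stated as claim types. This is the
    // claims-based replacement for looking up mail and memberOf in AD.
    static readonly string[] RequiredClaimTypes =
    {
        ClaimTypes.NameIdentifier,
        ClaimTypes.Email,
        ClaimTypes.Role,
    };

    // Stand-in for the STS: the one component that knows about AD (or any
    // other store) and turns what it knows into claims stamped with its issuer.
    public static ClaimsPrincipal IssueToken(string issuer, IDictionary<string, string[]> attributes)
    {
        var claims = attributes.SelectMany(kv =>
            kv.Value.Select(v => new Claim(kv.Key, v, ClaimValueTypes.String, issuer)));
        // A non-null authentication type marks the identity as authenticated;
        // the last two arguments tell IsInRole which claim type carries roles.
        var identity = new ClaimsIdentity(claims, "Federation",
            ClaimTypes.NameIdentifier, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // Relying-party check. Fails closed unless every required claim is present
    // and every claim the decision rests on was issued by the trusted STS.
    public static bool CanApproveExpenses(ClaimsPrincipal user, out string reason)
    {
        var identity = user.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            reason = "not authenticated";
            return false;
        }

        foreach (var type in RequiredClaimTypes)
        {
            if (!identity.HasClaim(c => c.Type == type))
            {
                reason = "required claim missing: " + type;
                return false;
            }
        }

        // A claim from any other issuer is not evidence of anything here.
        var foreign = identity.Claims.FirstOrDefault(c => c.Issuer != TrustedIssuer);
        if (foreign != null)
        {
            reason = "claim " + foreign.Type + " issued by untrusted " + foreign.Issuer;
            return false;
        }

        // Authorization is now a question about the token, not a query to AD.
        if (!user.IsInRole("ExpenseApprover"))
        {
            reason = "role ExpenseApprover not present";
            return false;
        }

        reason = "ok";
        return true;
    }

    static void Main()
    {
        // Constructed sample users; no directory is contacted.
        var alice = IssueToken(TrustedIssuer, new Dictionary<string, string[]>
        {
            { ClaimTypes.NameIdentifier, new[] { "alice" } },
            { ClaimTypes.Email, new[] { "alice@contoso.example" } },
            { ClaimTypes.Role, new[] { "Employee", "ExpenseApprover" } },
        });

        // Same claims, but minted by an issuer the application does not trust.
        var mallory = IssueToken("http://sts.rogue.example/trust", new Dictionary<string, string[]>
        {
            { ClaimTypes.NameIdentifier, new[] { "mallory" } },
            { ClaimTypes.Email, new[] { "mallory@rogue.example" } },
            { ClaimTypes.Role, new[] { "ExpenseApprover" } },
        });

        string why;
        Console.WriteLine("alice: " + CanApproveExpenses(alice, out why) + " (" + why + ")");
        Console.WriteLine("mallory: " + CanApproveExpenses(mallory, out why) + " (" + why + ")");
    }
}
```

Running this prints an allow for alice and a deny for mallory, whose claims are rejected on the issuer check before the role is even consulted. In a WIF-hosted ASP.NET or WCF application the issuer check is normally done for you by the framework's issuer name registry during token validation; the part worth copying is that the application's own code never reaches back into Active Directory.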
Yet another aspect of identity covered in the new paradigm is the concept of users having multiple digital identities, something that is already common in the world at large but has not yet been especially significant in a purely business context. Many analysts believe that the use of multiple digital identities in authentication scenarios is going to become more common. Microsoft has invested significantly in this idea, which is at the center of the CardSpace technology (see the Chappell white papers linked above).
A key set of technologies from Microsoft in this landscape has until recently been referred to by its code name: Geneva. At the most recent Worldwide Partner Conference, Microsoft announced new official names for the Geneva technologies:
- “Geneva” Framework will become Windows Identity Foundation and provides developers pre-built .NET security logic for building claims-aware applications, enhancing either ASP.NET or WCF applications
- “Geneva” Server will become Active Directory Federation Services and is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access
- Windows CardSpace “Geneva” will become Windows CardSpace, for helping users navigate access decisions and for developers to build customer authentication experiences for users
Several other technologies from Microsoft are relevant to this new paradigm:
- Active Directory (AD) Lightweight Directory Services
- Identity Lifecycle Manager (ILM)
- Active Directory Rights Management Services (AD RMS)
- Windows Communication Foundation
- The .NET runtime System.DirectoryServices namespace
Identity and authorization, of course, are only one part of an overall security strategy. Claims-based authentication and the technologies listed above can be considered from a broader security perspective in the context of Microsoft's "Business Ready Security" initiative, which aims to "help both partners and customers [of Microsoft] 1) protect everywhere and access anywhere, 2) integrate and extend security across the enterprise, and 3) simplify the security experience and manage compliance." Business Ready Security is largely built around the Forefront technology.
Consider Northridge your partner for taking advantage of these new opportunities to improve security and enhance user experiences.