
Network World

Julie Bort

Microsoft "Geneva" could be genius but skeptics abound

By Microsoft Subnet on Tue, 05/12/09 - 12:36pm.

Microsoft late Monday announced the second beta of its cloud identity management suite of servers, code-named Geneva.

The Geneva platform consists of three components:

•  Geneva Framework lets developers build "claims-aware" .NET applications, abstracting user authentication away from the application itself
•  Geneva Server is a security token service (STS) for IT that issues and manages claims and other tokens, manages user access, and enables easy federation
•  Windows CardSpace Geneva helps users navigate access decisions

The gist of the news about the second beta is three-fold. Microsoft announced several new features, such as support for SharePoint 2007 R2 and integrated provisioning of the client software token (meaning a single sign-on token can be authenticated in the background as needed). The integrated provisioning is pretty cool and could go a long way toward making Geneva more attractive for enterprises. Plus, four partners had lined up to support it -- CA, Novell, SAP and Sun -- and Microsoft had increased its support for SAML 2.0 (specifically, the SAML 2.0 identity provider light and service provider light profiles, plus support for the U.S. government's SAML 2.0 implementation). This is in addition to supporting the Microsoft-developed set of standards that competes with SAML, the Web Services Specifications (known as WS-*).

Microsoft Subnet recently met with Brendan Foley, director of product management at Identity & Security Business Group, and asked him a few questions about Geneva. 

Q:   Can Windows Live IDs be used with Geneva?  Also, will Windows Live ID support OpenID?
A.    Yes, Geneva supports Live ID. Windows Live ID announced in Fall ‘08 that it will become an OpenID provider near the end of 2009.

Q:   Can Geneva work with other gateways beyond the Microsoft Federation Gateway?
A.   If the gateway supports SAML 2.0 or WS-Federation, Geneva should be able to interoperate with it.

Q:   Why did Microsoft change its position on supporting SAML?
A. We listened to our customers using AD FS and made the SAML protocol support a top priority for Geneva. In beta 1 we supported many pieces of the SAML 2.0 protocol.  With beta 2 we added support for the SPLite of SAML 2.0.  Almost all the work for SAML 2.0 is complete in Beta 2, with a few features remaining to be added in the RTM release.

Q:   What other standards are we watching and possibly will support with Geneva beyond WS-* and SAML?
A.    While we have nothing to announce today, we continue to watch and investigate XACML and OpenID.

Q:    What evidence is there that Microsoft Geneva will enable the federation of identities not only to Microsoft Online Services but also to other cloud-based services like Google?  
A.    Microsoft code name Geneva supports SAML 2.0.  If the hosted application supports SAML 2.0, Geneva should be able to federate with it.  Google’s cloud-based services are on SAML 2.0, so federation should be possible; however, it’s not been tested nor are any beta customers using Geneva yet in this capacity.

But as happy as this all sounds, some industry observers say what Microsoft is doing with Geneva is off-track, particularly when it comes to the idea of federated identity management. Let's not forget that Microsoft's original support of SAML was half-hearted at best -- enough so that the company could claim to support the favored standard, but the implementation didn't allow true interoperability with other SAML products (which is the point of a standard, after all). Microsoft's announcement again hints at less-than-full-throated support of SAML 2.0. Darren Platt, founder and CTO of Symplified, whose product provides security and identity management for users across multiple clouds (including, eventually, Azure), puts it this way.

"You can think of SAML as being composed of two primary things: 1. An open security token format called a 'SAML Assertion.' 2. Profiles and protocols that enable single sign-on and other identity-related functionality," he says. "When Microsoft implemented WS-Federation (their version of SAML that fits better into their WS-* specification set), they created a profile for single sign-on without specifying any specific security token format to use.  Instead they suggested that implementers can choose between Kerberos tickets, username/password tokens, and SAML assertions, and provided examples of how to do so.  So it is based on the fact that their WS-Federation implementation (ADFS) supports SAML tokens that they have claimed SAML support today.  This is not true SAML support and does not provide interoperable SSO based on the SAML protocol."

He adds, "As it turns out, the majority of implementations of WS-Federation (that I’m aware of) use SAML assertions/tokens.  Due to the extensibility that this token format provides, it is being used by more and more security standards, including WS-Federation (the SOAP security standard)."

The second problem with Geneva, some say, is that its claims-aware approach is interesting but not practical. It requires that application developers add claims components to their apps. Microsoft will no doubt do a great job of making its own software products claims-aware, and that could drive enterprises to consider Geneva, but beyond Microsoft the claims-aware application approach will be a hard hurdle to overcome. While Microsoft announced four partners along with its beta 2 release, it is far-fetched that every large-scale enterprise software maker (SAP, Oracle) will want to add claims-aware extensions to support Microsoft's Geneva security product in Microsoft's cloud.
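To make the claims-aware idea concrete, and the token-versus-protocol split Platt describes above, here is an added example. It is not code from the article, from Microsoft or from the Geneva Framework: a small Python relying party that accepts a SAML 2.0 assertion issued by a security token service, checks issuer, audience and validity window, turns the attribute statements into claims, and authorizes on those claims alone, never on how the user authenticated. The issuer, audience, assertion text and claim values are constructed for this example; the claim-type URIs follow the CardSpace/WIF convention. Signature verification over the assertion is assumed to happen before this code runs and is represented only by the `verified_signature` flag.

```python
"""Claims-aware access check over a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Claim types: the URIs are the standard CardSpace/WIF ones; the values below are constructed.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAMEID_CLAIM = "nameid"  # local label for the subject NameID

# Hypothetical trust configuration of the relying application.
TRUSTED_ISSUERS = {"https://sts.example.test/"}
APP_AUDIENCE = "https://app.example.test/"

# Constructed sample assertion, standing in for what an STS such as Geneva Server would issue.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2009-05-12T12:00:00Z">
  <saml:Issuer>https://sts.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-05-12T11:55:00Z" NotOnOrAfter="2009-05-12T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Approver</saml:AttributeValue>
      <saml:AttributeValue>Employee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class TokenValidationError(Exception):
    """The token must not be trusted; the message says why."""


def parse_time(value):
    """Parse a SAML UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, trusted_issuers, audience, now, verified_signature):
    """Apply the relying party's trust checks, then map attributes to {claim_type: [values]}."""
    if not verified_signature:
        # The XML signature must be checked against the STS certificate before anything else.
        raise TokenValidationError("assertion signature has not been verified")
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise TokenValidationError("not a SAML 2.0 assertion")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        raise TokenValidationError(f"untrusted issuer: {issuer!r}")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise TokenValidationError("assertion carries no Conditions")
    try:
        not_before = parse_time(conditions.get("NotBefore", ""))
        not_on_or_after = parse_time(conditions.get("NotOnOrAfter", ""))
    except ValueError:
        raise TokenValidationError("Conditions lacks a usable validity window")
    if not (not_before <= now < not_on_or_after):
        raise TokenValidationError("assertion is outside its validity window")
    audiences = {a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if audience not in audiences:
        raise TokenValidationError("assertion was not issued for this application")
    claims = {}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id:
        claims[NAMEID_CLAIM] = [name_id.strip()]
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def can_approve(claims):
    """Business rule expressed purely in claims: the application never sees a credential."""
    return "Approver" in claims.get(ROLE_CLAIM, [])


def decide(assertion_xml, now, verified_signature):
    """Full relying-party decision: returns ("allow", subject) or ("deny", reason)."""
    try:
        claims = extract_claims(assertion_xml, TRUSTED_ISSUERS, APP_AUDIENCE, now, verified_signature)
    except TokenValidationError as exc:
        return "deny", str(exc)
    if can_approve(claims):
        return "allow", claims[NAMEID_CLAIM][0]
    return "deny", "missing Approver role"


if __name__ == "__main__":
    print(decide(SAMPLE_ASSERTION, parse_time("2009-05-12T12:00:00Z"), verified_signature=True))
```

The point of the design is that `can_approve` and `decide` would look the same whether the STS authenticated the user with a password, a Kerberos ticket or a federated partner's token; only the STS and its trust configuration change. In production, the XML signature check has to run before `extract_claims`, and XML arriving from another party should be parsed with a hardened parser rather than the stock `xml.etree`.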

Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)


Microsoft responds


Microsoft PR contacted Microsoft Subnet today to clarify some assertions and questions we raised. Microsoft reiterated that it is supporting SAML 2.0 in a way that has been proven interoperable with several partners. It also says Geneva 2.0 will not require developers to re-write their applications. See the full response here. http://www.networkworld.com/community/node/42111

About Microsoft Subnet Blog

The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community, and is written by Online Community editor Julie Bort. Microsoft Subnet is the independent voice of Microsoft customers and is your gateway to daily Microsoft news, blogs, opinion, books, prize giveaways and more. Visit the Microsoft Subnet index page daily, and while you are there, subscribe to the Microsoft newsletter. The newsletter includes news generated by the Microsoft Subnet community as well as other Microsoft news stories published by Network World.
