Microsoft "Geneva" could be genius but skeptics abound

Microsoft late Monday announced the second beta of its cloud identity management suite of servers, code-named Geneva.

The Geneva platform is comprised of three components:

•  Geneva Framework enables developers to build "claims-aware" .NET applications that abstract user authentication away from the application itself.

•  Geneva Server is a security token service (STS) for IT that issues and manages claims and other tokens, manages user access, and enables easy federation.

•  Windows CardSpace Geneva helps users navigate access decisions.

The news about the second beta is three-fold. First, Microsoft announced several new features, such as support for SharePoint 2007 R2 and integrated provisioning of the client software token (meaning a single sign-on token can be obtained and authenticated in the background as needed). Integrated provisioning is pretty cool and could go a long way toward making Geneva more attractive to enterprises. Second, four partners had lined up to support it: CA, Novell, SAP and Sun. Third, Microsoft had increased its support for SAML 2.0, specifically the SAML 2.0 identity provider Lite and service provider Lite modes, plus added support for the U.S. government's SAML 2.0 implementation. This is in addition to supporting the Microsoft-developed set of standards that competes with SAML, the Web Services specifications (known as WS-*).

Microsoft Subnet recently met with Brendan Foley, director of product management in Microsoft's Identity & Security Business Group, and asked him a few questions about Geneva.

Q: Can Windows Live IDs be used with Geneva? Also, will Windows Live ID support OpenID?

A: Yes, Geneva supports Live ID. Windows Live ID announced in Fall '08 that it will become an OpenID provider near the end of 2009.

Q: Can Geneva work with other gateways beyond the Microsoft Federation Gateway?

A: If the gateway supports SAML 2.0 or WS-Federation, Geneva should be able to interoperate with it.

Q: Why did Microsoft change its position on supporting SAML?

A: We listened to our customers using AD FS and made the SAML protocol support a top priority for Geneva. In beta 1 we supported many pieces of the SAML 2.0 protocol. With beta 2 we added support for the SPLite of SAML 2.0. Almost all the work for SAML 2.0 is complete in beta 2, with a few features remaining to be added in the RTM release.

Q: What other standards are we watching and possibly will support with Geneva beyond WS-* and SAML?

A: While we have nothing to announce today, we continue to watch and investigate XACML and OpenID.

Q: What evidence is there that Microsoft Geneva will enable the federation of identities not only to Microsoft Online Services but also to other cloud-based services like Google?

A: Microsoft code name Geneva supports SAML 2.0. If the hosted application supports SAML 2.0, Geneva should be able to federate with it. Google's cloud-based services are on SAML 2.0, so federation should be possible; however, it's not been tested nor are any beta customers using Geneva yet in this capacity.

But as happy as this all sounds, some industry observers say what Microsoft is doing with Geneva is off-track, particularly when it comes to federated identity management. Let's not forget that Microsoft's original support of SAML was half-hearted at best: enough that the company could claim to support the favored standard, but the implementation didn't allow true interoperability with other SAML products (which is the point of a standard, after all). Microsoft's announcement again hints at less-than-full-throated support of SAML 2.0, says Darren Platt, founder and CTO of Symplified, whose product provides security and identity management for users across multiple clouds (including, eventually, Azure).

"You can think of SAML as being composed of two primary things: 1. An open security token format called a 'SAML Assertion.' 2. Profiles and protocols that enable single sign-on and other identity-related functionality," he says. "When Microsoft implemented WS-Federation (their version of SAML that fits better into their WS-* specification set), they created a profile for single sign-on without specifying any specific security token format to use. Instead they suggested that implementers can choose between Kerberos tickets, username/password tokens, and SAML assertions, and provided examples of how to do so. So it is based on the fact that their WS-Federation implementation (ADFS) supports SAML tokens that they have claimed SAML support today. This is not true SAML support and does not provide interoperable SSO based on the SAML protocol."

He adds, "As it turns out, the majority of implementations of WS-Federation (that I’m aware of) use SAML assertions/tokens.  Due to the extensibility that this token format provides, it is being used by more and more security standards, including WS-Federation (the SOAP security standard)."

The second problem with Geneva, some say, is that its claims-aware approach is interesting but not practical. It requires that application developers add claims components to their apps. Microsoft will no doubt do a great job of making its own software products claims-aware, and that could drive enterprises to consider Geneva, but beyond Microsoft's own products the claims-aware application approach will be hard to push through. While Microsoft announced four partners along with its beta 2 release, it is far-fetched that every large-scale enterprise software maker (SAP, Oracle) will want to add claims-aware extensions to support Microsoft's Geneva security product in Microsoft's cloud.
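To make concrete both the token-format distinction Platt draws (a SAML assertion as a token, separate from the SAML SSO protocol) and what "claims-aware" means for an application, here is an added example that is not part of the original article and not Geneva, ADFS or Symplified code. It parses a constructed, unsigned SAML 2.0 assertion, rejects it unless the issuer, validity window and audience are the ones this relying party expects, and only then flattens it into a list of claims that the application authorizes against. The STS and application URLs, the user and the role values are made-up sample data; the claim-type URIs follow the form Microsoft's claims stack uses but are only sample values here. The one thing a real relying party must do that this example deliberately leaves out is verify the STS's XML signature over the assertion before any of these checks.

```python
"""Claims-aware relying-party check over a SAML 2.0 assertion.

Added example, not code from the original article, Geneva, ADFS or Symplified.
All URLs, names and roles below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# What this (hypothetical) relying party trusts and who it is.
TRUSTED_STS = "https://sts.example.com/geneva"
MY_AUDIENCE = "https://app.example.com/"
SAMPLE_NOW = datetime(2009, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample assertion. It is unsigned: a real STS signs the assertion
# with an enveloped ds:Signature, and the relying party must verify that
# signature against the STS's known certificate BEFORE calling extract_claims.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_3f9b2c" Version="2.0" IssueInstant="2009-06-01T12:00:00Z">
  <saml:Issuer>https://sts.example.com/geneva</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-06-01T11:55:00Z" NotOnOrAfter="2009-06-01T12:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Approver</saml:AttributeValue>
      <saml:AttributeValue>Reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class AssertionRejected(Exception):
    """Raised when the assertion must not be turned into claims."""


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing Z; fromisoformat
    # wants an explicit offset instead.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_claims(assertion_xml, trusted_issuer, my_audience, now,
                   clock_skew=timedelta(0)):
    """Validate the assertion's envelope, then return [(claim_type, value), ...].

    Issuer, validity window and audience are checked before a single attribute
    is read, so an assertion minted for another relying party, or replayed
    after expiry, never yields claims here.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"] or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion element")

    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != trusted_issuer:
        raise AssertionRejected("untrusted issuer %r" % issuer)

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise AssertionRejected("no Conditions element; refusing an unbounded assertion")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + clock_skew < _parse_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - clock_skew >= _parse_time(not_on_or_after):
        raise AssertionRejected("assertion expired")

    # Every AudienceRestriction present must name us, and at least one must exist.
    restrictions = conditions.findall("saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        raise AssertionRejected("no AudienceRestriction; refusing an assertion for any audience")
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text]
        if my_audience not in audiences:
            raise AssertionRejected("assertion not addressed to %s" % my_audience)

    claims = []
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is not None and name_id.text:
        # The NameID Format URI serves as the claim type of the subject identifier.
        claims.append((name_id.get("Format", "NameID"), name_id.text.strip()))
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            claims.append((attr.get("Name"), (value.text or "").strip()))
    return claims


def has_role(claims, role):
    """The application's own authorization decision, expressed purely in claims."""
    return any(ctype == ROLE_CLAIM and value == role for ctype, value in claims)


def reject_reason(assertion_xml, trusted_issuer, my_audience, now):
    """None if the assertion is acceptable, else the reason a relying party would log."""
    try:
        extract_claims(assertion_xml, trusted_issuer, my_audience, now)
    except AssertionRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for ctype, value in extract_claims(SAMPLE_ASSERTION, TRUSTED_STS, MY_AUDIENCE, SAMPLE_NOW):
        print(ctype, "=", value)
```

The application code never sees a password, a Kerberos ticket or the STS at all; it sees a list of (type, value) claims and decides on those, which is what "claims-aware" buys. The same function would accept an assertion that arrived inside a WS-Federation response or a SAML 2.0 protocol response, which is Platt's point: the token format and the SSO protocol are separate layers.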

Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)