Geneva framework: A better way to build a claims-based WCF service

This article is based on a pre-release version of the "Geneva" framework. All information is subject to change.

This article uses the following techniques:

Windows Communication Foundation

The "Geneva" Framework (formerly known as "Zermatt") is a new framework code for building claims-based applications and services and for implementing joint security scenarios. Its capabilities include probing capabilities for building custom security token services (STS), mechanisms to require federated authentication from ASP.net applications, and simplifying asp.net applications and Windows communication Foundation (WCF) Services The object model based on the declared authorization.

The Geneva framework also includes features that support Windows CardSpace, such as managed information card issuance, and ASP.net controls for simplifying the Windows CardSpace logon experience creation process. (For more information about Windows CardSpace, read identity: Use Windows CardSpace to secure your asp.net applications and WCF services.) Obviously, the Geneva framework contains a variety of security features, but its core functionality is claims-based security.

Although WCF has always provided native support for a claims-based security model, the Geneva framework simplifies runtime access to declarations and provides a mechanism to support claims-based authorization, so that the authorization principal is associated with the Microsoft. NET Framework To improve the experience, consistent with the role-based authorization bodies provided in. The ASP.net application leverages the Geneva framework to obtain a claims-based authorization feature that is compatible with existing ASP.net login controls that enhance role-based security. In this article, I will highlight the value of implementing a claims-based security model, describe how to get a claims-based WCF service using the Geneva framework, and compare this method with the way WCF handles claims-based security without using the Geneva framework.

Before continuing with this article, I recommend that you read the Geneva Framework white Paper for Developers, co-authored by Keith Brown and Sesha Mani. This white paper outlines the features of the Geneva framework, as well as some background on the concept of claims-based security, and describes how to enable these features (but focus on the former) in asp.net applications and WCF services. In addition, you can learn more about WCF and claims-based security in the "Security Bulletin" column published in September 2007 by Keith Brown.

Why use claims-based security?

Why do you want to move to a claims-based security model? You must know the answer to this question before you consider using the Geneva framework to implement the solution. Assuming that the definition of an application role has never changed, and that only one authentication mechanism maps security principals to those roles, role-based security is sufficient. However, a claims-based security model facilitates the design of applications and services so that they are not bound to specific credential types or to specific role groups. This is one of the value propositions based on the declarative security model.

Detaching applications and services from roles allows changes to role names and meanings without affecting the system. You can assign an authenticated user to a more granular project-declaration that applies to authorization. The declaration can be assigned based on an authenticated user, as shown in Figure 1, or it can be assigned based on the role of the authenticated user, as shown in Figure 2.

Figure 1 statement based on authenticated user assignment