Martijn Veken

Just having some fun with .NET

November 2008 - Posts

Introduction to Geneva - Using passive federation

Using Geneva for authentication in your website is called "passive federation": the browser is a passive client that cannot speak WS-Trust itself, so the sign-in relies on HTTP redirects and JavaScript-driven form posts (the WS-Federation passive profile) to send the user to the STS and carry the token back to the application. "Active federation", as used in services or smart clients, implements the WS-Trust protocol directly. For more information read this excellent white paper by Keith Brown.

In my previous post, I explained how to set up a Geneva server, which we're going to use in this scenario. We're going to use a sample application that is present in the "Samples" folder of the Geneva Framework, the "Simple claims-aware web application using managed STS". This site contains no more than a default.aspx that shows information about the logged-on identity. It has no logon page of its own. To use the Geneva STS as the identity provider we have to make some changes to the web.config. The web application has to know where it can find the STS (so it can redirect unauthenticated users there), how to validate the tokens it receives (the certificate the STS signs tokens with, and the audience the tokens must be issued for), and which claims the application will be using. Fortunately, you don't have to write this yourself. You can use the FedUtil tool that can be found in the Geneva Framework folder.

[screenshot: fedutil]

First you have to point the tool to the web.config file it needs to update and enter the URL of the web application (this has to be an https URL, and be sure to match the casing of the vdir exactly or you will get problems later). You also have to select a certificate for the application itself (you can use the SSL certificate); its public key is published in the application's metadata so the STS can encrypt the tokens it issues to this application, which means the application must be able to read the private key. On the next page you have to give a reference to the metadata of the STS. The URL of the metadata is: https://[hostname]/FederationMetadata/2007-06/FederationMetadata.xml.

[screenshot: fedutil2]

If you have problems retrieving the metadata, it could be that there are problems with your SSL certificate. Do not use the IP address in the URL, but the host name, because the certificate was issued for the host name. If your SSL certificate is self-signed like mine, you also have to import it into the browser's "Trusted Root Certification Authorities" store (Tools > Internet Options > Content > Certificates). This is acceptable for a lab setup only; in production, use certificates issued by a CA both sides already trust rather than adding self-signed certificates to a root store.

In the next screen you select the claims that your application needs and the STS offers, in this case you can select them all:

[screenshot: fedutil3]

After finishing the wizard, the FedUtil tool has inserted the needed information into the config file. It has also created a metadata.xml file that contains the information the STS will need to communicate with the client: the application's URL, its certificate and the claims it asks for.
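For reference, this is the shape of what FedUtil writes into web.config. It is an added illustration, not the page's own config or the file FedUtil generated on the author's machine; the element names follow the Geneva Framework (later WIF) configuration schema as I know it from the later release and may differ slightly in the beta, and the host names, endpoint path, thumbprints and issuer name are placeholders that FedUtil fills in from the STS metadata:

```xml
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel" />
  </configSections>
  <system.web>
    <!-- The application no longer authenticates users itself; the WS-Federation module does. -->
    <authentication mode="None" />
    <!-- Deny anonymous users so every request is redirected to the STS for sign-in. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <httpModules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel" />
    </httpModules>
  </system.web>
  <microsoft.identityModel>
    <service>
      <!-- A token is only accepted if its audience matches one of these URIs, which stops a
           token issued for another application from being replayed here. Casing must match IIS. -->
      <audienceUris>
        <add value="https://devbox.example.local/ClaimsAwareWebApp/" />
      </audienceUris>
      <federatedAuthentication>
        <!-- issuer: the passive endpoint of the STS the browser is redirected to (placeholder path).
             realm: the identifier of this application, sent as wtrealm and echoed back as the audience. -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://geneva.example.local/FederationPassive/"
                      realm="https://devbox.example.local/ClaimsAwareWebApp/"
                      requireHttps="true" />
        <!-- The session cookie that replaces the token must only travel over SSL. -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <!-- Only tokens signed by a certificate with this thumbprint are trusted. This is the
           security anchor of the whole setup: it must be the STS token-signing certificate
           taken from the federation metadata, not the SSL certificate of the STS web site. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
        <trustedIssuers>
          <add thumbprint="0000000000000000000000000000000000000000"
               name="https://geneva.example.local/FederationPassive/" />
        </trustedIssuers>
      </issuerNameRegistry>
      <!-- The application certificate selected in FedUtil, used to decrypt tokens encrypted to it. -->
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint"
                              findValue="1111111111111111111111111111111111111111"
                              storeLocation="LocalMachine" storeName="My" />
      </serviceCertificate>
    </service>
  </microsoft.identityModel>
</configuration>
```

Two things are worth checking by hand after the wizard: that the thumbprint under trustedIssuers really is the token-signing certificate published in the STS metadata (a token signed by anything else must be rejected, and it will be), and that the audience URI and realm use exactly the casing of the vdir in IIS.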

From the STS side we want to control which applications may use the service: the STS only issues tokens for relying parties it knows. You do this by adding a "relying party" to the STS in the Geneva Server Management tool. On the first screen you're required to enter the URL of the metadata file in the client application. This is the file we just created using the FedUtil tool.

[screenshot: relparty1]

Again, if the tool has problems retrieving the metadata, this probably has to do with the SSL certificate. The solution is the same as described above, but now by adding the SSL certificate of the client application to the trusted root store of the browser on the server.

In the next screen just add a name and description for the relying party. Then select the claims we want to expose (in this case leave them all selected) and save the relying party. For a real application you would release only the claims that application actually needs.

This is all the configuration we need to do. From the client, start up your website. If all went well, you will be presented with the following screen:

[screenshot: logon]

When you look closely at the URL you can see that this is a URL on the STS server: the application redirected the unauthenticated request there. Choose the sign-in option on the left and after that username/password. Enter a username and password of an account on the server and you will be redirected to the default page of your application (I modified the code a little to show all claims available).

[screenshot: site]

If your browser enters an endless loop after signing in, you have probably entered the name of the vdir of your application with incorrect casing. Every time you enter the name of the vdir, the casing has to be exactly the same as in IIS: the session cookie is issued for the configured vdir path, browsers match cookie paths case-sensitively, so a request to a differently cased path does not carry the cookie and is redirected to the STS again.

This is all there is to a basic authentication scenario. In a next post I will show how to use the identity and the claims in code.

Introduction to Geneva - Setting up the server

Last week at TechEd I followed a couple of presentations on Geneva, the project that used to be called Zermatt. Geneva is a series of components that will make it a lot easier for developers to work with identities within their applications. It is built up from three components:

  • Geneva Server: a security token service (STS) that is responsible for authenticating users and issuing the signed tokens that carry their identities.
  • Geneva Framework: a new part of the .NET Framework that handles all of the plumbing in dealing with these identities (receiving and validating tokens, and exposing the claims to the application).
  • Geneva CardSpace: the client technology that makes it easier for users to manage, and reduce the number of, the identities they have to use.

There are a couple of things about Geneva that make it very powerful:

  • It's based on open standards, most importantly WS-Trust, WS-Federation and SAML 2.0, so it can communicate with STSes of other vendors, which should speed up adoption.
  • Geneva Server takes care of the federation of identities by setting up trust relationships between STSes.
  • It makes life easier for developers because they don't have to worry about where the identities come from. They program against the same objects no matter what the origin of the identity is.

Geneva is based on something called "claims-based identity". An identity is represented as a set of claims: statements an issuer makes about the subject (e.g. organizational unit, role, shoe size) that can be queried from within your application. Because the claims arrive in a token signed by the issuer, the application can decide per issuer whether to believe them.
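To make the claims model concrete, here is what reading and acting on claims looks like in a claims-aware ASP.NET page. This is an added example, not the author's code and not the sample application's default.aspx; it uses the Microsoft.IdentityModel.Claims types as I know them from the Geneva Framework (later WIF), and the issuer name, the "Administrators" role value and the adminPanel control are assumptions:

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;   // Geneva Framework (later WIF) claims model

// Added example: inspects the claims of the signed-in user and makes an authorization
// decision that checks both the claim value and the issuer that vouched for it.
// Assumptions: the Geneva Framework modules written by FedUtil are in web.config, and the
// trusted issuer name below is what the issuerNameRegistry assigns to our STS.
public partial class Default : Page
{
    private const string TrustedIssuer = "https://geneva.example.local/FederationPassive/";

    protected void Page_Load(object sender, EventArgs e)
    {
        // After the WS-Federation module has validated the token, the thread principal is a
        // claims principal; a plain IPrincipal would only expose Identity.Name and IsInRole.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;   // the module normally redirects before we get here
            return;
        }
        var identity = (IClaimsIdentity)principal.Identity;

        foreach (Claim claim in identity.Claims)
        {
            // Issuer tells you which STS made the statement. Claim values are data from
            // another system, so encode them before putting them in HTML.
            Response.Write(String.Format("{0} = {1} (issued by {2})<br/>",
                Server.HtmlEncode(claim.ClaimType),
                Server.HtmlEncode(claim.Value),
                Server.HtmlEncode(claim.Issuer)));
        }

        // Authorization: require a role claim AND require that it came from our own STS,
        // so a role asserted by some other trusted issuer does not grant admin rights here.
        bool isAdmin = identity.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role &&
            c.Value == "Administrators" &&
            c.Issuer == TrustedIssuer);
        adminPanel.Visible = isAdmin;   // assumed control on the page
    }
}
```

The point of the issuer check is that trust is per STS: once more than one issuer is configured, a claim type and value alone no longer say who asserted it.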

David Chappell wrote a great white paper about this, to help you get started on the concepts.

This technology is very interesting for the company I work for. We expose an extranet and services to our customers, and identity management is a problem we struggle with. So I decided to get some "hands on" with this technology. I will write a couple of posts about my experiences.

The first issue I ran into was the lack of availability of a pre-installed VPC, so I had to take care of this myself. The rest of this post will cover this topic.

I started with a fresh Win2K8 image that I downloaded from http://www.microsoft.com/vhd. Here you can find a number of virtual hard disks with servers you can try for 30 days. Very handy.

I will be coding in my host environment and using the VPC as a dedicated STS server. You get the best "network" performance between the host and the VPC by using the Microsoft Loopback Adapter. You can read here how to set this up.

After setting up the network, assign a fixed IP address to the server; this is more or less a prerequisite for installing Active Directory. Normally I just use IP addresses to communicate between the VPC and the host, but since we will be doing a lot of SSL communication, the host names have to resolve on both ends. Using IP addresses will cause security warnings because the host name in the URL does not match the certificate, and the federation tools refuse to retrieve metadata over such a connection. You can set this up easily by editing the hosts file on both machines.

The first thing we will do is set up Active Directory (in the current beta version of Geneva this is the only identity source available). We will be using DcPromo for this. DcPromo is a command-line utility that can take several parameters for unattended setup of a domain controller. If you omit the parameters on the command line you will be presented with a wizard that helps you through the setup in a couple of steps. A good description of this process can be found here.
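For a lab that gets rebuilt often, the unattended route is handy. The answer file below is an added example (not from the page or the author's setup); the domain names and paths are placeholders, and the file uses the [DCInstall] keys that Windows Server 2008 dcpromo accepts for a new forest:

```ini
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=geneva.local
DomainNetbiosName=GENEVA
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=ReplaceWithDsrmPassword
RebootOnCompletion=Yes
```

Run it with `dcpromo /unattend:C:\dcpromo.txt`. ForestLevel and DomainLevel 3 select the Windows Server 2008 functional level, which is fine for a single new lab forest. SafeModeAdminPassword is the Directory Services Restore Mode password and sits in the file in clear text, so delete the file once promotion has completed. After the reboot the server's full name is its host name under the new domain (for example sts.geneva.local), and that is the name the self-signed certificate and all later URLs must use.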

After completing this you have to install SQL Server 2005 or 2008, because Geneva Server stores all policy information in this database. I chose to install SQL Express 2005, which is sufficient. You also need SP2 to run it on Win2K8.

Next is activating and configuring IIS. By default IIS is not installed on Win2K8. You can enable IIS in the Server Manager snap-in by adding the "Web Server" role. When choosing role services, at least enable everything under "Application Development" and "Security". Also enable "IIS 6 Metabase Compatibility", which is required by Geneva Server. We're going to be using SSL, so we need to enable this as well. Start IIS Manager and select the web server node in the tree. In the details section look for the Server Certificates icon. Open it, create a self-signed certificate and give it a name; the certificate is issued for the machine's host name, so that is the name you must use in every URL that points to this server. Then select the Default Web Site node and select "Bindings" in the action menu on the right. Add an SSL binding using the certificate you just created.

The last step before installing the Geneva components is installing the .NET Framework 3.5.

Now we will install the Geneva Framework and Geneva Server; both can be found here. After installing, start the Geneva Server Management snap-in. Select the "Geneva Server Configuration" node. In the middle of the screen there are four sections with an "auto configure" button:

  • Click the button in the Policy Store section and select the SQL Express instance we installed earlier. The policy database is created automatically.
  • Click the button in Service Certificates and click "OK" in the next screen. A certificate to sign the security tokens will be created for you. This is the certificate every relying party will trust, so its private key must stay on this server.
  • Click the button in Web Service Client Support and click "OK" in the next screen. A WS-MEX endpoint will be created for WCF services to consume.
  • Click the button in Web Browser Client Support and click "OK" in the next screen. This creates the passive federation web site that other web sites can use for authentication.

Thanks to all the preparation we have done, these four steps should go smoothly. Now select "Start Geneva Server" in the action menu on the right. If everything went well your screen should look something like this:

[screenshot: geneva1]

Now your Geneva server is ready to use. I hope this has helped you set up your rig. In my next post I will explain how to use the server in your website.
