Introduction to Geneva - Setting up the server
Last week at TechEd I followed a couple of presentations on Geneva, the project that used to be called Zermatt. Geneva is a set of components that will make it a lot easier for developers to work with identities within their applications. It's built up from three components:
- Geneva Server: a security token service (STS) that is responsible for issuing the identities, packaged as security tokens.
- Geneva Framework: a new part of the .NET Framework that handles all of the plumbing of dealing with these identities.
- Geneva CardSpace: the client technology that makes it easier for users to manage the identities they have to use, and to reduce their number.
There are a couple of things about Geneva that make it very powerful:
- It's based on open standards (most importantly SAML 2.0), so it can communicate with STSes from other vendors, which improves the chances of fast adoption.
- Geneva Server takes care of federating identities by setting up trust relationships between STSes.
- It makes life easier for developers because they don't have to worry about where the identities come from: they program against the same objects no matter what the origin of the identity is.
Geneva is based on something called "claims-based identity". An identity is represented as a set of claims (e.g. organizational unit, role, shoe size) that a trusted issuer asserts about the user and packages in a signed security token; your application does not look the facts up itself, it queries the claims in the token and relies on the issuer's signature for their authenticity.
David Chappell wrote a great white paper about this, to help you get started on the concepts.
This technology is very interesting for the company I work for. We expose an extranet and services to our customers, and identity management is a problem we struggle with. So I decided to get some "hands on" with this technology. I will write a couple of posts about my experiences.
The first issue I ran into is the lack of availability of a pre-installed VPC, so I had to take care of this myself. The rest of this post covers this topic.
I started with a fresh Win2K8 image that I downloaded from http://www.microsoft.com/vhd. Here you can find a number of virtual hard disks with servers you can try for 30 days. Very handy.
I will be coding in my host environment and using the VPC as a dedicated STS server. You get the best "network" performance between the host and the VPC by using the Microsoft Loopback Adapter. You can read here how to set this up.
After setting up the network, assign a static IP address to the server; this is a prerequisite for promoting it to a domain controller, because the DNS service that Active Directory installs has to be reachable at a stable address. Normally I just use IP addresses to communicate between the VPC and the host, but since we will be doing a lot of SSL communication we have to make the host name resolvable on both ends: a browser or WCF client checks that the host name in the URL matches the subject name of the server certificate, so addressing the server by IP address will trigger a security warning about the host name not matching the certificate. You can set this up easily by adding the server's name to the hosts file (%SystemRoot%\System32\drivers\etc\hosts) on both machines.
The first thing we will do is set up Active Directory (in the current beta of Geneva this is the only identity source available). We will use DcPromo to do this. DcPromo is a command-line utility that accepts parameters, or an answer file, for unattended setup of a domain controller. If you run it without parameters you are presented with a wizard that takes you through the setup in a couple of steps. A good description of this process can be found here.
After completing this you will have to install SQL Server 2005 or 2008; Geneva Server stores all of its policy information in this database. I chose to install SQL Server 2005 Express, which is sufficient. Note that SQL Server 2005 needs Service Pack 2 to run on Win2K8.
Next, enable and configure IIS. By default IIS is not installed on Win2K8. You can enable it in the Server Manager snap-in by adding the "Web Server" role. When choosing role services, enable at least everything under "Application Development" and "Security" (the passive federation site relies on Windows Authentication to log on Active Directory users). Also enable "IIS 6 Metabase Compatibility", which Geneva Server requires. We're going to use SSL, so we need to enable this as well. Start IIS Manager and select the web server node in the tree. In the details pane, open the "Server Certificates" feature and create a self-signed certificate. The name you are asked for is only a friendly name: the certificate's subject will be the server's fully qualified domain name, so that is the name you must use in the hosts file and in every URL. Then select the "Default Web Site" node, choose "Bindings" in the Actions pane on the right and add an https binding using the certificate you just created. Because the certificate is self-signed, the host machine will still warn that the issuer is untrusted until you export the certificate (public key only) and import it into the host's Trusted Root Certification Authorities store.
The last step before installing the Geneva bits is installing the .NET Framework 3.5.
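The preparation steps above, scripted for Windows Server 2008, as an added example that is not part of the original post. The domain name contoso.local, the NetBIOS name CONTOSO, the address 192.168.100.2 and the adapter name are assumptions for a loopback-adapter setup and should be changed for your own rig; the dcpromo answer-file keys, the ServerManagerCmd role-service ids and the IIS application id are the real Windows Server 2008 values.

```powershell
# Added example (not from the original post): the VPC preparation steps, scripted.
# Assumptions: domain contoso.local, VPC address 192.168.100.2 on the loopback
# network, adapter named "Local Area Connection". Run from an elevated PowerShell
# prompt on the VPC. Step 2 reboots the server; run steps 3 and 4 after the reboot,
# once the self-signed certificate has been created in IIS Manager.

$DomainDns = "contoso.local"            # assumed forest/domain name
$VpcIp     = "192.168.100.2"            # assumed static address of the VPC
$Adapter   = "Local Area Connection"    # assumed adapter name inside the VPC
# IIS gives its self-signed certificate the machine's FQDN as subject, so this is
# the name the hosts file and every URL must use.
$Fqdn      = "$env:COMPUTERNAME.$DomainDns".ToLower()

# --- 1. Static IP (required before dcpromo) and hosts entry -------------------
netsh interface ip set address name="$Adapter" source=static addr=$VpcIp mask=255.255.255.0
# Add the same line to the hosts file on the host machine, which cannot use the VPC's DNS.
Add-Content -Path "$env:windir\System32\drivers\etc\hosts" -Value "$VpcIp`t$Fqdn"

# --- 2. Unattended dcpromo: the wizard's answers as an answer file -------------
$Answers = @"
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=$DomainDns
DomainNetBiosName=CONTOSO
InstallDNS=yes
ForestLevel=3
DomainLevel=3
SafeModeAdminPassword=<choose a strong DSRM password>
RebootOnCompletion=yes
"@
$AnswerFile = "$env:TEMP\dcpromo.txt"
Set-Content -Path $AnswerFile -Value $Answers
dcpromo /unattend:$AnswerFile
# The answer file holds the DSRM password in clear text: delete it after the reboot.

# --- 3. IIS with the role services Geneva Server needs --------------------------
ServerManagerCmd.exe -install Web-Server                  # the Web Server role itself
foreach ($Svc in "Web-App-Dev", "Web-Security") {         # all of Application Development and Security
    ServerManagerCmd.exe -install $Svc -allSubFeatures
}
ServerManagerCmd.exe -install Web-Metabase                # IIS 6 Metabase Compatibility

# --- 4. Bind the self-signed certificate (created in IIS Manager) to https ------
$Cert = Get-ChildItem cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } | Select-Object -First 1
if ($Cert -eq $null) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }
$IisAppId = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"      # application id IIS uses for http.sys SSL bindings
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($Cert.Thumbprint) appid="$IisAppId"
& "$env:windir\System32\inetsrv\appcmd.exe" set site /site.name:"Default Web Site" `
    "/+bindings.[protocol='https',bindingInformation='*:443:']"

# Export the public certificate (no private key) for the host machine; import it
# there with "certutil -addstore Root <file>.cer" so the host stops warning about
# an untrusted issuer. The host-name check already passes because the URL uses $Fqdn.
$CerFile = "$env:TEMP\$Fqdn.cer"
[System.IO.File]::WriteAllBytes($CerFile, $Cert.Export("Cert"))
```

The binding is done in two parts on purpose: `netsh http add sslcert` registers the certificate with http.sys, and `appcmd` adds the https binding to the site; IIS Manager does both when you pick a certificate in the Bindings dialog. Only the .cer file (the public half) leaves the VPC; the signing key stays in the server's machine store.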
Now we will install the Geneva Framework and Geneva Server; both can be found here. After installing, start the Geneva Server Management snap-in and select the "Geneva Server Configuration" node. In the middle of the screen there are four sections, each with an "auto configure" button:
- Click the button in the Policy Store section and select the SQL Express instance we installed earlier. The policy database is created automatically.
- Click the button in Service Certificates and click "OK" in the next screen. A certificate used to sign the issued security tokens is created for you. Relying parties verify token signatures with its public key, so its private key should never leave this server.
- Click the button in Web Service Client Support and click "OK" in the next screen. A WS-MetadataExchange (WS-MEX) endpoint is created for WCF services to consume.
- Click the button in Web Browser Client Support and click "OK" in the next screen. This creates a passive federation web site that other web sites can use for authentication: the browser is redirected there, the user logs on, and the browser is posted back to the web site with a token.
Thanks to all the preparation we have done, these four steps should go smoothly. Now select "Start Geneva Server" in the Actions pane on the right. If everything went well your screen should look something like this:
Now your Geneva server is ready to use. I hope this has helped you set up your rig. In my next post I will explain how to use the server in your website.