May 20, 2009
Geneva Beta 2 released
Microsoft announced Geneva Beta 2 at Tech·Ed, held last week.
Geneva is Microsoft's next-generation identity development platform and consists of the following three components.
- Geneva Framework enables developers to build "claims aware" .NET applications that abstract user authentication away from the application
- Geneva Server is a security token service for IT that issues and manages claims and other tokens, manages user access, and enables easy federation
- Windows CardSpace Geneva helps users navigate access decisions
The highlights of this release are as follows.[1]
- Interoperability support: WS-Federation
Speaking of which, with beta 2 we’re announcing interoperability between “Geneva” and identity & access solutions from leading partners, via the SAML 2.0 and WS-Federation standards. Interoperable partner solutions include CA Federation Manager and CA SiteMinder, Novell Access Manager, SAP NetWeaver and Sun’s OpenSSO Enterprise and Fedlet software. We are issuing interoperability white papers with these partners and at TechEd this week SAP is presenting on their work with “Geneva.”
- Implementing cross-organization single sign on
Connecting people and applications with those of other business units, customers, and partners is typically costly, risky and a drag on collaboration. Through identity federation in “Geneva,” IT departments can facilitate collaboration without managing extra user accounts and passwords, or compromising security.
- Accessing hosted and cloud services
“Geneva” extends Active Directory authentication and single sign-on to cloud-based services, hosted by Microsoft or others, so IT can securely realize the flexibility and cost savings gains of hosted applications.
- Developing identity-aware applications
With the “Geneva” Framework, a developer can apply pre-built application authentication, attribute lookup and authorization for richer, more secure applications…without becoming a security expert.
- Simplifying access management
IT organizations have fewer resources to manage more and more applications that have many users, run on multiple platforms and require more complex forms of security. “Geneva” empowers IT to centrally manage access to applications of various types and apply security policy in a standard way across the enterprise.
The improvements in each component are as follows.[3]
“Geneva” Server
- New rules engine for authoring claims transformation policies
- Ability to read attributes from AD, AD LDS, and SQL out of the box, plus pluggable provider model to enable access to other attributes stores
- Group policy-based Information Card provisioning for CardSpace “Geneva” clients
- Support for SAML 2.0 SP-Lite
- Proxy to enable authentication for users on the Internet when Geneva Server is on the intranet
- Scale out via farm and load balancer topology
- Powershell commandlets
- Support for AD RMS
- Utility for federating with the Microsoft Federation Gateway
“Geneva” Framework (IDFX)
- Enhanced FedUtil Tool with local STS for easy offline development
- New Visual Studio templates for building claims-aware web applications, web services, and security token services
- Support for SharePoint 2007
- Revised token handlers
- Revised federation authentication module
- New Claims Authorization Manager API
- Updated config support
CardSpace
- Support for Group Policy-based Information Card provisioning.
- Updated management UI
- Updated card tile
- Group Policy-based way for administrator to make card selection decisions for specific sites
- Improved provisioning of X509-backed cards
- Compatible with most existing managed cards
The relationship between Geneva and SAML is interesting. At present it goes only as far as generating assertions that conform to SAML 2.0, and generating SAML tokens does not by itself mean SAML 2.0 is properly supported. It is, however, reportedly scheduled to go through formal Liberty Alliance interoperability testing at the end of 2009.[2] The SP-Lite profile means it takes on most of the SP (Service Provider) role. Not providing IdP (Identity Provider) functionality presumably means it will not adopt the SAML protocol in full, but it does at least provide the ability to receive and process assertions over the SAML protocol.
Q: Why did Microsoft change its position on supporting SAML?
A. We listened to our customers using AD FS and made the SAML protocol support a top priority for Geneva. In beta 1 we supported many pieces of the SAML 2.0 protocol. With beta 2 we added support for the SPLite of SAML 2.0. Almost all the work for SAML 2.0 is complete in Beta 2, with a few features remaining to be added in the RTM release.[2]
In addition, Microsoft will add certification for the Liberty Alliance implementation of SAML 2.0 when the final code of Geneva is released at the end of 2009.[4]
There is also a more fundamental question about the practicality of the claims-based approach. Authentication and authorization are relationship-based, and there is a view that a purely claims-based approach has its limits. In practice, despite Microsoft's active efforts, the cases where it is actually used can be counted on one hand, even though CardSpace ships with Vista by default.
Microsoft will no doubt do a great job in making its own software products claims-aware and that could drive enterprises to consider Geneva, but beyond Microsoft, the claims-aware application approach will be hard to overcome.
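The claims pipeline the post keeps returning to (the Server's rules engine for claims-transformation policies and the Framework's Claims Authorization Manager from the lists above, and the question of how far claims alone carry authorization) can be seen end to end in a small model. The Python below is an added example written for this post, not code from Microsoft or from the Geneva SDK, which is a .NET framework; the claim-type URIs are the standard ones, while the issuer names, rules, resources and the sample user are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Claim type URIs as used by claims-aware .NET frameworks (standard values).
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed issuer identifiers for this example (not real endpoints).
AD_ISSUER = "urn:example:active-directory"   # the trusted attribute store
STS_ISSUER = "urn:example:sts"               # the STS that re-issues claims
ROGUE_ISSUER = "urn:example:untrusted"       # a source the STS does not trust


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


@dataclass(frozen=True)
class Rule:
    """A claims-transformation rule: when `condition` holds for the accepted
    input claims, `issue` returns the claims the STS should emit."""
    name: str
    condition: Callable[[list[Claim]], bool]
    issue: Callable[[list[Claim]], list[Claim]]


def has(claims: list[Claim], claim_type: str, value: Optional[str] = None) -> bool:
    return any(c.type == claim_type and (value is None or c.value == value)
               for c in claims)


def passthrough(claim_type: str) -> Rule:
    """Copy every input claim of `claim_type` to the output, re-issued by the STS."""
    return Rule(
        name=f"passthrough {claim_type}",
        condition=lambda cs: has(cs, claim_type),
        issue=lambda cs: [Claim(claim_type, c.value, STS_ISSUER)
                          for c in cs if c.type == claim_type],
    )


def group_to_role(group: str, role: str) -> Rule:
    """Map membership of a directory group to an application role claim."""
    return Rule(
        name=f"{group} -> {role}",
        condition=lambda cs: has(cs, GROUP, group),
        issue=lambda cs: [Claim(ROLE, role, STS_ISSUER)],
    )


def transform(incoming: list[Claim], rules: list[Rule],
              trusted_issuers: set[str]) -> list[Claim]:
    """Run the rule set over the incoming claims. Claims from issuers the STS
    does not trust are discarded before any rule sees them, and nothing is
    emitted unless a rule explicitly issues it (default deny)."""
    accepted = [c for c in incoming if c.issuer in trusted_issuers]
    issued: list[Claim] = []
    for rule in rules:
        if rule.condition(accepted):
            for claim in rule.issue(accepted):
                if claim not in issued:
                    issued.append(claim)
    return issued


class ClaimsAuthorizationManager:
    """Application-side access check over (resource, action) pairs, keyed on
    role claims, modelled loosely on the Framework's authorization manager."""

    def __init__(self, policy: dict[tuple[str, str], set[str]]) -> None:
        self.policy = policy  # (resource, action) -> roles allowed

    def check_access(self, principal: list[Claim], resource: str, action: str) -> bool:
        allowed_roles = self.policy.get((resource, action))
        if not allowed_roles:          # unknown resource/action: deny
            return False
        # Only role claims issued by our own STS count.
        roles = {c.value for c in principal if c.type == ROLE and c.issuer == STS_ISSUER}
        return bool(roles & allowed_roles)


# Constructed sample: what an STS might read for one user from its attribute
# store, plus one group claim injected by an untrusted source.
INCOMING = [
    Claim(NAME, "alice", AD_ISSUER),
    Claim(EMAIL, "alice@example.test", AD_ISSUER),
    Claim(GROUP, "Domain Users", AD_ISSUER),
    Claim(GROUP, "Finance", AD_ISSUER),
    Claim(GROUP, "Domain Admins", ROGUE_ISSUER),
]

RULES = [
    passthrough(NAME),
    passthrough(EMAIL),
    group_to_role("Domain Users", "Employee"),
    group_to_role("Finance", "Expense.Approver"),
    group_to_role("Domain Admins", "Administrator"),
]

POLICY = {
    ("/expenses", "approve"): {"Expense.Approver"},
    ("/expenses", "submit"): {"Employee"},
    ("/admin", "configure"): {"Administrator"},
}


def issue_token(incoming: list[Claim] = INCOMING, rules: list[Rule] = RULES) -> list[Claim]:
    return transform(incoming, rules, trusted_issuers={AD_ISSUER})


def decide(resource: str, action: str) -> bool:
    return ClaimsAuthorizationManager(POLICY).check_access(issue_token(), resource, action)


if __name__ == "__main__":
    for c in issue_token():
        print(c.type.rsplit("/", 1)[-1], "=", c.value)
    for res, act in POLICY:
        print(res, act, "->", "allow" if decide(res, act) else "deny")
```

The part worth noticing is the trust boundary. The STS drops claims from issuers it does not trust before any rule runs, group claims are never passed through to the application, and the application honours only role claims issued by its own STS, so the "Domain Admins" group supplied by the untrusted source never becomes an Administrator role. Everything the application decides on is a claim the STS chose to issue, which is both the convenience and, as the post notes, the limitation of the approach: a relationship the rules do not express cannot be enforced.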
There are many videos related to the Geneva Framework. I haven't watched any of them yet.
- Chuck Reeves explores the Geneva Framework structure in depth
- Sesha Mani reports on what's new with the Geneva Framework
- Jan Alexander describes the new claims transformation language
- Matt Steele discusses what's new in Geneva Server
http://blogs.msdn.com/vbertocci/archive/2009/05/11/geneva-beta-2-week-on-the-id-element-show.aspx
The Geneva Framework can be downloaded from the addresses below.
http://blogs.msdn.com/vbertocci/archive/2009/05/11/announcing-the-identity-developer-training-kit.aspx
http://msdn.microsoft.com/evalcenter/dd440951.aspx
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0
References
[1] http://blogs.technet.com/forefront/archive/2009/05/11/microsoft-code-name-geneva-beta-2-now-available.aspx
[2] http://www.networkworld.com/community/node/41779
[3] http://blogs.msdn.com/card/archive/2009/05/12/what-s-new-in-geneva-beta-2.aspx
[4] http://www.cio.com/article/492497/Microsoft_s_Identity_Cloud_Platform_Enters_Beta_
# by | 2009/05/20 21:59 | CardSpace | Trackback