As Jason Hogg mentions in his blog post, the Geneva Identity Management Framework (renamed from Zermatt) was announced yesterday at PDC 2008.

Geneva includes:

  • Geneva Framework - A .NET framework for writing interoperable, claims-aware applications
  • Geneva STS - An STS integrated with AD. Supports issuance (finally) and consumption of CardSpace cards.
  • CardSpace Geneva - A federation client

In addition to these framework-like components, there are also a couple of services (built using Geneva) including:

  • Microsoft Federation Gateway - Provides the basis for the Microsoft Services Identity backbone - brokering access to Microsoft cloud applications and developer services
  • Microsoft Connector Services - Federates AD to the Microsoft Federation Gateway. Provides lightweight access to the federation gateway.
  • .NET Access Control Service - Next generation service (STS) that performs claims transformation. It receives authentication information and issues authz decisions. This includes a management portal and APIs for managing and writing authz policies.

You can get the bits here.

I have recently been working with a client to set up an STS and stumbled upon Zermatt and was very excited to see this direction. If you are looking to build/deploy a claims-aware application and need an STS over WCF, take a look at Geneva.

NOTE: Requirements are Vista and/or Windows 2003/2008 for the installation of the Geneva Framework and Windows 2008 for installation of the Geneva STS.

I got notice today, as others did, that I have once again been named a Microsoft MVP for 2008 in the area of Visual Developer - Security. Thanks again, Microsoft, and my MVP lead Rafael Munoz, and all those who have been very supportive of my community work this past year (with my speaking at several conferences, speaking at user groups, and leading a user group as well).

 Happy New Year everyone!
 

Posted by RHurlbut | 3 comment(s)

Like Dominick Baier and Christian Weyer of Thinktecture, I also wondered why I couldn't use a UsernameToken with Transport Security in WCF v.1. I wanted to put together a simple demo for a client and that feature just wasn't there. Dominick mentions in this post it will finally be available in WCF 3.5. Great!

Once again, for the 4th year in a row, I enjoyed the one conference I make sure to book well in advance. I haven't traveled to conferences as much this year, instead focused on client-related work. This was one conference, however, I was really looking forward to attending and presenting. I am originally from the mid-west (Oklahoma) and have lived in Massachusetts for 12 years now but I always feel more at home when I go to HDC than anywhere I have visited. The layout of the area, the local convenience stores, the people, and the atmosphere remind me a great deal of what I remembered most about growing up in the mid-west.

I gave two talks (which will be posted here later today); one on Service Oriented Design Patterns and my old standby SQL Server Service Broker. My service-oriented talk was packed (and was the first talk right after Ron Jacobs' keynote). I wasn't sure the best way to present the talk (as it was a first time topic for me), but my purpose was to separate out real service-orientation from sample web services and to stress you really need a good business reason to build out full SOA implementations. From the comments I heard the next morning, I seemed to have got the message across. The Service Broker talk was a little lighter in number of people, mainly because most people were attending Scott Guthrie's Orcas talk, but I was glad to see everyone in the room for my talk was new to SB and was willing to take a look. There are some nice new features in SQL Server 2008 that have been needed for a while to make SB more mainstream so I am looking forward to seeing what kind of applications are developed with the technology.

I also attended Ron Jacobs' talk on security. I was originally hoping to do a security talk but I saw Ron already had one slated. He did an excellent job getting everyone interested in taking a serious look at their own issues and not simply blame Microsoft or another vendor if security goes wrong. One very interesting note was Ron mentioned threat modeling but he didn't have time to speak on it at great length yet there were many questions on threat modeling (process, tools, etc.) from the audience. He asked how many have built a threat model before; I was one of two people in a packed room who held up their hand. I would have loved to have given my talk on threat modeling at this conference and will plan on submitting more security-focused topics next time. Speaking with some people at my table at breakfast the next morning, it seemed the primary interest was around threat modeling and security testing.

I would like to thank Joe and Phil for putting on another great show. Both of these guys were so busy those two days (and months before this in preparation). Like last year, a couple of the speakers and these guys went out to Drover's for great Omaha steaks. My flights into and out of Omaha were eventful -- I missed my plane when I was waiting in line to get carry-on bags checked but my luggage went ahead, and then I and everyone else coming from Omaha lost our luggage when we came into Boston on Saturday. Fortunately, I got mine last night, but I really felt for this couple on their honeymoon who were without their three suitcases for a couple of days. Hopefully they got their bags by last night as I did. 

I will be speaking at the Heartland Developers Conference 2007, which takes place October 17-19 in Omaha, NE. This will be my 4th year speaking at the conference (I was there at the beginning) and it has continued to get bigger and better each year. Both Joe and Phil have done an excellent job in putting this together.

My topics are:

  • Service-Oriented Design Patterns
  • Building Queuing Database Applications with Service Broker

For the Service Broker talk, I have updated my material to include the latest changes in SQL Server 2008. This should be a great conference -- I am finally going to be able to catch the pre-conference party on Wednesday as I am flying in earlier this time. If you are at the conference, stop by and say hello.

I will be speaking at the New England Code Camp 8: Rise of the Silverlight Surfer at the Microsoft offices in Waltham, MA on September 29-30. I will be speaking on the following security topics:

  • Penetration Testing of Web Applications
  • Secure Code Reviews: What are the ingredients? 

 There is already a great lineup of talks here. Also, Chris Bowen mentioned there will be a Saturday Evening Geek Event at 7:00 pm at the Weston Hotel in Waltham (a tradition that started way back in Code Camp II). This will be my 7th New England Code Camp to be a speaker and I am really looking forward to it. If you are in the area, go register and see you this weekend!

I will be speaking on the topic: "Web Services Security: Where are we now?" this coming Wednesday, September 12, 2007, at the Boston .NET Users Group meeting at Microsoft, Waltham, MA. There has been some interesting talk lately, including this year's BlackHat USA 2007 in July on the current state of web services security. I will be covering the common web services attacks developers should know about as well as current information on WS-* security, REST, and other mitigation measures. If you are in the area, stop on by, but first go register at the user group site to let them know you will be attending.

I was in a user group meeting recently with Patrick Hynds speaking about Identity and presenting demos on Windows CardSpace. Someone in the audience mentioned it would be great to see Microsoft start using this for some of their websites (I agree!). Well, here it is: LiveID + CardSpace.

Also, take a look at the latest samples for WCF, WF, and CardSpace for VS 2008 Beta 2. 

 

I have been mostly silent for the past year as I have been busy working with a client in Western Massachusetts on a very interesting ASP.NET 2.0 project (using C# 2.0). I had the pleasure of working with one of the best teams I have seen in my career -- all were bright, willing to learn, and up to the daunting task of converting skills from pre .NET right into .NET 2.0 and object-oriented programming. I taught a course to the company earlier last year and they asked me to come and help with the architecture and final development of a very time-critical ASP.NET application. I am very, very happy to say they met their goals with the project going live last week and right on target! In the end they have a very robust, highly maintainable, flexible, and extensible architecture that met their immediate needs and certainly future needs as well.

One of the most impressive things to me was how the team caught on to designing the system with Domain Driven Design (DDD) by thinking of the business domain and translating that into objects that made sense. Also, Test Driven Development (TDD) with NUnit and TestDriven.NET (also, the testing tools that are part of ReSharper) was shown and it was caught well by the team, using Dependency Injection and other principles of DDD to test the domain without the use of the database (of course, there was some testing of the database at unit level as well, but the core objects were tested without the need of a database). Instead of building a traditional data-centric application as was most familiar, they built more of an object/domain centric application that as I said is robust and highly maintainable, flexible, and extensible. Of course, I also helped with making sure the application was secure and I put together a nice web services/SOA solution using WCF I think will grow with the company. It certainly was a great opportunity, and I am very proud to have been part of the team's accomplishments.

Now, on to other things. I look to continue speaking, training, performing secure code audits and security testing, and working on similar projects as this one. I am currently available for contract and/or other opportunities. You can contact me through my web site or the contact page of this blog if I may be of assistance.
 

39

An old favorite of mine, Jack Benny, used to be 39 forever. Today, I turned that age. Time flies ... 

Posted by RHurlbut | 3 comment(s)