Geneva is the new WCF Security

Geneva has evolved into more than an extension to WCF/ASP.NET for STS/token related things – it also changes how base WCF security works, for the better IMO. Let me give you an example:

Trusted certificate issuers
When doing client certificate based authentication you always had three choices for validating those certs: PeerTrust, ChainTrust and Custom. I wrote about these options in detail (here). Typically you ended up writing some custom validation because neither Peer- nor ChainTrust is usually what you want (and there are also some differences when it comes to message vs transport based security – see here, here and here).

Once you opt in to the Geneva model, you will notice that client certificates start to break. This is because Geneva has a built-in way to restrict allowed CAs to a specified list, and by default this list is enforced – and empty. The background here is that Geneva has the concept of an “issuer registry” – basically a mechanism for mapping issuers (usually certificate issuers) to a name; that name is then placed in the Issuer property of the resulting claims. There are two built-in registry classes: the SimpleIssuerNameRegistry (which simply uses the CA’s subject name and imposes no restrictions) and the ConfigurationBasedIssuerNameRegistry (which enforces the list I mentioned above).

To specify a list of allowed issuers, you have to put something like this in config:

<microsoft.identityModel>
  <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, …">
    <trustedIssuers>
      <add name="LeastPrivilege CA" thumbprint="…" />
    </trustedIssuers>
  </issuerNameRegistry>
</microsoft.identityModel>

This has the effect that only certificates issued by a CA in the trustedIssuers list will be allowed “in”. If you don’t want that restriction – or already have other validation code further down the line – you can use the simple name registry instead. Another option is of course to write your own registry class.
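As an illustration of the third option, here is a custom registry class. This is example code added here, not part of Geneva or of this post’s original content: it assumes a hypothetical class name (ChainIssuerNameRegistry), an in-code allow-list with a placeholder thumbprint, and a chain-walking approach that maps the issuing CA of an X.509 client certificate to a friendly issuer name. It is registered by pointing the type attribute of the issuerNameRegistry element above at this class instead of the configuration-based one; how the built-in registry does its own lookup is not reproduced here.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Hypothetical custom issuer name registry (example code, not part of Geneva).
// Walks the certificate chain of an X.509 token and returns the configured
// name of the first chain element that is on the allow-list of trusted CAs.
public class ChainIssuerNameRegistry : IssuerNameRegistry
{
    // Constructed sample allow-list: CA thumbprint -> issuer name.
    // The thumbprint below is a placeholder; use the thumbprints of the CAs you trust.
    private static readonly Dictionary<string, string> TrustedCAs =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000000", "LeastPrivilege CA" }
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            throw new SecurityTokenException("This registry only handles X.509 tokens.");

        // Build the chain only to discover the issuing CA. Validity checks such as
        // expiry and revocation are assumed to be done by the token handler /
        // the transport, so a failed Build() does not by itself reject the token.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.Build(x509Token.Certificate);

        // Element 0 is the client certificate itself; start at 1 so that a
        // self-signed certificate can never match its own thumbprint.
        for (int i = 1; i < chain.ChainElements.Count; i++)
        {
            string thumbprint = chain.ChainElements[i].Certificate.Thumbprint;
            string issuerName;
            if (thumbprint != null && TrustedCAs.TryGetValue(thumbprint, out issuerName))
                return issuerName;
        }

        // No trusted CA in the chain: reject with a message that names the subject,
        // which is what shows up in the trace when a client certificate "breaks".
        throw new SecurityTokenValidationException(
            "Client certificate was not issued by a trusted CA: " + x509Token.Certificate.Subject);
    }
}
```

Note that X509Chain.Build only populates parent elements it can actually find, so the issuing CA certificate (though not necessarily a trusted root) must be available in the machine’s certificate stores for the lookup to succeed; that is the same precondition ChainTrust has always had.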

Another big simplification with Geneva concerns custom token/credential types (ever tried adding a new credential type to WCF? Even really simple things require you to write 10+ classes and a good understanding of how they relate to each other). With Geneva’s concept of SecurityTokenHandlers this gets much easier.

So in summary – Geneva replaces parts of the WCF security system, simplifies it and makes it easier to extend – even if you are not using a security token service. I like that.

This entry was posted in IdentityModel, WCF.
