Microsoft's Geneva Server: Hailstorm done right

Hard lessons for Google, Facebook and Microsoft


Microsoft delivers the missing piece

Geneva Server is this missing piece. It makes any Active Directory an STS for CardSpace. Geneva will also interoperate with other identity providers that support WS-Trust or SAML 2.0, the two key standards in this space. SAML 2.0 support is new.

"One more barrier is gone when it comes to you and me federating," said Cameron. The significance of federation is that applications can work with multiple identity providers. Geneva lets you create web applications that authenticate users against both your directory service, and those of partners, even if the web server is outside the corporate network.

Microsoft has announced its own Federation Gateway, which lets organizations sign into Live Services using their own Active Directory, using a cut-down version of Geneva called Microsoft Services Connector.

Geneva will not necessarily sweep all before it. One snag is that CardSpace clients are not common outside IE, though there is an Information Card Foundation promoting broader adoption. Another problem is that the Geneva Framework, a library that simplifies development, is only for .NET.

Why doesn't Microsoft just use OpenID? "We've been big supporters of OpenID," Cameron said. "It's just another federation protocol. It doesn't use cryptography, it just uses DNS. That means it's subject to all the attacks that DNS is subject to.

"That's OK in certain environments. OpenID because of its nature is phishable. That raises people's consciousness of what is possible. We can also give them solutions like CardSpace."

He added Microsoft is enabling all its Live ID accounts to act as OpenID accounts. What about accepting OpenID log-ins? "That's under investigation. We're doing it already with HealthVault but that's with OpenID providers who follow Kim's rules. They provide the option of strong authentication.

Geneva is set for full release in the second half of 2009. It has the potential to solve real problems in the enterprise and deserves more attention than Microsoft has given it at this PDC.

The question now: Will the company really give Geneva the resources, the marketing, and the public adoption on Microsoft's own properties that it needs to succeed? Or will it continue to languish like the original CardSpace? Sometimes Microsoft is its own worst enemy. ®


Other stories you might like

  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading

Biting the hand that feeds IT © 1998–2022