Friday, August 15, 2008

A .NET Identity for Developers
Microsoft introduces "Zermatt," a new set of class libraries for the .NET Framework that simplifies identity management.

http://reddevnews.com/news/devnews/print.aspx?editorialsid=1102


by John K. Waters
August 2008

Microsoft has added a new set of class libraries to the .NET Framework that promises to simplify the way developers address identity management.

The new tooling is intended to reduce the need for .NET developers to build custom identity plumbing into every new enterprise Web application and Web service. Microsoft says the classes, code-named "Zermatt," introduce a new development model that factors authentication and authorization out of connected apps.

Zermatt is the latest pillar in Microsoft's identity-management framework, which also includes Windows CardSpace. The latter, a key component of .NET Framework 3.5, lets individuals manage their identities on the Web and across the enterprise. Microsoft released Zermatt, named after the Swiss town near the Matterhorn, as a public beta last month.

Developers can use these class libraries to implement "claims-based identity" in ASP.NET applications and Windows Communication Foundation (WCF) environments. Zermatt can be used in any Web app or Web service built on .NET Framework 3.5, and because it builds on standard Web services protocols, Zermatt-based apps can also interoperate with claims-aware apps on other platforms, Java for example.

Claims-Based Applications
At the heart of Zermatt is the claims-based programming model, says Keith Brown, author of the official Microsoft white paper on Zermatt. Claims, in the context of Zermatt, are pieces of information about the user (a name, an e-mail address, a role) that the issuer of that information asserts are valid.

In a claims-aware application, the user presents an identity to the application as a set of claims issued by an external identity system. That external system is configured to send the application everything it needs to know about the user with each request, along with cryptographic assurance that the identity data comes from a trusted source, says Brown, a developer and consultant with Pluralsight LLC, a training provider specializing in Microsoft .NET technologies.

Claims-based solutions built with Zermatt free developers from having to connect to any particular enterprise directory to look up user details, Brown explains. Instead, user requests arrive carrying all the identity details the application needs to do its job.

"Most developers are not security experts," Brown says. "And generally speaking, they don't like being given the job of authenticating, authorizing and personalizing experiences for users."

Along with the claims model, the Zermatt framework includes a set of APIs for processing identity claims. It also gives developers a consistent programming experience, Microsoft says, whether they build their apps in ASP.NET or in WCF.

Brown gives Microsoft credit for its use of standard protocols in the framework: WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML).

"Zermatt tries to provide the claims-based programming model," Brown says. It defines how a claim is programmed by providing an interface that extends interfaces ASP.NET programmers already know, such as IIdentity and IPrincipal, Brown adds.
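The flow Brown describes above, an external issuer asserting claims with cryptographic assurance and an application that authenticates and authorizes from those claims without ever opening a directory, together with the IPrincipal-style role check built over them, as an added example that is not from the article and not Zermatt's own code. It is written in Python as a language-neutral model of the protocol: a JSON body signed with HMAC-SHA256 over a shared secret stands in for the SAML and WS-Trust token formats and their X.509 signatures, and the issuer names, claim type URIs, user store, key and timestamp are all constructed for the example.

```python
"""Claims-based identity, modelled end to end (added example, not Zermatt's own code).

An Issuer (the external identity system, an STS in WS-Trust terms) looks up
the user in its directory, turns what it knows into claims and signs them.
A RelyingParty (the claims-aware application) trusts a named issuer, checks
the signature, audience and expiry, and then authenticates and authorizes
from the claims alone, never touching a directory.

Assumed simplifications: a JSON body and HMAC-SHA256 over it stand in for
SAML/WS-Trust tokens and X.509 signatures; issuer names, claim type URIs,
the user store, key and timestamps below are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Claim type URIs in the style the SAML/WS-Federation stack uses (assumed here).
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


class TokenError(Exception):
    """Raised by the relying party when a token must not be trusted."""


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str   # kept so the app can tell which issuer asserted what


class Issuer:
    """The external identity system: the only component that reads the directory."""

    def __init__(self, name: str, key: bytes, directory: dict):
        self.name, self._key, self._directory = name, key, directory

    def issue(self, user: str, audience: str, now: int, ttl: int = 300) -> bytes:
        attrs = self._directory[user]
        body = {
            "iss": self.name,        # who is asserting these claims
            "aud": audience,         # which application they were issued for
            "exp": now + ttl,        # how long the assertion is good for
            "claims": [[NAME, user], [EMAIL, attrs["email"]]]
                      + [[ROLE, r] for r in attrs["roles"]],
        }
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + sig


@dataclass
class ClaimsPrincipal:
    """Analogue of an IPrincipal whose identity is a bag of verified claims."""
    claims: list

    def values(self, claim_type: str) -> list:
        return [c.value for c in self.claims if c.type == claim_type]

    @property
    def name(self) -> str:
        names = self.values(NAME)
        return names[0] if names else ""

    def is_in_role(self, role: str) -> bool:
        # IPrincipal.IsInRole, answered from role claims rather than a group lookup.
        return role in self.values(ROLE)


class RelyingParty:
    """The claims-aware application: knows trusted issuers' keys, has no directory."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self._trusted = trusted_issuers   # issuer name -> verification key

    def authenticate(self, token: bytes, now: int) -> ClaimsPrincipal:
        payload, _, sig = token.rpartition(b".")
        try:
            body = json.loads(payload)
        except ValueError:
            raise TokenError("malformed token") from None
        if not isinstance(body, dict):
            raise TokenError("malformed token")
        # Nothing in the body is trusted yet; 'iss' is read only to pick the key.
        key = self._trusted.get(body.get("iss"))
        if key is None:
            raise TokenError("untrusted issuer")
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, sig):
            raise TokenError("bad signature")
        if body.get("aud") != self.audience:
            raise TokenError("token not issued for this application")
        if body.get("exp", 0) <= now:
            raise TokenError("token expired")
        return ClaimsPrincipal([Claim(t, v, body["iss"]) for t, v in body.get("claims", [])])


def _outcome(app: RelyingParty, token: bytes, now: int) -> str:
    try:
        return "accepted as " + app.authenticate(token, now).name
    except TokenError as err:
        return str(err)


def demo() -> dict:
    """Runs the happy path and four rejections against a constructed user store."""
    now = 1218758400                                     # constructed timestamp
    sts_key = b"secret shared by the STS and the app"    # constructed; not a real key
    users = {"alice": {"email": "alice@example.com", "roles": ["Manager", "Employee"]}}
    sts = Issuer("urn:example:sts", sts_key, users)
    app = RelyingParty("urn:example:expenses", {"urn:example:sts": sts_key})

    token = sts.issue("alice", "urn:example:expenses", now)
    who = app.authenticate(token, now)   # no directory behind this call
    rogue = Issuer("urn:example:rogue", b"rogue key", users)
    return {
        "name": who.name,
        "manager": who.is_in_role("Manager"),
        "admin": who.is_in_role("Admin"),
        # Editing a claim in transit breaks the issuer's signature.
        "forged": _outcome(app, token.replace(b"Manager", b"Admin"), now),
        # An issuer not on the trust list is refused before its signature is even checked.
        "untrusted": _outcome(app, rogue.issue("alice", "urn:example:expenses", now), now),
        # A genuine token meant for a different application.
        "audience": _outcome(app, sts.issue("alice", "urn:example:payroll", now), now),
        # The same token replayed after its lifetime.
        "expired": _outcome(app, token, now + 3600),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:>9}: {result}")
```

The order of checks in `authenticate` is the part worth copying: the issuer name is used only to select a key, the signature is verified before any other field is believed, and audience and expiry are enforced so a token stolen from one application or replayed later is refused. The application holds nothing but the issuer's verification key and the claims it was handed, which is the point Brown makes about not wiring every app to a directory.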
