Blogger: Pluralsight Blogs
Category: WSCF/WCF
Blogged date: 2008 Jul 09
For a couple of years now, I've been giving talks about "claims-based identity", and "claims-aware applications". The most concrete example of a claims-based identity architecture that I've been able to show so far is Active Directory Federation Services v1 (ADFS) and Windows CardSpace. And the claims programming model I've been using is the one that shipped with WCF in the System.IdentityModel assembly.
But today I'm happy to announce that there's a new path forward in the claims world. Zermatt is the "identity framework" I've been itching to talk about, but until today it hadn't been announced publicly.
Well, Vittorio made the announcement just a moment ago, and now you can get your hands on the new framework. With it, you can build web applications and services that rely on claims to discover identity details about users, and you can easily build a security token service (STS) that supplies those claims. Zermatt makes this possible by supplying all of the plumbing that implements WS-Trust (for web services) and WS-Federation (for browser-based web applications). All you have to do is figure out what claims you want to issue, based on what you know about the user and what you know about the application (aka the relying party).
I was fortunate to be asked by the team to write the white paper introducing Zermatt to developers. You can download it here. The paper introduces the ideas behind claims-based identity, and talks about how you can use Zermatt to centralize authentication (and to some degree, authorization) in an STS, thus making it easy to achieve single sign on in your applications, and even be ready to federate with other organizations or platforms should that need arise.
Here are some highlights of what you'll find in Zermatt:
Zermatt includes a new claims programming model built around IClaimsPrincipal and IClaimsIdentity, two new interfaces that extend the IPrincipal and IIdentity you already know and love from the .NET Framework. IClaimsIdentity adds a collection of claims. In some ways the model is simpler than WCF's: the Claim class always exposes a claim's value as a string, and calls it "Value" rather than "Resource" as WCF did. In other ways it is more sophisticated: multi-hop delegation is supported, so one identity can "Act As" another, and the relying party sees the entire chain of delegation as a linked list of IClaimsIdentity objects.
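To make the delegation chain concrete, here is an added example of a relying party inspecting a claims principal; it is not code from the original post or from the Zermatt samples. It is written against the Microsoft.IdentityModel.Claims types as they shipped in Windows Identity Foundation 1.0 (the released form of Zermatt): the ClaimsIdentity and ClaimsPrincipal classes, the Actor property, and the ClaimTypes and ClaimValueTypes constants are assumed to have the same names in the beta. The user, delegate and issuer values are constructed for illustration; in a real application the principal is built for you by Zermatt from the incoming token.

```csharp
// Added example, not from the original post or the Zermatt samples.
// Assumes the WIF 1.0 shape of the Microsoft.IdentityModel.Claims API.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

static class DelegationDemo
{
    // Constructed sample values; a real relying party gets these from the STS token.
    const string TrustedSts = "http://sts.contoso.example";
    static readonly HashSet<string> TrustedDelegates = new HashSet<string>
    {
        "webapp.contoso.example"
    };

    // Builds what a back-end service sees after a two-hop "Act As" delegation:
    // the end user "alice" is the subject, and the front-end web app that called
    // on her behalf hangs off the subject's Actor property. A third hop would be
    // another IClaimsIdentity attached to webApp.Actor, and so on down the list.
    static IClaimsPrincipal BuildDelegatedPrincipal()
    {
        var user = new ClaimsIdentity(new List<Claim>
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, TrustedSts),
            new Claim(ClaimTypes.Role, "Purchaser", ClaimValueTypes.String, TrustedSts),
        });

        var webApp = new ClaimsIdentity(new List<Claim>
        {
            new Claim(ClaimTypes.Name, "webapp.contoso.example", ClaimValueTypes.String, TrustedSts),
        });

        user.Actor = webApp;   // the delegate acting as alice
        return new ClaimsPrincipal(user);
    }

    static string FirstValue(IClaimsIdentity identity, string claimType)
    {
        foreach (Claim c in identity.Claims)
            if (c.ClaimType == claimType) return c.Value;   // values are always strings
        return null;
    }

    // The check a relying party should make: authorize the subject, and also walk
    // the whole delegation chain so an untrusted or unknown intermediary cannot
    // ride in on a legitimate user's claims.
    static bool AuthorizePurchase(IClaimsPrincipal principal)
    {
        IClaimsIdentity subject = (IClaimsIdentity)principal.Identity;

        if (FirstValue(subject, ClaimTypes.Role) != "Purchaser")
            return false;

        for (IClaimsIdentity hop = subject.Actor; hop != null; hop = hop.Actor)
        {
            string delegateName = FirstValue(hop, ClaimTypes.Name);
            if (delegateName == null || !TrustedDelegates.Contains(delegateName))
                return false;

            foreach (Claim c in hop.Claims)
                if (c.Issuer != TrustedSts) return false;   // every hop must come from our STS
        }
        return true;
    }

    static void Main()
    {
        IClaimsPrincipal p = BuildDelegatedPrincipal();
        Console.WriteLine("Subject: " + FirstValue((IClaimsIdentity)p.Identity, ClaimTypes.Name));
        for (IClaimsIdentity hop = ((IClaimsIdentity)p.Identity).Actor; hop != null; hop = hop.Actor)
            Console.WriteLine("  acting through: " + FirstValue(hop, ClaimTypes.Name));
        Console.WriteLine("Purchase allowed: " + AuthorizePurchase(p));
    }
}
```

The point of walking Actor rather than stopping at the subject is that, in a delegation scenario, the identity at the head of the list is the user, not the caller that actually made the request; an authorization decision that looks only at the subject's claims trusts every intermediary implicitly.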
Zermatt includes an HttpModule that you can wire into your ASP.NET application that will implement WS-Federation for you. This module (called the FAM) is a lot like the "Web Agent" from ADFS, and it makes it quite easy to build a web application that relies on claims.
Zermatt includes plumbing that sits on top of WCF and simplifies building claims-based web services and clients.
Zermatt also includes a couple of ASP.NET controls for adding sign-in functionality to websites. The first is a passive sign-in control, which simply redirects the browser to an STS to get claims. The second is the highly anticipated InformationCard control, which pops up the user's identity selector and lets her choose which identity she wants to use.
Zermatt comes with a bunch of sample code to help you get started.
All you need to test-drive Zermatt is Visual Studio 2008 and your curiosity. Download the beta now, read the whitepaper, experiment with the samples, and see what claims-based identity is all about!
For more on Zermatt, you'll want to watch Vittorio's blog. I'll also be talking more about it in the future!