Monthly Archives: February 2010

Notes from Curt Devlin on Identity, Claims, and Azure Geneva from 4th Boston Azure Meeting Feb 2010

Curt Devlin keynotes 4th Boston Azure User Group meeting

Identity, Claims, Geneva, and Trust in the Cloud

This was Boston Azure meeting #4, Feb 25, 2010

(Curt’s slide deck will be made is now available (PPT 2003 format))

Some notes from Curt’s talk:

  • Azure devs need to care about claims-based-identity and federated identity
  • Geneva is Microsoft’s solution in this space
  • Perfect storm of paradigm shifts
  • Caution: Geneva is not a panacea for “Identity in the Cloud”

“The most important thing Microsoft has done in identity since they came out with ActiveDirectory” – and think about how much we rely on AD for enterprise-class apps – “it’s like air”

First two lines of every program (with nod to Kim Cameron):

  1. Who are you?
  2. What are you allowed to do?
  • The answer to the second generally depends on the answer to the first. “Identity” is an input.

Big architectural problem: the ‘net was built w/o any way of knowing who you are connecting to (http has no identity)

  • RBAC (role-based access control) is not as flexible or powerful as claims
  • Any statement that can be validated can be a claim

Microsoft’s Federated Identity Group very focused on standards. To be serious also about Azure, you need to pay deep attention to the key standards.

Azure is only cloud solution REALLY solving the SSO problem in the cloud – and into your data center. Identity must flow…

Geneva Technology stack:

  • Microsoft Federation Gateway (“ADS 2.0 in the sky”)
  • Windows Identity Foundation (some .NET namespaces)
  • Active Directory Federation Services 2.0
  • Windows CardSpace 2.0

Curt will focus for a while in his talk on Windows Identity Foundation…

Consider three parties – Security Token Service, Your App, End User

  1. Secure Token Service <=> Your App – Initial handshake uses WS-Federation (metadata, X-509 cert)
  2. End User <=> Your App – claims via WS-Policy (which Security Token Service(s) I trust)
  3. End User <=> Security Token Service – verify policy
  4. End User <=> Security Token Service – WS-Trust
  5. End User <=> Your App – lots of interactions – signed tokens, claims

ADF 2.0 – same programming model across web and desktop

RP = relying party – someone that consumes tokens

OpenID cannot help with Man-in-the-middle attacks

“Shred the token” is lingo meaning to decrypt a token.

Coded example showing implementation of Passive Federation.

  • Showed the 8 (!) prerequisites
  • Create full-trust app (Since runtime not fully baked in Azure yet – and certainly not yet in GAC)
  • Add a reference to Microsoft.IdentityModel (which is a stronger programming model than older System.IdentityModel)
  • using Microsoft.IdentityModel.Claims;
  • using System.Threading;
  • Then write like 5 lines of code…
  • Subclasses from IIdentity, IClaimsIdentity, IClaimsPrincipal (same ones used in other .NET apps)
  • WIF ASP.NET Processing Pipeline does a lot of behind-the-scenes work for us
  • IsInRole method is key
  • Then in the ASP.NET app, there is some 10 lines of key code for X-509 cert – which contains the URL (or domain, really) of the web site that the cert applies to – a problem with “localhost” and “” etc. due to mismatch – this goes in Global.asax – plus several other blocks of code…

Now for the STS (which you don’t need if you have ADFS 2.0)

  • There is a Token Service for ASP.NET visual studio template with Geneva install
  • Many coding steps here (see slides)
  • Use FedUtil (which comes with Geneva and VS 2008, VS 2010) to create a trust between your application and your STS
  • There is a lab to create your own STS

Claims-based systems externalized the work of AuthZ, AuthN to your STS – not stuck in your code.

Geneva supports delegation – embedding one token within another…

(21 people at the meeting)


Curt Devlin to Speak about Identity in the Cloud at Boston Azure Meeting

Boston Azure meeting to feature Microsoft’s Curt Devlin on Identity in the Cloud

Thursday February 25, 2010 at NERD in Cambridge, MA

The following is an update to the agenda for the upcoming Boston Azure User Group meeting this coming Thursday.

logo for

To RSVP for the meeting (helps you breeze through security and helps us have enough pizza on hand), for directions, and more details about the group, please check out

To get on the Boston Azure email list, please visit

[6:00-6:30 PM] Boston Azure Theater

The meeting activities begin at 6:00 PM with Boston Azure Theater, which is an informal viewing of some Azure-related video. This month will feature the first half of
Matthew Kerner‘s talk on Windows Azure Monitoring, Logging, and Management APIs from the November 2009 Microsoft PDC conference.

[6:30-7:00 PM] Upcoming Boston Azure Events and Firestarter

Around 6:30, Bill Wilder (that’s me) will first show off an interesting CodeProject contest, then will lead a discussion about the future of the Boston Azure user group and the upcoming All-Day-Saturday-May-8th event.

Curt Devlin will take the stage at 7:00 PM.

Before the meeting, if you want a little more context, you may wish to read Kim Cameron’s essay The Laws of Identity, which is an insightful analysis of challenges around Identity.

[7:00-8:15] Featured speaker: Curt Devlin of Microsoft

Photo of Curt Devlin, Architect at Microsoft


The Azure platform presents new challenges for identity management. As developers and architects, we will still have to answer the same two perennial questions: 1) Who are you? 2) And what are you allowed to do? But the traditional on-premise approaches to authentication, authorization and identity lifecycle control are not adequate to meet these new challenges. The Geneva suite of technologies for claims-based identity management can be help because cloud computing can be thought of as a “special case” of federation, with many similar requirements. Together these two paradigms appear to be converging to create the perfect storm of paradigm shifts. However, even WIF, ADFS 2.0 and CardSpace 2.0, will only take us part way to a complete solution in the near term. This session will provide a simple recipe for claims-based identity management in Azure using Geneva, discuss some of the most important reasons why this is necessary, and finally some of the shortcomings we will still have to contend with on the road ahead. The aim is to educate, motivate, and caution.

About Curt Devlin

Curt Devlin is currently an architect in Microsoft DPE (Developer & Platform Evangelism) focusing on distributed solutions across many industries and customer segments. Curt is a Microsoft veteran of many technology wars, with more than 20 years of experience developing solutions on the Windows and .NET. platforms. He is also a dyed-in-the-wool New Englander with avid interests in sailing, skiing and nearly everything else.

Curt blogs as the philosophical architect, plus you can check out his MSDN articles Enterprise Authorization Strategy and SaaS Capacity Planning: Transaction Cost Analysis Revisited.

Curt’s blog post announcing his participation in this meeting:

Steve Krug on Rocket Surgery Made Easy from Dec 2010 BostonCHI Meeting

Rocket Surgery Made Easy

Steve Krug speaks at BostonCHI

Notes from 08-Dec-2009 meeting

  • Steve’s new book – Rocket Surgery Made Easy – due in bookstores in a couple of weeks – material from this talk will be in his book…
  • Passed a copy of his book around through the audience for quick peek
  • 150 or so people in attendance

Writing process

  1. writing process: collect years of notes
  2. need deadlines to force you to write (and finish)
  3. collect relevant articles for each chapter and post them all on a wall
  4. once you’ve begun to panic, start throwing things overboard
  5. Outline, write, iterate
  6. get help
  7. throw things overboard (save for next book?)
  8. FAQ at the end of every chapter – good idea
  9. Doing usability (vs How to Think About Usability)

Doing Usability

  1. A morning a month – that’s all we ask
  2. Run tests – with whole team – at our site – scheduled monthly and well ahead of time – and debrief immediately after over lunch
    1. maybe do right before iteration planning
    2. company-sponsored lunch
  3. Start earlier than you think makes sense
  4. The sooner you get information, the better use you can make of that information
  5. Don’t wait until the site is “finished” – test it as soon as it is testable
  6. Don’t worry that “you already know about the problems”
  7. If you have nothing built, test other people’s sites
  8. Are you working on the site? –> Yes ==> test now!
  9. Recruit loosely and grade on a curve
  10. Beware implied domain knowledge
  11. Some testing can be done w/o your target audience
  12. Usability testers say many things that are similar to what therapists say – “what did you expect to happen when you did that?”
  13. Keep yourself out of it! It is about the user and what the user being tested is thinking.
  14. Make it a spectator sport
  15. Get everyone to come and watch the test – frequently the observers suddenly just “get it” that they are not their users
  16. Have high quality snacks. Keep the sessions short and compact. Do them on site. Make it easy for everyone to join in, hard to have a good reason to skip it.
  17. Record sessions with Camtasia ($300). Get a good USB desktop microphone ($25). Don’t record user’s face (“useless and distracting”). Use a screen sharing service (like GotoMeeting, $40/month?) to control the UI. High quality audio is important, and should be channeled to the observation room via GotoMeeting or Skype.
  18. Focus ruthlessly on a small number of the most important problems
  19. Serious because everyone will come across them, or serious because for those who do encounter them will be seriously impeded.
  20. Don’t feel you need to come up with the “perfect” fix
  21. Ask everyone in the observation room to write down the three most important issues they observed. These are raised at the debriefing session over lunch.
  22. When fixing problems, always do the least you can do ™
  23. Prioritize the list, then work your way down the list until you run out of time/resources
  24. Sometimes a tweak is better than a redesign – don’t get suckered into a redesign – the perfect is the enemy of the good!
  25. Focus on the smallest change we think we can make to address the problem we observed
  26. Q&A
  27. Remote Testing?
  28. Remote testing is handy – saves travel time, recruiting pool grows, … do over skype or GotoMeeting.
  29. How to get it off the ground? Try a group usability test of competitor’s site – everyone can get behind that. Do one and hope people get enthused about it. Make the cost of swinging by to watch the testing really small.
  30. Be very cautious about asking users how to fix the problems they’ve encountered. “Users are not designers.” “Hopefully you know a lot more than they do about design.” Listen to them, but be careful that they’re ideas are not well thought out. The purpose of testing is to “inform your design intelligence”.