Zermatt is a destination in Switzerland, shown above, that benefits from what Nietzsche calls “the air at high altitudes, with which everything in animal being grows more spiritual and acquires wings”.
It's therefore a good code name for the new identity application development framework Microsoft has just released in Beta form. We used to call it IDFX internally – who knows what it will be called when it is released in final form?
Zermatt is what you use to develop interoperable identity-aware applications that run on the Windows platform. We are building the future versions of Active Directory Federation Services (ADFS) with it, and claims-aware Microsoft applications will all use it as a foundation. All capabilities of the platform are open to third party developers and enterprise customers working in Windows environments. Every aspect of the framework works over the wire with other products on other platforms.
I can't stress enough how important it is to make it easy for application developers to incororate the kind of sensible and sophisticated capabilities that this framework makes available. And everyone should understand that our intent is for this platform to interoperate fully with products and frameworks produced by other vendors and open source projects, and to help the capabilities we are developing to become universal.
I also want to make it clear that this is a beta. The goal is to involve our developer community in driving this towards final release. The beta also makes it easy for other vendors and projects to explore every nook and cranny of our implementation and advise us of problems or work to achieve interoperability.
I've been doing my own little project using the beta Zermatt framework and will write about the experience and share my code. As an architect, I can tell you already how happy I am about the extent to which this framework realizes the metasystem architecture we've worked so hard to define.
The product comes with a good White Paper for Developers by Keith Brown of Pluralsight. Here's how Zermatt's main ReadMe sets out the goals of the framework.
Building claims-aware applications
Zermatt makes it easier to build identity aware applications. In addition to providing a new claims model, it provides applications with a rich set of API’s to reason about the identity of a caller using claims.
Zermatt also provides developers with a consistent programming experience whether they choose to build their applications in ASP.NET or in WCF environments.
ASP.NET controls simplify development of ASP.NET pages for building claims-aware Web applications, as well as Passive STS’s.
Building Security Token Services (STS)
Zermatt makes it substantially easier for building a custom security token service (STS) that supports the WS-Trust protocol. These STS’s are also referred to as an Active STS.
In addition, the framework also provides support for building STS’s that support WS-Federation to enable web browser clients. These STS’s are also referred to as a Passive STS.
Creating Information Cards
Zermatt includes classes that you can use to create Information Cards – as well as STS's that support them.
There are a whole bunch of samples, and for identity geeks they are incredibly interesting. I'll discuss what they do in another post.
Follow the installation instructions!
Meanwhile, go ahead and download. I'll share one word of advice. If you want things to run right out of the digital box, then for now slavishly follow the installation instructions. I'm the type of person who never really looks at the ReadMe's – and I was chastened by the experience of not doing what I was told. I went back and behaved, and the experience was flawless, so don't make the same mistake I did.
For example, there is a master installation script in the /samples/utilities directory called “SamplesPreReqSetup.bat”. This is a miraculous piece of work that sets up your machine certs automatically and takes care of a great number of security configuration details. I know it's miraculous because initially (having skipped the readme) I thought I had to do this configuration manually. Congratulations to everyone who got this to work.
You will also find a script in each sample directory that creates the necessary virtual directory for you. You need this because of the way you are expected to use the visual studio debugger.
Using the debugger
In order to show how the framework really works, the projects all involve at least a couple of aspx pages (for example, one page that acts as a relying party, and another that acts as an STS). So you need the ability to debug multiple pages at once.
To do this, you run the pages from a virtual directory as though they were “production” aspx pages. Then you attach your debugger to the w3wp.exe process (under debug, select “Attach to a process” and make sure you can see all the processes from all the sessions. “Wake up” the w3wp.exe process by opening a page. Then you'll see it in the list).
For now it's best to compile the applications in the directory where they get installed. It's possible that if you move the whole tree, they can be put somewhere else (I haven't tried this with my own hands). But if you move a single project, it definitely won't work unless you tweak the virtual directory configuration yourself (why bother?).
I found the samples very clear, and uncluttered with a lot of “sample decoration” that makes it hard to understand the main high level points. Some of the samples have a number of components working together – the delegation sample is totally amazing – and yet it is easy, once you run the sample, to understand how the pieces fit together. There could be more documentation and this will appear as the beta progresses.
The Zermatt team is really serious about collecting questions, feedback and suggestions – and responding to them. I hope that if you are a developer interested in identity you'll take a look and send your feedback – whether you are primarily a Windows developer or not. After all, our goal remains the Identity Big Bang, and getting identity deployed and cool applications written on all the different platforms.