|
|
Browse by Tags
All Tags » CardSpace » Infocard (RSS)
-
With few weeks of delay I finally forced in my schedule the conclusion of my little getting started series "... using Zermatt" (links to former episodes: setting up an STS for smartcard-backed managed cards & issuing smartcard-backed managed cards ). The first posts I wrote about Zermatt were all about producing identity info: today we'll take a look at consuming those info, something that will be done a lot more (there are only few mints, but an ocean of ways to spend the money they produce) and, fortunately, is also a dramatically simpler programming task. Before we go any further: Please. Read. Keith's. White paper . This series of posts is a quick & dirty guide, designed to get you started and to be easily found via search engines when you need a quick lookup: Keith's article is exhaustive & well polished, hence (together with the product documentation) should be your main reference. I am Vittorio Bertocci and I approve of this message (if you don't live in the US, nevermind :-)). Aaaaalllrighty, back to business. Thanks to the 2 former posts, we have an active STS and its associated managed card. Now we want to write a website which uses that STS for acquiring some info about our users in form of claims. Here the highest order bit is not the security paraphernalia we need to be familiar with when we work at the STS level: when designing an RP, the application biz requirements should be king. Taking that in mind, let's wear our web site dev hat and work backward Read More...
|
-
I was dividing my attention between the Scrubs special on TV & Digg on my PC, when an article titled " Experts: Passwords May Not Be a Good Online Defense " caught my eye: well, couldn't agree more!:-) It turns out that the article is from the NY Times, and it's short & sweet hence there's no need for me to summarize it here: Mr. Stross manages to capture the problem pretty effectively, also thanks to some nice quotes from Kim . P.S.: I know, I know. I still owe you an RP post for completing the Zermatt intro series started with the STS and card issuance . Keep the faith, it's coming! ;-) Read More...
|
-
It's since April that I don't write about the book (at the time we released the entire Chapter 2 on MSDN ). Last week I received notice that 2 new reviews were published: one is from the Denver Visual Studio User Group , the other is on Paul Van Brenk's blog . Both reviews are extremely nice, for which we are very grateful; I especially like the fact that in both cases the reviewers perceived our intention to deal with the problem from an holistic point of view, regardless of our affiliation with a technology or another. Thank you guys! (update: I've just stumbled in another review I didn't know about, on (in)secure magazine issue 17 . Niiiiice). In fact, in the last months various illustrious figures mentioned our book as well: David Chappell , Drummond Reed and Francis Shanahan wrote extremely nice reviews I never mentioned here until now, while I did mention the first entries from Kim and Mike . Add that to the podcast on Perspectives , the interview on channel9 with Carlo & Caleb, the podcast on SearchWinDevelopment , the bonus chapter on codeproject , the extremely nice reviews on the Amazon US page ... and again, mentions from Neil Hutson , Alexander Strauss , Feliciano Intini , Mario Fontana , ... I am sure I am forgetting something (for which I apologize). And now that I begun to hang out at Identity conferences, I can't tell you how pleasant it is to have complete strangers zeroing on you and telling you all sorts of nice things :-) I guess I am easily recognizable Read More...
|
-
We are back! I hope you had fun with the STS tutorial I posted yesterday night ; here we move a step further and examine how to equip our STS with managed card issuance logic & UI. As anticipated, this is going to be MUCH faster. If you recall, in the last post I asked you not to delete the Default.aspx page that the new web site template created for you: we are going to put our card issuance UI there. At thsi point the visual studio project should look as follows: The only new element I added is the information card image information-card.png, which will be used as the background of the information cards we'll issue. Of course nothing prevents you to get all fancy and allowing the user to upload an image for personalization purposes, but here we want to be quick & dirty (well, at least quick ;-)). The little image is below, for your viewing pleasure. Time to add some UI. Let's open Default.aspx inn the designer and let's drag some controls. <% @ Page Language ="C#" AutoEventWireup ="true" CodeFile ="Default.aspx.cs" Inherits ="_Default" %> <! DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> < html xmlns ="http://www.w3.org/1999/xhtml"> < head runat ="server"> < title > Untitled Page </ title > </ head > < body > < form id ="form1" runat ="server"> < div > Managed Card Generator < br /> < br /> Card name: < asp : TextBox ID ="txtCardname" Read More...
|
-
Just back from vacation. The tan barely started to fade, and here I am already playing with the new shiny toy :-). Did you experiment with Zermatt by now? As Kim mentions the samples (and the documentation) are an excellent way to start, and I am sure that blog posts & tutorials will soon start mushrooming here and there in the blogosphere: here I begin my humble contribution with my first technical post about Zermatt . I had *absolutely* no hesitations when deciding which scenario I should tackle first: an active STS which handles requests backed by smartcards . I received asks about from many segments (especially about eID management from governments and high authentication levels for finance) and pretty much from everywhere in the world (especially Europe and Asia): I am really delighted to finally have a chance to give you something about that scenario that you can compile in visual studio, as opposed to the usual whiteboard sketches :-) Before we dive into the code, let me disclaim the disclaimable: as usual, the code you see in this blog is just an example and is by no mean production ready code. My purpose here is to introduce you to new ideas, so I favor readability and clarity over completeness If you consider the definition of best practices as "A technique or methodology that, through experience and research, has proven to reliably lead to a desired result" , I think I can safely say that there are no established best practices yet. Sure, there are some fixed points Read More...
|
-
Ahh, I’ve been looking forward for this post for a looong time. We just made available for download the bits of the Beta of “Zermatt” Developer Identity Framework . “ Zermatt ” is the codename of a .NET framework that helps developers build claims-aware applications to address challenging application security requirements using a simplified application access model. Let me expand a bit on that. If you want to develop applications that take advantage of claims & identity Metasystem goodness in general, Zermatt makes your life easier by providing base classes, controls but especially capabilities & a programming model that take care of most of the plumbing for you. Regardless of the role (IP, RP, subject) or the style (Active, Passive, “ Passive-Aggressive ”), Zermatt shields you from the sheer handling of protocols & tokens and provides you with a great model for externalizing your access logic. For my loyal readers and in general to whoever worked with tokens and cardspace in general, who stormed me with mails since the TechEd EMEA demo and even earlier: this means that we can finally retire historical samples like the SimpleSTS and the TokenProcessor class . Zermatt is a fully supported developer framework that gives you those capabilities and MUCH more. How much more? Below there’s a partial list of the goodies you get: · An HttpModule (the Federated Access Module, or FAM) that takes care of handling the token processing pipeline: fully extensible & web.config-urable, Read More...
|
-
One year ago we had a brief wall-to-wall exchange with Keith about the need of having consumer (as non-developer) info about CardSpace. The Information Card Foundation is doing a great job at handling those info for the general concept of information card. Specifically for Windows CardSpace, I am happy to announce that we now have a consumer friendly home for Windows CardSpace ! I am especially fond of the two videos ( home & work ) from the UK crew; and big kudos to Eileen for the entire effort. Take it to a spin and let us know what you think! Note to self: How come that I'm blogging more when I am in vacation than when I am working? Long flights & jetlag, I guess... ;-) Read More...
|
-
On the Seattle-Paris flight. I've just posted the piece about validation-authentication-authorization , and i am a bit bothered by the fact that I was unable to delve into greater details for what concerns the authoriZation part. In particular, I'd like to address one of the misunderstandings which can derive from transporting verbatim the knowledge of Kerberos & "unattended" security in general to the world of user centered identity management. Some of you claimaniacs may find the stuff below pretty obvious: I do. But judging from some heated argument I had about this, it may turn out that it is not that obvious after all so it's worth to write it down. How often should your application ask for a token? It may seem a silly question, and you may be tempted to reply with the answer that my wife gets when she asks to her auntie how often she should turn the roast: "as often as needed". Not the most actionable answer, I'm sure you'll concur :-). As in good tradition, let's take few steps back and look at the bigger picture. When you sit at your workstation and log in your domain, if your local network uses kerberos you get your nice ticket granting ticket (TGT); from that moment on, every time you take a ride on your network carnival (access a share, a portal, a printer...) the network software takes care of using the TGT for getting a ticket for you, which is specialized for the resource you are accessing. Everything happens seamlessly, and the user is lulled in blissful ignorance Read More...
|
-
Flying back from S.Diego, after attending a great edition of Catalyst. I should probably write down my impressions before they fade, like it happened with the IIW, but there's in fact something (only mildly related) that bugged me for quite some time and I just want to flush it out of my system before going in vacation (somehow I feel that my old time Italian friends would not appreciate me blabbering about tokens, especially if I do it with my mouth full of focaccia al formaggio :-)). Ok, the story is somewhat similar to the " credentials are not identities " and returning user woes discussed in the Tao of authentication : it's a matter of agreeing on the semantic of terms that in the pre-token era had a simpler meaning, but that today need a richer/more rigorous definition. In summary: in practice , what RPs and STSes are supposed to do with incoming tokens? The answer lies in asking ourselves why we asked for a token in the first place. Perhaps the RP wants to see if the subject is allowed to sign in and start a session; an STS wants to know if the subject is worthy of being issued with the token he is requesting; and again, the RP may want to verify the the user has the necessary rights for performing a certain action (one may argue that this is a generalization of the signin case; I sort of agree, but later I'll make things more complicated). Even if we'd live in a world fueled only by shared secrets, there would be different cases to handle. If the RP is a simple password-protected Read More...
|
-
Ahh, terminology: joy and sorrow of our kind. There are some expressions that are very catchy and we use all the time, but that do not always serve well the purpose of communicating our thoughts. Take the usage of "passive" in the context of identity management; we tend to use it every time a web browser is in the picture, but that can be extremely confusing: if you just mean "I am talking about a web app" but you audience understands "he is going to use WS-Federation", you can be sure that things will get messy pretty quickly. In fact when I use CardSpace with a web app I am riding a passive client, but I obtain my token via proper WS-Trust traffic (thanks to our friendly identity selector) and I shove it directly in the first POST I send, without following the gracious redirect dance that WS-Federation would require. That's what I like to jokingly call passive-aggressive :-) For the ones among you that are not super familiar with this space, after the pic I restate the same but with extra context. Almost 5 years ago we published WS-Federation 1.0. To quote Don , THE authority on the topic: WS-Federation extends WS-Trust to provide a flexible federated identity architecture with clean separation between trust mechanisms, security token formats, and the protocol for obtaining tokens. This architecture enables a reusable token service model and protocol to address the identity requirements of both web applications and web services in a variety of trust relationships. Trivializing Read More...
|
-
Kim just posted a great piece about "an account this week describing an attack on the use of CardSpace within Internet Explorer". I won't add anything, because his post is just perfect as it is: I strongly suggest you go read it in its entirety . Here a quote: "Students at Ruhr Universitat Bochum in Germany have published an account this week describing an attack on the use of CardSpace within Internet Explorer. Their claim is to “confirm the practicability of the attack by presenting a proof of concept implementation“. I’ve spent a fair amount of time reproducing and analyzing the attack. The students were not actually able to compromise my safety except by asking me to go through elaborate measures to poison my own computer (I show how complicated this is in a video I will post next). For the attack to succeed, the user has to bring full administrative power to bear against her own system. It seems obvious that if people go to the trouble to manually circumvent all their defenses they become vulnerable to the attacks those defenses were intended to resist. In my view, the students did not compromise CardSpace." Read More...
|
-
Well, I really really enjoyed going to RSA. As I foresaw, more than the event itself I really appreciated the chance of meeting with very smart people: the Concordia and the OSIS events were truly exceptional in this sense. Axel captured some of that spirit here . Just to mention a few notable encounters: I spent some quality time with Pat Patterson , mainly discussing the book. I really really appreciated his honesty and his feedback, he truly read the book with attention and his remarks were always on point: we'll make sure to incorporate them in the next revision of the book, and in fact some of the points he rose are so important that I may blog about them for clarifying. I just loved the chance of seeing things through his eyes, discussing mainly with colleagues carries the risk of falling in groupthink and I feel this was very beneficial for me. Unfortunately we didn't have more occasions of sharing our views, but I hope there will be other chances soon. Thanks Pat! I finally met the famous Pamela Dingle :-) Pam is great, her passion on those matters unparalleled. She gave a great presentation on the IdM, despite it was in the earliest slot the day after the Ping party (great party BTW, thanks Andre'). We had various discussions during the RSA week. For what I can tell she has a clear predisposition to the interface & interactive aspect, while I concentrate more on the protocol angle: that makes us very good conversation buddies ;) Vijay from FuGen showed me a great Read More...
|
-
The Cardspace landing page on MSDN has now a reference (link at the very top) to a PDF copy of the chapter 2 of " Understanding Windows CardSpace ", which features the series layout for side comments & perspective boxes (mentioned here ). Thanks to everybody who helped making this happen. Enjoy! :-) Read More...
|
-
Few weeks ago Caleb and I had a nice phone interview with Jack Vaughan, during which we gave a short intro to CardSpace and mentioned the book ; the result is a 6 mins podcast (available here ). Thanks Jack & SearchWinDevelopment ! Read More...
|
-
Almost one year ago I briefly mentioned the Biztalk Service SDK, here and here . A new version has recently been made available: you would not believe the amount of new features that were added to it in this timeframe. The main reason of excitement for me is that this new release supports managed cards ! It's a bit late at night here in Redmond and the drowsiness makes me feel less than bright right now, so I better defer detailed explanations to tomorrow (or the weekend). Anyway, for the identirati tuned in, this basically means that the service bus offers a R-STS that will accept, among many other means of authentication, also third party's managed cards. The behavior of the R-STS can be influenced by using the Biztalk Services identity portal , or by management API; you can translate attribute claims into authorization claims (if an incoming claim has a certain value you can issue a token which tells to the ultimate destination that the caller is authorized to perform the call; you can copy the input claims directly in the issued token so that the info is preserved; and so on). "Artist" rendering below: Again, I'll be more verbose in a later post: in fact, I plan to walk you through a sample that will make you hit the ground running exactly with that feature. The managed card support is the feature that I find most appealing ( surprised ?), but in fact there are many other great additions such as X509 authentication, REST management APIs, support for multiple languages ... Read More...
|
|
|
|