|
|
Browse by Tags
All Tags » Identity » WCF (RSS)
-
Just back from vacation. The tan barely started to fade, and here I am already playing with the new shiny toy :-). Did you experiment with Zermatt by now? As Kim mentions the samples (and the documentation) are an excellent way to start, and I am sure that blog posts & tutorials will soon start mushrooming here and there in the blogosphere: here I begin my humble contribution with my first technical post about Zermatt . I had *absolutely* no hesitations when deciding which scenario I should tackle first: an active STS which handles requests backed by smartcards . I received asks about from many segments (especially about eID management from governments and high authentication levels for finance) and pretty much from everywhere in the world (especially Europe and Asia): I am really delighted to finally have a chance to give you something about that scenario that you can compile in visual studio, as opposed to the usual whiteboard sketches :-) Before we dive into the code, let me disclaim the disclaimable: as usual, the code you see in this blog is just an example and is by no mean production ready code. My purpose here is to introduce you to new ideas, so I favor readability and clarity over completeness If you consider the definition of best practices as "A technique or methodology that, through experience and research, has proven to reliably lead to a desired result" , I think I can safely say that there are no established best practices yet. Sure, there are some fixed points Read More...
|
-
Almost one year ago I briefly mentioned the Biztalk Service SDK, here and here . A new version has recently been made available: you would not believe the amount of new features that were added to it in this timeframe. The main reason of excitement for me is that this new release supports managed cards ! It's a bit late at night here in Redmond and the drowsiness makes me feel less than bright right now, so I better defer detailed explanations to tomorrow (or the weekend). Anyway, for the identirati tuned in, this basically means that the service bus offers a R-STS that will accept, among many other means of authentication, also third party's managed cards. The behavior of the R-STS can be influenced by using the Biztalk Services identity portal , or by management API; you can translate attribute claims into authorization claims (if an incoming claim has a certain value you can issue a token which tells to the ultimate destination that the caller is authorized to perform the call; you can copy the input claims directly in the issued token so that the info is preserved; and so on). "Artist" rendering below: Again, I'll be more verbose in a later post: in fact, I plan to walk you through a sample that will make you hit the ground running exactly with that feature. The managed card support is the feature that I find most appealing ( surprised ?), but in fact there are many other great additions such as X509 authentication, REST management APIs, support for multiple languages ... Read More...
|
-
Well, don't get fooled. I'm not going to make any big philosophical considerations about technology and privacy (though I may do that in the future), but I will talk about the little project I've put together after three gintonics & the MIX party at TAO . I am often on the road. When I am homesick I often open a terminal server session with one of my home machines and fire up the webcam; sometime I am in dramatically different timezones, so it's nice seeing that where I am it is dark but back in Redmond it's just dawning, and similar mellow stuff. Before leaving for Vegas I thought it would be nice to access the image directly, without having to fire up an entire remote desktop session for that. Hence I wrote some code for taking webcam snapshots (thanks Scott for putting together a nice WIA sample ), exposed it via WCF service, generated a certificate on my test CA, wrote a binding that uses cardspace... and I had it working. About 1 hour, during which I also managed to watch some futurama . Once I got to Vegas I was too busy with the MySpace session for playing with those things, but yesterday's atmosphere at TAO restored my playful/timewaster attitude: after the party I made the necessary adjustments for accessing the service from outside, calibrated the UniqueID from the selfissued I want to use for authenticating with the service... and it was done. One hour of distracted development, 30 mins of fiddling with the config file (after abundant party's beverages) and now Read More...
|
-
On the Paris-Seattle flight, coming back after 2 weeks spent stuffing myself with all sorts of food with the excuse "after all, you can't find this in USA" :) Before hurling myself back in the vortex of daily work, and celebrate the end of the year with something crazy, I want to take some time writing down some hallucinatory (=vision without execution) thoughts about omnidirectional identities . Be warned, this may be just pointless rambling at this point. Few weeks ago I chatted about this in front of a microphone with John Udell , digressing along a crazy tangent instead of answering his questions about the book (I eventually came back to Earth and answered properly :)). I don't know if he'll deem those fragments publication worthy, but just in case I'll make a brain dump here. It's not that there's much more to do in this small seat anyway (just finished the latest Eco . He didn't mention underbite at all, I'm happy). Looking back at the activities related to identity in the past year, I am glad to report that amazing progress has been done. Something that makes 2007 very different from 2006 is the kind of work that was made: in 2007 the accent was on execution. The vision behind the metasystem is still being explored, sure, like Kim's series on linkage or the discussions about display token and first law demonstrate; and I feel that conjugating the metasystem and claims in enterprise environment is an area that still need focus (especially in fighting old forma mentis that Read More...
|
-
[There's not much tech content in this post. You read it all at your risk :-) the next posts will get the technical discussion back on track from where we left it a couple months ago] From the all time record of 17 posts in June, this feed dropped to next to 0 activity in the last 2 months. in fact, I wasn't sleeping at all; but it sounded nice to repurpose Mr .Friedman's excellent opening of " the world is flat " :-) and speaking of World, below there's the trajectory I followed since June. No wonder I'm Freccia Alata . Los Angeles, New York In early July I went to visit some key customers there, evangelizing the new WCF/WF Orcas features few days before the Beta2. James and Ryan did the same with the new web development, Windows Server 2008 and framework features. It was fun! Can't say much about the customers we met: all very interesting, but I have to protect their IP. I loved Roku in L.A. (thanks Mike for bringing me there), but I was seriously turned off by Little Italy in NY (looked like a tourist trap & food wasn't exceptional). Seattle As soon as I got back in the happy Washington state, I entertained my colleagues from our offices worldwide at one internal conference; I spoke about CardSpace and what's new in the 2008 wave (Orcas) for WCF & WF. I was used to come to those conferences when I was working in Microsoft Consulting Services in Italy, and I know how important for readiness those events are. As a result I prepare those sessions very seriously, and this Read More...
|
-
It's that time of the year again: the end of June marks the end of the fiscal year, and for us it's time to reflect on what we've done in the past 12 months. Vast majority of the things I've done are internal-only or with high profile customers that can't be mentioned publicly until their PR departments give the green light, hence I won't discuss those here; however I think it's interesting to share with you a summary of some of the things that I worked on, just to give you a measure of how .NET3.0 (especially CardSpace in my case) is relevant. It should give you an hint of how much impact you can have working in my group, so you'll be able to put announcements like this in the right perspective! I also hope that this will boost your confidence that the content of our upcoming book is based on very solid real world experience, earned by working daily with our key accounts in the identity space: the PG intent is tempered by immersing it in requirements from customer actually shipping solutions based on this thing that we call CardSpace. Which, by the way, is the reason for which I'm still at the computer at this time... big stuff is going on in cardspaceland! Projects, Briefings, Deep Dives This year I've worked with or briefed more than 45 enterprise companies on CardSpace/WCF/WF, good part of it at the very top of the fortune100 and global100 (ah, btw: just subscribed to Fortune. I was buying it all the times anyway). Sometimes it was just a 2 hours personalized QA, some other Read More...
|
-
Yesterday night I was going through the unresolved parts of the inbox, a fairly boring task, when Dennis rescued me: he chimed in via Messenger reminding me that a new version of the BizTalk Services SDK is out. It wasn't hard to switch my attention to something far more exciting, and I promptly installed it. If you had the old version of the SDK on your machine, I suggest uninstalling it before installing the new one. For the ones that were bold enough to play with the new binding at low level: the changes in the machine.config show how the assembly hierarchy and the object model changed: <!-- <system.serviceModel> <bindings> <relayBinding> <binding name="metadataExchangeRelayBinding" /> </relayBinding> </bindings> <client> <endpoint address="" binding="relayBinding" bindingConfiguration="metadataExchangeRelayBinding" contract="IMetadataExchange" name="net.relay" /> <metadata> <policyImporters> <extension type="Microsoft.ServiceModel.Relay.Description.RelayBindingElementImporter, Microsoft.ServiceModel.Relay, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </policyImporters> <wsdlImporters> <extension type="Microsoft.ServiceModel.Relay.Description.RelayBindingImporter, Microsoft.ServiceModel.Relay, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension type="Microsoft.ServiceModel.Relay.Description.RelayBindingElementImporter, Microsoft.ServiceModel.Relay, Read More...
|
-
In short: this is the description of a sample that sends a CardSpace-obtained token to an AJAX service implemented with the new Orcas features. Few posts ago I published a tutorial about using CardSpace with Silver. While talking about it with Kushal Shah from the Workflow team, he suggested that it could be nice if we'd also demonstrate how to use CardSpace with the new RESTful capabilities of WCF: that sounded perfect for my "cardspace+<technology_of_choice>" series, hence I promply jumped on the task. The post below documents the results. Preamble Before diving into the code, let's take a moment for understanding what is this all about. The .NET framework 3.5, currently in beta , extends WCF with new capabilities explicitly designed to enable web development scenarios. There's really a lot to say on the subject, however for our context it is enough to say that you can now expose WCF services in ways that makes them extremely easy to consume from web pages. In practice, this mean that you can 1) invoke WCF services via HTTP verbs (POST and GET) and 2) handle messages in web-friendly formats, such as JSON. The macroscopic implication is that you don't need a proxy. Calling a WCF service becames a simple exercise in BLOCKED SCRIPT you gather the data from whatever UI element you need to, you create "by hand" a web request in AJAX style (with the object XMLHttpRequest or the activeXs Msxml2.XMLHTTP/Microsoft.XMLHTTP) and finally you use the results for updating selcted parts Read More...
|
-
In short: this is a step by step tutorial for creating from scratch a Workflow Service with the Beta 1 release of Visual Studio codename "Orcas". The tutorial shows how to secure the service with Windows CardSpace, how to create a client application on the fly and how to access claims from the code of a Workflow activity. Just days before the Earth-moving news at Mix , with the Beta 1 release of Visual Studio codename "Orcas" we made available another silvery technology: the Workflow Services, Silver for friends, are an exciting new technology which allows developers to blend WCF and WF for creating service-aware workflows. As in good tradition, one of the first things I thought about was how to secure those new breed of services via CardSpace: turns out that is incredibly easy, and I could explain it in a 1/2 post if I'd start from an existing workflow service project. However Silver technology is still cutting edge: so I thought it could have been useful to make a full walkthrough. EDIT: after some hours spent writing this post, I've seen that the WF overlord already covered the workflow creation part and in better details: I recommend you checking Matt's post out, especially if some of the passages below are obscure to you. The plan We'll partition the work in few steps: 1. Create the workflow project 2. Add and configure the Receive activity 3. Host the workflow in a WorkflowServiceHost 4. Configure the workflow endpoint for using CardSpace 5. Create a client project on the Read More...
|
-
Periodically I hear people having issues with debugging STS code from CardSpace based scenarios. When you invoke an STS by selecting a managed card, you do that from the private desktop; that means that you can;t access your interactive session until the call to the STS returns, but if the STS code is exactly what you want to inspect you appear to be stuck. There are a number of easy ways out from that apparent impasse: I recently shared those with a colleague, and her reaction convinced me that there's some value in sharing those on the blog. Trick 1 : Put a breakpoint in the STS code, launch your client app and get to the point in which you use the managed card. The dialog of the token request will be stuck, since you have a breakpoint that blocks your RST processing. Just cancel the request and exit the private desktop : you will find the execution stopped at your breakpoint and you can go through the STS code. Obviously if you successfully step through the entire code the token will never be returned, since you killed the client, but if your purpose is debugging the STS you should not care. Easy :-) Trick 2 : Alternatively, you can have the client in a VPC or in another physical machine. Trick 3 : (thanks to Xiao Xie for this one): if you are running on an OS which allows more than one concurrent interactive sessions, such as Windows 2003 or Longhorn Server, just create a remode desktop session on the machine itself. You can run the client from the remote desktop console, Read More...
|
-
In short: I discuss Sidebar Gadgets, and I show you how to invoke a CardSpace-protected WCF service from a simple Gadget. Full source code is provided, along with detailed commentary on the road I've followed for getting there. Added bonus: the code shows how to apply an arbitrary configuration file to WCF, an issue often encountered when hosting WCF code in processes you don't control. Sidebar Gadgets are mini applications which live in the Sidebar, a UI element on the Windows Vista desktop. They are extremely handy for keeping an eye on information you are often interested to; they are also very good at providing you a quick-reach UI for tasks you perform often. As you know I wear the server guy hat, so I'm not really the best person for explaining the advanteges of Gadget: I would suggest visiting Michael and Jaime blogs if you want more details on the subject. When I thought of how the gadget model could be useful for me, I realized that much of the information I'd like to keep an eye on happens to be confidential (like being notified if I received a wire transfer, or getting the access statistics from my website); the actions I want to take when I react to changes in those data are also requiring high security levels (like accessing a portion of my home banking for giving approval for a certain utility bill to be paid). So, would not be great if we could use CardSpace for authenticating the services accessed by a Gadget? I thought for few nights about the issue, devised a Read More...
|
-
If you are watching the Card-space, I'm sure you didn't miss it: the Otto Store smart client application, announced during TechEd Europe and VSLive, is now up and running. You can download and install it from there . This news is relevant to this blog in different ways. The Otto store is the first application available on the internet to use managed cards. It is the first application to secure web services call via CardSpace. And among the customers I have worked with in the last year, Otto is the first one to release a CardSpace based application. Hoooray! It was a pleasure to work with everybody on the project, I can't tell you the satisfaction of seeing all this beautifully coming together. I could fill the entire post just with juicy annedoctes, like the time when me and Jaime (the great guy who dealt with the WPF parts here in Corp) flew in Germany for the first ADS: we took an early cab from downtown Munich to the offices, and it was the very first ride of the very first work day of our extremely young driver. A 20 mins drive became a 45 mins tour in the foggy & frozen countryside around Munich, with the driver increasily panicking: the GPS was banned by his company policy, so I could not pull out my beloved Universal and give him a hand. He was very brave and professional! In the end we did it to the meeting, though with some delay: looking at he app today, anyway, looks like that delay didn't really matter that much. But you're not interested in annedoctes, are you: Read More...
|
-
Well, what a alliterative title :-) I've been asked in several occasions how to use managed cards, and specifically the simple STS sample , together with the surprisingly popular WPF smartclient sample . It is not especially difficult: few changes in the configuration and you're all set. The only nuisances arise from the fact that when you set up a full end to end CardSpace scenario sample on a single machine you are basically trying to sing, play the guitar and the drums at the same time: setting up SSL for RPs and IPs, tweaking the hosts file for mapping website names to IPs, setting up certificates and permissions, making sure that web proxies and ISA will not sabotage your "artificial" connectivity, setting up virtual directories for CRLs and logotypes... those are all things that need to be done. In this case we can make some serious semplification by not adding any virtual directory, since all moving parts live in a dedicated process (RPs and STS in their own console app, the client in the WPF app). That would mean no logotypes and no CRL, though. While for the sake of the example we can go around the former, the latter has the potential of upsetting WCF big time; we'll how to mitigate that. Just remember that logotypes and CRL would be something you don't want to give up in production, here we are simply trying to see CardSpace in action. In this post I am making the assumption that you set up the simple STS at the address , and that it is secured by a certificate with Read More...
|
-
Well, what a week :) Monday and Tuesdsay, @ S.Diego for the Gartner Healthcare Summit . Ben Flock (mighty PSA!), Chris Henchey (COO & Cofounder of Choicelinx ) and I presented a case study about cross entity authentication in Healthcare. The session was largely based on the learnings derived from a WCF early adoption project we had with Cigna/Choicelinx: incidentally, the case study of that project is out :) let me know if you like the picture! During the session, though, we demonstrated the next step: that is to say, CardSpace-enabling the scenario and seeing dev times becoming from small (with WCF) to risible. I am truly impressed with Chris: in my experience his openness to completely novel ideas is something that is not easy to find in his environment. I'm truly honored we copresented! Anyway, as soon as I was back I had an internal CardSpace show&tell with colleagues form another division. It was supposed to be 30 mins, but we ended up doing 1:30 :-) yes, I'm horribly verbose, but to my defense nobody stopped me! And we came out with very interesting questions, though. Then, the craziest times of all: I had to prepare for the EMEA tour I'm doing. Not that easy! Close mails, review docs, push out the WPF/WCF smartclient secured with cardspace with caching , install vista RTM.... vista is not a difficult install per se, actually it was a breeze: it's that my machines are practically protesic extensions of my brain, and if something malfunctions... it's a problem. So Read More...
|
-
Hello everybody. It's some time that I have this sample in the buffer: I am publishing now in a rush, since this sundaly I leave for 2 weeks in EU for some nice CardSpace briefings here and there. I won't be on mail very much, so I hope you will hold most questions for when I will be back in Redmond :-) I would really love to speak at lenght about this, but I really don't have much time (I have also to mention all the ones that helped, and the list is long!:)). For the time being I am including an exerpt of the sample documentation: later I'll go deeper on it. Enjoy :) Vittorio --------------------------------------------- Windows CardSpace, WCF and Token Caching Windows CardSpace provides a consistent experience across web and rich client scenarios. Windows Communication Foundation (WCF) supports CardSpace out of the box, supplying a powerful means of handling authentication in web service based applications: users enjoy an easy experience that shields them from the complexities of WS-Policy, while WCF receives a token for securing the messages. The WCF programming model stores credentials on a per-channel basis: hence, in normal conditions the user would be prompted to choose a card as many times as a channel is created and used. WCF extensibility model, however, offers an easy way of modifying this behavior. The sample presented here demonstrates how a simple WPF application can leverage CardSpace for securing the access to two different WCF web services, prompting the user Read More...
|
|
|
|