|
|
Browse by Tags
All Tags » Identity » Windows Communication Foundation (RSS)
-
I am sure you are all more than familiar with DreamSpark , the amazing (YES, amazing. Bravo Milo!) offer through which Microsoft gives access to developer & designer tools at no charge. That requires, naturally, to be able to prove that you are indeed a student. Eduserv is a not-for-profit UK-based organization that focuses on IT solutions for the education sector: their identity management solutions are used by over 4 millions of students from universities in UK & other countries. And here comes the interesting bit: Eduserv wrote an identity management component for DreamSpark integrated with their OpenAthens SP , and based on WCF & CardSpace :-) you can read about this on a recently published case study (word document here ). With all the identity talent that runs abundant in the Microsoft offices in UK (Paul MacKinnon & Planky, congrats!) it is not really a surprise to see that they are ahead of the curve, but it is most definitely a pleasure :-) congratulations to all the people involved! Read More...
|
-
Just back from vacation. The tan barely started to fade, and here I am already playing with the new shiny toy :-). Did you experiment with Zermatt by now? As Kim mentions the samples (and the documentation) are an excellent way to start, and I am sure that blog posts & tutorials will soon start mushrooming here and there in the blogosphere: here I begin my humble contribution with my first technical post about Zermatt . I had *absolutely* no hesitations when deciding which scenario I should tackle first: an active STS which handles requests backed by smartcards . I received asks about from many segments (especially about eID management from governments and high authentication levels for finance) and pretty much from everywhere in the world (especially Europe and Asia): I am really delighted to finally have a chance to give you something about that scenario that you can compile in visual studio, as opposed to the usual whiteboard sketches :-) Before we dive into the code, let me disclaim the disclaimable: as usual, the code you see in this blog is just an example and is by no mean production ready code. My purpose here is to introduce you to new ideas, so I favor readability and clarity over completeness If you consider the definition of best practices as "A technique or methodology that, through experience and research, has proven to reliably lead to a desired result" , I think I can safely say that there are no established best practices yet. Sure, there are some fixed points Read More...
|
-
Ahh, I’ve been looking forward for this post for a looong time. We just made available for download the bits of the Beta of “Zermatt” Developer Identity Framework . “ Zermatt ” is the codename of a .NET framework that helps developers build claims-aware applications to address challenging application security requirements using a simplified application access model. Let me expand a bit on that. If you want to develop applications that take advantage of claims & identity Metasystem goodness in general, Zermatt makes your life easier by providing base classes, controls but especially capabilities & a programming model that take care of most of the plumbing for you. Regardless of the role (IP, RP, subject) or the style (Active, Passive, “ Passive-Aggressive ”), Zermatt shields you from the sheer handling of protocols & tokens and provides you with a great model for externalizing your access logic. For my loyal readers and in general to whoever worked with tokens and cardspace in general, who stormed me with mails since the TechEd EMEA demo and even earlier: this means that we can finally retire historical samples like the SimpleSTS and the TokenProcessor class . Zermatt is a fully supported developer framework that gives you those capabilities and MUCH more. How much more? Below there’s a partial list of the goodies you get: · An HttpModule (the Federated Access Module, or FAM) that takes care of handling the token processing pipeline: fully extensible & web.config-urable, Read More...
|
-
Almost one year ago I briefly mentioned the Biztalk Service SDK, here and here . A new version has recently been made available: you would not believe the amount of new features that were added to it in this timeframe. The main reason of excitement for me is that this new release supports managed cards ! It's a bit late at night here in Redmond and the drowsiness makes me feel less than bright right now, so I better defer detailed explanations to tomorrow (or the weekend). Anyway, for the identirati tuned in, this basically means that the service bus offers a R-STS that will accept, among many other means of authentication, also third party's managed cards. The behavior of the R-STS can be influenced by using the Biztalk Services identity portal , or by management API; you can translate attribute claims into authorization claims (if an incoming claim has a certain value you can issue a token which tells to the ultimate destination that the caller is authorized to perform the call; you can copy the input claims directly in the issued token so that the info is preserved; and so on). "Artist" rendering below: Again, I'll be more verbose in a later post: in fact, I plan to walk you through a sample that will make you hit the ground running exactly with that feature. The managed card support is the feature that I find most appealing ( surprised ?), but in fact there are many other great additions such as X509 authentication, REST management APIs, support for multiple languages ... Read More...
|
-
Well, don't get fooled. I'm not going to make any big philosophical considerations about technology and privacy (though I may do that in the future), but I will talk about the little project I've put together after three gintonics & the MIX party at TAO . I am often on the road. When I am homesick I often open a terminal server session with one of my home machines and fire up the webcam; sometime I am in dramatically different timezones, so it's nice seeing that where I am it is dark but back in Redmond it's just dawning, and similar mellow stuff. Before leaving for Vegas I thought it would be nice to access the image directly, without having to fire up an entire remote desktop session for that. Hence I wrote some code for taking webcam snapshots (thanks Scott for putting together a nice WIA sample ), exposed it via WCF service, generated a certificate on my test CA, wrote a binding that uses cardspace... and I had it working. About 1 hour, during which I also managed to watch some futurama . Once I got to Vegas I was too busy with the MySpace session for playing with those things, but yesterday's atmosphere at TAO restored my playful/timewaster attitude: after the party I made the necessary adjustments for accessing the service from outside, calibrated the UniqueID from the selfissued I want to use for authenticating with the service... and it was done. One hour of distracted development, 30 mins of fiddling with the config file (after abundant party's beverages) and now Read More...
|
-
[There's not much tech content in this post. You read it all at your risk :-) the next posts will get the technical discussion back on track from where we left it a couple months ago] From the all time record of 17 posts in June, this feed dropped to next to 0 activity in the last 2 months. in fact, I wasn't sleeping at all; but it sounded nice to repurpose Mr .Friedman's excellent opening of " the world is flat " :-) and speaking of World, below there's the trajectory I followed since June. No wonder I'm Freccia Alata . Los Angeles, New York In early July I went to visit some key customers there, evangelizing the new WCF/WF Orcas features few days before the Beta2. James and Ryan did the same with the new web development, Windows Server 2008 and framework features. It was fun! Can't say much about the customers we met: all very interesting, but I have to protect their IP. I loved Roku in L.A. (thanks Mike for bringing me there), but I was seriously turned off by Little Italy in NY (looked like a tourist trap & food wasn't exceptional). Seattle As soon as I got back in the happy Washington state, I entertained my colleagues from our offices worldwide at one internal conference; I spoke about CardSpace and what's new in the 2008 wave (Orcas) for WCF & WF. I was used to come to those conferences when I was working in Microsoft Consulting Services in Italy, and I know how important for readiness those events are. As a result I prepare those sessions very seriously, and this Read More...
|
-
It's that time of the year again: the end of June marks the end of the fiscal year, and for us it's time to reflect on what we've done in the past 12 months. Vast majority of the things I've done are internal-only or with high profile customers that can't be mentioned publicly until their PR departments give the green light, hence I won't discuss those here; however I think it's interesting to share with you a summary of some of the things that I worked on, just to give you a measure of how .NET3.0 (especially CardSpace in my case) is relevant. It should give you an hint of how much impact you can have working in my group, so you'll be able to put announcements like this in the right perspective! I also hope that this will boost your confidence that the content of our upcoming book is based on very solid real world experience, earned by working daily with our key accounts in the identity space: the PG intent is tempered by immersing it in requirements from customer actually shipping solutions based on this thing that we call CardSpace. Which, by the way, is the reason for which I'm still at the computer at this time... big stuff is going on in cardspaceland! Projects, Briefings, Deep Dives This year I've worked with or briefed more than 45 enterprise companies on CardSpace/WCF/WF, good part of it at the very top of the fortune100 and global100 (ah, btw: just subscribed to Fortune. I was buying it all the times anyway). Sometimes it was just a 2 hours personalized QA, some other Read More...
|
-
Yesterday night I was going through the unresolved parts of the inbox, a fairly boring task, when Dennis rescued me: he chimed in via Messenger reminding me that a new version of the BizTalk Services SDK is out. It wasn't hard to switch my attention to something far more exciting, and I promptly installed it. If you had the old version of the SDK on your machine, I suggest uninstalling it before installing the new one. For the ones that were bold enough to play with the new binding at low level: the changes in the machine.config show how the assembly hierarchy and the object model changed: <!-- <system.serviceModel> <bindings> <relayBinding> <binding name="metadataExchangeRelayBinding" /> </relayBinding> </bindings> <client> <endpoint address="" binding="relayBinding" bindingConfiguration="metadataExchangeRelayBinding" contract="IMetadataExchange" name="net.relay" /> <metadata> <policyImporters> <extension type="Microsoft.ServiceModel.Relay.Description.RelayBindingElementImporter, Microsoft.ServiceModel.Relay, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </policyImporters> <wsdlImporters> <extension type="Microsoft.ServiceModel.Relay.Description.RelayBindingImporter, Microsoft.ServiceModel.Relay, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> <extension type="Microsoft.ServiceModel.Relay.Description.RelayBindingElementImporter, Microsoft.ServiceModel.Relay, Read More...
|
-
In short: this is the description of a sample that sends a CardSpace-obtained token to an AJAX service implemented with the new Orcas features. Few posts ago I published a tutorial about using CardSpace with Silver. While talking about it with Kushal Shah from the Workflow team, he suggested that it could be nice if we'd also demonstrate how to use CardSpace with the new RESTful capabilities of WCF: that sounded perfect for my "cardspace+<technology_of_choice>" series, hence I promply jumped on the task. The post below documents the results. Preamble Before diving into the code, let's take a moment for understanding what is this all about. The .NET framework 3.5, currently in beta , extends WCF with new capabilities explicitly designed to enable web development scenarios. There's really a lot to say on the subject, however for our context it is enough to say that you can now expose WCF services in ways that makes them extremely easy to consume from web pages. In practice, this mean that you can 1) invoke WCF services via HTTP verbs (POST and GET) and 2) handle messages in web-friendly formats, such as JSON. The macroscopic implication is that you don't need a proxy. Calling a WCF service becames a simple exercise in BLOCKED SCRIPT you gather the data from whatever UI element you need to, you create "by hand" a web request in AJAX style (with the object XMLHttpRequest or the activeXs Msxml2.XMLHTTP/Microsoft.XMLHTTP) and finally you use the results for updating selcted parts Read More...
|
-
In short: this is a step by step tutorial for creating from scratch a Workflow Service with the Beta 1 release of Visual Studio codename "Orcas". The tutorial shows how to secure the service with Windows CardSpace, how to create a client application on the fly and how to access claims from the code of a Workflow activity. Just days before the Earth-moving news at Mix , with the Beta 1 release of Visual Studio codename "Orcas" we made available another silvery technology: the Workflow Services, Silver for friends, are an exciting new technology which allows developers to blend WCF and WF for creating service-aware workflows. As in good tradition, one of the first things I thought about was how to secure those new breed of services via CardSpace: turns out that is incredibly easy, and I could explain it in a 1/2 post if I'd start from an existing workflow service project. However Silver technology is still cutting edge: so I thought it could have been useful to make a full walkthrough. EDIT: after some hours spent writing this post, I've seen that the WF overlord already covered the workflow creation part and in better details: I recommend you checking Matt's post out, especially if some of the passages below are obscure to you. The plan We'll partition the work in few steps: 1. Create the workflow project 2. Add and configure the Receive activity 3. Host the workflow in a WorkflowServiceHost 4. Configure the workflow endpoint for using CardSpace 5. Create a client project on the Read More...
|
-
Periodically I hear people having issues with debugging STS code from CardSpace based scenarios. When you invoke an STS by selecting a managed card, you do that from the private desktop; that means that you can;t access your interactive session until the call to the STS returns, but if the STS code is exactly what you want to inspect you appear to be stuck. There are a number of easy ways out from that apparent impasse: I recently shared those with a colleague, and her reaction convinced me that there's some value in sharing those on the blog. Trick 1 : Put a breakpoint in the STS code, launch your client app and get to the point in which you use the managed card. The dialog of the token request will be stuck, since you have a breakpoint that blocks your RST processing. Just cancel the request and exit the private desktop : you will find the execution stopped at your breakpoint and you can go through the STS code. Obviously if you successfully step through the entire code the token will never be returned, since you killed the client, but if your purpose is debugging the STS you should not care. Easy :-) Trick 2 : Alternatively, you can have the client in a VPC or in another physical machine. Trick 3 : (thanks to Xiao Xie for this one): if you are running on an OS which allows more than one concurrent interactive sessions, such as Windows 2003 or Longhorn Server, just create a remode desktop session on the machine itself. You can run the client from the remote desktop console, Read More...
|
-
In short: I discuss Sidebar Gadgets, and I show you how to invoke a CardSpace-protected WCF service from a simple Gadget. Full source code is provided, along with detailed commentary on the road I've followed for getting there. Added bonus: the code shows how to apply an arbitrary configuration file to WCF, an issue often encountered when hosting WCF code in processes you don't control. Sidebar Gadgets are mini applications which live in the Sidebar, a UI element on the Windows Vista desktop. They are extremely handy for keeping an eye on information you are often interested to; they are also very good at providing you a quick-reach UI for tasks you perform often. As you know I wear the server guy hat, so I'm not really the best person for explaining the advanteges of Gadget: I would suggest visiting Michael and Jaime blogs if you want more details on the subject. When I thought of how the gadget model could be useful for me, I realized that much of the information I'd like to keep an eye on happens to be confidential (like being notified if I received a wire transfer, or getting the access statistics from my website); the actions I want to take when I react to changes in those data are also requiring high security levels (like accessing a portion of my home banking for giving approval for a certain utility bill to be paid). So, would not be great if we could use CardSpace for authenticating the services accessed by a Gadget? I thought for few nights about the issue, devised a Read More...
|
-
If you are watching the Card-space, I'm sure you didn't miss it: the Otto Store smart client application, announced during TechEd Europe and VSLive, is now up and running. You can download and install it from there . This news is relevant to this blog in different ways. The Otto store is the first application available on the internet to use managed cards. It is the first application to secure web services call via CardSpace. And among the customers I have worked with in the last year, Otto is the first one to release a CardSpace based application. Hoooray! It was a pleasure to work with everybody on the project, I can't tell you the satisfaction of seeing all this beautifully coming together. I could fill the entire post just with juicy annedoctes, like the time when me and Jaime (the great guy who dealt with the WPF parts here in Corp) flew in Germany for the first ADS: we took an early cab from downtown Munich to the offices, and it was the very first ride of the very first work day of our extremely young driver. A 20 mins drive became a 45 mins tour in the foggy & frozen countryside around Munich, with the driver increasily panicking: the GPS was banned by his company policy, so I could not pull out my beloved Universal and give him a hand. He was very brave and professional! In the end we did it to the meeting, though with some delay: looking at he app today, anyway, looks like that delay didn't really matter that much. But you're not interested in annedoctes, are you: Read More...
|
-
Dennis and his team just went live with, no pun intended, the all new & improved live labs STS !! While the former incarnation was a pure resource STS, this is a full fledged Identity Provider STS. If you have a Live ID, you can go throught the easy steps of the registration and get your very own live labs managed card. You have a choice of 2 authentication factors: self issued cards and username/password. Youc an then register the certificate of your RP, and you're all set. You can start playing with it from the very start! I am truly happy of this, you can finally get a direct feeling of what an identity authority is and how to incorporate it in your experiments. Unfortunately I don't have much time now to give more detailed instructions, but I'll do that as soon as I have a second. In the meanwhile, please remember: this is a lab, don't expect commercial-grade assurances. Below a screenshot of my indentity selector after the newly imported live labs card Great job Dennis et al! I suspect that there's the hand of Hervey as well :-) Read More...
|
-
Well, what a alliterative title :-) I've been asked in several occasions how to use managed cards, and specifically the simple STS sample , together with the surprisingly popular WPF smartclient sample . It is not especially difficult: few changes in the configuration and you're all set. The only nuisances arise from the fact that when you set up a full end to end CardSpace scenario sample on a single machine you are basically trying to sing, play the guitar and the drums at the same time: setting up SSL for RPs and IPs, tweaking the hosts file for mapping website names to IPs, setting up certificates and permissions, making sure that web proxies and ISA will not sabotage your "artificial" connectivity, setting up virtual directories for CRLs and logotypes... those are all things that need to be done. In this case we can make some serious semplification by not adding any virtual directory, since all moving parts live in a dedicated process (RPs and STS in their own console app, the client in the WPF app). That would mean no logotypes and no CRL, though. While for the sake of the example we can go around the former, the latter has the potential of upsetting WCF big time; we'll how to mitigate that. Just remember that logotypes and CRL would be something you don't want to give up in production, here we are simply trying to see CardSpace in action. In this post I am making the assumption that you set up the simple STS at the address , and that it is secured by a certificate with Read More...
|
|
|
|