Welcome to Windows CardSpace
Windows CardSpace Team Bloggers

Browse by Tags: Infocard » Windows Communication Foundation

  • Windows CardSpace helps Eduserv to fuel DreamSpark authentication

    I am sure you are all more than familiar with DreamSpark, the amazing (YES, amazing. Bravo Milo!) offer through which Microsoft gives access to developer & designer tools at no charge. That naturally requires being able to prove that you are indeed a student. Eduserv is a not-for-profit UK-based organization that focuses on IT solutions for the education sector: their identity management solutions are used by over 4 million students from universities in the UK & other countries. And here comes the interesting bit: Eduserv wrote an identity management component for DreamSpark, integrated with their OpenAthens SP and based on WCF & CardSpace :-) you can read about this in a recently published case study (Word document here). With all the identity talent that runs abundant in the Microsoft offices in the UK (Paul MacKinnon & Planky, congrats!) it is not really a surprise to see that they are ahead of the curve, but it is most definitely a pleasure :-) congratulations to all the people involved!
  • Setting up a quick & dirty STS which supports smartcard backed managed cards... using Zermatt

    Just back from vacation. The tan has barely started to fade, and here I am already playing with the new shiny toy :-). Have you experimented with Zermatt yet? As Kim mentions, the samples (and the documentation) are an excellent way to start, and I am sure that blog posts & tutorials will soon start mushrooming here and there in the blogosphere: here I begin my humble contribution with my first technical post about Zermatt. I had *absolutely* no hesitation when deciding which scenario I should tackle first: an active STS which handles requests backed by smartcards. I received asks about it from many segments (especially about eID management from governments and high authentication levels for finance) and pretty much from everywhere in the world (especially Europe and Asia): I am really delighted to finally have a chance to give you something about that scenario that you can compile in Visual Studio, as opposed to the usual whiteboard sketches :-) Before we dive into the code, let me disclaim the disclaimable: as usual, the code you see in this blog is just an example and is by no means production ready code. My purpose here is to introduce you to new ideas, so I favor readability and clarity over completeness. If you consider the definition of best practices as "A technique or methodology that, through experience and research, has proven to reliably lead to a desired result", I think I can safely say that there are no established best practices yet. Sure, there are some fixed points...
  • Announcing the Beta release of “Zermatt” Developer Identity Framework

    Ahh, I’ve been looking forward to this post for a looong time. We just made available for download the bits of the Beta of “Zermatt” Developer Identity Framework. “Zermatt” is the codename of a .NET framework that helps developers build claims-aware applications to address challenging application security requirements using a simplified application access model. Let me expand a bit on that. If you want to develop applications that take advantage of claims & Identity Metasystem goodness in general, Zermatt makes your life easier by providing base classes and controls, but especially capabilities & a programming model that take care of most of the plumbing for you. Regardless of the role (IP, RP, subject) or the style (Active, Passive, “Passive-Aggressive”), Zermatt shields you from the sheer handling of protocols & tokens and provides you with a great model for externalizing your access logic. For my loyal readers, and in general for whoever has worked with tokens and CardSpace and stormed me with mails since the TechEd EMEA demo and even earlier: this means that we can finally retire historical samples like the SimpleSTS and the TokenProcessor class. Zermatt is a fully supported developer framework that gives you those capabilities and MUCH more. How much more? Below there’s a partial list of the goodies you get: · An HttpModule (the Federated Access Module, or FAM) that takes care of handling the token processing pipeline: fully extensible & web.config-urable, ...
  • New version of the Biztalk Services SDK available, now with support for managed cards

    Almost one year ago I briefly mentioned the Biztalk Services SDK, here and here. A new version has recently been made available: you would not believe the amount of new features that were added to it in this timeframe. The main reason for excitement for me is that this new release supports managed cards! It's a bit late at night here in Redmond and the drowsiness makes me feel less than bright right now, so I'd better defer detailed explanations to tomorrow (or the weekend). Anyway, for the identirati tuned in, this basically means that the service bus offers an R-STS that will accept, among many other means of authentication, also third parties' managed cards. The behavior of the R-STS can be influenced by using the Biztalk Services identity portal, or by management API; you can translate attribute claims into authorization claims (if an incoming claim has a certain value you can issue a token which tells the ultimate destination that the caller is authorized to perform the call; you can copy the input claims directly into the issued token so that the info is preserved; and so on). "Artist" rendering below. Again, I'll be more verbose in a later post: in fact, I plan to walk you through a sample that will make you hit the ground running exactly with that feature. The managed card support is the feature that I find most appealing (surprised?), but in fact there are many other great additions such as X509 authentication, REST management APIs, support for multiple languages...
  • CardSpace & surveillance

    Well, don't get fooled. I'm not going to make any big philosophical considerations about technology and privacy (though I may do that in the future), but I will talk about the little project I put together after three gin tonics & the MIX party at TAO. I am often on the road. When I am homesick I often open a terminal server session with one of my home machines and fire up the webcam; sometimes I am in dramatically different timezones, so it's nice seeing that where I am it is dark but back in Redmond it's just dawning, and similar mellow stuff. Before leaving for Vegas I thought it would be nice to access the image directly, without having to fire up an entire remote desktop session for that. Hence I wrote some code for taking webcam snapshots (thanks Scott for putting together a nice WIA sample), exposed it via a WCF service, generated a certificate on my test CA, wrote a binding that uses CardSpace... and I had it working. About 1 hour, during which I also managed to watch some Futurama. Once I got to Vegas I was too busy with the MySpace session to play with those things, but yesterday's atmosphere at TAO restored my playful/timewaster attitude: after the party I made the necessary adjustments for accessing the service from outside, calibrated the UniqueID from the self-issued card I want to use for authenticating with the service... and it was done. One hour of distracted development, 30 mins of fiddling with the config file (after abundant party beverages) and now...
  • A (fiscal) year in review

    It's that time of the year again: the end of June marks the end of the fiscal year, and for us it's time to reflect on what we've done in the past 12 months. The vast majority of the things I've done are internal-only or with high profile customers that can't be mentioned publicly until their PR departments give the green light, hence I won't discuss those here; however I think it's interesting to share with you a summary of some of the things that I worked on, just to give you a measure of how relevant .NET 3.0 (especially CardSpace, in my case) is. It should give you a hint of how much impact you can have working in my group, so you'll be able to put announcements like this in the right perspective! I also hope that this will boost your confidence that the content of our upcoming book is based on very solid real world experience, earned by working daily with our key accounts in the identity space: the PG intent is tempered by immersing it in requirements from customers actually shipping solutions based on this thing that we call CardSpace. Which, by the way, is the reason I'm still at the computer at this time... big stuff is going on in CardSpace-land!
    Projects, Briefings, Deep Dives
    This year I've worked with or briefed more than 45 enterprise companies on CardSpace/WCF/WF, a good part of them at the very top of the Fortune 100 and Global 100 (ah, btw: I just subscribed to Fortune. I was buying it all the time anyway). Sometimes it was just a 2 hour personalized Q&A, some other...
  • A RESTful CardSpace: sending tokens using the new WCF AJAX Services in Orcas

    In short: this is the description of a sample that sends a CardSpace-obtained token to an AJAX service implemented with the new Orcas features. A few posts ago I published a tutorial about using CardSpace with Silver. While talking about it with Kushal Shah from the Workflow team, he suggested that it would be nice if we also demonstrated how to use CardSpace with the new RESTful capabilities of WCF: that sounded perfect for my "cardspace+<technology_of_choice>" series, hence I promptly jumped on the task. The post below documents the results.
    Preamble
    Before diving into the code, let's take a moment to understand what this is all about. The .NET Framework 3.5, currently in beta, extends WCF with new capabilities explicitly designed to enable web development scenarios. There's really a lot to say on the subject, however for our context it is enough to say that you can now expose WCF services in ways that make them extremely easy to consume from web pages. In practice, this means that you can 1) invoke WCF services via HTTP verbs (POST and GET) and 2) handle messages in web-friendly formats, such as JSON. The macroscopic implication is that you don't need a proxy. Calling a WCF service becomes a simple exercise in JavaScript: you gather the data from whatever UI element you need to, you create "by hand" a web request in AJAX style (with the XMLHttpRequest object or the ActiveX objects Msxml2.XMLHTTP/Microsoft.XMLHTTP) and finally you use the results to update selected parts...
  • A Silver CardSpace: securing Orcas Workflow Services with Windows CardSpace

    In short: this is a step by step tutorial for creating from scratch a Workflow Service with the Beta 1 release of Visual Studio codename "Orcas". The tutorial shows how to secure the service with Windows CardSpace, how to create a client application on the fly and how to access claims from the code of a Workflow activity. Just days before the Earth-moving news at Mix, with the Beta 1 release of Visual Studio codename "Orcas" we made available another silvery technology: the Workflow Services, Silver for friends, are an exciting new technology which allows developers to blend WCF and WF to create service-aware workflows. As is good tradition, one of the first things I thought about was how to secure this new breed of services via CardSpace: it turns out that it is incredibly easy, and I could explain it in half a post if I started from an existing workflow service project. However Silver technology is still cutting edge, so I thought it would be useful to make a full walkthrough. EDIT: after some hours spent writing this post, I've seen that the WF overlord already covered the workflow creation part, and in better detail: I recommend checking Matt's post out, especially if some of the passages below are obscure to you.
    The plan
    We'll partition the work into a few steps:
    1. Create the workflow project
    2. Add and configure the Receive activity
    3. Host the workflow in a WorkflowServiceHost
    4. Configure the workflow endpoint for using CardSpace
    5. Create a client project on the...
  • Debugging STS code

    Periodically I hear of people having issues with debugging STS code in CardSpace based scenarios. When you invoke an STS by selecting a managed card, you do that from the private desktop; that means that you can't access your interactive session until the call to the STS returns, but if the STS code is exactly what you want to inspect you appear to be stuck. There are a number of easy ways out of that apparent impasse: I recently shared them with a colleague, and her reaction convinced me that there's some value in sharing them on the blog.
    Trick 1: Put a breakpoint in the STS code, launch your client app and get to the point at which you use the managed card. The token request dialog will be stuck, since you have a breakpoint that blocks your RST processing. Just cancel the request and exit the private desktop: you will find the execution stopped at your breakpoint and you can go through the STS code. Obviously if you successfully step through the entire code the token will never be returned, since you killed the client, but if your purpose is debugging the STS you should not care. Easy :-)
    Trick 2: Alternatively, you can have the client in a VPC or on another physical machine.
    Trick 3 (thanks to Xiao Xie for this one): if you are running on an OS which allows more than one concurrent interactive session, such as Windows 2003 or Longhorn Server, just create a remote desktop session to the machine itself. You can run the client from the remote desktop console, ...
  • Otto Store: walking through the CardSpace experience

    If you are watching the Card-space, I'm sure you didn't miss it: the Otto Store smart client application, announced during TechEd Europe and VSLive, is now up and running. You can download and install it from there. This news is relevant to this blog in different ways. The Otto store is the first application available on the internet to use managed cards. It is the first application to secure web service calls via CardSpace. And among the customers I have worked with in the last year, Otto is the first one to release a CardSpace based application. Hoooray! It was a pleasure to work with everybody on the project; I can't tell you the satisfaction of seeing all this beautifully coming together. I could fill the entire post just with juicy anecdotes, like the time when Jaime (the great guy who dealt with the WPF parts here in Corp) and I flew to Germany for the first ADS: we took an early cab from downtown Munich to the offices, and it was the very first ride of the very first work day of our extremely young driver. A 20 min drive became a 45 min tour in the foggy & frozen countryside around Munich, with the driver increasingly panicking: GPS was banned by his company policy, so I could not pull out my beloved Universal and give him a hand. He was very brave and professional! In the end we made it to the meeting, though with some delay: looking at the app today, anyway, it looks like that delay didn't really matter that much. But you're not interested in anecdotes, are you:
  • Want to play with a real IP-STS in the cloud? Help yourself!

    Dennis and his team just went live with, no pun intended, the all new & improved Live Labs STS!! While the former incarnation was a pure resource STS, this is a full fledged Identity Provider STS. If you have a Live ID, you can go through the easy steps of the registration and get your very own Live Labs managed card. You have a choice of 2 authentication factors: self issued cards and username/password. You can then register the certificate of your RP, and you're all set. You can start playing with it from the very start! I am truly happy about this: you can finally get a direct feeling of what an identity authority is and how to incorporate it in your experiments. Unfortunately I don't have much time now to give more detailed instructions, but I'll do that as soon as I have a second. In the meanwhile, please remember: this is a lab, don't expect commercial-grade assurances. Below, a screenshot of my identity selector after the newly imported Live Labs card. Great job Dennis et al! I suspect that there's the hand of Hervey as well :-)
  • Using Simple STS and managed cards with the simple WPF sample

    Well, what an alliterative title :-) I've been asked on several occasions how to use managed cards, and specifically the simple STS sample, together with the surprisingly popular WPF smartclient sample. It is not especially difficult: a few changes in the configuration and you're all set. The only nuisances arise from the fact that when you set up a full end to end CardSpace scenario sample on a single machine you are basically trying to sing, play the guitar and the drums at the same time: setting up SSL for RPs and IPs, tweaking the hosts file to map website names to IPs, setting up certificates and permissions, making sure that web proxies and ISA will not sabotage your "artificial" connectivity, setting up virtual directories for CRLs and logotypes... those are all things that need to be done. In this case we can make some serious simplification by not adding any virtual directory, since all moving parts live in a dedicated process (RPs and STS in their own console app, the client in the WPF app). That would mean no logotypes and no CRL, though. While for the sake of the example we can work around the former, the latter has the potential of upsetting WCF big time; we'll see how to mitigate that. Just remember that logotypes and CRL are something you don't want to give up in production; here we are simply trying to see CardSpace in action. In this post I am making the assumption that you set up the simple STS at the address , and that it is secured by a certificate with...
  • Gartner healthcare summit, WiFi on planes, WPF WCF & caching CardSpace tokens, Vista, Id World... and neurotransmitters

    Well, what a week :) Monday and Tuesday, @ San Diego for the Gartner Healthcare Summit. Ben Flock (mighty PSA!), Chris Henchey (COO & Cofounder of Choicelinx) and I presented a case study about cross entity authentication in Healthcare. The session was largely based on the learnings derived from a WCF early adoption project we had with Cigna/Choicelinx: incidentally, the case study of that project is out :) let me know if you like the picture! During the session, though, we demonstrated the next step: that is to say, CardSpace-enabling the scenario and seeing dev times go from small (with WCF) to risible. I am truly impressed with Chris: in my experience his openness to completely novel ideas is something that is not easy to find in his environment. I'm truly honored we co-presented! Anyway, as soon as I was back I had an internal CardSpace show&tell with colleagues from another division. It was supposed to be 30 mins, but we ended up doing 1:30 :-) yes, I'm horribly verbose, but in my defense nobody stopped me! And we came out with very interesting questions, though. Then, the craziest time of all: I had to prepare for the EMEA tour I'm doing. Not that easy! Close mails, review docs, push out the WPF/WCF smartclient secured with CardSpace with caching, install Vista RTM.... Vista is not a difficult install per se, actually it was a breeze: it's that my machines are practically prosthetic extensions of my brain, and if something malfunctions... it's a problem. So...
  • Using Windows CardSpace for securing a WPF smartclient, in WCF & token caching sauce

    Hello everybody. I have had this sample in the buffer for some time: I am publishing it now in a rush, since this Sunday I leave for 2 weeks in the EU for some nice CardSpace briefings here and there. I won't be on mail very much, so I hope you will hold most questions for when I am back in Redmond :-) I would really love to speak at length about this, but I really don't have much time (I also have to mention all the ones that helped, and the list is long!:)). For the time being I am including an excerpt of the sample documentation: later I'll go deeper into it. Enjoy :) Vittorio
    ---------------------------------------------
    Windows CardSpace, WCF and Token Caching
    Windows CardSpace provides a consistent experience across web and rich client scenarios. Windows Communication Foundation (WCF) supports CardSpace out of the box, supplying a powerful means of handling authentication in web service based applications: users enjoy an easy experience that shields them from the complexities of WS-Policy, while WCF receives a token for securing the messages. The WCF programming model stores credentials on a per-channel basis: hence, in normal conditions the user would be prompted to choose a card as many times as a channel is created and used. The WCF extensibility model, however, offers an easy way of modifying this behavior. The sample presented here demonstrates how a simple WPF application can leverage CardSpace for securing the access to two different WCF web services, prompting the user...

Copyright © 2006 Microsoft Corporation. All Rights Reserved.