Welcome to Windows CardSpace

Windows CardSpace Team Bloggers

Posts tagged: WCS » Architecture - WS

  • Perspectives.on10.net: podcast interview with Jon Udell on identity & "Understanding Windows CardSpace"

    Jon Udell recently launched a new, interesting format on the website perspectives.on10.net. Perspectives is a series of in-depth conversations with passionate innovators. Most work for Microsoft; some work elsewhere; all are advancing the state of the art in areas as diverse as robotics, digital identity, e-science, and social software. Information technology is the common thread, and Perspectives appeals to the technically minded, but the show also aims to tell stories in ways that make sense to a wider audience. Each installment of Perspectives is delivered as an audio podcast, and supplemented by a partial text transcript. The first episode was an interview with two guys from the Robotics Studio team, Tandy Trower and Henrik Frystyk Nielsen. The quality of the interview is clearly top notch, the scope of the topics strategic & forward looking but still solidly rooted in technology: Jon's editing makes things flow beautifully, and the transcript is incredibly handy for speed readers & search engines. In short, I LOVE IT :-) Hence, it is with ill-concealed pride that I announce the subject of the second episode: it is a chat I had with Jon back in December, just days before the book came out. The casus belli was the book itself, which Jon was so kind to read in prerelease version, but we ended up talking about identity in a much wider sense. We touched on certificates versus managed cards, omnidirectional vs unidirectional identities, WS-*, OpenID... Jon is a *great interviewer*. Read More...
  • The Tao of Authentication (Part III - last)

    (continues from Part I and Part II) Finally we've lined up all the elements we need for understanding how we can get rid of the 1-2-3 tyranny, and deal with our business requirements directly instead of relying on an old model that forces us to perform unnecessary steps and introduces artificial dependencies. For making sense of what I write in this post you *really* need to read parts I and II as well; without the right context, some of those things could be badly misinterpreted. Sorry :-) Outsourcing user authentication. As much as I'd like to think that everybody is super interested in authentication, the reality is that you may care very little about it. Let's say you are hosting your own blog, and comment spammers harass you. You can make their life more difficult by adding an authentication step that will ask your readers to sign in before being able to comment. That's not a perfect system, but you know... security is a ladder. If you discouraged 70% of the spammers, you already did a great job. Or did you? Now you need to set up the authentication system, and above all maintain it. That means handling lost passwords; attacks on your credentials store, which may (read: will) contain passwords (well, hopefully hash derivations) your users are reusing with websites which feature higher value transactions; and many other annoyances. The blog example is a bit extreme on the low value end of the gamut, but there are many other situations in which owning direct credentials authentication may Read More...
  • The Tao of Authentication (Part II)

    (continues from Part I) You can consider this post and the fine-grained analysis we made in Part I as a down payment for grasping the implications we'll see in Part III, which I plan to post in a few hours (almost done). I was planning to have just 2 parts, but it came out far too long and I need 3 :). Here we'll see a very general architecture that can support the traditional authentication practice we described so far. Let me refresh your memory with those few key points we established last time: When we feel the need to authenticate users before giving access to our application, usually that's because we need the answer to some questions in order to execute correctly the service we are offering. The question "are you a returning user?" can be verified directly by using some mechanism, such as asking the user to submit credentials. For almost all other questions we need to get an answer that satisfies us without a chance of verifying it directly in-band (messy, but if you read Part I you'll understand). When we authenticate a user in the "traditional" way, we essentially do three distinct things at the same time: we answer the question "are you a returning user?" by verifying the credentials; we link the credentials to a profile in our archive; we "dehydrate" that profile, and we use its content for answering our other questions. We'll now review the architectural components that we customarily use for traditional authentication, that is to say what we need for performing Read More...
  • NoSSL sample: a class for checking signatures of tokens sent to the RP in clear HTTP

    In short: I show a simple class that checks the signature of self-issued tokens sent on a normal HTTP connection (as opposed to HTTPS); the same class takes care of generating a UniqueID and giving access to claims. It basically covers for the NoSSL case the core functions that TokenHelper offers for the SSL case. Today for a few hours I found myself living in the early 90s. I agreed with Mario to meet at Victor's, the only place where coffee meets the bar of the Italian community here in Redmond, but he wasn't there. I did the obvious thing, I called his mobile: instead of connecting with him, I talked with his wife: she told me that he forgot the phone at home, and he was already out. That happened all the time before everybody had a cell (for my circle of friends in Italy, that means '98), but now? Luckily I had my UMPC in the borsello, so I pulled it out and fired up Visual Studio. A few days ago we were chatting about the fact that we have no samples that work without HTTPS: the TokenHelper assumes that the incoming token is encrypted, which is not the case in the NoSSL scenario. It seemed engaging enough to fill the wait... so I wrote a little proof of concept that shows how an RP could handle a token sent in clear. Remember the long post I made in September about the same topic? There I was making the point that while the content of the token may now be visible (at least in the self-issued case, the one I will consider in this post), the way of authenticating the caller is unchanged: Read More...
  • The Tao of Authentication (Part I)

    From time to time it's healthy to challenge the assumptions, and look at (allegedly) familiar things with new eyes. A few weeks ago I had to do just that with the idea of authentication: I wanted to shake a bit an audience of architects, and make them *think* about the problem instead of relying on the stereotypes they had about it. Judging from the evals I've got, it worked :-) If you want to give it a try, check in at the door what you already know on the subject and come to play! The Tao of Authentication. "authentic: being actually and exactly what is claimed" (from M-W). When I say "authentication", what do you think of? No, I don't mean you identirati people, put your hands down; I mean what's the intuitive idea in the collective imagery. The typical answer you get from a generic audience is something like "it's when you check the identity of the user before giving access". That sounds in line with what traditionally happens as of today, but we'll see that there's more than meets the eye. Why do we authenticate, whatever that means? Simple. During the execution of the service we are offering we need the answer to some specific questions: the authentication phase is one of the ways in which we obtain the answer to those questions. Too abstract? Let me give you some notable examples. Questions. Looks different from my usual messy sketches, eh? :) Well, that's a sample of my slide style. Some say they're too busy, some like them... pick your camp. But I digress. Here we see our usual Read More...
  • Mike jumps on the OpenID Foundation board of directors

    Good news everyone! Our very own Mike will represent Microsoft on the OpenID Foundation board of directors, which to me seems a natural choice given all the work he has done in that space (for example, this). Wait a minute, a Microsoft representative in the OpenID Foundation?!? If that surprises you, that means you didn't get the news: Google, IBM, Microsoft, VeriSign and Yahoo joined en masse the OpenID board of directors. The future is now, people! Read More...
  • The entire chapter 2 of "Understanding Windows CardSpace" published on Code Project

    A few days ago I was notified that the 2nd chapter of our book "Understanding Windows CardSpace" is now available for free online, on the pages of Code Project (takes some time to load from my connection, don't give up). That's a very big chapter, for architects and business decision makers, focused on showing how the identity laws and the identity metasystem are addressing many of the challenges presented in chapter 1. It also shows the role played by WS-Trust & friends. There's not much of Windows CardSpace in this chapter, apart from its positioning as the identity selector that comes with Windows: in fact I like to think that the same text could have been used in a book about Higgins or any of the projects in this space. (BTW, Paul says extremely kind things about the book here. Thank you Paul!). Many of the topics in the chapter do not have a natural order of presentation, but they all sort of depend on one another in a way which was pretty difficult to disentangle. Furthermore it is important to introduce all the new concepts in the right context, in a coherent discussion, without forgetting anything important just because you approached the matter from one angle rather than another. To give you an idea of the planning effort it required, I fished from my archives one of my mindmaps for this chapter: Pretty wide, eh? I just *love* MindManager! See, that's the essence of a discussion I had almost one year ago with my good friend Gianpaolo. We were discussing Read More...
  • Understanding Windows CardSpace on the front page of Channel9

    Last week Caleb and I were surprised in my office by Charles "Carlo" Torre and his camera. The result is an impromptu interview about CardSpace, which is currently on the front page of Channel9 (direct link here). If you have time, take a look… we laugh a lot, but we manage to make some serious points here and there :-) and of course we mention the book, which is even on the "front frame". I have to remark that I am *always* amazed by Carlo's skills as an interviewer. He provides a fresh perspective, asking the right questions, and yet he discreetly blends in, giving space to the interviewee to make his point in his own personal style. And he's not afraid to put you on the spot and ask tough questions... he really takes the part of the audience. Carlo, it's always a pleasure to chat with you :-) Read More...
  • The video "WS-Trust - Under the hood" is back online

    It turns out that the Channel9 video on WS-Trust was down for (quite?) some time. I am pretty surprised by the number of people that are still checking out that clip! Now it works again, provided that you view it by clicking the download button (which, by the way, points to here) as shown in the screenshot below. The embedded video control is still not working. Thanks to everybody who raised the issue (Adlai, now I understand your comment about the video... sorry for not getting it earlier) and to Charles who fixed the problem at record speed. Read More...
  • Year's end blabbering: Omnidirectional Identities

    On the Paris-Seattle flight, coming back after 2 weeks spent stuffing myself with all sorts of food with the excuse "after all, you can't find this in the USA" :) Before hurling myself back into the vortex of daily work, and celebrating the end of the year with something crazy, I want to take some time to write down some hallucinatory (=vision without execution) thoughts about omnidirectional identities. Be warned, this may be just pointless rambling at this point. A few weeks ago I chatted about this in front of a microphone with Jon Udell, digressing along a crazy tangent instead of answering his questions about the book (I eventually came back to Earth and answered properly :)). I don't know if he'll deem those fragments publication worthy, but just in case I'll make a brain dump here. It's not that there's much more to do in this small seat anyway (just finished the latest Eco. He didn't mention underbite at all, I'm happy). Looking back at the activities related to identity in the past year, I am glad to report that amazing progress has been made. Something that makes 2007 very different from 2006 is the kind of work that was done: in 2007 the accent was on execution. The vision behind the metasystem is still being explored, sure, as Kim's series on linkage or the discussions about display token and first law demonstrate; and I feel that conjugating the metasystem and claims in enterprise environments is an area that still needs focus (especially in fighting old forma mentis that Read More...
  • Video about "the making" of myhealth

    Update about the project I mentioned yesterday: last August Lup Yuen gave a presentation at the Architect Council organized by Linda, and his session was captured & published on Channel9. It's a very interesting ~30 mins, recommended! I can't deny I was super satisfied to hear him mention the Deep Dive and EnterpriseGo engagements as important factors for the success of the project. Especially for the DD the product group gave fantastic support, and it's great to see this recognized. Way to go guys :-) Read More...
  • A RESTful CardSpace: sending tokens using the new WCF AJAX Services in Orcas

    In short: this is the description of a sample that sends a CardSpace-obtained token to an AJAX service implemented with the new Orcas features. A few posts ago I published a tutorial about using CardSpace with Silver. While talking about it with Kushal Shah from the Workflow team, he suggested that it could be nice if we'd also demonstrate how to use CardSpace with the new RESTful capabilities of WCF: that sounded perfect for my "cardspace+<technology_of_choice>" series, hence I promptly jumped on the task. The post below documents the results. Preamble. Before diving into the code, let's take a moment to understand what this is all about. The .NET Framework 3.5, currently in beta, extends WCF with new capabilities explicitly designed to enable web development scenarios. There's really a lot to say on the subject, however for our context it is enough to say that you can now expose WCF services in ways that make them extremely easy to consume from web pages. In practice, this means that you can 1) invoke WCF services via HTTP verbs (POST and GET) and 2) handle messages in web-friendly formats, such as JSON. The macroscopic implication is that you don't need a proxy. Calling a WCF service becomes a simple exercise in JavaScript: you gather the data from whatever UI element you need to, you create "by hand" a web request in AJAX style (with the XMLHttpRequest object or the ActiveX objects Msxml2.XMLHTTP/Microsoft.XMLHTTP) and finally you use the results for updating selected parts Read More...
  • "Caching" cards

    Caching is one of the topics that sooner or later arise when you reason about CardSpace. If I use the same card across different applications at the same time, or in a short period of time, can't I cache the card? If with a certain application I reuse the same card all the time, can't I automate that choice so that I don't get prompted? Valid questions, that deserve detailed answers. I won't make any considerations rooted in the Laws: for example, I may say that caching is overstretching the consent of the subject, since at a single point in time the user deprives his future self of the chance of perceiving the moment in which his/her data will be disclosed. But I wasn't the one taking the decision of not implementing caching in the identity selector, so the above may not be the reasons for which it's not there. For this post I will stick with what I handle best, token juggling: there are solid reasons for which certain forms of caching would not work, and those are the ones I'm gonna share here. I had this post in the pipeline for quite a while, and here it is. In CardSpace a managed card represents the ability to obtain a token from a certain IP. If the policy of one RP accepts a token from a certain IP, the subject can 1) select the managed card that represents the corresponding token, 2) take whatever steps are needed to be recognized by the IP, 3) if 2 was successful the subject obtains the token from the IP and, after reviewing its content, he/she can decide to send it to the RP. Read More...
  • The solution for the Silver CardSpace sample & the OperationValidation handler

    In the last loooong post, the one about using CardSpace together with the new Receive activity featured by Beta 1 of the Framework 3.5, I mentioned I would attach the final solution: however I didn't do it right away, to give some incentive to actually go through the simple steps of the tutorial. Hehehe I know, I'm evil at times :-) I am now attaching the solution in this post: it is not commented nor documented, and it is a very rough cut: it is exactly what I built while I was writing the tutorial. About the sample itself. In order to keep everything as readable as possible I placed the logic for accessing the claims directly in the code activity; that would also happen in a real application, if the actions of your code activity are somewhat influenced by the value of a claim. However if you'd be performing pure claim validation the right place to put your claim code would be the OperationValidation handler of the Receive activity (explore the properties of the Receive activity in Visual Studio and you'll find it). Thanks Matt for pointing it out Read More...
  • A Silver CardSpace: securing Orcas Workflow Services with Windows CardSpace

    In short: this is a step-by-step tutorial for creating from scratch a Workflow Service with the Beta 1 release of Visual Studio codename "Orcas". The tutorial shows how to secure the service with Windows CardSpace, how to create a client application on the fly and how to access claims from the code of a Workflow activity. Just days before the Earth-moving news at Mix, with the Beta 1 release of Visual Studio codename "Orcas" we made available another silvery technology: the Workflow Services, Silver for friends, are an exciting new technology which allows developers to blend WCF and WF for creating service-aware workflows. As in good tradition, one of the first things I thought about was how to secure this new breed of services via CardSpace: it turns out that it is incredibly easy, and I could explain it in half a post if I started from an existing workflow service project. However Silver technology is still cutting edge, so I thought it could be useful to make a full walkthrough. EDIT: after some hours spent writing this post, I've seen that the WF overlord already covered the workflow creation part and in better detail: I recommend checking out Matt's post, especially if some of the passages below are obscure to you. The plan: We'll partition the work in a few steps: 1. Create the workflow project 2. Add and configure the Receive activity 3. Host the workflow in a WorkflowServiceHost 4. Configure the workflow endpoint for using CardSpace 5. Create a client project on the Read More...

Copyright © 2006 Microsoft Corporation. All Rights Reserved.