Geneva Feed

You bet: there will be no distributed application without security - and the "new security" is claims-based identity: Learn it from the master of claims, WIF and ACS

thinktecture’s security expert Dominick Baier spends numerous hours every month answering questions about WIF and identity in general. Recently he put together a two-day training course about WIF that covers everything he thinks is important.

The course includes extensive lab material in which you take a standard application and apply all kinds of claims and federation techniques and technologies: WS-Federation, WS-Trust, session management, delegation, home realm discovery, multiple identity providers, Access Control Service, REST, SWT and OAuth. The lab also includes the latest version of the thinktecture IdentityServer, and you will learn how to use and customize it.

If you are looking for an open enrollment style of training, have a look here or here.
Or contact Dominick directly.


The course outline:

Day 1
Intro to Claims-based Identity & the Windows Identity Foundation
WIF introduces important concepts like conversion of security tokens and credentials to claims, claims transformation and claims-based authorization. In this module you will learn the basics of the WIF programming model and how WIF integrates into existing .NET code.
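
As an added illustration of the programming model this module describes (example code written for this page, not course material or thinktecture code): a WIF 1.0 (Microsoft.IdentityModel) ClaimsAuthenticationManager that adds an application-specific claim after WIF has validated the incoming token, and a ClaimsAuthorizationManager that decides on resource/action pairs. The namespace, the claim type URI, the "Finance" role value, the "orders" resource and the approval threshold are assumptions made for the illustration.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Registered in web.config (assumed type names) so WIF calls them on every request:
//   <microsoft.identityModel><service>
//     <claimsAuthenticationManager type="ClaimsDemo.OrdersClaimsAuthenticationManager, ClaimsDemo" />
//     <claimsAuthorizationManager  type="ClaimsDemo.OrdersClaimsAuthorizationManager, ClaimsDemo" />
//   </service></microsoft.identityModel>
namespace ClaimsDemo
{
    // Step 1: claims transformation. Runs after WIF has validated the incoming
    // token (signature, audience, expiry) and built an IClaimsPrincipal from it.
    public class OrdersClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Assumed, application-specific claim type.
        public const string OrderLimitClaim = "http://schemas.example.org/claims/orderlimit";

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // Anonymous requests pass through unchanged; authorization below rejects them.
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;

            var identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Derive a local claim from what the STS issued. The role claim can be
            // trusted here only because WIF already verified the token signature
            // against the configured issuer; never derive rights from unsigned input.
            bool isFinance = identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "Finance");
            string limit = isFinance ? "100000" : "1000";

            // Mark the issuer so a later reader can tell local claims from STS-issued ones.
            identity.Claims.Add(new Claim(OrderLimitClaim, limit, ClaimValueTypes.Integer, "LOCAL TRANSFORMATION"));
            return incomingPrincipal;
        }
    }

    // Step 2: claims-based authorization. Reached through
    // ClaimsPrincipalPermission.CheckAccess(resource, action) or the
    // [ClaimsPrincipalPermission] attribute; application code never tests role names.
    public class OrdersClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            var identity = context.Principal.Identity as IClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
                return false;

            // Resource and Action are claim collections; one value each in this demo.
            string resource = context.Resource.First().Value;
            string action = context.Action.First().Value;

            if (resource == "orders" && action == "approve")
            {
                // Assumed business rule: approving needs an order limit of at least 100000.
                var limitClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == OrdersClaimsAuthenticationManager.OrderLimitClaim);
                int limit;
                return limitClaim != null && int.TryParse(limitClaim.Value, out limit) && limit >= 100000;
            }

            if (resource == "orders" && action == "read")
                return true; // any authenticated caller may read

            return false; // default deny for unknown resource/action pairs
        }
    }

    // Usage from application code (an ASP.NET page or a WCF operation).
    public static class OrdersService
    {
        public static void ApproveOrder(int orderId)
        {
            // Throws SecurityException when CheckAccess returns false.
            ClaimsPrincipalPermission.CheckAccess("orders", "approve");
            // ... approve the order ...
        }
    }
}
```

The point of the split is that token validation, claims transformation and the access decision each live in one place: the application only ever asks "may this principal do this action on this resource", and the mapping from issued claims to that answer can change without touching application code.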

Externalizing Authentication for Web Applications
WIF includes support for the WS-Federation protocol. This protocol allows separating business and authentication logic into separate (distributed) applications. The authentication part is called an identity provider or, more generally, a security token service. This module looks at this scenario from both the application and the identity provider point of view and walks you through the concepts needed to centralize application login logic, both with a standard product like Active Directory Federation Services and with a custom token service built on WIF’s API support.

Externalizing Authentication for SOAP Services
One big benefit of WIF is that it unifies the security programming model for ASP.NET and WCF. In the spirit of the preceding modules, we will have a look at how WIF integrates into the (SOAP) web service world. You will learn how to separate authentication into a separate service using the WS-Trust protocol and how WIF can simplify the WCF security model and extensibility API.

Day 2
Advanced Topics:  Security Token Service Architecture, Delegation and Federation
The preceding modules covered the 80/20 cases of WIF in combination with ASP.NET and WCF. In many scenarios this is just the tip of the iceberg. Especially when two business partners decide to federate, you usually have to deal with multiple token services and their implications for application design. Identity delegation is a feature that transports the client identity over a chain of service invocations so that authorization decisions can be made over multiple hops. In addition you will learn about the principal architecture of an STS, how to customize the one that comes with this training course, and how to build your own.
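
Added example (written for this page, not the course's own lab code or thinktecture code) of the delegation hop described above, using WIF 1.0's ActAs support: the front end re-presents the user's original token to the STS as ActAs, the STS issues a token whose primary identity is the user and whose Actor is the front end, and the back end reads the whole chain. The contract, the endpoint name "backend", the front end's name claim value and the single-relying-party Scope are assumptions; the ActAs subject accessor is the WIF 1.0 name (.NET 4.5 renamed it GetIdentities()).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;      // CreateChannelActingAs extension method
using Microsoft.IdentityModel.SecurityTokenService;

// Assumed service contract used by the front end to call the back end.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string WhoIsCalling();
}

// Hop 1: the web front end. WIF keeps the user's original token only when
// <service saveBootstrapTokens="true"> is set; it becomes the ActAs element of
// the RST that WIF sends to the STS for the back-end token.
public static class FrontEnd
{
    public static string CallBackEnd()
    {
        var userIdentity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        var bootstrapToken = userIdentity.BootstrapToken;   // null unless saveBootstrapTokens="true"
        if (bootstrapToken == null)
            throw new InvalidOperationException("No bootstrap token; enable saveBootstrapTokens in <microsoft.identityModel>/<service>.");

        // "backend" is an assumed endpoint configured with ws2007FederationHttpBinding
        // whose issuer address points at the STS below.
        var factory = new ChannelFactory<IOrderService>("backend");
        IOrderService channel = factory.CreateChannelActingAs(bootstrapToken);
        return channel.WhoIsCalling();
    }
}

// The STS: 'principal' is the authenticated caller (the front end); request.ActAs
// carries the user's token. Output = user's claims with the front end as Actor.
public class DelegationSts : SecurityTokenService
{
    public DelegationSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Assumed: one relying party; signing credentials come from configuration.
        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = scope.AppliesToAddress;
        scope.TokenEncryptionRequired = false;   // demo only; encrypt issued tokens in production
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var callerIdentity = (IClaimsIdentity)principal.Identity;
        if (request.ActAs == null)
            return new ClaimsIdentity(callerIdentity.Claims);   // ordinary, non-delegated issuance

        // Delegation must be an explicit decision: only a registered front end may
        // act as another identity (assumed check on an assumed name value).
        if (!callerIdentity.Claims.Any(c => c.ClaimType == ClaimTypes.Name && c.Value == "frontend.example.org"))
            throw new InvalidRequestException("Caller is not allowed to act as another identity.");

        var actAsIdentity = request.ActAs.GetSubject()[0];   // WIF 1.0 name
        var output = new ClaimsIdentity(actAsIdentity.Claims);
        output.Actor = new ClaimsIdentity(callerIdentity.Claims);
        return output;
    }
}

// Hop 2: the back end walks the Actor chain for auditing and authorization.
public class OrderService : IOrderService
{
    public string WhoIsCalling()
    {
        var chain = new List<string>();
        for (var id = (IClaimsIdentity)Thread.CurrentPrincipal.Identity; id != null; id = id.Actor)
            chain.Add(id.Name);
        return string.Join(" acting via ", chain.ToArray());   // e.g. "alice acting via frontend.example.org"
    }
}
```

The security-relevant detail is in the STS: the ActAs token proves that the user really authenticated (its signature is checked like any other incoming token), but whether this caller may delegate is a policy decision the STS has to make explicitly, otherwise any party holding a user's token could mint tokens for any back end in that user's name.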

Outsourcing Authentication:  Windows Azure & the Azure AppFabric Access Control Service
Microsoft provides a multi-tenant security token service as part of the Azure platform cloud offering. This is an interesting product because it allows outsourcing vital infrastructure services to a managed environment that guarantees uptime and scalability. Another advantage of the Access Control Service is that it allows easy integration of both the “enterprise” protocols like WS-* and “web identities” like LiveID, Google or Facebook into your applications. ACS acts as a protocol bridge in this case: the application developer doesn’t need to implement all these protocols, but simply uses a service to make it happen.

Claims & Federation for the Web and Mobile World
The web and mobile world is also moving to a token- and claims-based model. While the mechanics are almost identical, other protocols and token types are used to achieve better HTTP (REST) and JavaScript integration for in-browser applications and small-footprint devices. Patterns such as letting third-party applications work with your data without disclosing your credentials to them are also important concepts in these application types. The nice thing about WIF and its powerful base APIs and abstractions is that it shields application logic from these details, so you can focus on implementing the actual application.

Keen on identity management and claims? Looking for a great learning resource? thinktecture StarterSTS v1 is here!

After some time of hard work, Dominick just released v1 of thinktecture’s StarterSTS. Congrats!
Have fun browsing through a great set of best practices code for handling various scenarios when it comes to token creation, token processing, claims handling, federation, single-sign-on and more.

Free PDF Book Download: A Guide to Claims-Based Identity and Access Control – powered by thinktecture

Get it now.

thinktecture’s Dominick Baier has spent quite a lot of time helping to build this fantastic official Microsoft guide. If you need to grok the concepts and technical details about how to do claims-based identity and access control on the Windows and .NET platform, that is the PDF you should carry around all day.

Dominick put all his vast and deep experience into this project. Thanks Dom.

 p&p guide claims-based identity & access control

WIF-based applications in the wild - Dominick Baier and Christian Weyer on .NET Rocks!

In part three of .NET Rocks' virtual three part series on all things identity, claims and WIF, Dominick and I are talking about using and applying the Windows Identity Foundation and ADFSv2 in the wild, beyond the Hello Claim levels being covered elsewhere.
This interview contains a number of small tidbits gathered from several customer projects.

Hope you enjoy it - and feel free to get in touch with us when you need help in this new but exciting world.
Weyer and Baier on WIF

Your identity, my identity - our identity! thinktecture rocks you with claims & more

Dominick managed to update all our thinktecture official identity bits and pieces to the recent WIF RC.

Go and get it while it's hot!

And: if you need help with your identity management and claims-based security scenarios, we are available for hire (in 2010...) :)

Helpful for everybody, complex for many - explained comprehensibly: Claims-based security with WIF

thinktecture's security guru Dominick Baier is unbeaten at explaining complex matters in the security world in a simple yet effective way.
This happened again in a recent Channel9 video recorded by German Microsoft evangelist Dariusz Parys. Dominick presents facts in the realm of claims-based security and shows how to solve different problems related to authentication, authorization and personalization in practice.
Beyond all the theory and standards, he mentions our very own StarterSTS, which was designed and built to lower the entry bar into the sometimes not too trivial battlefield of security token services and relying parties. And all this is based on the Windows Identity Foundation (WIF), the prime API for .NET developers to solve the said identity management problems.

Let's go and watch!

Helpful for everyone, complex for many, explained comprehensibly: claims-based security with WIF (German post)

thinktecture's security guru Dominick Baier has a knack for laying out complex security topics in a simple yet effective way.
This happened again in the Channel9 video that Dariusz Parys of Microsoft Germany recorded with him. Dominick explains the concepts around claims-based security and how they can be used to solve problems of authentication, authorization and also personalization in practice.
Besides all the theory, our StarterSTS is mentioned too; it is meant to ease the entry into the claims world and take away the apparent dread of identity providers and relying parties. All of it is based on the Windows Identity Foundation (WIF).

Off to the video!

thinktecture at BASTA! Fall 2009

It is worth coming to BASTA!, not least because many thinktects will be there :)

Dominick Baier:
  • Sessions:
    • X509 certificates: solutions instead of problems!
      23.09.2009 | 14:00 - 15:15
    • Single sign-on for ASP.NET web applications
      23.09.2009 | 15:45 - 17:00
  • Workshop:
    • Distributed, secure, pragmatic: how do I get started?
      25.09.2009 | 09:00 - 16:30

Richard Blewett:
  • Sessions:
    • Generics, Lambdas and Extension Methods - Beyond List
      22.09.2009 | 14:00 - 15:15
    • Contract-First Design with WCF
      22.09.2009 | 15:30 - 16:45
    • Generics, Lambdas and Extension Methods - Beyond List
      23.09.2009 | 14:00 - 15:15

Jörg Neumann:
  • Sessions:
    • Design and implementation of secure add-in models
      23.09.2009 | 10:15 - 11:30
    • Transactions 2.0
      23.09.2009 | 17:15 - 18:30
    • Dynamic connections with WPF data binding
      24.09.2009 | 10:15 - 11:30

Ingo Rammer:
  • Sessions:
    • .NET production debugging: first steps
      22.09.2009 | 09:30 - 10:45
    • Advanced Debugging with Visual Studio
      22.09.2009 | 15:30 - 16:45
    • Tasks and Threading in .NET 4.0
      24.09.2009 | 08:30 - 09:45

Christian Weyer:
  • Sessions:
    • WCF tips and tricks
      22.09.2009 | 09:30 - 10:45
    • WCF 4.0: what's new?
      22.09.2009 | 11:15 - 12:30
    • .NET Service Bus: communication without boundaries
      22.09.2009 | 17:15 - 18:30
  • Workshop:
    • Distributed, secure, pragmatic: how do I get started?
      25.09.2009 | 09:00 - 16:30

We look forward to seeing you and to many interesting conversations and discussions in Mainz!

thinktecture Security Token Service Starter Kit - or: "Look ma: even *I* can have a STS!"

We are happy to announce the thinktecture Security Token Service (STS) Starter Kit. It shows how to build a basic yet powerful STS based on Geneva Framework (Beta 2) which integrates with all the nice and powerful ASP.NET-isms like membership, roles and profiles.

Screenshots: thinktecture STS Starter Kit; thinktecture STS Starter Kit IIS config.

The heart of the STS is configured with a simple web.config entry like this:

<starterSTS siteName="thinktecture Security Token Service Starter Sample"
              enableMixedWSTrust="false" />

Read Dominick's blog post for more details and please make sure to watch the Setup & Overview screencast.
Any feedback is highly appreciated!

Geneva-based WS-Federation metadata document generation wizard (or: "Oops, I did it again!")

Starting with Beta 2 of the Geneva Framework there is nice support for metadata-driven behavior and code generation. We (Mr. Security himself and I) came across some situations where one wants to generate the WS-Federation metadata document manually and then use this XML, e.g. with the fedutil.exe tool or the integrated Geneva tooling inside Visual Studio.
I couldn't resist and built a wizard which helps generate the metadata document... sorry :) Feels like Groundhog Day.

Here we go.

Screenshots: WS-Federation Metadata document generator, wizard pages 1 to 9.

Note: I am using the DevExpress wizard control and dependent assemblies. Therefore the size of the ZIP is rather big (too big, IMHO) - sorry.

For whom it may help: Download.