Interoperability Feed

You bet: there will be no distributed application without security - and the "new security" is claims-based identity: Learn it from the master of claims, WIF and ACS

thinktecture’s security expert Dominick Baier spends numerous hours every month answering questions about WIF and identity in general. Recently he put together a two day training course about WIF that covers everything he thinks is important.

The course includes extensive lab material where you take standard application and apply all kinds of claims and federation techniques and technologies like WS-Federation, WS-Trust, session management, delegation, home realm discovery, multiple identity providers, Access Control Service, REST, SWT and OAuth. The lab also includes the latest version of the thinktecture IdentityServer and you will learn how to use and customize it.

If you are looking for an open enrollment style of training, have a look here or here.
Or contact Dominick directly.


The course outline:

Day 1
Intro to Claims-based Identity & the Windows Identity Foundation
WIF introduces important concepts like conversion of security tokens and credentials to claims, claims transformation and claims-based authorization. In this module you will learn the basics of the WIF programming model and how WIF integrates into existing .NET code.

Externalizing Authentication for Web Applications
WIF includes support for the WS-Federation protocol. This protocol allows separating business and authentication logic into separate (distributed) applications. The authentication part is called identity provider or in more general terms - a security token service. This module looks at this scenario both from an application and identity provider point of view and walks you through the necessary concepts to centralize application login logic both using a standard product like Active Directory Federation Services as well as a custom token service using WIF’s API support.

Externalizing Authentication for SOAP Services
One big benefit of WIF is that it unifies the security programming model for ASP.NET and WCF. In the spirit of the preceding modules, we will have a look at how WIF integrates into the (SOAP) web service world. You will learn how to separate authentication into a separate service using the WS-Trust protocol and how WIF can simplify the WCF security model and extensibility API.

Day 2
Advanced Topics:  Security Token Service Architecture, Delegation and Federation
The preceding modules covered the 80/20 cases of WIF in combination with ASP.NET and WCF. In many scenarios this is just the tip of the iceberg. Especially when two business partners decide to federate, you usually have to deal with multiple token services and their implications in application design. Identity delegation is a feature that allows transporting the client identity over a chain of service invocations to make authorization decisions over multiple hops. In addition you will learn about the principal architecture of a STS, how to customize the one that comes with this training course, as well as how to build your own.

Outsourcing Authentication:  Windows Azure & the Azure AppFabric Access Control Service
Microsoft provides a multi-tenant security token service as part of the Azure platform cloud offering. This is an interesting product because it allows to outsource vital infrastructure services to a managed environment that guarantees uptime and scalability. Another advantage of the Access Control Service is, that it allows easy integration of both the “enterprise” protocols like WS-* as well as “web identities” like LiveID, Google or Facebook into your applications. ACS acts as a protocol bridge in this case where the application developer doesn’t need to implement all these protocols, but simply uses a service to make it happen.

Claims & Federation for the Web and Mobile World
Also the web & mobile world moves to a token and claims-based model. While the mechanics are almost identical, other protocols and token types are used to achieve better HTTP (REST) and JavaScript integration for in-browser applications and small footprint devices. Also patterns like how to allow third party applications to work with your data without having to disclose your credentials are important concepts in these application types. The nice thing about WIF and its powerful base APIs and abstractions is that it can shield application logic from these details while you can focus on implementing the actual application.

Cross-device/cross-location Pub-Sub (part 3): Using Windows Azure Service Bus Topics & Subscriptions in Android with Mono for Android

And here we go with the final piece of blogging around the Windows Azure Service Bus and its cross-device, cross-location pub/sub features.

There have already been two articles about this topic (pun intended Winking smile)

Today I have built a very simple Android app with MonoDroid (aka Mono for Android) in C#. The code is essentially the same as for the iOS demo shown earlier (with MonoTouch), I just used Monodroid.Dialog to programmatically wire up the UI.


This is the entire code for the app:

   1:  [Activity(Label = "DroidServiceBusSubscriber",
   2:    MainLauncher = true, Icon = "@drawable/icon")]
   3:  public class MainActivity : Activity
   4:  {
   5:      private ListView lv;
   6:      private DialogAdapter da;
   7:      private RootElement menu;
   8:      private Section messages;
   9:      private BrokeredMessaging broker;
  10:      private string sbNamespace = "YOUR_SB_NS";
  11:      private string issuerName = "owner";
  12:      private string issuerSecret = "YOUR_OWNER_ISSUERKEY";
  13:      private string topicName = "newstopic";
  14:      private string subscriptionName = "androidsubscription";
  16:      protected override void OnCreate(Bundle bundle)
  17:      {
  18:          base.OnCreate(bundle);
  20:          InitBroker();
  21:          SetupUI();
  22:          RegisterMessagesHandler();
  23:      }
  25:      private void InitBroker()
  26:      {
  27:          broker = new BrokeredMessaging(sbNamespace);
  28:          broker.GetToken(issuerName, issuerSecret);
  29:      }
  31:      private void SetupUI()
  32:      {
  33:          messages = new Section("Messages");
  34:          menu = new RootElement("Service Bus Subscriber")
  35:          {
  36:              messages
  37:          };
  39:          da = new DialogAdapter(this, menu);
  40:          lv = new ListView(this) { Adapter = da };
  42:          SetContentView(lv);            
  43:      }
  45:      private void RegisterMessagesHandler()
  46:      {
  47:          Task.Factory.StartNew(() =>
  48:          {
  49:              while (true)
  50:              {
  51:                  try
  52:                  {
  54:                      var message = broker.ReceiveAndDeleteMessage(topicName + 
  55:                        "/Subscriptions/" + subscriptionName);
  57:                      if (!String.IsNullOrWhiteSpace(message))
  58:                      {
  59:                          RunOnUiThread(delegate
  60:                          {
  61:                              messages.Elements.Add(new StringElement(message));
  62:                              da.NotifyDataSetChanged();
  63:                          });
  64:                      }
  66:                  }
  67:                  catch (Exception ex)
  68:                  {
  69:                      Console.WriteLine(ex);
  70:                  }
  71:              }
  72:          });
  73:      }
  74:  }


And the ServiceBusBrokeredMessaging class is exactly copied and pasted from the MonoTouch project to the VS 2010 project for MonoDroid.

Here is the client app solution (you will need Mono for Android for Visual Studio):

Hope this helps.

Hosting a public web site (ASP.NET) and an internal services site (WCF) in one Windows Azure web role – sample code

Alright. I got some emails asking for the actual project and code for the blog post over here.

Imagine you want to host some (Web) services in an IIS web site inside your Windows Azure compute web role. In addition, you also want to host your web application/portal in another web site in Full IIS in the *same* web role. […]

Here is a working solution (based on Windows Azure Tools for VS 2010 1.6).
Hope this helps.

Cross-device/cross-location Pub-Sub (part 2): Using Windows Azure Service Bus Topics & Subscriptions in Windows Phone (7.1)

In the previous post I showed how to use MonoTouch and C# on iOS devices to subscribe to the Windows Azure Service Bus’s topics and subscriptions features.

This time it is a Windows Phone (Mango) client app.

The sending / publishing application is still the same Console application from the last post:


And the nice part about the WP app is that Kellabyte already did the major work for wrapping the Service Bus queues, topics, and subscriptions REST API (also check out her awesome Continuous Client demo which uses the Service Bus). Smile

With her code in place the actual subscribing inside my WP app to the messages in my Service Bus subscriptions is a piece of cake:

   1:  public MainPage()
   2:  {
   3:      InitializeComponent();
   5:      InitBroker();
   6:  }
   8:  private void InitBroker()
   9:  {
  10:      token = new Token(sbNamespace, issuerName, issuerSecret);
  11:      token.Requested += new EventHandler<TokenEventArgs>(token_Requested);
  12:      token.Request();
  13:  }
  15:  private void token_Requested(object sender, TokenEventArgs e)
  16:  {
  17:      topic = new Topic(token, topicName);
  19:      RegisterMessagesHandler();
  20:  }
  22:  private void RegisterMessagesHandler()
  23:  {
  24:      subscription = new Subscription(topic, subscriptionName);
  25:      subscription.MessageRecieved += 
  26:                    new EventHandler<SubscriptionMessageEventArgs>(
  27:                      subscription_MessageRecieved);
  28:      subscription.ReceiveMessage();
  29:  }
  31:  private void subscription_MessageRecieved(object sender, SubscriptionMessageEventArgs e)
  32:  {
  33:      var message = e.Message;
  35:      try
  36:      {
  37:          if (!String.IsNullOrWhiteSpace(message))
  38:          {
  39:              Dispatcher.BeginInvoke(() =>
  40:              {
  41:                  mainContentPanel.RowDefinitions.Add(
  42:                      new RowDefinition { Height = new GridLength(35) });
  44:                  var pos = mainContentPanel.RowDefinitions.Count - 1;
  46:                  var txt = new TextBlock();
  47:                  txt.Text = message;
  48:                  mainContentPanel.Children.Add(txt);
  49:                  Grid.SetColumn(txt, 0);
  50:                  Grid.SetRow(txt, pos);
  51:              });
  52:          }
  53:      }
  54:      catch (Exception ex)
  55:      {
  56:          Console.WriteLine(ex);
  57:      }
  59:      subscription.ReceiveMessage();
  60:  }

And the (again) super spectacular result is that all the messages are being sucked from my subscription and displayed on the phone:


Voila. Sorry – not so exciting as last time. Anyway, here is the download:

Hope this helps.

Cross-device/cross-location Pub-Sub: Using Windows Azure Service Bus Topics & Subscriptions in iOS with MonoTouch

Windows Azure has seen some updates over the past weekend. One small update is that the Service Bus and Access Control Service are no longer marketed inside the Windows Azure AppFabric brand but are now a substantial part of Windows Azure core.

The Windows Azure Service Bus has two basic feature sets:

  • relayed messaging (through the Service Bus Relay service)
  • brokered messaging (through queues, topics, subscriptions (and the deprecated message buffers)

In this post I show you how to use part of Service Bus’ REST API to create a cross-platform & cross-location publish & subscribe app by leveraging topics and subscriptions.

First of all, let’s launch the wonderful Service Bus Explorer tool and look at my Service Bus namespace:


As we can see there are no topics and subscriptions (and also no queues).

What we are going to do is have a .NET console app running on Windows to create a topic and a subscription on the Service bus with the REST API and send messages to the topic. Here is the essential piece of code to do this:

   1:  var broker = new BrokeredMessaging (serviceNamespace);
   3:  try
   4:  {
   5:      token = broker.GetToken (issuerName, issuerSecret);
   7:      string topicName = "newstopic";
   8:      string subscriptionName = "iphonesubscription";
  10:      broker.CreateTopic(topicName);
  11:      broker.CreateSubscription(topicName, subscriptionName);
  13:      while (true)
  14:      {
  15:          broker.SendMessage (topicName, "Hello " + Guid.NewGuid ().ToString ());
  16:          Thread.Sleep (5000);                    
  17:      }
  18:  }
  19:  catch (WebException we)
  20:  ...

Admitted, the actual heavy work is inside the BrokeredMessaging class. This class is just a simple wrapper around the REST API, and you can see some basic operations using WebClient to talk to the Service Bus in the AppFabric SDK samples (e.g. the Management Operations using REST sample).

The BrokeredMessaging helper class can be found in the sample projects download at the end of this post.

After we retrieved a token from ACS we create a topics and a subscription and send out messages in a loop:


These messages are sent to the Service Bus to a durable topic (which uses queues underneath). As long as there is no subscriber which gets and deletes the messages from the subscription we can see the messages sent to the topic in the Service Bus Explorer – here we have sent out 4 messages from the Console application:



Now let’s use a subscriber to get the messages from the subscription. My goal was to have a native iOS app but built with C# entirely. Therefore I fired up MonoTouch and created a very simple iPhone app. For the super-sophisticated UI I used MonoTouch.Dialog, a highly recommend UI library to quickly create any forms-over-data user interface for iOS apps.

In order to talk to the Service Bus the MonoTouch project was using the exact same BrokeredMessaging class as my Windows console application. The joy of MonoTouch.

Again, the essential code (after getting a token from ACS) to get and delete messages from the SB subscription looks like this (the messages object is the list of elements in the UI to display the messages).

private void RegisterMessagesHandler ()
    Task.Factory.StartNew (() =>
        while (true)
                var message = broker.ReceiveAndDeleteMessage (topicName + 
                   "/Subscriptions/" + subscriptionName);
                if (!String.IsNullOrWhiteSpace (message))
                    InvokeOnMainThread (delegate 
                        messages.Elements.Add (new StringElement (message));
                        dvc.TableView.ReloadData ();
            catch (Exception ex)
                Console.WriteLine (ex);                

Note: it may not be wise to store the Service Bus owner and shared secret directly in the device’s app – you know… or at least store it in the Keychain (sample with MT:

To convince you that there is no magic or cheating going on, this is the code from BrokeredMessaging  to get the message from the subscription (and also delete it):

   1:  public string ReceiveAndDeleteMessage (string relativeAddress)
   2:  {
   3:      string fullAddress = baseAddress + relativeAddress + 
   4:        "/messages/head" + "?timeout=60";
   6:      Console.WriteLine ("\nRetrieving message from {0}", fullAddress);
   8:      var webClient = new WebClient ();
   9:      webClient.Headers [HttpRequestHeader.Authorization] = token;
  11:      var response = webClient.UploadData (fullAddress, 
  12:        "DELETE", new byte[0]);
  13:      var responseStr = Encoding.UTF8.GetString (response);
  15:      Console.WriteLine (responseStr);
  17:      return responseStr;
  18:  }

Note: Console.WriteLine(…) is the mechanism in MonoTouch to write to debug output. Well…

Whenever we get a real and non-empty message we add it to the list view of our simple iOS app. Voila:


And to prove that everything worked as expected, the subscription is now empty and no more messages are in there:


Bingo! Smile

Windows Azure Service Bus (together with the Windows Azure Access Control Service) enables us to send messages in an async manner to durable storage in the Cloud and subscribing to those messages (via topics and subscriptions) with literally any device, any platform, from any location!

The sample projects for VS 2010 and MonoTouch can be downloaded:

Hope this helps.

Claims-based security today - “Can this get even better?” Yes, it can: thinktecture IdentityServer 1.0 released

Dominick Baier, maestro of all-things-security, has finally launched the official successor of our successful thinktecture StarterSTS.
Now, all new, all better Smile


thinktecture IdentityServer is an open source security token service based on Microsoft .NET, ASP.NET MVC, WCF and WIF.

High level features

  • Multiple protocols support (WS-Trust, WS-Federation, OAuth2, WRAP, JSNotify, HTTP GET)
  • Multiple token support (SAML 1.1/2.0, SWT)
  • Out of the box integration with ASP.NET membership, roles and profile
  • Support for username/password and client certificates authentication
  • Support for WS-Federation metadata
  • Support for WS-Trust identity delegation
  • Extensibility points to customize configuration and user management handling

Go and grab it, read the docs – and please give feedback.

Materials for my sessions at Software Architect 2011

As promised in and after the sessions at the wonderful Software Architect 2011 conference in London:

  • Designing & building services the web & HTTP way with WCF 4.5 (Slides  |  Samples [this is the CodePlex Preview 5 branch with samples)
  • Windows Azure platform for Architects (Slides)

Thank you to everybody attending and giving such nice feedback. Hope to see you next time around.

Unterlagen & Demos zu meinen Sessions & Workshop auf der BASTA! 2011

So – die BASTA! ist vorbei und wir von thinktecture hatten mal wieder eine super Zeit in Mainz. Danke an das Team von S&S Media und vor allem an die Teilnehmer!

Hier finden Sie die Folien und Beispiele zu meinen Sessions und dem Workshop auf der Herbst-BASTA! 2011:

  • Nicht nur Web: Android und iOS Apps mit HTML5 und Co. (Slides | Samples)
  • Kommunikation über die Cloud: Windows Azure AppFabric Service Bus (Slides | Samples)
  • Offen für's "Web": Web APIs mit WCF in .NET 4.0+ (Slides | Samples [this is the Preview 5 branch with samples])
  • Hands-On Windows Azure Platform: Ihr Tag in der Cloud [mit Dominick Baier] (Samples)


Wenn Fragen sind wie immer eine EMail an mich (schauen Sie einfach in den Slides nach…). Danke.

Bis bald!

Erm, what’s happening? Updating Windows Azure role configuration

Sometimes the question shows up why the change of configuration of a Windows Azure deployment does not take effect immediately (whatever that means Smile).

If you change the configuration (via the portal or via the management API) of your Windows Azure deployment then the change will happen almost immediately.
Well, not exactly.

The change will be rolled out to the instances using upgrade domains.


Source: Ryan Dunn’s TechEd 2010 presentation “Deploying, Troubleshooting, Managing and Monitoring Applications on Windows Azure”

For each upgrade domain a status change event will be raised and the instance can decide whether it will handle the change or whether it needs to be restarted.
Once the instances in that upgrade domain have reported that they are ready (either by handling the change, or by coming back online after restarting) then the fabric controller will move to the next upgrade domain.

Hope this helps.