Menu
I'm building an application where the requirements seem standard issue (at least to me)... I have a Web.UI based on asp .net mvc & clients from iphone, andriod & blackberry.
So the sensible thing to do is to move all my business logic into a services layer that can be accesses over http. This services layer must accept requests with a user context (identity) and in some nice way perform authorization consistently no matter which type of client is communicating with it (I hope?).
Over a year a go I did a 3 month gig that employed W.I.F. (Windows Identity Foundation) in a hybrid on-premises & cloud architecture. I liked it. The 3 things that struck a chord were (1) externalizing authentication and not caring how it was done, (2) removing authorization logic from business logic, (3) Claims based authorization.
Over the last year I've heard and watch all about Rest Services the 'new cool hippy way of doing things'. So I though great, let's try that. After I started to play around & get coding, I started getting really confused (and subsequently read for about 10 hours yesterday without writing another line of c#). I'm still confused about all the SOAP vs REST, WS.* vs Http, SAML vs SWT babble. I don't really want this thread to be about that because there is enough of that speak on stackoverflow, but I feel like I've got a choice between two camps, when it doesn't really feel like I want one or the other but bits from each?
To me the 3 points I mentioned above about WIF don't seem like concepts that should be tied to WS.* ? But I'm getting the feeling that they, or at least how WIF comes at the moment makes them, without some expert tweaking (e.g. I came across this post only written a few days ago - http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/).
The other areas I don't know much about is are my clients (iphone, andriod, blackberry) capable of playing with WIF, is it the same STS that throws a SAML token to them and they behave just like a browser and pass it back in a header just like any other client? Yes I'm going to have to find out, but if this is a deal breaker with W.I.F and I find out straight after posting this, then at least I can focus away from it.
Finally to throw one more thing in the mix. I don't really want to think about any of this. I want to use a 3rd party authentication / identity provider - http://www.janrain.com/products/engage - which I believe uses OpenID. Can this fit into W.I.F. or do I just create a new SAML token from the OpenID and use WIF from that moment on.
I guess at the end of this babble, I want to come back to where I started because it's getting more and more complicated the more questions I ask and the more options I consider.
Is having a services layer (on WCF) that talks to different non-.net clients that requires identity context and authorization so strange? If you've build something like this, how did you approach it?
283
ASP.NET Identity is Microsoft's user management library for ASP.NET. It includes functionality such as password hashing, password validation, user storage, and claims management. It usually also comes with some basic authentication, bringing its own cookies and multi-factor authentication to the party.
N-tiered refers to the "distributed" layers of a system (i.e. server and client), whereas n-layered refers to the layers in a self-contained program; although the two are often used interchangeably, some suggest that there is a significant difference (like the one I mentioned above), as seen on the first paragraphs on ...
Three-layer architecture is dividing the project into three layers that are User interface layer, business layer and data(database) layer where we separate UI, logic, and data in three divisions.
ASP.NET Identity is the membership system for authentication and authorization of the users by building an ASP.NET application. ASP.NET Identity is the membership system for authentication and authorization of the users by building an ASP.NET application.
When you have many devices, one way to get the same solution working across all of them, is to target the lowest common denominator.
Assuming that all your clients support cookies. One way of doing this would:
Not quite as elegant as using SAML tokens, but it does work cross platform / devices.
IPhone supports cookies http://support.apple.com/kb/HT1675
Blackberry supports cookies http://docs.blackberry.com/en/developers/deliverables/11844/feature_cookie_storage_438273_11.jsp
50
I'm going to take a crack at answering your question slightly more abstractly...
Before I begin, my background is MS biased so there may be equal (or better) options available from other sources.
Two references that I found very useful:
1) A Guide to Claims-based Identity and Access Control
http://msdn.microsoft.com/en-us/library/ff423674.aspx
2) Programming Windows Identity Foundation
Author: Vittorio Bertocci Available in hard copy of kindle formats
There are alot of other sources but these two cover several scenarios and give good background info for anyone that wants to get up to speed with your starting point.
I encourage other posters to fill in any gaps or mistatements :) I'm glossing over a slew of technical details to focus on the question asked.
The way I break federated identity down is, roughly, as follows:
An STS is responsible for verifying the identity of a user and vouching for some claims. It does this by either providing (1) a signed blob containing the claims or (2) a unique identifier that a 3rd party can use to lookup the claims.
An application that wants to provide a user with a service can "trust" an STS to provide it with claims it can use to work with the user appropriately, thus aleviating it of the responsibility of verifying the user (among other things such as maintaining centralized meta-data but I digress).
There is also the ability for an STS to "trust" another STS, basically saying "If you say this person is Joe Smith and they have X, Y and Z roles, then I'll vouch for what you say!"
So to paraphrase:
App(s) "trust" an STS { which can in turn "trust" another STS } to provide it/them Claim(s)
** Switching Gears **
SOAP vs REST
At the end of the day SOAP and REST are both Service types, lets call them Claims consumers. They both want someone to give them a bucket full of claims so they can do their work and send back some stuff. Additionally, both service types can be presented with claims via query string using a token (assuming the service can handle some url rewriting) or via a header (HTTP for REST and SOAP for, well, SOAP services). Either way the goal is the same: Transmit the claims or the UID to the App.
WS* vs HTTP
These (along with TCP/IP, SSL, secret decoder rings, etc) are methods of passing information back and forth, albeit with varying degrees of certainty that someone in the middle can't find a way to impersonate the user.
SAML vs SWT
These (along with base 64 encoding, xml, simple text, etc) are both methods of serializing claims. These two just happen to conform to standards that the others don't so everyone can speak the same language.
** Getting back to the point **
Each of those technology combinations are valid (depending on the application, some are less secure, others are easier to implement, others work better on lower level devices, etc) and are just one person's way of doing the job vs another's.
So if I have a .Net application that has been served a set of claims in SAML fomat over a WS* pipeline the end result is that the applciation has [claims in SAML].
With some processing these can be transformed into [claims in SWT].
The new claims can then be packaged up and sent via HTTP/SSL to a Java application.
IF the Java application "trusts" the same STS (or an STS that "trusts" the .Net apps STS) then it opens up the claims and does its work.
The expert tweaking you mention has to happen, the question is simply by whom and how transparant is it
The idea of having services on disparate platforms/devices/applications/etc is not strange at all, that's exactly the kind of scenario all this stuff is being built to address
I am in the process of trying to build something like what you are asking about so I've been working on the same kind of issues myself.
The Engage service you mentioned allows you to associate your application's users with outside sources and can be used to authenticate those users... ala "I see you authenticated with google as [email protected], I know you as John Walker with an id of 4321, oh, look, you changed your favorite color setting in google to blue... carry on!"
What it doesn't do is provide claims to your application that are specific to your application (unless all you need to know comes from the google data in which case you're likely building a mash up and not an LOB application...
Another scenario:
Another place that I would direct you to is the AppFabric Access Control service offered by Microsoft. (http://msdn.microsoft.com/en-us/library/ee732536.aspx) disclaimer: I haven't used it yet but, it looks like it does the kinds of translations you are looking for with a lot of the meat hidden away for you.
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
