|
|
Browse by Tags
All Tags » CardSpace » Windows Cardspa... » Identity (RSS)
-
PDC has come and gone, and Microsoft's identity landscape has changed. New products emerged, services appeared or underwent profound transformations: but the remarkable thing is that all elements, none excluded, are part of a single,company-wide, consistent strategy that aims at putting the user in control of his/her identities . Many words will be spent about those products, singularly and as a whole. After all, a lot of people waited a long time for this moment: I know I did. I can't tell you the joy of seeing this coming together so nicely in the last months! Here I'll just give you a short vademecum the various products and services we unveiled last week during PDC, without going too much in details. As you go through my little tourist guide, always remember my disclaimer. However in the interest of clarity, in case somebody would be confused by my little landscaping stunt up there ("omg he's out of control"), below you can find the official slide that was included in each and every identity session @ PDC and shows the breadth of our identity S+S portfolio. All of those technologies were described in Kim's & your truly's session , and they all had a role in the big demo in the same session . "Geneva" Server Ah, if I'd have a coin for every time I've heard conjectures about Microsoft eventually coming out with an "STS product", whatever flavor people gave to the term at the moment, I'd need a much bigger piggy and I'd sprout my very Read More...
|
-
Identity is everywhere at this PDC2008! After the keynotes and the many breakouts, let me introduce you to the Booth. We are in the Big Room, on your right, and we are easily recognizable thanks to 1) the big "Identity for software+services" signage and 2) the fashionable pistacchio shirts we drape ourselves in. The booth has staff from DPE|Identity, from the federated identity group, from the Live Services group and from the .NET services. There's always a lot of people there super-eager to introduce you to the glamorous world of identity, and delve into the details of the new products we announced this week . Above there's a snapshot of the people you can find there this morning. Form left to right: Matt Steele. Ask him about Geneva Server, then try to make him stop. Seriously, GREAT guy. Micah LaNasa. Inflexible booth shifts controller. Implements IStarbucksCardFactory. Vittorio Bertocci, AKA Vibro.NET. For more info click here Donovan Follette. ADFS guru, the true engine behind the Big Demo (more on this later) Tom Mereckis. Marketing mastermind, fearless paladin of the Claim Based Access initiative Caleb Baker. Author and speaker extraordinaire Liam Price. Live maven, knows everything about the new Live Services Not show in the picture (because they were with customers, while we were slacking & taking the picture): Rich Randall. Dev lean on CardSpace, tomorrow he'll unveil in more details CardSpace "geneva" Marc Goodner. Historical WS-* figure, ask him for some anecdote Read More...
|
-
Almost a year has passed since TechEd EMEA; I remember giving a chalk talk on STSes and claims based identity in general, and a guy from the audience who was asking especially elaborate questions... it was clear that he was hands on and had a lot of experience in developing for CardSpace. I later learned that he was Peter, from Fun Communications , and had a great project brewing: a loyalty card system, one of the most fitting scenarios for information cards. During the last year they talked in various occasions about the topic: at last CeBit and at the European Identity Conference come to mind. This morning (blessed time zone differences) I found in my inbox a nice surprise: Fun just released to the web their loyalty card project ! From the press release : Portal for issuing virtual loyalty cards opened fun communications presents the virtual loyalty card for the Internet. Now available at www.webcard-loyalty.com - long-term customer loyalty with virtual loyalty and bonus cards. Karlsruhe, September 9, 2008 Following successful completion of the beta phase, fun communications GmbH today Tuesday opens its new portal for creating, issuing and administering virtual loyalty cards. Dealers and portal operators can generate their very own virtual loyalty and bonus cards in just three steps at www.webcard-loyalty.com. Beginning with the design and contents of the cards, over the definition of limited time voucher and discount campaigns, through to the issue of the virtual loyalty cards Read More...
|
-
Greetings from the far New Zealand :-) this is a great place, I wish I'd have more time to look around. I compensated by spending a stupid amount of money in souvenirs (all bought in about 20 mins, so without much judgement (if ever)). Yesterday I had my session on Cloud & Identity, and in few mins I'll have the one about Zermatt. While I wait to get to the podium, I'm typing this quick post to point you to a brief video interview I had with the excellent Mark Carroll: you can find it on the TechEd Live pages. Boy, I sure gesticulate a lot :-) you know how the old saying goes: if you want to reduce an Italian to silence, just tie his hands! (BTW: happy Labor Day for ev'body in the US) Read More...
|
-
I am sure you are all more than familiar with DreamSpark , the amazing (YES, amazing. Bravo Milo!) offer through which Microsoft gives access to developer & designer tools at no charge. That requires, naturally, to be able to prove that you are indeed a student. Eduserv is a not-for-profit UK-based organization that focuses on IT solutions for the education sector: their identity management solutions are used by over 4 millions of students from universities in UK & other countries. And here comes the interesting bit: Eduserv wrote an identity management component for DreamSpark integrated with their OpenAthens SP , and based on WCF & CardSpace :-) you can read about this on a recently published case study (word document here ). With all the identity talent that runs abundant in the Microsoft offices in UK (Paul MacKinnon & Planky, congrats!) it is not really a surprise to see that they are ahead of the curve, but it is most definitely a pleasure :-) congratulations to all the people involved! Read More...
|
-
The latest issue of the Architecture Journal is available for download here (I am breaking the news even before the rest of the pages are updated from issue 15 to issue16: see how much I care about you?;-)). What makes this especially interesting is that issue 16 is entirely dedicated to identity! I have to admit that I've yet to read most of the articles, but I've definitely went through 2 of them: One is an interview/profile with Kim Cameron. It's a nice read, and I am sure you'll enjoy to know more about Kim The other is an article from yours truly, titled "Claims and Identity, On-Premise and Cloud Solutions". It expands on this post , and rolls in various others Writing for the Architecture Journal is a big honor, as you can see from the list of high profile former contributors, and I am very grateful to Diego for having my article in this issue. Thanks man! And thanks also to Gianpaolo , with whom I had many deep discussions that helped me to keep the abstraction tangents to what i hope is an acceptable level :-) As usual, if you have feedback feel free to send it my way Read More...
|
-
I was dividing my attention between the Scrubs special on TV & Digg on my PC, when an article titled " Experts: Passwords May Not Be a Good Online Defense " caught my eye: well, couldn't agree more!:-) It turns out that the article is from the NY Times, and it's short & sweet hence there's no need for me to summarize it here: Mr. Stross manages to capture the problem pretty effectively, also thanks to some nice quotes from Kim . P.S.: I know, I know. I still owe you an RP post for completing the Zermatt intro series started with the STS and card issuance . Keep the faith, it's coming! ;-) Read More...
|
-
Well, it's almost one month since I wrote the last " useful " posts : you would not believe how incredibly busy I am on stuff I can't talk about just yet (but soon, very soon). In this quick update I am excited to report that I am going to speak at TechEd New Zealand & TechEd Australia ! As strange as it may sound, the 114 flights I've boarded since I moved to Corp (October 2005) never took me under the equatorial line; furthermore, it's since first grade that I'm told how cool it is that New Zealand is at the exact antipodes of Italy, has roughly a boot shape as well, etc... that's the farthest place from home I can travel to without leaving the planet :-) I am going to deliver 2 sessions , both in NZ and in AU: Identity & Cloud Services (Architecture track, level 300) The shift towards cloud computing is one of the major trends in today’s IT industry. As resources and assets are increasingly hosted off-premise, traditional strategies for access control and identity management are proving incapable of handling distributed scenarios and cross-boundary communication. This presentation briefly outlines how architectures relying on claims-based identity management, security tokens and open standards can address cloud computing scenarios with the same ease with which they can handle traditional ones. The identity capabilities of Biztalk Services will be featured as a concrete example of an application of the new paradigm. “Zermatt” Developer Framework: Putting Authentication Read More...
|
-
It's since April that I don't write about the book (at the time we released the entire Chapter 2 on MSDN ). Last week I received notice that 2 new reviews were published: one is from the Denver Visual Studio User Group , the other is on Paul Van Brenk's blog . Both reviews are extremely nice, for which we are very grateful; I especially like the fact that in both cases the reviewers perceived our intention to deal with the problem from an holistic point of view, regardless of our affiliation with a technology or another. Thank you guys! (update: I've just stumbled in another review I didn't know about, on (in)secure magazine issue 17 . Niiiiice). In fact, in the last months various illustrious figures mentioned our book as well: David Chappell , Drummond Reed and Francis Shanahan wrote extremely nice reviews I never mentioned here until now, while I did mention the first entries from Kim and Mike . Add that to the podcast on Perspectives , the interview on channel9 with Carlo & Caleb, the podcast on SearchWinDevelopment , the bonus chapter on codeproject , the extremely nice reviews on the Amazon US page ... and again, mentions from Neil Hutson , Alexander Strauss , Feliciano Intini , Mario Fontana , ... I am sure I am forgetting something (for which I apologize). And now that I begun to hang out at Identity conferences, I can't tell you how pleasant it is to have complete strangers zeroing on you and telling you all sorts of nice things :-) I guess I am easily recognizable Read More...
|
-
We are back! I hope you had fun with the STS tutorial I posted yesterday night ; here we move a step further and examine how to equip our STS with managed card issuance logic & UI. As anticipated, this is going to be MUCH faster. If you recall, in the last post I asked you not to delete the Default.aspx page that the new web site template created for you: we are going to put our card issuance UI there. At thsi point the visual studio project should look as follows: The only new element I added is the information card image information-card.png, which will be used as the background of the information cards we'll issue. Of course nothing prevents you to get all fancy and allowing the user to upload an image for personalization purposes, but here we want to be quick & dirty (well, at least quick ;-)). The little image is below, for your viewing pleasure. Time to add some UI. Let's open Default.aspx inn the designer and let's drag some controls. <% @ Page Language ="C#" AutoEventWireup ="true" CodeFile ="Default.aspx.cs" Inherits ="_Default" %> <! DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> < html xmlns ="http://www.w3.org/1999/xhtml"> < head runat ="server"> < title > Untitled Page </ title > </ head > < body > < form id ="form1" runat ="server"> < div > Managed Card Generator < br /> < br /> Card name: < asp : TextBox ID ="txtCardname" Read More...
|
-
Just back from vacation. The tan barely started to fade, and here I am already playing with the new shiny toy :-). Did you experiment with Zermatt by now? As Kim mentions the samples (and the documentation) are an excellent way to start, and I am sure that blog posts & tutorials will soon start mushrooming here and there in the blogosphere: here I begin my humble contribution with my first technical post about Zermatt . I had *absolutely* no hesitations when deciding which scenario I should tackle first: an active STS which handles requests backed by smartcards . I received asks about from many segments (especially about eID management from governments and high authentication levels for finance) and pretty much from everywhere in the world (especially Europe and Asia): I am really delighted to finally have a chance to give you something about that scenario that you can compile in visual studio, as opposed to the usual whiteboard sketches :-) Before we dive into the code, let me disclaim the disclaimable: as usual, the code you see in this blog is just an example and is by no mean production ready code. My purpose here is to introduce you to new ideas, so I favor readability and clarity over completeness If you consider the definition of best practices as "A technique or methodology that, through experience and research, has proven to reliably lead to a desired result" , I think I can safely say that there are no established best practices yet. Sure, there are some fixed points Read More...
|
-
Ahh, I’ve been looking forward for this post for a looong time. We just made available for download the bits of the Beta of “Zermatt” Developer Identity Framework . “ Zermatt ” is the codename of a .NET framework that helps developers build claims-aware applications to address challenging application security requirements using a simplified application access model. Let me expand a bit on that. If you want to develop applications that take advantage of claims & identity Metasystem goodness in general, Zermatt makes your life easier by providing base classes, controls but especially capabilities & a programming model that take care of most of the plumbing for you. Regardless of the role (IP, RP, subject) or the style (Active, Passive, “ Passive-Aggressive ”), Zermatt shields you from the sheer handling of protocols & tokens and provides you with a great model for externalizing your access logic. For my loyal readers and in general to whoever worked with tokens and cardspace in general, who stormed me with mails since the TechEd EMEA demo and even earlier: this means that we can finally retire historical samples like the SimpleSTS and the TokenProcessor class . Zermatt is a fully supported developer framework that gives you those capabilities and MUCH more. How much more? Below there’s a partial list of the goodies you get: · An HttpModule (the Federated Access Module, or FAM) that takes care of handling the token processing pipeline: fully extensible & web.config-urable, Read More...
|
-
One year ago we had a brief wall-to-wall exchange with Keith about the need of having consumer (as non-developer) info about CardSpace. The Information Card Foundation is doing a great job at handling those info for the general concept of information card. Specifically for Windows CardSpace, I am happy to announce that we now have a consumer friendly home for Windows CardSpace ! I am especially fond of the two videos ( home & work ) from the UK crew; and big kudos to Eileen for the entire effort. Take it to a spin and let us know what you think! Note to self: How come that I'm blogging more when I am in vacation than when I am working? Long flights & jetlag, I guess... ;-) Read More...
|
-
On the Seattle-Paris flight. I've just posted the piece about validation-authentication-authorization , and i am a bit bothered by the fact that I was unable to delve into greater details for what concerns the authoriZation part. In particular, I'd like to address one of the misunderstandings which can derive from transporting verbatim the knowledge of Kerberos & "unattended" security in general to the world of user centered identity management. Some of you claimaniacs may find the stuff below pretty obvious: I do. But judging from some heated argument I had about this, it may turn out that it is not that obvious after all so it's worth to write it down. How often should your application ask for a token? It may seem a silly question, and you may be tempted to reply with the answer that my wife gets when she asks to her auntie how often she should turn the roast: "as often as needed". Not the most actionable answer, I'm sure you'll concur :-). As in good tradition, let's take few steps back and look at the bigger picture. When you sit at your workstation and log in your domain, if your local network uses kerberos you get your nice ticket granting ticket (TGT); from that moment on, every time you take a ride on your network carnival (access a share, a portal, a printer...) the network software takes care of using the TGT for getting a ticket for you, which is specialized for the resource you are accessing. Everything happens seamlessly, and the user is lulled in blissful ignorance Read More...
|
-
Flying back from S.Diego, after attending a great edition of Catalyst. I should probably write down my impressions before they fade, like it happened with the IIW, but there's in fact something (only mildly related) that bugged me for quite some time and I just want to flush it out of my system before going in vacation (somehow I feel that my old time Italian friends would not appreciate me blabbering about tokens, especially if I do it with my mouth full of focaccia al formaggio :-)). Ok, the story is somewhat similar to the " credentials are not identities " and returning user woes discussed in the Tao of authentication : it's a matter of agreeing on the semantic of terms that in the pre-token era had a simpler meaning, but that today need a richer/more rigorous definition. In summary: in practice , what RPs and STSes are supposed to do with incoming tokens? The answer lies in asking ourselves why we asked for a token in the first place. Perhaps the RP wants to see if the subject is allowed to sign in and start a session; an STS wants to know if the subject is worthy of being issued with the token he is requesting; and again, the RP may want to verify the the user has the necessary rights for performing a certain action (one may argue that this is a generalization of the signin case; I sort of agree, but later I'll make things more complicated). Even if we'd live in a world fueled only by shared secrets, there would be different cases to handle. If the RP is a simple password-protected Read More...
|
|
|
|