Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.


Windows CardSpace Team Bloggers

Browse by Tags

All Tags » Identity » Architecture - WS

  • Delegation, or traversing multilayer architectures

    On a flight from Sydney to S.Francisco. We were supposed to leave at 1:55pm, we took off almost at 9:00pm. I am really, really pissed off and the only thing that lightens up my mood is re-reading the great comments that the Australian TechEd attendees left as feedback for the couple of sessions I gave this week. Thanks guys for the kind words, and again thank you for dealing so nicely with my difficult accent! I haven't seen the feedback from New Zealand yet; if it's half as nice as this one I'll ask for a vacation :-) More seriously: both events were great and well worth the long flights. I got a lot of questions, both about cloud scenarios and Zermatt, and some of those are starting to recur more and more often: I "blame" it on the fact that with Zermatt finally out people have the chance of experimenting, and the questions arise more naturally. In the next hours I'll try to address some of the most recurring doubts/misconceptions, at least as long as the laptop batteries keep Live Writer alive (and the Zune shields me from the usual unusual amount of kids I'm surrounded by). Enough intro already. The first monster I'd like to poke is delegation. Why can't I reuse tokens? Now this is a question that comes out very often. Let's say that you have two services, A and B. Let's also say that your business process requires that a client C calls A, and that in turn A calls B. Picture: (yes, this time I am using ArtRage instead of OneNote. Remember, I am trying to fight Read More...
  • New Issue of the Architecture Journal: Article on "Claims and Identity, On-Premise and Cloud Solutions"

    The latest issue of the Architecture Journal is available for download here (I am breaking the news even before the rest of the pages are updated from issue 15 to issue 16: see how much I care about you? ;-)). What makes this especially interesting is that issue 16 is entirely dedicated to identity! I have to admit that I've yet to read most of the articles, but I've definitely gone through 2 of them: one is an interview/profile with Kim Cameron. It's a nice read, and I am sure you'll enjoy getting to know more about Kim. The other is an article from yours truly, titled "Claims and Identity, On-Premise and Cloud Solutions". It expands on this post, and rolls in various others. Writing for the Architecture Journal is a big honor, as you can see from the list of high profile former contributors, and I am very grateful to Diego for having my article in this issue. Thanks man! And thanks also to Gianpaolo, with whom I had many deep discussions that helped me to keep the abstraction tangents to what I hope is an acceptable level :-) As usual, if you have feedback feel free to send it my way. Read More...
  • Issuing smartcard backed managed cards... using Zermatt

    We are back! I hope you had fun with the STS tutorial I posted yesterday night; here we move a step further and examine how to equip our STS with managed card issuance logic & UI. As anticipated, this is going to be MUCH faster. If you recall, in the last post I asked you not to delete the Default.aspx page that the new web site template created for you: we are going to put our card issuance UI there. At this point the Visual Studio project should look as follows: The only new element I added is the information card image information-card.png, which will be used as the background of the information cards we'll issue. Of course nothing prevents you from getting all fancy and allowing the user to upload an image for personalization purposes, but here we want to be quick & dirty (well, at least quick ;-)). The little image is below, for your viewing pleasure. Time to add some UI. Let's open Default.aspx in the designer and let's drag some controls. <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head runat="server"> <title>Untitled Page</title> </head> <body> <form id="form1" runat="server"> <div> Managed Card Generator <br /> <br /> Card name: <asp:TextBox ID="txtCardname" Read More...
  • Setting up a quick & dirty STS which supports smartcard backed managed cards... using Zermatt

    Just back from vacation. The tan has barely started to fade, and here I am already playing with the new shiny toy :-). Did you experiment with Zermatt by now? As Kim mentions, the samples (and the documentation) are an excellent way to start, and I am sure that blog posts & tutorials will soon start mushrooming here and there in the blogosphere: here I begin my humble contribution with my first technical post about Zermatt. I had *absolutely* no hesitations when deciding which scenario I should tackle first: an active STS which handles requests backed by smartcards. I received asks about it from many segments (especially about eID management from governments and high authentication levels for finance) and pretty much from everywhere in the world (especially Europe and Asia): I am really delighted to finally have a chance to give you something about that scenario that you can compile in Visual Studio, as opposed to the usual whiteboard sketches :-) Before we dive into the code, let me disclaim the disclaimable: as usual, the code you see in this blog is just an example and is by no means production ready code. My purpose here is to introduce you to new ideas, so I favor readability and clarity over completeness. If you consider the definition of best practices as "A technique or methodology that, through experience and research, has proven to reliably lead to a desired result", I think I can safely say that there are no established best practices yet. Sure, there are some fixed points Read More...
  • Announcing the Beta release of “Zermatt” Developer Identity Framework

    Ahh, I’ve been looking forward to this post for a looong time. We just made available for download the bits of the Beta of “Zermatt” Developer Identity Framework. “Zermatt” is the codename of a .NET framework that helps developers build claims-aware applications to address challenging application security requirements using a simplified application access model. Let me expand a bit on that. If you want to develop applications that take advantage of claims & identity Metasystem goodness in general, Zermatt makes your life easier by providing base classes, controls, but especially capabilities & a programming model that take care of most of the plumbing for you. Regardless of the role (IP, RP, subject) or the style (Active, Passive, “Passive-Aggressive”), Zermatt shields you from the sheer handling of protocols & tokens and provides you with a great model for externalizing your access logic. For my loyal readers and in general to whoever worked with tokens and CardSpace in general, who stormed me with mails since the TechEd EMEA demo and even earlier: this means that we can finally retire historical samples like the SimpleSTS and the TokenProcessor class. Zermatt is a fully supported developer framework that gives you those capabilities and MUCH more. How much more? Below there’s a partial list of the goodies you get: · An HttpModule (the Federated Access Module, or FAM) that takes care of handling the token processing pipeline: fully extensible & web.config-urable, Read More...
  • How often should you ask for a token?

    On the Seattle-Paris flight. I've just posted the piece about validation-authentication-authorization, and I am a bit bothered by the fact that I was unable to delve into greater detail for what concerns the authoriZation part. In particular, I'd like to address one of the misunderstandings which can derive from transporting verbatim the knowledge of Kerberos & "unattended" security in general to the world of user centered identity management. Some of you claimaniacs may find the stuff below pretty obvious: I do. But judging from some heated argument I had about this, it may turn out that it is not that obvious after all, so it's worth writing it down. How often should your application ask for a token? It may seem a silly question, and you may be tempted to reply with the answer that my wife gets when she asks her auntie how often she should turn the roast: "as often as needed". Not the most actionable answer, I'm sure you'll concur :-). As in good tradition, let's take a few steps back and look at the bigger picture. When you sit at your workstation and log in to your domain, if your local network uses Kerberos you get your nice ticket granting ticket (TGT); from that moment on, every time you take a ride on your network carnival (access a share, a portal, a printer...) the network software takes care of using the TGT for getting a ticket for you, which is specialized for the resource you are accessing. Everything happens seamlessly, and the user is lulled into blissful ignorance Read More...
  • Validation, Authentication, Authorization: mangling tokens for your dark purposes

    Flying back from S.Diego, after attending a great edition of Catalyst. I should probably write down my impressions before they fade, like it happened with the IIW, but there's in fact something (only mildly related) that has bugged me for quite some time and I just want to flush it out of my system before going on vacation (somehow I feel that my old time Italian friends would not appreciate me blabbering about tokens, especially if I do it with my mouth full of focaccia al formaggio :-)). Ok, the story is somewhat similar to the "credentials are not identities" and returning user woes discussed in the Tao of authentication: it's a matter of agreeing on the semantics of terms that in the pre-token era had a simpler meaning, but that today need a richer/more rigorous definition. In summary: in practice, what are RPs and STSes supposed to do with incoming tokens? The answer lies in asking ourselves why we asked for a token in the first place. Perhaps the RP wants to see if the subject is allowed to sign in and start a session; an STS wants to know if the subject is worthy of being issued with the token he is requesting; and again, the RP may want to verify that the user has the necessary rights for performing a certain action (one may argue that this is a generalization of the signin case; I sort of agree, but later I'll make things more complicated). Even if we lived in a world fueled only by shared secrets, there would be different cases to handle. If the RP is a simple password-protected Read More...
  • Active, Passive and Passive-Aggressive

    Ahh, terminology: joy and sorrow of our kind. There are some expressions that are very catchy and we use all the time, but that do not always serve well the purpose of communicating our thoughts. Take the usage of "passive" in the context of identity management; we tend to use it every time a web browser is in the picture, but that can be extremely confusing: if you just mean "I am talking about a web app" but your audience understands "he is going to use WS-Federation", you can be sure that things will get messy pretty quickly. In fact when I use CardSpace with a web app I am riding a passive client, but I obtain my token via proper WS-Trust traffic (thanks to our friendly identity selector) and I shove it directly in the first POST I send, without following the gracious redirect dance that WS-Federation would require. That's what I like to jokingly call passive-aggressive :-) For the ones among you that are not super familiar with this space, after the pic I restate the same but with extra context. Almost 5 years ago we published WS-Federation 1.0. To quote Don, THE authority on the topic: WS-Federation extends WS-Trust to provide a flexible federated identity architecture with clean separation between trust mechanisms, security token formats, and the protocol for obtaining tokens. This architecture enables a reusable token service model and protocol to address the identity requirements of both web applications and web services in a variety of trust relationships. Trivializing Read More...
  • All your tokens are belong to us?

    Kim just posted a great piece about "an account this week describing an attack on the use of CardSpace within Internet Explorer". I won't add anything, because his post is just perfect as it is: I strongly suggest you go read it in its entirety. Here is a quote: "Students at Ruhr Universitat Bochum in Germany have published an account this week describing an attack on the use of CardSpace within Internet Explorer. Their claim is to “confirm the practicability of the attack by presenting a proof of concept implementation“. I’ve spent a fair amount of time reproducing and analyzing the attack. The students were not actually able to compromise my safety except by asking me to go through elaborate measures to poison my own computer (I show how complicated this is in a video I will post next). For the attack to succeed, the user has to bring full administrative power to bear against her own system. It seems obvious that if people go to the trouble to manually circumvent all their defenses they become vulnerable to the attacks those defenses were intended to resist. In my view, the students did not compromise CardSpace." Read More...
  • The fedlet as an R-STS

    I am horribly behind schedule with my blog, I still have to post a wrapup of IIW but didn't find the time so far; however I want to quickly comment on the recent coverage of the Fedlet (see Pat himself here and Paul here). I attended the nice IIW session during which Pat demonstrated the fedlet. I found it interesting and strangely familiar. At a certain point I could not help myself and asked: "Pat, just for the sake of expressing things in the terminology of a domain I am comfortable with: would it be fair to say that the fedlet is a resource STS?". Pat thought about it for a moment, then nodded vigorously (& translated for the rest of the audience :-)). If that's the case, I concur that it is a very agile tool for handling claim transformation without "polluting" the entire directory with local settings while still keeping the resource itself clear from identity management code. That's exactly why I love R-STSes! I would assume that things said here and here apply, with the obvious adaptations for the technological differences Read More...
  • Claims propagation: Kirchhoff or maxflow?

    In the last week or so Paul Madsen made at least a couple of posts with strong visual components: one that resumed my old 2005 post on a notation for message crypto, the other on Feynman diagrams. Nice! Paul, when I am in that mood I find it especially pleasant to thumb through Tufte: I highly recommend it. Like Paul, in a former life I dealt with completely different stuff: I spent a few years on computational geometry first, and on scientific visualization later. I am absolutely in love with what I do now (proof?), but I still have some residual forma mentis from those times. There's nothing on TV until Friday (can't wait for the next Battlestar Galactica!), and I am not focused enough to do real work; hence for this post I will indulge my inner geek a bit. On the topic of notation and diagrams, I often wonder if it would be of value to find an expressive representation of the claim propagation pattern. Would a circuit-like notation work? Or would a network flow work better? The main idea can be simple: all the claims inserted in the circuit must be there for a reason, since at a certain point the policy of an RP requested them; so for every claim produced there must be a piece of biz logic that eventually uses ("consumes") it. Hence IPs are sources and RPs are sinks; an initial coarse simplification may indirectly factor out subjects, by assuming that an RP-IP edge is in the schema if the subject chose to disclose. Let's take the example of one RP that implements a content Read More...
  • Cloud Computing and Identity

    On a flight between Seattle and Tokyo. I've just put down The Big Switch, and decided it's time to write about cloud computing and how identity management is going to play a key role for the success of the new paradigm. As you go through this post, please remember that (as always) you are reading my personal opinions/views and not a press release from my employer :-) Cloud Computing: a nanointroduction The word "Cloud" is well on its way to being one of the most hyped & overloaded terms in the recent history of IT: just enter "Cloud Computing" in your search engine of choice and be prepared to navigate a huge result set. A good way of ramping up on the topic would be to read the recent Forrester report "Is Cloud Computing Ready for the Enterprise?"; or, if you are less technical, you can start by reading the aforementioned The Big Switch (as long as you read those *** grano salis, without ever turning off your critical thinking module). For the purpose of understanding this post, I'll give you here my usual oversimplified stance: Cloud Computing is mainly a new deployment model. Let's say you are the solution architect of an enterprise, and you are in the process of setting up a new capability for your company. As usual, the two big alternatives are to build the solution yourself, or buy it as a service if available, plus all the intermediate approaches which combine the two. If you decide to build even just a little piece of the solution, you are implicitly stepping up for running Read More...
  • April the 23rd: session & chalktalk at the Singapore's Regional Architects Forum

    On the 23rd I'll be in Singapore, practically my third home, and will present at the Singapore's Regional Architect Forum (the famous RAF). There is something in that country that charmed me already during my first visit in '89, and every time I have half a chance I try to go visit. Meeting my good pal Linda is certainly one of the things I like about going to Singapore: you would not believe the staggering amount of great work she gets done, all without ever losing her smile :-) A close second would be the level of the customers & the industry in general there. Singapore's IT is often ahead of the curve, which makes it a perfect audience for very new ideas and approaches. That's why I am looking forward to presenting on S+S, cloud services and how the new paradigms are already affecting the way in which we deal with identity management. I will also give a chalktalk about the internet service bus; I hope to elicit some deep discussion and explore with Singapore's architects the implications of architecting solutions with tools like the ISB (without ever forgetting the identity aspect, of course). Also in this case Gianpaolo will present on S+S. I am sure he will provide a lot of food for thought, I can't think of anybody more qualified for explaining the topic. Besides, his sessions are always fun :-) See you there! Read More...
  • April the 22nd: session at the IASA IT Architect Regional Conference in Kuala Lumpur

    In a couple of weeks I'll be in Kuala Lumpur, at the IASA's IT Architect Regional Forum Conference; I will present on identity in the context of S+S and cloud services, which happens to be the topic that intrigues me the most nowadays. I am really excited for the session, but even more so for the chance of meeting fellow architects and discussing how these new ideas apply to their scenarios. Also: I have never been to Kuala Lumpur, and I am very very curious about everything. I'll be there with my good friend Gianpaolo, who will present (surprise surprise) on S+S. I had an exclusive preview of his session, and it's *great*. Don't miss it. Looking forward to being there and spending some time with him and Aaron! Read More...
  • (Re)Focusing

    I am delighted to announce a slight change in my role: from now on I'll focus on identity architecture, especially in the context of S+S and cloud services. YEEEEEES!!! If you are a regular reader of this blog you may have gotten the impression it was already the case. Actually, for the last three years I worked with enterprise early adopters and connected systems (WCF, WF, CardSpace). If you ever read a case study on those, chances are I may have worked on the project in some form: I had the chance of working with the best and seeing a wiiide range of scenarios, I loved it (most recent example here). It's simply that when it came to blogging I just loved to dig deep in identity topics, then the articles and the book, the sessions, so... I now have the chance of staying on the topic full time. Fantastic :-) P.S.: recently Mike challenged me to surprise everybody and make a post of just three lines (I think he was poking fun at me for the unmanageable length of this, this and this). I thought I could do it with this post, but it turns out I am actually unable to... scary :-) Read More...

Copyright © 2007 Microsoft Corporation. All Rights Reserved.