|
|
Browse by Tags
All Tags » Identity (RSS)
-
We are back! I hope you had fun with the STS tutorial I posted yesterday night ; here we move a step further and examine how to equip our STS with managed card issuance logic & UI. As anticipated, this is going to be MUCH faster. If you recall, in the last post I asked you not to delete the Default.aspx page that the new web site template created for you: we are going to put our card issuance UI there. At thsi point the visual studio project should look as follows: The only new element I added is the information card image information-card.png, which will be used as the background of the information cards we'll issue. Of course nothing prevents you to get all fancy and allowing the user to upload an image for personalization purposes, but here we want to be quick & dirty (well, at least quick ;-)). The little image is below, for your viewing pleasure. Time to add some UI. Let's open Default.aspx inn the designer and let's drag some controls. <% @ Page Language ="C#" AutoEventWireup ="true" CodeFile ="Default.aspx.cs" Inherits ="_Default" %> <! DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> < html xmlns ="http://www.w3.org/1999/xhtml"> < head runat ="server"> < title > Untitled Page </ title > </ head > < body > < form id ="form1" runat ="server"> < div > Managed Card Generator < br /> < br /> Card name: < asp : TextBox ID ="txtCardname" Read More...
|
-
Just back from vacation. The tan barely started to fade, and here I am already playing with the new shiny toy :-). Did you experiment with Zermatt by now? As Kim mentions the samples (and the documentation) are an excellent way to start, and I am sure that blog posts & tutorials will soon start mushrooming here and there in the blogosphere: here I begin my humble contribution with my first technical post about Zermatt . I had *absolutely* no hesitations when deciding which scenario I should tackle first: an active STS which handles requests backed by smartcards . I received asks about from many segments (especially about eID management from governments and high authentication levels for finance) and pretty much from everywhere in the world (especially Europe and Asia): I am really delighted to finally have a chance to give you something about that scenario that you can compile in visual studio, as opposed to the usual whiteboard sketches :-) Before we dive into the code, let me disclaim the disclaimable: as usual, the code you see in this blog is just an example and is by no mean production ready code. My purpose here is to introduce you to new ideas, so I favor readability and clarity over completeness If you consider the definition of best practices as "A technique or methodology that, through experience and research, has proven to reliably lead to a desired result" , I think I can safely say that there are no established best practices yet. Sure, there are some fixed points Read More...
|
-
I am sure you already saw Kim's post about John Fontana's interview with Stuart , appeared on Network World . I like how John communicates the importance of this release, and how it positions it in the context of the broader picture. Recommended reading :) Also, the blogosphere is buzzing: if you toy with your favorite feeds or search engines, you'll find many sources chiming in or even already playing with Zermatt ... that's the spirit! See you next week ;-) Read More...
|
-
Ahh, I’ve been looking forward for this post for a looong time. We just made available for download the bits of the Beta of “Zermatt” Developer Identity Framework . “ Zermatt ” is the codename of a .NET framework that helps developers build claims-aware applications to address challenging application security requirements using a simplified application access model. Let me expand a bit on that. If you want to develop applications that take advantage of claims & identity Metasystem goodness in general, Zermatt makes your life easier by providing base classes, controls but especially capabilities & a programming model that take care of most of the plumbing for you. Regardless of the role (IP, RP, subject) or the style (Active, Passive, “ Passive-Aggressive ”), Zermatt shields you from the sheer handling of protocols & tokens and provides you with a great model for externalizing your access logic. For my loyal readers and in general to whoever worked with tokens and cardspace in general, who stormed me with mails since the TechEd EMEA demo and even earlier: this means that we can finally retire historical samples like the SimpleSTS and the TokenProcessor class . Zermatt is a fully supported developer framework that gives you those capabilities and MUCH more. How much more? Below there’s a partial list of the goodies you get: · An HttpModule (the Federated Access Module, or FAM) that takes care of handling the token processing pipeline: fully extensible & web.config-urable, Read More...
|
-
One year ago we had a brief wall-to-wall exchange with Keith about the need of having consumer (as non-developer) info about CardSpace. The Information Card Foundation is doing a great job at handling those info for the general concept of information card. Specifically for Windows CardSpace, I am happy to announce that we now have a consumer friendly home for Windows CardSpace ! I am especially fond of the two videos ( home & work ) from the UK crew; and big kudos to Eileen for the entire effort. Take it to a spin and let us know what you think! Note to self: How come that I'm blogging more when I am in vacation than when I am working? Long flights & jetlag, I guess... ;-) Read More...
|
-
On the Seattle-Paris flight. I've just posted the piece about validation-authentication-authorization , and i am a bit bothered by the fact that I was unable to delve into greater details for what concerns the authoriZation part. In particular, I'd like to address one of the misunderstandings which can derive from transporting verbatim the knowledge of Kerberos & "unattended" security in general to the world of user centered identity management. Some of you claimaniacs may find the stuff below pretty obvious: I do. But judging from some heated argument I had about this, it may turn out that it is not that obvious after all so it's worth to write it down. How often should your application ask for a token? It may seem a silly question, and you may be tempted to reply with the answer that my wife gets when she asks to her auntie how often she should turn the roast: "as often as needed". Not the most actionable answer, I'm sure you'll concur :-). As in good tradition, let's take few steps back and look at the bigger picture. When you sit at your workstation and log in your domain, if your local network uses kerberos you get your nice ticket granting ticket (TGT); from that moment on, every time you take a ride on your network carnival (access a share, a portal, a printer...) the network software takes care of using the TGT for getting a ticket for you, which is specialized for the resource you are accessing. Everything happens seamlessly, and the user is lulled in blissful ignorance Read More...
|
-
Flying back from S.Diego, after attending a great edition of Catalyst. I should probably write down my impressions before they fade, like it happened with the IIW, but there's in fact something (only mildly related) that bugged me for quite some time and I just want to flush it out of my system before going in vacation (somehow I feel that my old time Italian friends would not appreciate me blabbering about tokens, especially if I do it with my mouth full of focaccia al formaggio :-)). Ok, the story is somewhat similar to the " credentials are not identities " and returning user woes discussed in the Tao of authentication : it's a matter of agreeing on the semantic of terms that in the pre-token era had a simpler meaning, but that today need a richer/more rigorous definition. In summary: in practice , what RPs and STSes are supposed to do with incoming tokens? The answer lies in asking ourselves why we asked for a token in the first place. Perhaps the RP wants to see if the subject is allowed to sign in and start a session; an STS wants to know if the subject is worthy of being issued with the token he is requesting; and again, the RP may want to verify the the user has the necessary rights for performing a certain action (one may argue that this is a generalization of the signin case; I sort of agree, but later I'll make things more complicated). Even if we'd live in a world fueled only by shared secrets, there would be different cases to handle. If the RP is a simple password-protected Read More...
|
-
No, Harry Seldon has nothing to do with it :-) The establishment of the Information Card Foundation is a milestone in the road of a better Internet. In their own words: Information Cards are the new way to control your personal data and identity on the web. The Information Card Foundation is a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information. See Mike's entry for an interesting retrospective on how events built up to this great result. Read More...
|
-
Next week is Catalyst time. It will be a nice time to raise my head a bit from all the super interesting (but sometime exhausting) stuff we're brewing here in Redmond, which is leaving me little (zero?) time for blogging. It's always very nice to have a chance to spend time with other identirati, there's nothing better than that for preventing groupthink. Last field trip, the IIW , was truly great in that respect: discussions with *** Hardt , Drummond , Paul , Ryan , Axel , Andy and Pam , stimulating sessions from Bob & Pat ... and many others. In fact, those events are great for getting back in touch with the reality of the market. When you work with super early adopters and you spend your lunches discussing with colleagues fine subtleties of claims and token ecologies, it's easy to forget that out there there are still shadow accounts & passwords on post-its. That's what I realized during this IIW : probably for many people a lot of the stuff I write here comes across as abstract as the gliders in the game of Life . Just so you know, I am planning to be MUCH more concrete in the next entries.. that is, if I find the time to blog ;-) after the conference I'm off to Italy, where I hope to relax for few days in my home town gaining back the 4 Kg I've lost specifically for being able to stuff myself during vacation :-) If you are coming to Catalyst and you want to chat, you can find me at the Microsoft Hospitality Suite on Wednesday evening in the classic blue navy event Read More...
|
-
How does the tendency of information to aggregate relate to digital identity? Read More...
|
-
Ahh, terminology: joy and sorrow of our kind. There are some expressions that are very catchy and we use all the time, but that do not always serve well the purpose of communicating our thoughts. Take the usage of "passive" in the context of identity management; we tend to use it every time a web browser is in the picture, but that can be extremely confusing: if you just mean "I am talking about a web app" but you audience understands "he is going to use WS-Federation", you can be sure that things will get messy pretty quickly. In fact when I use CardSpace with a web app I am riding a passive client, but I obtain my token via proper WS-Trust traffic (thanks to our friendly identity selector) and I shove it directly in the first POST I send, without following the gracious redirect dance that WS-Federation would require. That's what I like to jokingly call passive-aggressive :-) For the ones among you that are not super familiar with this space, after the pic I restate the same but with extra context. Almost 5 years ago we published WS-Federation 1.0. To quote Don , THE authority on the topic: WS-Federation extends WS-Trust to provide a flexible federated identity architecture with clean separation between trust mechanisms, security token formats, and the protocol for obtaining tokens. This architecture enables a reusable token service model and protocol to address the identity requirements of both web applications and web services in a variety of trust relationships. Trivializing Read More...
|
-
Kim just posted a great piece about "an account this week describing an attack on the use of CardSpace within Internet Explorer". I won't add anything, because his post is just perfect as it is: I strongly suggest you go read it in its entirety . Here a quote: "Students at Ruhr Universitat Bochum in Germany have published an account this week describing an attack on the use of CardSpace within Internet Explorer. Their claim is to “confirm the practicability of the attack by presenting a proof of concept implementation“. I’ve spent a fair amount of time reproducing and analyzing the attack. The students were not actually able to compromise my safety except by asking me to go through elaborate measures to poison my own computer (I show how complicated this is in a video I will post next). For the attack to succeed, the user has to bring full administrative power to bear against her own system. It seems obvious that if people go to the trouble to manually circumvent all their defenses they become vulnerable to the attacks those defenses were intended to resist. In my view, the students did not compromise CardSpace." Read More...
|
-
I am horribly behind schedule with my blog, I still have to post a wrapup of IIW but didn't find the time so far; however I want to quickly comment on the recent coverage of the Fedlet (see Pat himself here and Paul here ). I attended the nice IIW session during which Pat demonstrated the fedlet. I found it interesting and strangely familiar.At a certain point I could not help myself and asked: "Pat, just for the sake of expressing things in the terminology of a domain I am comfortable with: would it be fair to say that the fedlet is a resource STS?". Pat thought for a moment about it, then nodded vigorously (& translated for the rest of the audience :-)). If that's the case, I concur that it is a very agile tool for handling claim transformation without "polluting" the entire directory with local settings while still keeping the resource itself clear from identity management code. That's exactly why I love R-STSes! I would assume that things said here and here apply, with the obvious adaptations for the technological differences Read More...
|
-
Protecting the private space that makes each of us unique... Read More...
|
-
In the last week or so Paul Madsen made at least a couple of posts with strong visual components: one that resumed my old 2005 post on a notation for message crypto, the other on Feynman diagrams . Nice! Paul, when I am in that mood I find especially pleasant to thumb through Tufte : I highly recommend it. Like Paul, in a former life I dealt with completely different stuff: I spent few years on computational geometry first , and on scientific visualization later. I am absolutely in love with what I do now ( proof ?), but I still have some residual forma mentis from those times. There's nothing on TV until Friday (can't wait for the next Battlestar Galactica!), and I am not focused enough to make real work; hence for this post I will indulge my inner geek a bit. On the topic of notation and diagrams, I often wonder if it would be of value to find an expressive representation of the claim propagation pattern. Would a circuit-like notation work? Or a network flow would work better? The main idea can be simple: all the claims inserted in the circuit must be there for a reason, since at a certain point the policy of an RP requested them; so for every claim produced there must be a piece of biz logic that eventually uses ("consumes") it. Hence IPs are sources and RPs are sinks; an initial coarse simplification may indirectly factor out subjects, by assuming that an RP-IP edge is in the schema if the subject chose to disclose. Let's take the example of one RP that implements a content Read More...
|
|
|
|