I’m working on a new project at work, and part of my role as architect is to decide how we’re going to build authentication and authorisation. This will be a desktop smart client application deployed via ClickOnce that will use web services (hosted by us at our datacentre) to operate, with a dash of local caching for offline operation where applicable. We already have an ASP.NET website that has auth/authz behind it, so ideally I’d like to build on that.
After much internetting, I re-discovered Windows Identity Foundation (WIF), having heard a little about it on a DotNetRocks episode some time back. I like the concepts – separating auth/authz from your applications and instead obtaining tokens containing the claims the user has.
Sounds great. In theory.
In practice, it appears WIF suffers from “Over-engineering Microsoft Giddiness” syndrome. I’ve watched various WCF Pluralsight videos (which are excellent, by the way) to build a basic understanding for WIF, but when I really got into WIF itself, it’s too much for my small brain to cope with.
Essentially I’ve worked out that I want to have an “Identity Provider” that my desktop app can authenticate with, and that will return a security token in exchange for a valid username and password. I then want to be able to pop that token into subsequent calls to the other WCF services, which will then inspect the claims supplied in that token to establish whether the user can carry out those operations or not. However it seems writing my own Identity Provider that works off our user store is, ahem, “non-trivial”. There are a few existing ones out there in the world, but they all seem like overkill to me.
So I’m going to steal the idea and Build My Own. I’ll have a WCF service, accessed via SSL, that will return a token containing various information (“claims” in WIF parlance) about the user in exchange for a valid username and password. This token will then be made available in the SOAP headers of calls to our other web services (also accessed via SSL, so it’s okay).
I know what some of my readers will be thinking – that there’s a reason for the engineering that’s gone into WIF. The truth is that this approach should work just as well. I’ll need to have a think about signing the token (so that the web services can be confident the claims haven’t been tampered with by the caller) and possibly encrypting it (so that its contents can’t be read if it is intercepted), but I’m willing to bet my small brain comes up with The Simplest Thing That Could Possibly Work. A key tenet of Domain Driven Design, and something else I’m going to strive for on this project.
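To make the signing question concrete, here is an added example of the scheme described above: a credential check against a user store, a claims payload with an audience and an expiry, an HMAC signature over that payload with a key shared between the token service and the relying services, and the per-call check each service would do on the token it finds in the header. This is not code from the original post or from WIF; it is written in Python as a platform-neutral sketch rather than as WCF/C#, and the shared key, the sample user store, the claim names and the permission table are all constructed assumptions. The point it shows is that SSL only protects the token in transit: without a signature, any client that can reach the services could hand them a home-made header claiming whatever role it likes.

```python
"""Signed claims token: issued for a username/password, verified on every service call.

Added example, not code from the original post or from WIF. The shared HMAC key,
the constructed user store, the claim names and the permission table are all
assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical key shared between the token service and the relying services.
# With an asymmetric key pair the services would hold only the verification key.
SHARED_KEY = b"replace-with-a-random-256-bit-key"
TOKEN_LIFETIME = 3600  # seconds a token stays valid


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store standing in for the existing membership data.
SAMPLE_SALT = b"constructed-salt"
USER_STORE = {
    "alice": {
        "pw": hash_password("correct horse", SAMPLE_SALT),
        "salt": SAMPLE_SALT,
        "claims": {"role": ["Clerk", "Approver"], "region": "UK"},
    },
}

# Which role claim each service operation requires (assumed).
PERMISSIONS = {"view_order": "Clerk", "approve_order": "Approver"}


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes) -> bytes:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()


def encode_claims(claims: dict) -> bytes:
    # Canonical serialisation so issuer and verifier hash identical bytes.
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


def issue_token(username, password, audience, now=None):
    """Token service: return 'payload.signature' for valid credentials, else None."""
    rec = USER_STORE.get(username)
    if rec is None:
        hash_password(password, SAMPLE_SALT)  # same cost as a real user, so timing does not leak names
        return None
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
        return None
    now = int(time.time() if now is None else now)
    claims = {
        "sub": username,
        "aud": audience,              # which service this token is meant for
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
        "jti": secrets.token_hex(8),  # unique id, lets a service refuse replays if it tracks them
        **rec["claims"],
    }
    payload = encode_claims(claims)
    return f"{b64e(payload)}.{b64e(sign(payload))}"


class TokenError(Exception):
    pass


def verify_token(token, audience, now=None):
    """Relying service: check the signature first, then audience and expiry; return the claims."""
    if not isinstance(token, str):
        raise TokenError("no token")
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not hmac.compare_digest(sign(payload), sig):
        raise TokenError("bad signature")  # nothing in the payload is trusted before this point
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        raise TokenError("token issued for a different service")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


def authorize(token, audience, action, now=None):
    """Per-call check a service would do on the SOAP header token: False on any failure."""
    try:
        claims = verify_token(token, audience, now)
    except TokenError:
        return False
    return PERMISSIONS[action] in claims.get("role", [])


def tamper(token, **changes):
    """Simulate a client editing the claims in its own token while keeping the old signature."""
    p64, s64 = token.split(".")
    claims = json.loads(b64d(p64))
    claims.update(changes)
    return f"{b64e(encode_claims(claims))}.{s64}"


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse", "orders")
    print("approve_order:", authorize(tok, "orders", "approve_order"))
    print("after tampering:", authorize(tamper(tok, role=["Admin"]), "orders", "approve_order"))
```

The audience claim matters once there are several services: a token issued for one of them must not be accepted by another just because the signature checks out. Encryption of the payload is a separate decision from signing; this example only signs, so the claims are readable by anyone holding the token but cannot be altered without the key.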
Hi Neil,
I’d be interested in understanding what led you to think that writing your own IP from scratch would be easier than using the WIF classes and model for that. We normally suggest caution when you write your own STS because it is such a vital part of one’s architecture and building secure/available/manageable/scalable services is a hard exercise per se, which is why you are normally better off by using a product which does that. BUT: if you decide that you want to build something from scratch anyway, it is WAY easier to use the classes and the model already baked in: you won’t have to worry about signatures, encryption, data model for the claims, putting them in and out of the current principal, and so on.
Also, the material you’ve been using could be updated (I saw it still refers to “geneva”, that was 2 years ago). I would recommend you take a look at the labs in the identity training kit, they contain many labs which use simple custom identity providers that can give you a starting point: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0
Good luck!
V.
Oh I don’t think writing a WIF-scale IP would be easier, I’m saying that I need a component that does a similar job but without the “enterprisey” nature of WIF. My problem in fact is that I’m working on a project largely by myself that needs clients to authenticate with a server, and I need to use our existing auth/authz data (as used by our existing systems). I don’t want to buy in a large-scale enterprisey IP, so I need to “build my own”. I’m going to take your advice to work through those labs and see about creating a custom IP using WIF classes at least, and see where to go from there.
Essentially my concern was that I don’t have enough time or a large enough brain to fully grok WIF, but I’ll give it another go.
I suggest looking at the lab \Labs\MembershipAndFederation, which shows how you can take an existing web site with an authentication system already in place and transform it into an IP. There we start from the ASP.NET membership, but the approach will work with any redirect-based authentication scheme.
I’m in the midst of researching WIF, ADFS2, & AD LDS to replace existing authentication at our enterprise. We have user accounts in two separate legacy silos in addition to Active Directory. What I’d like to do is use these frameworks and create our own STS (by extending SecurityTokenService — http://tinyurl.com/63npsav) to authenticate accounts against AD LDS.
Is this different from the approach you’re trying?