Alik Levin's Clarity, Technology, and Solving Problems | PracticeThis.com

  • Alik Levin's

    Staging Windows Azure Cloud Applications and Service Integrated With ACS


    Programming Windows Identity Foundation

    This post outlines my thinking on possible ways to stage applications and services that are integrated with ACS.

    It’s a common practice to have at least three environments (development, test, production) when developing applications and services. Applications that use ACS should not be an exception. The key question here is how to move the application between the environments and how to maintain each environment's ACS configuration.

    One approach, specifically targeted at Windows Azure, is outlined here. In this post I’d like to explore the manual options that are available. In a nutshell, there are two ways:

    1. One ACS namespace with three configured relying parties: development, test, production.
    2. Three ACS namespaces, one per environment, each with one relying party that represents the application.

    1 ACS Namespace 3 Relying Parties

    Consider the following diagram, which represents a single ACS namespace with three configured relying parties and the key configuration elements:

    image

    • A single ACS namespace.
    • Three relying parties, each with its own Return URL and realm pair.

    What varies here is the realm of each relying party, which reflects the environment (Dev, Test, Prod). The Return URL also varies between the relying parties to reflect the environment.

    Consider the following diagram of the application configuration that uses the above ACS configuration:

    image

    • In each environment the application trusts the same issuer thumbprint, since the tokens are issued and signed by the same ACS namespace.
    • The federatedAuthentication/wsFederation/issuer URL stays the same.
    • The realm changes according to the environment.

    When deploying to the Windows Azure staging environment, the application is assigned a URL that includes a GUID that is not known beforehand, so there is no way to fully configure the related ACS relying party in advance. To fix this, configure the Return URL of the Relying Party: Test after deploying to Windows Azure. Another approach is to leverage the OnStart event of the WebRole, outlined here.

    3 ACS Namespaces 1 Relying Party

    Consider the following diagram, which depicts a separate ACS namespace for each environment:

    image

    • Three different ACS namespaces, one for each environment (Dev, Test, Prod).
    • One relying party in each namespace.

    What varies here is the Return URL of each relying party, while the realm stays the same. Since the namespaces are different, the issuer is different for each one, and so is the token signing certificate. This is reflected in the web.config file of the application.

    Consider the following diagram, which depicts the key attributes in the configuration file of the application:

    image

    • The trusted issuer thumbprint differs, since tokens are issued by different ACS namespaces.
    • The federatedAuthentication/wsFederation/issuer URL differs.
    • The realm stays the same.

    When deploying the application or service to the Windows Azure staging environment, whose URL includes a GUID, the ACS Test namespace must be updated with the relevant Return URL each time you deploy. That is not the case with the Dev and Prod environments.
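    The following is an added example, not code from the post, showing the two options above expressed as code rather than as hand-edited web.config values: which settings are shared and which vary per environment, and how the per-environment values are applied to WIF at application start. It assumes WIF 3.5 (Microsoft.IdentityModel.dll) hosted in ASP.NET with the WIF module registered under the name WSFederationAuthenticationModule; the namespace names, URLs and thumbprints are constructed placeholders. The part that matters for security is the ServiceConfigurationCreated handler: the audience restriction and the pinned issuer thumbprint are what make the application reject a token minted for a different environment or by a different namespace.

```csharp
// Added example (not from the post). Assumes WIF 3.5 in ASP.NET; all names,
// URLs and thumbprints below are constructed placeholders.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// The values the post shows in web.config, gathered per environment.
public sealed class AcsRelyingPartySettings
{
    public string Issuer;            // federatedAuthentication/wsFederation/@issuer
    public string Realm;             // federatedAuthentication/wsFederation/@realm, also the audience URI
    public string Reply;             // Return URL registered on the ACS relying party
    public string IssuerThumbprint;  // thumbprint of the namespace's token signing certificate
}

public static class AcsEnvironments
{
    // Option 1: one namespace, three relying parties.
    // Shared: issuer URL and thumbprint. Varies: realm and Return URL.
    public static AcsRelyingPartySettings OneNamespace(string env, string deployedUrl)
    {
        return new AcsRelyingPartySettings
        {
            Issuer = "https://contoso.accesscontrol.windows.net/v2/wsfederation",
            IssuerThumbprint = "0000000000000000000000000000000000000000", // placeholder
            Realm = "https://contoso-" + env.ToLowerInvariant() + "/",
            Reply = deployedUrl,
        };
    }

    // Option 2: one namespace per environment, one relying party each.
    // Shared: realm. Varies: issuer URL, thumbprint and Return URL.
    public static AcsRelyingPartySettings NamespacePerEnvironment(string env, string deployedUrl)
    {
        var thumbprints = new Dictionary<string, string>   // placeholders
        {
            { "dev",  "1111111111111111111111111111111111111111" },
            { "test", "2222222222222222222222222222222222222222" },
            { "prod", "3333333333333333333333333333333333333333" },
        };
        string ns = "contoso-" + env.ToLowerInvariant();
        return new AcsRelyingPartySettings
        {
            Issuer = "https://" + ns + ".accesscontrol.windows.net/v2/wsfederation",
            IssuerThumbprint = thumbprints[env.ToLowerInvariant()],
            Realm = "https://contoso/",
            Reply = deployedUrl,
        };
    }
}

public class Global : System.Web.HttpApplication
{
    private static AcsRelyingPartySettings settings;

    protected void Application_Start(object sender, EventArgs e)
    {
        // Test slot on Azure staging: the Return URL is only known after deployment,
        // which is the case the post calls out. DEPLOYMENT-GUID is a placeholder.
        settings = AcsEnvironments.NamespacePerEnvironment(
            "test", "https://DEPLOYMENT-GUID.cloudapp.net/");

        // Registered before the first request, so it runs when WIF builds its configuration.
        FederatedAuthentication.ServiceConfigurationCreated += (s, args) =>
        {
            // Accept only tokens scoped to this environment's realm ...
            args.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Clear();
            args.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(settings.Realm));
            // ... and signed by this namespace's certificate, nothing else.
            var registry = new ConfigurationBasedIssuerNameRegistry();
            registry.AddTrustedIssuer(settings.IssuerThumbprint, settings.Issuer);
            args.ServiceConfiguration.IssuerNameRegistry = registry;
        };
    }

    // ASP.NET wires this method by name to the WIF module's event on every application
    // instance, so the sign-in request carries the per-environment issuer, realm and reply.
    protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        e.SignInRequestMessage.BaseUri = new Uri(settings.Issuer);
        e.SignInRequestMessage.Realm = settings.Realm;
        e.SignInRequestMessage.Reply = settings.Reply;
    }
}
```

    Swapping NamespacePerEnvironment for OneNamespace in Application_Start switches between the two staging options without touching web.config; in both cases the ACS side still has to know the Return URL, which is why the staging GUID has to be pushed to the relying party after each deployment.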


  • Alik Levin's

    How To: Use AD FS Endpoints When Developing Claims Aware WCF Services Using WIF

    Programming Windows Identity Foundation

    This post is based on the WIF Built-in Bindings Overview and AD FS Endpoints. Together, this information should give developers a more cohesive view when developing claims-aware WCF services using AD FS and WIF.

    There are 30 scenarios here. Guidance on when to use which one is in progress.

    Each entry below lists the AD FS endpoint, the WIF built-in binding name, and the WCF binding construction.

    WS-Trust 1.3 endpoints

    /adfs/services/trust/13/windows (Trust13WindowsMessage)
        WindowsWSTrustBinding windowsTrust13MessageBinding = new WindowsWSTrustBinding();

    /adfs/services/trust/13/windowsmixed (Trust13WindowsMixed)
        WindowsWSTrustBinding windowsTrust13MixedBinding =
            new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);

    /adfs/services/trust/13/windowstransport (Trust13WindowsTransport)
        WindowsWSTrustBinding windowsTrust13TransportBinding =
            new WindowsWSTrustBinding(SecurityMode.Transport);

    /adfs/services/trust/13/certificate (Trust13CertificateMessage)
        CertificateWSTrustBinding certificateTrust13MessageBinding = new CertificateWSTrustBinding();

    /adfs/services/trust/13/certificatemixed (Trust13CertificateMixed)
        CertificateWSTrustBinding certificateTrust13MixedBinding =
            new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);

    /adfs/services/trust/13/certificatetransport (Trust13CertificateTransport)
        CertificateWSTrustBinding certificateTrust13TransportBinding =
            new CertificateWSTrustBinding(SecurityMode.Transport);

    /adfs/services/trust/13/username (Trust13UserNameMessage)
        UserNameWSTrustBinding userNameTrust13MessageBinding = new UserNameWSTrustBinding();

    /adfs/services/trust/13/usernamemixed (Trust13UserNameMixed)
        UserNameWSTrustBinding userNameTrust13MixedBinding =
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);

    /adfs/services/trust/13/usernamebasictransport (Trust13UserNameBasicTransport)
        UserNameWSTrustBinding userNameTrust13TransportBasicBinding =
            new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Basic);

    N/A, no AD FS endpoint (Trust13UserNameDigestTransport)
        UserNameWSTrustBinding userNameTrust13TransportDigestBinding =
            new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Digest);

    /adfs/services/trust/13/kerberosmixed (Trust13KerberosMixed)
        KerberosWSTrustBinding kerberosTrust13MixedBinding =
            new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential);

    WS-Trust 1.3 Issued Token endpoints

    /adfs/services/trust/13/issuedtokenasymmetricbasic256 (Trust13IssuedTokenAsymmetricBasic256)
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
        issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey;

    /adfs/services/trust/13/issuedtokenmixedasymmetricbasic256 (Trust13IssuedTokenMixedAsymmetricBasic256)
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
        issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;
        issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey;

    /adfs/services/trust/13/issuedtokenmixedsymmetricbasic256 (Trust13IssuedTokenMixedSymmetricBasic256)
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
        issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;

    /adfs/services/trust/13/issuedtokensymmetricbasic256 (Trust13IssuedTokenSymmetricBasic256)
        // Defaults apply: message security, symmetric key, WS-Trust 1.3.
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();

    WS-Trust 2005 endpoints

    /adfs/services/trust/2005/windows (TrustFeb2005WindowsMessage)
        WindowsWSTrustBinding windowsTrustFeb2005MessageBinding = new WindowsWSTrustBinding();
        windowsTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/windowsmixed (TrustFeb2005WindowsMixed)
        WindowsWSTrustBinding windowsTrustFeb2005MixedBinding =
            new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        windowsTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/windowstransport (TrustFeb2005WindowsTransport)
        WindowsWSTrustBinding windowsTrustFeb2005TransportBinding =
            new WindowsWSTrustBinding(SecurityMode.Transport);
        windowsTrustFeb2005TransportBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/certificate (TrustFeb2005CertificateMessage)
        CertificateWSTrustBinding certificateTrustFeb2005MessageBinding =
            new CertificateWSTrustBinding();
        certificateTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/certificatemixed (TrustFeb2005CertificateMixed)
        CertificateWSTrustBinding certificateTrustFeb2005MixedBinding =
            new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        certificateTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/certificatetransport (TrustFeb2005CertificateTransport)
        CertificateWSTrustBinding certificateTrustFeb2005TransportBinding =
            new CertificateWSTrustBinding(SecurityMode.Transport);
        certificateTrustFeb2005TransportBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/username (TrustFeb2005UserNameMessage)
        UserNameWSTrustBinding userNameTrustFeb2005MessageBinding =
            new UserNameWSTrustBinding();
        userNameTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/usernamemixed (TrustFeb2005UserNameMixed)
        UserNameWSTrustBinding userNameTrustFeb2005MixedBinding =
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        userNameTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/usernamebasictransport (TrustFeb2005UserNameBasicTransport)
        UserNameWSTrustBinding userNameTrustFeb2005TransportBasicBinding =
            new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Basic);
        userNameTrustFeb2005TransportBasicBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    N/A, no AD FS endpoint (TrustFeb2005UserNameDigestTransport)
        UserNameWSTrustBinding userNameTrustFeb2005TransportDigestBinding =
            new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Digest);
        userNameTrustFeb2005TransportDigestBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/kerberosmixed (TrustFeb2005KerberosMixed)
        KerberosWSTrustBinding kerberosTrustFeb2005MixedBinding =
            new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        kerberosTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    WS-Trust 2005 Issued Token endpoints

    /adfs/services/trust/2005/issuedtokenasymmetricbasic256 (TrustFeb2005IssuedTokenAsymmetricBasic256)
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
        issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey;
        issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256 (TrustFeb2005IssuedTokenMixedAsymmetricBasic256)
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
        issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;
        issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey;
        issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256 (TrustFeb2005IssuedTokenMixedSymmetricBasic256)
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
        issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;
        issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

    /adfs/services/trust/2005/issuedtokensymmetricbasic256 (TrustFeb2005IssuedTokenSymmetricBasic256)
        // Defaults apply: message security, symmetric key.
        IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding();
        issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;
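    The following is an added example, not code from the post, showing how one of the binding/endpoint pairs above is actually used: a WSTrustChannelFactory built from the binding, pointed at the matching AD FS endpoint, with the trust version set to match the version segment in the path. It assumes WIF 3.5 (Microsoft.IdentityModel.dll); the AD FS host, service realm and credentials are placeholders supplied by the caller. The pairing is what keeps the credential where the endpoint expects it: a "mixed" endpoint means the credential travels inside the SOAP message over HTTPS (TransportWithMessageCredential), while a "transport" endpoint puts it in the HTTP layer, so a mismatched binding simply fails to negotiate rather than silently downgrading.

```csharp
// Added example (not from the post). Assumes WIF 3.5; host, realm and
// credentials are supplied by the caller.
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

public static class AdfsTokenClient
{
    // Requests a bearer token for serviceRealm from AD FS over the WS-Trust 1.3
    // "usernamemixed" endpoint (user name/password in the message, TLS on the wire).
    public static SecurityToken RequestBearerToken(
        Uri adfsBaseUrl, string userName, string password, Uri serviceRealm)
    {
        // Same construction as the Trust13UserNameMixed entry in the table.
        var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        binding.TrustVersion = TrustVersion.WSTrust13;   // "13" segment of the path

        var endpoint = new EndpointAddress(
            new Uri(adfsBaseUrl, "/adfs/services/trust/13/usernamemixed"));

        var factory = new WSTrustChannelFactory(binding, endpoint);
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        // AppliesTo names the relying party the token is for; AD FS uses it to pick
        // the relying party trust and its claim rules.
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(serviceRealm),
            KeyType = KeyTypes.Bearer,
        };

        var channel = (WSTrustChannel)factory.CreateChannel();
        var comm = (ICommunicationObject)channel;
        try
        {
            RequestSecurityTokenResponse rstr;
            SecurityToken token = channel.Issue(rst, out rstr);
            comm.Close();
            return token;
        }
        catch
        {
            comm.Abort();   // never leave a faulted channel open
            throw;
        }
    }

    // Same call against the WS-Trust 2005 endpoint: only the trust version and the
    // path segment change, as the TrustFeb2005 entries in the table show.
    public static WSTrustChannelFactory CreateFeb2005UserNameMixedFactory(Uri adfsBaseUrl)
    {
        var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        binding.TrustVersion = TrustVersion.WSTrustFeb2005;
        var endpoint = new EndpointAddress(
            new Uri(adfsBaseUrl, "/adfs/services/trust/2005/usernamemixed"));
        var factory = new WSTrustChannelFactory(binding, endpoint);
        factory.TrustVersion = TrustVersion.WSTrustFeb2005;
        return factory;
    }
}
```

    The returned SecurityToken is what a WCF client then presents to the claims-aware service (for example through an IssuedTokenWSTrustBinding or a federation binding on the service side); the channel factory is what changes when switching rows in the table, the token request itself does not.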

  • Alik Levin's

    Cloud Identity Stories for Developers–Application Architecture Scenarios

    I have packaged Cloud Identity Scenarios and Solutions for Developers into a PDF document. I hope it will be easier for you to consume and share. It includes only the Application Architecture scenarios; the link, however, provides more scenarios and solutions.

    Each scenario is organized as follows:

    • Scenario, including visual
    • Solution approach, including visual
    • Analysis
    • List of links to How-To’s
    • List of links to Code Samples
    • List to more Resources

    Grab the PDF file and use it to solve Cloud Identity related scenarios. Use the TOC/Bookmarks to navigate the content easily.

    At your service!
