Nicholas Allen's Indigo Blog

Windows Communication Foundation From the Inside

Browse by Tags

Tagged Content List
  • Blog Post: Claims Visualization

    Dominick Baier has a visualization for claims in the Visual Studio debugger. I’m not sure what other details to provide. It takes an identity and description for a claim and describes the issuer, metadata, and properties that make up the claim.
  • Blog Post: Starter STS Sample

    Dominick Baier has put up the completed StarterSTS sample that demonstrates how to write, configure, and use a realistic security token service. The token service is built using Windows Identity Foundation and provides authentication based on the ASP.NET identity provider model. Although the StarterSTS...
  • Blog Post: Fix to Allow Providing Outgoing Supporting Tokens

    I've sufficiently recovered from running the last week-long series covering fixes for WCF to do another one. This week I'll again be covering fixes for WCF that may be hard to find and explaining the details behind each problem. A primary token provides security to a message by signing the message...
  • Blog Post: Fix to Disable Transport Security with Message Credentials

    I've sufficiently recovered from running the last week-long series covering fixes for WCF to do another one. This week I'll again be covering fixes for WCF that may be hard to find and explaining the details behind each problem. This is another fix that adds the feature of using message security...
  • Blog Post: Fix to Disable Security on Responses

    I've sufficiently recovered from running the last week-long series covering fixes for WCF to do another one. This week I'll again be covering fixes for WCF that may be hard to find and explaining the details behind each problem. The first fix is a new feature added to allow secure message security...
  • Blog Post: Identity and Access Control Guide

    The patterns and practices group at Microsoft has released an online guide to claims-based identity and access control. The guide is targeted at developers and architects of web services on Windows that require user-identity information. Windows Identity Foundation and Active Directory federation are...
  • Blog Post: Identity and Federation Services Releases

    Windows Identity Foundation is an add-on for .Net 3.5 that provides support for building applications that use claims-based security. Claims-based security is the model used to implement single sign on, federation, delegation, and similar types of cross-boundary security scenarios in modern systems....
  • Blog Post: Web Security Interviews

    The folks at .Net Rocks have been doing a number of interviews over the past few months on web service security as part of their regularly running show. These are very casual conversations, each about an hour long, covering a variety of topics with the day's guests. Show 486: Michelle Leroux Bustamante...
  • Blog Post: Federating from Silverlight

    I've had a few people ask whether the WCF subset in Silverlight supports message-level security. The answer currently is not very much. The security support is limited to basically the facilities that you'd expect to have for any other browser based application, primarily HTTPS and common browser HTTP...
  • Blog Post: Load Balanced Web Service Bindings

    What options can I use with WSHttpBinding to make it friendlier to load balancing? The primary difficulty encountered when using WSHttp with a load balancer is that WSHttp is easy to configure to produce application-level sessions between the client and service. Many load balancers support the...
  • Blog Post: SAML Client Credentials

    Dominick Baier put up an article yesterday showing how to use client generated SAML tokens for providing client credentials. This is more a demonstration of the capabilities of Geneva for credential and claim handling than a practical code library to use. I think the use of client generated SAML tokens...
  • Blog Post: Updates to Reliable, Secure, and Transacted Standards Close to Approval

    Updated versions of the standards for reliable message, message security, and distributed transactions have completed public review and are headed to a final vote. I expect all of these standards updates to be approved and see official publication of the new versions in February. WS-SecurityPolicy...
  • Blog Post: Common Problems Composing Security with Streaming

    Security and streaming are two features that often do not get along with each other. Although the concepts are not inherently in conflict, their implementations often do things that cause problems for the optimal execution of the other. You may have seen that the message security channel, like the...
  • Blog Post: WCF Security Guide Released

    If you've been following along, I have mentioned the WCF security guide project being worked on in the patterns and practices team a few times now. After months of drafts and betas, the complete guide is now ready for official release. The WCF security guide is available as a free download.
  • Blog Post: Help with Security Programming

    Security programming today tends to contain large amount of plumbing code to handle the modeling, management, and evaluation of identities. An identity is the basis of many common security operations, such as authentication, personalization, authorization, and access control. There are a variety of different...
  • Blog Post: Security Session Inactivity

    What does the InactivityTimeout on a secure channel do? The inactivity timeout on a message security channel controls how long the channel will allow pending security sessions to linger in its cache before giving up on them. This is completely different from the inactivity timeout on a reliable...
  • Blog Post: Improving Web Services Security Beta Guide

    The WCF Security Guide content that I've mentioned a few times before is now done with early drafts and has been rolled up into a beta release of the full book. There's a ton of content in the real thing on top of what you've been seeing in the drafts. You can download the beta of the full security...
  • Blog Post: Updates to WCF Security Guidance

    After the first announcement for the WCF Security Guidance Project , the amount of content has grown tremendously. Here's a summary of what's new over the last month. Seven new application scenarios: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem TCP) ...
  • Blog Post: Messaging Additions in Orcas, Part 2

    Continuing on with the theme of messaging additions in Orcas, today I'll look at some more of the protocols and community-driven features that were added. WS Atomic Transaction 1.1 . Transactions tie together multiple participants in a distributed application. The framework of transactions...
  • Blog Post: WCF Security Guidance Project

    The patterns & practices team at Microsoft has put together their first release of guidance for WCF security . They've included how-to guides and videos that walk you through a number of security tasks, such as working with certificates and configuring role providers. The overall guide is still...
  • Blog Post: Configuring Protection Level

    Is it possible to configure the protection level for message parts at runtime? Only certain configurations make doing this particularly easy. When using transport security with Windows credentials, the WindowsStreamSecurityBindingElement allows you to directly set the protection level (changing...
  • Blog Post: Customizing Exceptions for Validation

    How do I customize the exception text sent back from a custom password validator? If you've looked at the documentation for UserNamePasswordValidator, then the instructions tell you to implement the validator by overriding the Validate method and throwing a SecurityTokenValidationException if you...
  • Blog Post: Scopes of Encryption

    This article is primarily an introduction on protecting message data since the topic overall seems to cause some confusion. The source of confusion is what it means for a service to define a contract for protecting data. Data protection flows from two different directions and at a variety of different...
  • Blog Post: Augmenting Security Requests

    How can I add some additional information to the request when contacting a token server? Looking at the schema for a RequestSecurityToken message, there clearly is some extensibility space intended for providing additional information in the request. We'll ignore the fact that the actual schema...
  • Blog Post: Finding Data in Client Certificates

    Can I pass additional user data, such as identity information, in a message secured with a client certificate? This question looks like an earlier one about Windows credentials but has some subtle differences that make it come out with a different answer. The two key differences are: We're talking...
Page 1 of 2 (38 items) 12