Today, we would like to announce the release of the WF Security Pack CTP 1 on http://wf.codeplex.com.  Where did it come from?  Quite simply, from you: real WF 4 customers who have spent time banging their heads against the wall trying to get certain security scenarios working with WF 4.  From your feedback, we’ve put together this Activity Pack to fill in some gaps that you have identified.  Let’s take a quick look at what is covered.

The Microsoft WF Security Pack CTP 1 is a set of 7 security-related activities, designers, and the associated source code based on WF 4 and the Windows Identity Foundation (WIF).  The scenarios we targeted were the following:

  • Impersonating a client identity in the workflow.
  • In-workflow authorization, such as PrincipalPermission and validation of Claims.
  • Authenticated messaging using ClientCredentials specified in the workflow, such as username/password or a token retrieved from a Security Token Service (STS).
  • Flowing a client security token through a middle-tier workflow service to a back-end service (claims-based delegation) using WS-Trust features (ActAs).

Now, my question for you is: are these the right set of scenarios to target for the next .NET framework release?  What is missing?  Which is the most important?  Again, we want your feedback so that we can make the right decisions for the long-term benefit of the product.  Use the Discussions tab, our WF 4 Forums, a carrier pigeon, whatever it takes to get us some feedback.

Ok, here are three great ways to get started:

  1. Download the WF Security Pack CTP 1 from wf.codeplex.com, add a reference to the Microsoft.Security.Activities.dll in your WF 4 project, and check out the “Security” tab in the Toolbox.
  2. Take a quick read through the User Guide introduction to get a feel for what is included.
  3. Download the WF Security Pack CTP 1 Source code, open up the WorkflowSecurityPack.sln, and take a look at the activity APIs and the rest of the moving pieces of the implementation.

In the next couple of weeks, we’ll take an in-depth look at these scenarios and how you can use the WF Security Pack CTP 1 in your projects.  Stay tuned for that content here on The .NET Endpoint & on zamd.net (special thanks to Zulfiqar Ahmed, Microsoft Consultant, for his help in building this Activity Pack!).

UPDATE: Note: For many server-side scenarios, the WF Security Pack is not required in order to integrate WF 4 & WIF; see Zulfiqar's blog post on this topic for a simple walkthrough.  The WF Security Pack simply demonstrates how to enable other middle-tier and client-side scenarios using WF calling other web services via a STS.