Hello! We’re happy to announce that Programming Windows Identity Foundation, by Vittorio Bertocci, is now available. See this post for the book’s Contents at a Glance, Introduction, and other information.
Get hands-on guidance for using Windows Identity Foundation (WIF) to solve common authentication, authorization, and customization issues in Web applications and services. The author—a key member of the WIF engineering team at Microsoft—demonstrates how to apply the principles of claims-based identity and access management, along with key architectural patterns.
• Geared for developers with working knowledge of ASP.NET and Windows Communication Foundation, with or without security programming expertise
• Provides pragmatic, scenario-based guidance on the principles—and patterns—for implementing WIF in Web applications and services to solve common authentication, authorization, and customization challenges
• Also explores the use of WIF in Windows Azure, Microsoft Silverlight, and ASP.NET MVC scenarios
EXCERPT from Ch 1:
Microsoft Windows Identity Foundation (WIF) enables you to apply the principles of claims-based identity when securing your Microsoft .NET application. Claims-based identity is so important that I want to make sure you understand it well before I formally introduce Windows Identity Foundation.
Claims-based identity is a natural way of dealing with identity and access control. However, the old ways of doing this are well established, so before delving into the new approach, it’s useful to describe and challenge the classic assumptions about authentication and authorization. Once you have a clear understanding of some of the issues with traditional approaches, I’ll introduce the basic principles of claims-based identity—I’ll say enough to enable you to proficiently use Windows Identity Foundation for the most common scenarios. This chapter contains some simplifications that will get you going without overloading you with information. For a more thorough coverage of the subject, refer to Part II, “Windows Identity Foundation for Identity Developers.”
Finally, we’ll take our initial look at how WIF implements the mechanisms of claims-based identity and how you, the developer, can access the main elements exposed by its object model.
After reading this chapter, you’ll be able to describe how claims-based identity works and how to take advantage of it in solutions to common problems. Furthermore, you’ll be able to define Windows Identity Foundation and recognize its main elements.
The problem of recognizing people and granting access rights to them is one of the oldest in the history of computer science, and it has its roots in identity and access problems we all experience every day as we go through our lives.
Although we can classify almost all the solutions to the problem in relatively few categories, an incredible number of solutions tailored specifically to solve this or that problem exists. From the innumerable ways of handling user names and passwords to the most exotic hardware-based cryptography solutions, the panorama of identity and access methods creates a sequence of systems that are almost never compatible, each with different advantages, disadvantages, tradeoffs, and so on.
From the developer perspective, this status quo is bad news: this diversity forces you to continually relearn how to do the same thing with different APIs, exposes you to details of the security mechanisms that you’d rather not be responsible for, and subjects you to software that is brittle and difficult to maintain.
What you need is a way to secure your applications without having to work directly at the security mechanism level: an abstraction layer, which would allow you to express your security requirements (the “what”) without getting caught in the specifics of how to make that happen (the “how”). If your specialty is designing user experiences for Microsoft ASP.NET, you should be allowed to focus your effort on that aspect of the solution and not be forced to become an expert in security (beyond the basic, secure-coding best practices, of course—all developers need to know those).
If you need a good reference on secure coding best practices, I highly recommend Writing Secure Code, Second Edition, by Michael Howard and David LeBlanc (Microsoft Press, 2002). What we collectively call “claims-based identity” provides that layer of abstraction and helps you avoid the shortcomings of traditional solutions. Claims-based identity makes it possible to have technologies such as Windows Identity Foundation, which enables you to secure systems without being required to understand the fine details of the security mechanisms involved.