627185cvr.indd Hello! We’re happy to announce that Programming Windows Identity Foundation, by Vittorio Bertocci, is now available.  See this post for the book’s Contents at a Glance, Introduction, and other information.

 

Get hands-on guidance for using Windows Identity Foundation (WIF) to solve common authentication, authorization, and customization issues in Web applications and services. The author—a key member of the WIF engineering team at Microsoft—demonstrates how to apply the principles of claims-based identity and access management, along with key architectural patterns.

 

•    Geared for developers with working knowledge of ASP.NET and Windows Communication Foundation, with or without security programming expertise

•    Provides pragmatic, scenario-based guidance on the principles—and patterns—for implementing WIF in Web applications and services to solve common authentication, authorization, and customization challenges

•    Also explores the use of WIF in Windows Azure, Microsoft Silverlight, and ASP.NET MVC scenarios

 

EXCERPT from Ch 1:

Chapter 1 Claims-Based Identity

In this chapter:
  • What Is Claims-Based Identity?
  • WIF Programming Model
  • Summary

Microsoft Windows Identity Foundation (WIF) enables you to apply the principles of
claims-based identity when securing your Microsoft .NET application. Claims-based identity
is so important that I want to make sure you understand it well before I formally introduce
Windows Identity Foundation.

Claims-based identity is a natural way of dealing with identity and access control. However,
the old ways of doing this are well established, so before delving into the new approach, it’s
useful to describe and challenge the classic assumptions about authentication and authorization.
Once you have a clear understanding of some of the issues with traditional approaches,
I’ll introduce the basic principles of claims-based identity—I’ll say enough to enable you to
proficiently use Windows Identity Foundation for the most common scenarios. This chapter
contains some simplifications that will get you going without overloading you with information.
For a more thorough coverage of the subject, refer to Part II, “Windows Identity
Foundation for Identity Developers.”


Finally, we’ll take our initial look at how WIF implements the mechanisms of claims-based
identity and how you, the developer, can access the main elements exposed by its object
model.


After reading this chapter, you’ll be able to describe how claims-based identity works and
how to take advantage of it in solutions to common problems. Furthermore, you’ll be able to
define Windows Identity Foundation and recognize its main elements.

What Is Claims-Based Identity?

 

The problem of recognizing people and granting access rights to them is one of the oldest
in the history of computer science, and it has its roots in identity and access problems we all
experience every day as we go through our lives.


Although we can classify almost all the solutions to the problem in relatively few categories,
an incredible number of solutions tailored specifically to solve this or that problem exists.
From the innumerable ways of handling user names and passwords to the most exotic
hardware-based cryptography solutions, the panorama of identity and access methods
creates a sequence of systems that are almost never compatible, each with different
advantages, disadvantages, tradeoffs, and so on.


From the developer perspective, this status quo is bad news: this diversity forces you to
continually relearn how to do the same thing with different APIs, exposes you to details
of the security mechanisms that you’d rather not be responsible for, and subjects you to
software that is brittle and difficult to maintain.


What you need is a way to secure your applications without having to work directly at the
security mechanism level: an abstraction layer, which would allow you to express your security
requirements (the “what”) without getting caught in the specifics of how to make that
happen (the “how”). If your specialty is designing user experiences for Microsoft ASP.NET, you
should be allowed to focus your effort on that aspect of the solution and not be forced to
become an expert in security (beyond the basic, secure-coding best practices, of course—all
developers need to know those).


If you need a good reference on secure coding best practices, I highly recommend Writing
Secure Code, Second Edition, by Michael Howard and David LeBlanc (Microsoft Press, 2002).
What we collectively call “claims-based identity” provides that layer of abstraction and helps
you avoid the shortcomings of traditional solutions. Claims-based identity makes it possible
to have technologies such as Windows Identity Foundation, which enables you to secure
systems without being required to understand the fine details of the security mechanisms
involved.