Vittorio Bertocci

Scatter thoughts

Identity Developer Training Kit March 2010 update: WIF+Silverlight, WIF+WCF on Windows Azure

Identity Developer Training Kit March 2010 update: WIF+Silverlight, WIF+WCF on Windows Azure

  • Comments 6

IDTK_march2010

Are you ready to roll? I have just flipped the publish bit on the March 2010 update of the Identity Developer Training Kit!

The new release contains various fixes and improvements, but above all it contains two brand-new labs about two scenarios you asked for loud and clear: Web Services and Identity in Windows Azure  and Developing Identity-Driven Silverlight Applications.

Web Services and Identity in Windows Azure

Web Services and Identity in Windows Azure describes how to use WIF with WCF roles in Windows Azure. It was developed in collaboration with the amazing Todd West from the IDA team: thank you Todd! Among the things the lab demonstrates:

• Use Windows Identity Foundation with WCF services hosted in Windows Azure

• Trusting an on-premise STS from a WCF service hosted in Windows Azure

• Using WIF & WCF tracing for a WCF service hosted in Windows Azure, taking advantage of blob storage for the traces

• Configure a WCF service to use load balancing (binding and session management)

• Deploy a WCF service secured via WIF to the Windows Azure cloud

• Switch between alternative WIF config settings without having to redeploy the entire app in the cloud

You will recognize many of the points above as frequently asked questions on the forum: the idea is that the lab will be useful also for non-Azure specific scenarios, for example if you have your own web farm.

Developing Identity-Driven Silverlight Applications

Developing Identity-Driven Silverlight Applications is one of the results of Caleb Baker’s great work on the use of WIF in Silverlight applications. You really asked in a landslide for this one, to the point that today Caleb did a session at MIX exactly about this. If you were in the room, this is the training it release he was talking about!

The lab has been written to be (as) understandable (as possible) by developers who know little or nothing about identity. Among the things the lab demonstrates:

• Take advantage of an existing identity provider (exposed via passive STS) for externalizing authentication for a in-browser Silverlight application

• Access claims values from the code of a Silverlight application and use them for user experience customization

• Handle authorization for WCF services hosted in a Silverlight website using the WIF programming model

• Take advantage of an existing identity provider (exposed via active STS) for externalizing authentication for an out-of-browser Silverlight application

• Invoke services on other domains using SAML tokens from a Silverlight application

Isn’t that really exciting? You know for how long I’ve waited to be able to use claims in Silverlight? What are you doing still here, get the March 2010 update of the Identity Developer Training Kit while it’s hot! :-)

  • This is great, finally a good solution for authenticating service calls from silverlight

  • There were instructions to federate with LiveID (development) that seem to have been removed from the most recent version.

    What is the plan with LiveID?

  • Hi, this is great. I would like know, how make this using http ???

  • Hi Developer,

    using HTTP would be pretty risky here. SL does not support full message security, hence plain HTTP could really backfire

  • Just want to put a remark that the Identity Developer training kit for Visual Studio 2010 is out of date. This can give problems with the labs. For example, I had the following problem reported during EXERCISE 2: ACCEPTING TOKENS FROM AN ACTIVE DIRECTORY FEDERATION SERVICES (ADFS) STS:

    "The server certificate with name 'CN=ip-sts-01.federatedidentity.net' failed identity verification because its thumbprint ('DE74CFE7D20E8DC2B6E6E700E4D2A940CB08B268') does not match the one specified in the endpoint identity ('50191FA07A8F79D4220E551DF4B97F31519D012D'). As a result, the current HTTPS request has failed. Please update the endpoint identity used on the client or the certificate used by the server."

    The exercise related to Web Services and Identity for Visual Studio 2010 Developers (last updated 8/25/2011, which is weird then to be outdated), asks the trainee to insert the following lines in the app.config of the WeatherStationClient:

    <issuer address="ip-sts-01.federatedidentity.net/.../usernamemixed" bindingConfiguration="ip-sts-01.federatedidentity.net/.../usernamemixed" binding="ws2007HttpBinding">

    <identity>

       <certificate encodedValue="MIIGKjCCBRKgAwIBAgIKKwWMagAFAAF3hDANBgkqhkiG9w0BAQUFADCBizETMBEGCgmSJomT8ixkARkWA2NvbTEZMBcGCgmSJomT8ixkARkWCW1pY3Jvc29mdDEUMBIGCgmSJomT8ixkARkWBGNvcnAxFzAVBgoJkiaJk/IsZAEZFgdyZWRtb25kMSowKAYDVQQDEyFNaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBBdXRob3JpdHkwHhcNMTAwMzI0MTcwNTI3WhcNMTEwMjE5MTgyNDUzWjB4MQswCQYDVQQGEwJVUzELMAkGA1UECBMCd2ExEDAOBgNVBAcTB3JlZG1vbmQxEjAQBgNVBAoTCW1pY3Jvc29mdDEMMAoGA1UECxMDaWRhMSgwJgYDVQQDEx9pcC1zdHMtMDEuZmVkZXJhdGVkaWRlbnRpdHkubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqQB1CIW67PoTYJPc5wgjF9qtyKHToKVesfMPgE5oNtg+d47DAHllO0vCGvhWmsaJhbimLXK1GzTno/pNMorvFqVQNV9Z9WUxw6tw6VLaUEDBaQ/Afd8SyoljDnaZuxn6tqLjGBR+QgX+SBFFyiQD9iZwVLc+7cblf9lRGoG9kfQIDAQABo4IDJDCCAyAwCwYDVR0PBAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATB4BgkqhkiG9w0BCQ8EazBpMA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBLTALBglghkgBZQMEAQIwCwYJYIZIAWUDBAEFMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBTpy6XhrWHQg+IRMqEPWBPt9nGZCTAfBgNVHSMEGDAWgBQUVcQ54D0u0VUuSJaw2H4UIgaTvDCCAQoGA1UdHwSCAQEwgf4wgfuggfiggfWGWGh0dHA6Ly9tc2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg1KS5jcmyGVmh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBTZWN1cmUlMjBTZXJ2ZXIlMjBBdXRob3JpdHkoNSkuY3JshkFodHRwOi8vY29ycHBraS9jcmwvTWljcm9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDUpLmNybDCBvwYIKwYBBQUHAQEEgbIwga8wXgYIKwYBBQUHMAKGUmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg1KS5jcnQwTQYIKwYBBQUHMAKGQWh0dHA6Ly9jb3JwcGtpL2FpYS9NaWNyb3NvZnQlMjBTZWN1cmUlMjBTZXJ2ZXIlMjBBdXRob3JpdHkoNSkuY3J0MD8GCSsGAQQBgjcVBwQyMDAGKCsGAQQBgjcVCIPPiU2t8gKFoZ8MgvrKfYHh+3SBT4PC7YUIjqnShWMCAWQCAQYwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAX3OLpn7dtTwxUdTbUQQpkmBDVgwOItpIuIykQw8ab7y94weVBkF58DX5KoZ+44eEq9kDh/LKBA5ncTrrNKc8TRypjBM1JgvaP+7WDStb4ll07r8Ka7Zskb+4RGFnZDVP91zMq6aw7C63UHCMQCMv4K7amKuq+dxJEEp+BCRyiMhbt0QQAY2Fv+IrEf/unLvV/TheZ7J5meKLV4tvZaAU4zFzHbfaZ1tGSr6ldhkL92Qqs8WF1nRfPyq3Jk+616KVZXyluBhDoK6sCGJdCzmP+CWhaOprCbPrM5GAFSig7TUTQymi87SNAM9H1dVaIfSysjc9BjhnhFm7HsINtj6S1g==" />

    </identity>

    </issuer>    

    The problem is that the certificate that is contained in this encoded value has expired since 2/19/2011.  They did put up a new certificate on the server but forgot to update the exercise description.

    To get this to work, instead of the suggested snippet above, use:

    <issuer address="ip-sts-01.federatedidentity.net/.../usernamemixed" bindingConfiguration="ip-sts-01.federatedidentity.net/.../usernamemixed" binding="ws2007HttpBinding">

     <identity>

       <certificate encodedValue="MIIF5jCCBM6gAwIBAgIKTPVCpAAIAAH4kDANBgkqhkiG9w0BAQUFADCBizETMBEGCgmSJomT8ixkARkWA2NvbTEZMBcGCgmSJomT8ixkARkWCW1pY3Jvc29mdDEUMBIGCgmSJomT8ixkARkWBGNvcnAxFzAVBgoJkiaJk/IsZAEZFgdyZWRtb25kMSowKAYDVQQDEyFNaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBBdXRob3JpdHkwHhcNMTEwMjI4MTgyNTU0WhcNMTMwMjI3MTgyNTU0WjAqMSgwJgYDVQQDEx9pcC1zdHMtMDEuZmVkZXJhdGVkaWRlbnRpdHkubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxwHgRsl3Pk9blgHI/jBozplW740UU+tx9kp5qYlsSZ2JRSWXpkNBJGGn4VeF/evW/d2Vo5D9ZZYOFoEh5x1G3RF+hEgRj3Na9P9GjfuJeB9CfL9HN5Z70tLgi/Swpd+zJxhOUrxBZFjzhwd9i17J9OAXnhoqdhPtPh4WIkCsuOrA0+B+mfhCsuCj+YYV6msXkzF7cdZ3HqN9x6fdG+2mA+am+Y4DKirs5TmhDolx32l0QdfhDLKI5/iwltgOvd/5d89AWKj1RlNewv4F6ZzuPev2PrRK3J1L7dGf0hMZYHmw1rGbEm5l/6zUif+3A1GS5M4C2aI0LULtTcATpLY6cwIDAQABo4ICqjCCAqYwPwYJKwYBBAGCNxUHBDIwMAYoKwYBBAGCNxUIg8+JTa3yAoWhnwyC+sp9geH7dIFPg8LthQiOqdKFYwIBZAIBCjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwCwYDVR0PBAQDAgSwMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFJcgzmxV2Eb/y2gP/WMIta+HPLSlMB8GA1UdIwQYMBaAFAhC49tOEWbztQjFQNtVfDNGEYM4MIIBCgYDVR0fBIIBATCB/jCB+6CB+KCB9YZYaHR0cDovL21zY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDgpLmNybIZWaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg4KS5jcmyGQWh0dHA6Ly9jb3JwcGtpL2NybC9NaWNyb3NvZnQlMjBTZWN1cmUlMjBTZXJ2ZXIlMjBBdXRob3JpdHkoOCkuY3JsMIG/BggrBgEFBQcBAQSBsjCBrzBeBggrBgEFBQcwAoZSaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvTWljcm9zb2Z0JTIwU2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDgpLmNydDBNBggrBgEFBQcwAoZBaHR0cDovL2NvcnBwa2kvYWlhL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSg4KS5jcnQwDQYJKoZIhvcNAQEFBQADggEBAODoj1Oh3FYsizwaDPKso3LGCGd9XTZtbDI/yB2QVWFWBN5OHVYMAhukXXZjtjGL9yNlPbl+ImP+BI//bAfQCuubavesBbf3wFtGJ7hpPpiKwhkKsLEKwldGrNAoSC2W6QFHCFhu0AjdO3GM8CQsqQ2cSAo6lWC+FNW1odZl0s6BqRTIsklFMHmqW7gmZwUbQCcjdiBx1KyzGttMt54mcH21QWeuICKGM/2cQdLVZOG+XpsSW00m0+lcUQeN/ZJ+S7j66gntc4dj8bdMMMzr3+zuoSd75Dv4qjsSnEc9KeXYTeDqc3e14RUkA0q+MjB88BX3DtzmSpZBQ6txlwV8R+U=" />

     </identity>

    </issuer>

    This refers to the new server certificate hosted at  ip-sts-01.federatedidentity.net. And that did the trick for me!

    Hope it helps some of you getting through the labs,

    Marco

  • Hi. Does the training kit cover the session management for active clients?

Page 1 of 1 (6 items)
Leave a Comment
  • Please add 7 and 5 and type the answer here:
  • Post