As promised, the recordings of the main sessions of the latest WIF Workshop are now available on Channel9!
The course starts from the very high level intro you’ve seen various times, and progresses into the deepest WIF training content we’ve ever published (that is, until this bad boy will be finally on the shelves).
In a short you can expect to see a new version of the Identity Developer Training Kit, which will include the slides used during the class and embedded players pointing to those very videos: together with the usual labs, that will truly be an event-in-a-box package you’ll be able to use if you want to redeliver a WIF workshop in your area!
WIF Workshop 1: Introduction to Claims-Based Identity and WIF
This session provides a light introduction to claims-based identity: the problems it solves, the canonical authentication scenario, key concepts and terminology. The main Windows Identity Foundation API surface for non-security developers is introduced.
WIF Workshop 2: Lab on Basic Web Sites
The first lab of the workshop offers an overview of what can be achieved when using WIF with Web sites: authentication externalization, integration with IsInRole and ASP.NET authorization, customization of the application via claims, claims-based authorization. This video introduces the viewer to the lab format and gives some advices about lab execution.
WIF Workshop 3: Scenarios and Architecture I
In this session you will learn about the difference between IP-STS and FP-STS and how to choose where to put STSes in your architecture. You will learn about federation, home realm discovery and how to leverage the WIF extensibility model in order to handle multiple identity providers.
WIF Workshop 4: Scenarios and Architecture II
This short session explores the architectural implications of using claims for authorization purposes
WIF Workshop 5: Lab about Web Sites and STS
The second lab of the workshop explores some of the patterns discussed in the former section. One lab demonstrates how a generic web site can be enhanced with identity provider capabilities regardless of the authentication technology it uses, simply by adding an STS page. Another lab shows how to use an existing membership store for authenticating calls to a custom STS and sourcing claim values.
WIF Workshop 6: WIF ASP.NET Pipeline and Extensibility Points
This session explores in depth how WIF tackles the sign-in scenario. After a general intro to the WIF configuration element, the session describes how WS-Federation is used for driving the various browser redirects which ultimately constitute the sign in experience. Most of the time is spent digging deep in how WIF leverages the ASP.NET HttpModule extensibility mechanism and its own classes & events for implementing the sign-in sequence.
WIF Workshop 7: WIF and WCF
This session describes in detail the difference between passive and active scenarios, specifically around the confirmation method for toekns (bearer vs. holder-of-key). The WIF object model and WCF integration are discussed, with special attention to similarities to what has been seen for the ASP.NET case and differences with the traditional, WCF-only programming model. The notion of trusted subsystem is explored at lenght, providing the backdrop for the introduction to WSTrustChannel, CreateChannelActingAs and CreateChannelWithIssuedToken.
WIF Workshop 8: Lab about WIF and WCF
This lab explores the idea of delegated service call via ActAs tokens: the exercise from the Web sites lab shows how to do that from an ASP.NET to a WCF backend, while the one from the WCF lab focuses on flowing identity info through a chain of services calls. The first exercise of the WCF lab does not use an STS for authentication. It uses username & password credentials, and is designed to highlight the differences between the old WCF-only model and the enhanced model offered by WIF.
WIF Workshop 9: WIF and Windows Azure
The last session of the training covers the use of WIF in Windows Azure. After a quick introduction to Windows Azure and the infrastructural differences between web roles and on-premises deployment, the session provides practical advices on aspects of distributed development such as handling NLB sessions, certificate management, dealing with volatile application URI, handling tracing, metadata generation considerations, and so on. The discussion covers both Web roles and WCF roles.
WIF Workshop 10: Lab about WIF and Windows Azure
The last lab of the workshop covers the use of WIF on Windows Azure, demonstrating in practice how to cope with NLB sessions, volatile application URI, dynamic configuration, metadata generation, tracing and so on.
Awesome! I'll be going through all of these. Was very much looking forward to this. This WIF looks very interesting to me and I've already played around with a bit. Very solid.
I'll be evaluating WIF to replace Shibboleth (SP/IdP) currently in place. Also I enjoy your videos very much (from MIX and others), the character you put into them is superb.
Thank you Zarooch, your comment made my day!!! :-)
Great series. I've been through them all and am now trying to apply to ADFS2.
One scenario you mention looks very useful, but I can't figure out how to do it in ADFS2; I'm sure I'm missing something obvious.
I have the standard, initial Identity STS in ADFS2, which authenticates against Active Directory and works fine with my sample web site. I want to add a Resource STS that will allow me to federate with other Identity providers (and also with my local AD STS as you describe). I can't see how to add the Resource STS.
What am I missing?
Thank you for sharing these excellent resources! I am busy convincing my client that ADFS is the way to go for the future! The one part that I dont understand is how AZMAN fits into this environment. How would a person assign user accounts to roles that are from a trust relationship? Looking forward to hear from you.
So many great resources for WIF! And I agree with Zarooch, the flair is awesome. Each article and video is a like a performance with a bow at the end.
So, after going through everything, I'm still looking for good info on SLO. I did everything in the training kit and then went on to create my own apps using the Claims Aware Web Site templates and hooked them up to the standard STS that VS 2010 generates. I log in and they correctly allow me to move between the apps without needing another login.
To get logout capabilities, I used the FederatedPassiveSignInStatus. However, I noticed after testing that it would log out of the app it was in and then send a message to the STS to log out the central session, however, that message didn't get out to the other relying parties so they were all still logged in. That as I understand it is the SLO scenario.
Is there something we can do to get SLO working with the standard STS that VS implements or do I have to wait until our IT staff set up ADFS 2.0 for us to use?
Hi we are planning to launch few of our web applications (ASP .NET and ASP MVC) on cloud (azure). For our internal users (i.e. windows domain users) and other business partners (B-2-B) we are planning to use WIF (and federated) for user authentication. Some of the above examples will definetly help us to come with the right architecture. (Thank you Vittorio )
We have approx 10000 customers whose credentials (user id, password) are currently stored in a SQL Server table.
Question is what is the best practice (for cloud implementation) to manage authentication for those 10000 customers (who are not domain users) using WIF featires ? Pl point me the right articles or example descrbing the above scenario.
Thanks in advance.
glad to help ;-)
We currently don't have a cloud-based offer for hosting your 10K credentials. I see two possible solutions: one is migrating those credentials to some public web provider and then use something like ACS for federation, the other is to build your own custom STS and run it in the cloud. The latter can be very tricky to pull off
Thanks for the excellant article and downloads.
I am trying to secure WCF services by implementing claim based authenticaion using WIF.
The WCF services are consumed by web clients over internet. These clients are not domain users, however each client is assigned with unique user id and password and it is stored in SQL database.
I am planning to develop active STS for WCF authentication. Is this corrcet approach?
Can you please suggest the best practice for implementing claim based authentication for securing wcf services consumed by web clients over internet?
Thanks and regards,