mszCool's thoughts and cents revealed : Architectural Thoughts

Identity Interop Update for our Interoperability Council: ADFS v2 and WIF Interop with Sun OpenSSO, Novell Access Manager, CA, OpenID and Sun Metro / WSIT

mszCool — Thu, 05 Nov 2009 13:30:10 GMT

As today we’re going to host our 3rd Microsoft Austria Interoperability Council, I thought that in addition to our existing results we’re presenting today, it’s a good time to publish an update of my Identity Interoperability Demos and samples I created earlier this year.

Furthermore, based on the feedback of members from our interop-council, I’d like to provide a few links with more information on Identity Interoperability between Microsoft Windows Identity Framework (WIF) and Active Directory Federation Services v2 (ADFS v2- both formerly codenamed Geneva Framework and Geneva Server).

The Foundation – OASIS Identity Metasystem

Primarily the foundation for all these interoperability thoughts is the Identity Metasystem vision originally started by Kim Cameron (Microsoft – see article on MSDN). More information on the official standards can be found on the following link:

http://docs.oasis-open.org/imi/identity/v1.0/identity.html

Sun Metro / WSIT Interoperability

The interop-identity PoC I’ve created demonstrates interoperability with Sun Metro / Web Services Interoperability Toolkit. For the PoC you need a Glassfish v2 application sever to host a Java-based Relying Party and integrate this RP with a .NET-based Security-Token-Service (STS) and a .NET-based client. The PoC shows, how you can integrate Java-based services in a Windows-based security-infrastructure based on standards.

Click here to download the lates version of my ID-Interop-PoC

Click here to view my previous blog-entry on how-to setup the PoC

Note, that the download package is a little big larger this time. You don’t need to download any additional bits. Everything including all Java-Pre-Requisites is included, except Microsoft Geneva Beta 2 (click here to download).

Interoperability with CA, Novell Access Manager, Sun Open SSO

While working with colleagues (Michael Steinböck, Dominik Paiha from Microsoft) on a proposal for a customer (who is also a member of the council) on identity interoperability, we’ve collected a number of additional resources on identity interoperability. First and foremost I would like to mention papers on interop between Sun Open SSO, Novell Access Manager and CA.

Click here to download Interop-Whitepapers for ADFS v2 (Geneva)

OpenID Interoperability with Microsoft ADFS v2 and WIF

Also a question continuously asked is the interoperability between the Microsoft-platform and OpenID. Of course OpenID can be used as a means of authentication on top of a WIF/ADFSv2-based STS.

Thanks to Matias Woloski who is working very close with Microsoft’s patterns & practices team, you can find more information and a conceptual view below (click image to enlarge):

Click to read Matias’ blog entry on OpenID integration

Click to get to DotNetOpenAuth, a library for .NET-OpenID-integration

Download .NET Open Auth here

Novell Bandit Project provides Information-Card Interoperability

In partnership with Microsoft, Novell is working on an initiative called “The Bandit Project”. This initative provides components and source code to implement a complete Identity Metasystem-based solution with STS, RP and even identity selectors (DigitalMe) for clients. To get these components to ensure complete interoperability of your Java- and browser-based components and end user experience on Linux, click the link below:

http://www.bandit-project.org/

Identity Interoperability with IBM Tivoli

At last year’s PDC 2008, Vittorio Bertocci and Kim Cameron demonstrated interoperability with IBM Tivoli access manager and ADFS v2 / Geneva Framework.

Take a look at Vittorio’s blog here for more details.

Click to view the session, directly, and get the info from live-demos.

Interoperability between Shibboleth and ADFS

Microsoft published a guide on interoperability between Shibboleth and the Microsoft platform for it’s previous version of Active Directory Federation Services, already. Of course this guide is still available.

Download Shibboleth – ADFS Interop here.

With ADFS v2, Microsoft is implementing the SAML 2 protocol in addition to the WS-* protocols which are available in both, ADFS v2 and the Windows Identity Framework. Having that said, interoperability will be given for Shibboleth and ADFS v2, as well. I’ve found the following references on this interoperability and I’ll continue my search to find or build more concrete step-by-step guides and samples on this kind of interoperability:

Geneva and SAML 2 from Don Schmidt of the identity-team

SAML 2 protocol and Shibboleth Interop-Announcement

Patterns & Practices Identity and Access Guide

Finally I wanted to share one last, extremely important resource. My friend Eugenio Pace from the Microsoft patterns and practices team in Redmond is currently working on a PnP-guide on identity and access management using ADFS v2 and WIF. This guide is currently under development and is published as a open project on www.codeplex.com. That means, feel free to start reading through the guide and provide the PnP team with feedback as much as you can and about all the things you would love to read there.

They are also working on a guidance on how-to implement BOTH, single-sign-on (which is available out-of-the-box in Geneva) and single-sign-off, which is a very special challenge, typically!"

Click here to get to the guides workspace on codeplex.

Click here to get to Eugenio’s blog.

Final thoughts

I think, these are some of the most important pieces of information, architects and developers need when it comes to thinking about identity interoperability. I personally strongly believe in all the parts of the identity metasystem vision and claims-based security. I also see, that most of the vendors are (slowly) moving towards this direction with their products and offerings.

So stay tuned, keep your eye on all these things.

Cheers
Mario

Presentation at Microsoft TechReady in the US on Always Responsive Applications and Services with samples using CCR (Concurrency and Coordination Runtime) as well as .NET 4.0 Task Parallel Library

mszCool — Fri, 31 Jul 2009 02:00:40 GMT

Today in the morning I gave a presentation at Microsoft’s largest internal conference for employees in Seattle, WA (called TechReady, about 5000-6000 Micorsoft employees are there on technical education).

The presentation I gave is essentially based on the whitepaper I’ve written and we’ve published a few weeks ago together with Frequenits AG on always responsive and scalable apps and services. You can find more details as well as the paper for download here.

While the presentation is strictly confidential, I can publish the demo scenarios. Therefore click the link below if you are interested in a complete scenario that shows asynchronous processing within clients and services as well as across services… of course I do not cover all possible “exceptions”, but it’s a starting point.

Click here to download the demo
(for Visual Studio 2010 Beta 1, only, I will provide a VS 2008 version with CCR-only implementations soon)

The demo scenario supports a few arguments discussed in my whitepaper as well as the presentation:

Performance comparison between Peer-2-Peer and Service-bus based communication metaphors.
Base classes for implementing the Command/Job/Queue patterns discussed in the whitepaper.
And finally – a mapping of these patterns to .NET Framework technologies that definitely help implementing the patterns themselves. I include two implementations, one that uses the Concurrency and Coordination Runtime from the Microsoft Robotics Studio and another one that uses the .NET Framework Task Parallel Library that we are going to publish with the .NET Framework 4.0. To switch between those two implementations, just modify the JobManagerFactory in the AsyncDemo.JobLibrary project to use one or the other implementation.

The project with Frequentis definitely showed me, that Asynchronous programming and thinking is not just for the sake of performance, it’s also for “responsiveness” and “availability”. The neat thing is, that simply by keeping a few things in mind, these things can go hand-in-hand.

Nevertheless, it was very special for me delivering this session at TechReady. Seven years ago, right before I started working for Microsoft in October 2002, Seattle was the place where I attended the first Microsoft conference of my life (and the first conference in the US, at all). And it was in the very same location as TechReady this year – in the Washington State and Convention Center, in the Sheraton Hotel and Hyatt Hotel in Seattle.

My session was in one of the Grand Ball Rooms in the Sheraton with about 100 attendees… and back in August 2002 I had my room in the Sheraton at the Windows .NET Server 2003 conference… at that time I would have never thought that I will hold a session in the same location at any time:) So this was special for me! And I hope it was not for the last time!

Project with the Medical Association in Austria, a Pragmatic Services Architecture with .NET 3.5 and SQL Server 2005/2008

mszCool — Tue, 05 May 2009 21:46:50 GMT

Hint: technical presentations about this project as download in the link list at the end of this post!!

This year the Austrian medical association together with the medical associations of the different federal states in Austria as well as one of our Gold-certified partners, Anecon Software Design und Beratung GmbH., completed a project we (Microsoft Austria) started together on the country-wide management of data for medical practitioners and their ordinations.

The management of this data is prescribed by the Austrian law and is used for several scenarios such as sponsorships of medical practitioners, promotions, payments, traceability or even for support in lawsuits and is therefore mission-critical!

Attached to this blog-entry you will find two presentations with technical information on how we architected the solution. While the first presentation (Part1.pdf) contains shows some of the most important requirements within the environment, usage-scenarios of technologies as well as some really cool screen-shots of parts of the application, the second presentation (Part2.pdf) is based on an architectural specification I’ve written for the project on where and how-to apply which technologies of the .NET Framework 3.x in the application architecture.

Understanding the political and technical environment

Austria’s health care environment is one of the most complex political environments in Europe – and the most complex political environment in the country itself. The environment is organized in a federal way, that means each federal state of Austria (we have 9 of them) is treated as an autonomous unit.

Therefore each federal state has its own state-medical association with its own responsibilities and duties. Many of these responsibilities and duties are self-managed by these medical associations for a federal state, but on the other hand many of them are prescribed by a country-wide medical association which is the Austrian medical association.

Having these autonomous associations’ leads to the fact that each association manages both, a common set of information on medical practitioners which is prescribed by the Austrian medical association as well as its own, additional set of information they want to and need to manage for the federal state they’re acting in. That means that the application of discussion of this web blog as well as the attached presentations need to be deployed in each federal association with their own data storage, their own service instances and client applications while on the other hand they need to synchronize the common set of data between the federal associations to be able to manage and process data on medical practitioners having ordinations in multiple federal states.

Finally that means we are talking about federated data and federated services from a technical point-of-view with medical associations in the states within Austria as well as one overall organization which is the Austrian medical association. Technologies such as workflows for synchronization using SQL Server Service broker for data-synchronization transactions with “transformation”-rules in between are core in the application architecture.

The role of the medical association, Anecon and Microsoft in the project

Requirements as well as the underlying data model haven been defined by a working group defined by the Austrian medical association that consisted of several representatives of the different medical associations from the federal states. Our partner, Anecon, was responsible for the design, implementation and test of the overall solution based on latest Microsoft technologies. We from Microsoft acted as a trusted advisor for the Austrian Medical association: Robert John, our business development manager ensured getting the right support from the Area and Microsoft Corp. while I helped creating the overall architecture for the system together with Anecon and the representatives of the medical association.

Download the presentation

Requirements, usage-scenarios of technologies and screen-shots from Anecon

Core technical architecture recommendations from Microsoft / Mario Szpuszta

Involved technologies, links and further resources

.NET Framework 3.5 (incl. Service Pack 1)

Windows Presentation Foundation

Windows Workflow Foundation

Windows Communication Foundation

SQL Server 2005 and SQL Server 2008 (for newer deployments)

SQL Server Service Broker

Microsoft Patterns & Practices Home

Microsoft Patterns & Practices Application Architecture Blueprint

TechEd Europe 2008 - Downloads and Architectural Thoughts

mszCool — Tue, 16 Dec 2008 19:32:11 GMT

A little late but nevertheless I managed to publish my demos from this year's TechEd Europe 2008 in Barcelona from my session on the identity meta system applied to real world projects in Austria.

As mentioned, the experience I summarized in the session comes from a project we've been driving in Austria in the electronic health care sector as outlined in issue 16 of the architecture journal in my article.

You can download the demo applications from my session at TechEd by clicking the link below:

Also here you can download the presentation material of my session by clicking below:

Essentially in my presentation I really focused on discussing four things where in my opinion the concepts from the identity meta system vision really helped us implementing our stuff:

Clear separation of concerns
Separation of where authentication happens from where authorization happens enables you switching authentication modes without affecting your back-end services. If authentication happens at all your services, you need to touch all the clients and services for doing so. If you separate authentication out into a Security Token Service you just need to touch your clients and the STS while the services at the back end can remain untouched. In the attached demos you need to work with the NET.SecondTestClient, the mszcool-ActiveSTS and the ClaimsAwareWebService-VS2008 projects to test out what I've shown in my session.
Simplification through Claims
Claims-based security helped us implementing the two-factor authentication that was a requirement for according to the strong data protection law. More on that later in this post.
Building bridges between domains and/or platforms
On the one hand side trust-chains between Security Token Services helped us separating out responsibilities and ownerships given based on political reasons while still remaining an easy possibility to change these responsibilities and ownerships by just merging or splitting STS'es if the political interests changed. On the other hand transformation of tokens from rather proprietary tokens to standardized tokens is another thing where the separation of concerns between authentication (STS) and authorization (Relying party service) really can help. In the attached demo you need to work with the JavaWebHostNew Netbeans 6.5 project as well as the NET.TestClient and the SimpleActiveSTS-VS2008 projects to try things I've shown in my session at TechEd.

Coming back to the second point I outlined above. If you're working with the NET.ThirdClient, the mszcool-activeSTS and the ClaimsSuperTokenService you can try out a simple implementation of our approach for making sure that only things are published into some e-health system if the patient explicitly agrees at leat two times. The model from a business point-of-view was the following:

For getting read access, a patient needs to explicitly authenticate with his e-card when visiting a doctor for a medical treatment at the reception. For the time of the treatment the doctor got read-only access to documents published in a variety of e-health services. For this purpose, the e-card STS issues a standard-token with standard-claims based on the e-card authentication. e-health services do not allow to update any content with this standard-token because the STS does not add a what we called super-token-claim.
For updating content in e-health services the patient needs to explicitly authenticate for each update-process in addition to the previously mentioned, first authentication step. During this authentication the client application sends the previously issued token as a means of authentication to the STS which leads the STS to add a super-token-claim to the issued token. Therefore e-health services detect the presence of the super-token-claim and allow writing / updating content to their storage.

Subsequent graphics should outline what's going on there. Take the first graphic as an example. Here the previously defined process is executed as needed. The client authenticated for read-stuff and gets a token for reading stuff without the super-token-claim. Later during the medical treatment the doctor wants to publish stuff and therefore the patient authenticates a second time. That second authentication includes the previously issued SAML token which leads the STS to include the super-token-claim in the newly issued token. With this newly issued token the client software of the doctor can issue an update on the back end e-health service of the current context.

If one of the authentication steps, either the first or the second one is missing, the STS won't issue a token with a super-token-claim. And therefore the e-health services should and can simply deny access to any updating operation - based on a simple query whether a claim has been added to the token issued by the STS or not. The following graphic demonstrates what happens if the client tries to update content in an e-health services without the first authentication-step so that you can better understand our selected approach and idea:

The neat thing is that the e-health services really just need to query the issued SAML-token from the STS for the super-token-claim. If it's there let updates happen, if not then not;) As simple as that. In classic scenarios they would need to manage sessions, state and all that stuff what is much more complicated.

In my opinion this really shows, how claims-based security (as a part of the concepts from the identity meta system vision) really simplifies complex processes in the security world by separating the responsibility of authentication from authorization and by making authorization as simple as querying standardized tokens for claims.

If you're interested in my approach for building bridges between platforms through the separation of concerns with STS'es and relying parties, just take a look at my previous posting which I created for TechEd 2008 and the local DevCamp conference here...

Any questions - feel free asking me through comments or the contact link here of the blogging-engine;)

Cheers
Mario

DevCamp 2008 - Making Security-Interoperability work with a Zermatt-based Security Token Service (STS), a .NET Client and a Java Web Service hosted in Glassfish

mszCool — Thu, 30 Oct 2008 19:07:05 GMT

(Click here to download my Security-Interop-Sample)
(Click here for downloading the presentation)

While I am here at PDC studying the most exciting new stuff from Microsoft around Software+Services and much more interesting platform-enhancements (Dublin, Velocity, Geneva etc.) I promised about more than a week ago at the DevCamp 2008 conference in Vienna that I will publish some details about a demo on security I've shown in my session about applying concepts from the Identity Meta System Vision in the real world for heterogeneous environments.

The session itself was all about taking the separation of concerns in terms of authentication and authorization that is proposed by federated identity patterns. Furthermore it was about learning, how this SoC can help you solving real world problems when it comes down to implementing security in your solutions.

Click here for downloading the presentation. I'd strongly recommend you do this before moving on in this post!

In the last demo I've shown a Security Token Service (STS) written with Microsoft Codename "Zermatt" that authenticates requests coming from a .NET-based client application through Windows Authentication and transforms the (proprietary;)) Windows-token into a standards-based SAML-token. Why that? Well, non-Windows based platforms won't be able to deal with a proprietary Windows-token for authorizing requests - especially if they're not running on Windows. But they will be able to work with SAML as it is just a signed XML with information about an authenticated user proofed by an identity provider (the security token service). The following picture shows the scenario I've implemented:

In this post I give you a step-by-step guide how-to setup the samples which you find for download under the following link:

Click here to download my Security-Interop-Sample

In the following sections I summarized the pre-requisites and steps you need to complete for making the sample above work!

Installation Pre-Requisites

Microsoft-Part of the Sample

Visual Studio 2008 with SP1 installed
(Service Pack 1 download here)
.NET Framework 3.5 (with SP1 installed)
Microsoft “Zermatt” (now Geneva Identity Framework) CTP
(I have included the version of Zermatt-CTP that I've used for developing the sample in the download so that at later point of times you can try this in an isolated environment without bothering with some breaking changes in Zermatt at first place;))

Java-Part of the Sample

Java2 SDK 1.5.0 with Update 15
Netbeans 6.5 Beta IDE with Glassfish v2
JCE Policy Files installed
Dom4j 1.6.1 and Jaxen 1.1.1 installed
Appropriate Java environment variables set for command prompts. For this purpose I added a sample “Java Command Prompt” batch file to the download (located in the "Pre-Requisites\Java"-directory). You need to adopt it based on your installation-path values on your machine.

Steps to make the Microsoft / .NET Side running:

Install the certificates using Zermatt Samples Utilities
The necessary batch-files for doing so are located in the Zermatt Directory (typically “C:\Program Files\Microsoft Code Name Zermatt\Samples\Utilities”) – execute the SamplesPreReqSetup.bat in a Visual Studio Command Prompt as Administrator.
Run Visual Studio 2008 as Administrator and open the SimpleSTSForActiveClients-VS2008.sln Visual Studio 2008 solution located in the “<your working folder>\DevCamp\Simple STS For Active Clients” directory. This is a modified and extended version of the standard Simple Active STS sample included with Microsoft Code Name “Zermatt”.
Right-click the solution and configure the startup-projects so that the STS, the .NET-based test service and the test-client start-up as shown in the following screen-shot:
Try the solution by pressing CTRL-F5 in Visual Studio to run everything without debugging. Important is that you follow the following steps in the running applications:

In the “ClaimsAwareWebSErvice-VS2008”-project enter “1” to take the included simple active STS as a security token service.
In the client application type in “net” to call the .NET-based service and verify whether the STS and the .NET-based service as well as the client are working properly on your machine!

Make the Java-Side working

Now, after the .NET-based solution is running, we can move forward by making the Java-version of our claims-based web service running. For that purpose follow the subsequent steps:

First of all run Netbeans Developer studio as administrator and make sure that all application server references are registered with your IDE. With the Netbeans 6.5 beta I’ve installed, just Glassfish v3 was included in the server list. So you need to add Glassfish v2 (which is the one I’ve tested the service with) to your services list. For that purpose follow the next sub-steps but note that by default Netbeans should create a personal domain during the installation of the IDE:

In the left panel switch to the services tab and open the “Servers” tree-view element.
Right-click the “Servers”-node and select “Add Server”
Select “Glassfish V2” from the list and leave the name below as it is.
Create a personal domain for the application server that will install some configuration files in your local user profile. These files also will include the certificate store for your development instance of the app-server.
Select a folder for the development domain where you would like to install the configuration files to as shown in the following screen (note that there it will be “D:\Data\.testDevDomain” which is what I will refer to later on, as well)
Then you will have to select an administrator user name and a password and afterwards you will need to specify the ports on which the server is running. Make sure that nothing else runs on these ports and note the ports as you will need them later on.

Then open the Java-project I’ve included in the samples-download. This project is located in the “<your working folder>\DevCamp\JavaWebHostNew” directory. Just let Netbeans point to that directory in the open-project dialog and it will detect that this is a Netbeans-project, automatically.
You probably will need to update a few references to point to dom4j and Jaxen as I use these libraries for some XML processing in the test application. Netbeans will warn you if you need to update the references. If so, switch to the “Projects” tab in the panel on the left, navigate to your project “JavaWebHostNew” and within there on the libraries-node. Right-click the “Libraries”-node and select “Add Jar / Folder” from the context menu. Add the “dom4j-1.6.1.jar” and the “jaxen-1.1.1.jar” files as libraries this way to your project. I’ve included them in the download in the “<your working folder>\DevCamp\Pre-Requisites\Java” directory”. Also remove all broken references from the project by right-clicking the project and going to the properties:
After all libraries and references are set-up correctly, you should be able to compile the solution using Netbeans, successfully. Next we can start configuring the application server appropriately to make this stuff running.
Next we need to install the Java cryptography policy extensions (JCE) with Java to be able to work with our certificates. For this purpose copy all files from the “<your working folder>\ DevCamp\Pre-Requisites\Java\jce”-directory to the “C:\Program Files\Java\jdk1.5.0_15\jre\lib\security”-directory and overwrite all files.
Now we need to install certificates for the two sides of the application – first the Java-service needs to be able to trust the STS and therefore it needs to have the STS’s public key in its trusted certificates store and second the .NET client and the STS need to have a way to trust the Java service and therefore we need to export the public key from the Java service’s certificate and import it into the Windows certificate store.
To ensure, that the Java-service is able to trust and validate tokens issued by the STS, execute the following steps on your machine.

Export the STS certificate from the Windows certificate store as DER-encoded file. Only export the public key. Store the file to a directory of your choice. The certificates are installed in the personal store of the local computer by the previously executed Microsoft Code Name Zermatt Samples Batch-file utilities when setting up the .NET based solution, before. You can get to the machine’s certificate store by starting a management console (mmc.exe) and selecting “File – Add / Remove Snap-In” and then select “Certificates” from the list, click the “Add >” button and then click okay. Make sure that you select “Computer Account” and “Local Computer” when adding the snap-in. You’ll find the certificate as shown in the following screen-shot:
Import the STS-public key certificate in the trusted certificates store of your Glassfish personal domain by executing the following command (typically the password you have to enter is changeit by default):
keytool -import -alias sts -file sts.cer -keystore "d:\Data\.testDevDomain\config\cacerts.jks"

Next we need to ensure that the STS and the client can trust the Java service. For this purpose we need to export the Java service’s certificate and import it in the Windows certificate store. To do so, follow these steps:

Execute the following command to export the default service certificate from glassfish with its public key. This certificate is typically called s1as.
Now import the certificate in the personal store of the local computer of the Windows Certificate store. Also import the certificate into the trusted people store so that the validation of the certificate can succeed.

Before we test the web service solution we need to make sure that the correct WS-Policy configuration is set for the Java Web Service. For this purpose open the “Web Services”-node in your Netbeans-project and double-click the “JavaTestService” Web Service in the project. In the designer then click the “Advanced…” button to open the web service configuration dialog and make sure that it looks as shown in the following two screen-shots:
Finally you can un-deploy and deploy the new service to Glassfish as shown in the following screen-shot.
It’s important that you note the URL on which your web service is listening depending on the ports you configured for your Glassfish application server instance and development-domain. Typically this should appear in the output-window within the Netbeans-IDE for Glassfish as shown in the following screen-shot:

Final steps and then running the application

After you have configured Glassfish, configured the Java Web Service and deployed it, successfully, you can try the interoperability solution between Java and .NET. For this purpose you need to update the .NET test-client’s configuration to point to your running Java web service and then run the application. The URL to the Java-service is configured in the client’s App.config (NET.TestClient in my sample solution) as shown in the following screen-shot:

Just one last step before running it – you need to update the STS so that it encrypts the SAML-token with the certificate of your Glassfish Java Web service. As these certificates are re-generated for each machine you need to update my code in the sample to make it work. Update the certificate-name in the project “SimpleActiveSTS-VS2008” of my solution in the file “MySecurityTokenService.cs” and change the common name of the certificate to yours (you should only need to replace the machine-name part of the common name which is “vaiom” in my sample and should be “yourmachinename” in your environment):

After you have updated this one you can try to run the solution and instead of calling the .NET-based service you can call the Java-service by entering “java” instead of “net” when the client asks you which web service it should call. The following screen-shot shows the resulting application in action.

In the console-windows you can see the .NET-based applications running: the claims-aware web service which is not called in this scenario, the security token service which issues a SAML-token based on the Windows identity the client authenticates with and the client itself that calls the Java service this time. In the background you can see the Netbeans IDE with the Glassfish output Window where clearly the Java application outputs the contents of the SAML token it gets passed from the STS. That SAML token just contains claims extracted from the Windows-token the client authenticated with against the STS. And that way we managed to make security-interoperability happen by transforming a proprietary Windows-token to a standardized SAML-token through an STS and give Java access to the contents of the Windows-token. Of course the Java-application could run on a Linux-box as well and still you would be able to use Windows and AD as the primary identity management system for managing users, groups etc. and include Java-services (or other services) running on any OS with your security-infrastructure as they don’t need to know about any details of the security infrastructure. The only thing they need to know is the Security Token Service which proofs the fact that the user has been authenticated successfully by passing a signed SAML-token through the client to the Java-service. In my opinion that shows one of the things that unveil the real power of a federated identity infrastructure based on the WS-* standards...

If you have any feedback or questions, feel free getting in touch with me through my blog;) ... of course I'd be happy about any feedback:)

Cheers
Mario

Microsoft Patterns & Practices Application Architecture Guidance v2

mszCool — Thu, 02 Oct 2008 22:36:35 GMT

For a long time the application architecture guidance from the patterns & practices team remained unchanged... and it was inherently necessary to give it an update with all the new technologies and also trends appeared on the market.

Now the first messages are out... just take a look at the blog of my peer Cesar from Spain - he created a pretty cool mind-map with the topics addressed by the new App Arch Guidance.

Check out the following links:

Cesar's blog entry on App Arch v2
J.D. Meier's blog entry summaring new guides
Application Architecture Guide v2.0 Info
Key Features of App Architecture Guide v2.0
The Meta-frame for the App Architecture Guide

I hope that the team will release the guide as a printed book as well as they did with the previous version of the guide. I'll definitely spend one of my upcoming weekends reading the guide;)

Cheers
Mario

Migrate from CAB/SCSF to Composite WPF Guidance / Prism!?

mszCool — Fri, 11 Jul 2008 16:47:56 GMT

Finally, after the Composite Application Guidance for WPF (codename "Prism") was released last week, I started thinking about necessary steps for migrating CAB/SCSF based solutions to the new Smart Client framework built with WPF. I also started migrating the solution I've created for last year's TechEd and for the HP banqpro/ case study to Composite WPF guidance.

I would like to share the thoughts I made with you right now... but don't expect this to be the only post about this topic. I believe while moving on with the migration I definitely will find out some more things and my thoughts will evolve, definitely;)

Important note: please understand that these are my own, personal thoughts and that this is NOT Microsoft's official opinion and this is not an official Microsoft-statement at all!

#1: What should I use when starting a new project?

My personal conclusion: For me that question is obvious: use Composite WPF guidance and WPF if your client-hardware is sufficient for WPF.

WPF adds a lot value that make things for development of enterprise line-of-business client apps much easier - although the design time experience isn't where it should be, today. And Composite WPF brings you the framework for building extensible and manageable enterprise-level smart clients with WPF! So just use it!

#2: Should you migrate to Composite WPF from CAB/SCSF?

Of course many customers are asking this question right now. They are afraid that they are using an old technology which is not going to be state-of-the-art anymore and running into panic-mode.

Well, I don't see it that critical. CAB/SCSF is still driven forward by the community (see SCSFContrib, SCSFWPF etc.) and there are lots of people out there answering questions, sharing experience etc. Furthermore according to the Microsoft homepage it is still supported the same way it was supported all the time: it is simply treated as custom code in support cases with Microsoft.

My personal conclusion therefore: if you do not get additional business value out of Composite WPF and if you are happy with CAB/SCSF in your solution, why should you take the effort of migrating to it!? Then you don't need to... some good reasons to migrate might be:

native WPF implementation that leverages the base classes of WPF such as its existing command mechanisms etc.
more lightweight - Composite WPF is more lightweight than CAB/SCSF and I had the feeling that it is easier to learn...
extended flexibility of Composite WPF: you have the choice which features you want to use and which you don't want to. Composite WPF features are independent from others - e.g. you could use the MVP/MVC implementation without being bound to any "Controller" or "WorkItem" base classes or to the dependency injection mechanisms.
the new Unity framework as an easier-to-use, more lightweight dependency injection framework
the ability of Composite WPF to use another dependency injection framework such as spring etc.

But these are just some thoughts that went through my head. And again - for me important is that if you don't get any value for YOU out of these advantages then why migrate!? There is no reason for doing so. If you get additional value, then let's go;)

#3: How do components from CAB/SCSF map to Composite WPF?

As far as I have seen, the Composite WPF framework achieves exactly the same goals as CAB on it's own. There is no replacement for SCSF available, so far, and according to Microsoft none is planned for the foreseeable future. The team is in a kind-of gathering customer feedback loop right now;) Okay, but let's map some features from CAB/SCSF to Composite WPF - I assume that you read my paper on CAB/SCSF to fully understand the following table...

Shell Workspaces	Region Managers
Shell UI Extension Sites	none
WorkItem class	none or your own ordinary class It's on you whether you want to use "use case controllers" as described in my paper or not. And if, you just create ordinary classes without any attributes or base-class dependencies;)
WorkItem - Use Case Controller-part	none
WorkItem - Container-part	Unity Framework and it's container capabilities
WorkItem - Client Services management	Unity Framework and it's container capabilities
Event Broker	Event Aggregator
Command Pattern	WPF Commands and/or Composite WPF extensions to WPF commands
Dependency Injection	Unity Framework or your own
Smart Parts	WPF controls as views
Presenter class	none or your own ordinary class It's up to you whether you use MVP/MVC - and if you just implement ordinary classes without any attributes or base class dependencies.
ModuleController, ModuleInit	IModule classes
ProfileCatalog, ModuleEnumerator/Services	ModuleEnumerator

As you can see, Composite WPF supports all scenarios but leaves you more "freedom" of whether you want to implement a scenario or not. And also if you implement a scenario you often don't need to inherit from any base class or apply attributes in most cases. That means you can build-up your own hierarchies without running into too many dependencies of the Composite WPF guidance.

#4: The very basic steps to get from CAB/SCSF to Prism

These are some of the first steps I had to complete while migrating the shell and modules from CAB/SCSF to prism. Essentially these where the following:

Create a new solution for the Composite WPF version of my demo.
Import the interface libraries from the CAB/SCSF solution to the Composite WPF solution and remove all namespace-, attribute- and base-class references to CAB/SCSF-related classes.
Re-create the shell as described in the guidance: I have to admit I didn't even try to migrate the shell because many of the concepts are different. But I left my IShellExtensionService interface concept and therefore I was able to hide this pretty heavy change from the modules I migrated later on.
Add a new class library with some of my own base classes:
(1) A Controller base class with a state-bag to replace WorkItems. This is a simple as possible and I just used it because I used the WorkItem.State property. (2) A presenter base class with a reference to the original work item.
Add the first CAB/SCSF module to my new solution.
Replace the "ModuleInit" class by a IModule implementation. I even left the ModuleController-concept for simplicity.
Remove the WorkItemController base class reference in my ModuleController class and replace it by the Controller-base class I created in step 4.1 above.
Replace CAB-Commands [CommandHandler] by DelegateCommands as used in WPF and WPF composite guidance.
Replace all WorkItem.Service usages against a Unity Container Service usage.
UI Extension Site usage must be replaced by my IShellExtensionService concepts as described in my paper as they are not available anymore. Or you create your own IShellService that supports extension of menus etc. in your shell.
Uncomment CAB/SCSF generated code in the code-besides of the smart parts.
Remove all attributes in Presenter classes and SmartParts which are specific to CAB/SCSF.
Replace all WorkItem classes with your own, custom Controller classes that inherit from the Controller-base class I've created in step 4.
Update the configuration and run the application:))))

I know, that looks heavy, but it took me 1/2 day to migrate the first two modules and the shell from CAB/SCSF to Composite WPF guidance without having played with the new guidance before, at all!!!! So I was a bloody beginner with Composite WPF guidance when I started and it took my just 1/2 day...

I have published the first version of my migration solution where I completed the tasks described above for the first two modules of my last year's TechEd demo.

You can find that download in my previous post.

While this is just a first step I know that I will encounter some additional issues when I have time migrating the remaining parts... so stay tuned on future entries about this story... whereas I am not sure whether I will be able to do this soon:))) because... well... it's vacation time:)))

Cheers
Mario

LINQ to SQL and my Previous Architectural Thoughts

mszCool — Thu, 26 Jun 2008 00:16:19 GMT

Thanks to Jim Wooley I have to extend what I wrote about my LINQ-Architecture thoughts before. Actually LINQ to SQL supports putting the OR-Mapping definitions into a separate XML file instead of having the mapping meta data applied as attributes on your classes and properties. Just take a look at the following blog-entry:

http://www.thinqlinq.com/Default/LINQ-to-SQL-support-for-POCO.aspx

It describes how-to put the OR-Mapping meta data into a separate XML file.

Nevertheless the mapping-mechanisms of LINQ-to-SQL are much simpler compared to full-blown OR-Mapping frameworks such as the ADO.NET entity framework. And still I believe that the performance of simpler mapping mechanisms will be higher, of course. So the fact that this is possible does not really change anything to my recommendations in terms of deciding which DB technology to use when;)

Anyway, thanks to Jim who pointed me to the link above. It's pretty cool that LINQ-to-SQL also supports a more "generic" mapping approach even for the small-to-medium sized applications.

LINQ Workshop with Ernst & Young - Which Data Access Technology should I use?? - My Thoughts

mszCool — Fri, 13 Jun 2008 14:52:33 GMT

While preparing the workshop and discussing the variety of LINQ technologies in the aforementioned workshop I really started thinking of when to use which technology in the big landscape of data access possibilities on the Microsoft platform. Summarizing the technologies we have there you see the following now:

Technology	Available since
ADO.NET Command, DataReader	.NET 1.x / 2.0
ADO.NET DataSets, DataTables	.NET 1.x / 2.0
ASP.NET Data Source Controls	.NET 2.0
Windows Forms Data Source Controls	.NET 2.0
LINQ Foundation	.NET 3.5
LINQ to DataSet	.NET 3.5
LINQ to SQL	.NET 3.5
LINQ to XML	.NET 3.5
ADO.NET Entity Framework	.NET 3.5 SP1
LINQ to Entities	.NET 3.5 SP1
Dynamic Web Data Forms	.NET 3.5 SP1
ADO.NET Data Services	.NET 3.5 SP1

Lots of technologies and that of course fires up the question of what to use when!? I tried to think a bit about it and came up with the following conclusion as my personal opinion.

I think you should base your decision based on two factors: how fast do you need to be (Developer Productivity axis) and how are your requirements in terms of maintainability/flexibility and performance. Having that said I see the world as follows:

If you need high performance in an enterprise-level application that is NOT a prototype I would prefer manually coded data access layers going to the DB directly through commands and data readers. It's still the fastest thing but you need to code it manually.
LINQ to SQL combines performance with productivity as it includes designer support. The OR Mapping in LINQ to SQL happens via .NET attributes applied to your classes. That is tightly coupled to the database and less flexible than complete OR mappers. But as the mapping layer is "coded" it's still faster than OR framework. So its in between of these worlds and still has a really good performance.
If flexibility and maintainability is the major thing and you want to have your object models strongly de-coupled from your database, then OR-Mappers such as the ADO.NET Entity Framework and LINQ to entities (adding even more productivity to it) are the way to go.
For Rapid Prototypes that you want to use for demonstrating value to customers to prepare larger projects or that are not going to be used in a long-term fashion in your company you can use Dynamic Data Forms shipping with .NET 3.5 SP1 or the classic SqlDataSource stuff we've introduced with .NET 2.0.

I haven't added LINQ Foundation and LINQ to XML to this diagram as I think you can use them everywhere you want incl. LINQ to objects;) I also have not added LINQ to DataSets as I rather see this as a migration scenario to migration slowly form DataSets to these new technologies.

Based on what I've written above to simplify the decision of which technology to use when I would update my diagram as follows:

I hope these thoughts help you for your future decision on which data access technology to use when. As mentioned these are my personal thoughts and not an official opinion of Microsoft in any way;)

Cheers
Mario