Vibro.NET

Download the November 2009 release of the Identity Developer Training Kit

2009-11-07T00:00:45Z

Let’s close the WIF RC day with the November refresh of our Identity Developer Training Kit.

The new version of the Identity Developer Training Kit ported forward the three WIF labs (web site, web services, ASP.NET Membership provider) to the RC, and improved support for Windows 7 and Windows Server 2008 R2.

The ACS labs have been temporary removed, to give us the time to accommodate the new REST scenarios it now supports, but it will be back in in no time.

In addition to that, we’ll also be adding some new interesting content very soon… but I won’t spoil the surprise ;-)

Happy coding!

ClaimsDrivenModifierControl has been updated to WIF RC

2009-11-06T19:32:51Z

Following the route of FabrikamShipping, the Claims-Driven Modifier Control is now ready to influence the behavior of your federated sample websites… using WIF RC :-)

enjoy!

FabrikamShipping has been updated to WIF RC

2009-11-06T19:08:23Z

That’s right, the big sample you know and (hopefully?;-)) love has been updated for taking advantage of WIF RC.

Get it while it’s hot at http://code.msdn.microsoft.com/FabrikamShipping

The Id Element Special: up close & personal with WIF RC

2009-11-06T18:21:00Z

The Federated Identity team finally unwrapped the RC version of Windows Identity Foundation: as you have come to expect, the Id Element did some fact gathering for you. Enjoy!

The release candidate of Windows Identity Foundation is here! Chock-full of improvements driven by YOUR feedback, WIF RC gives a very good idea of how the final release will look like.
Vittorio went to visit Sidd, Govind and Sesha to learn about the new features and explore the rationale behind some of them. From a comprehensive list of new features to deep dives in their favourite scenarios, the guys tell it all. Tune in!

The RC of Windows Identity Foundation is here!

2009-11-06T18:06:00Z

You have been waiting for it: it is finally here. We have just released WIF RC, you can download it here. Note how nicely the logo reflects WIF’s status of member of the .NET family… i love it!

This release has very few breaking changes, but it is full of small & big improvements. You can learn all about it in our RC special of the Id Element!

Also, we updated to the RC the Identity Training Kit, FabrikamShipping and the ClaimsDrivenModifierControl; as the new versions come online I will post accordingly (and change the text into links).

And now… heads down for the Big R!

The New ACS is Live: if you do HTTP, you can play the Game

2009-11-06T07:56:32Z

Today the .NET Services team released the first CTP that reflects the changes announced back in September: you can read about it in their team blog and in Justin’s blog and experiment with the service here.

You know, it’s kind of a big deal! The power of the claims-based approach is now within reach for REST developers and a surprisingly wide array of platform and devices: all it takes for taking advantage of the service is being able to use http and perform super-simple crypto (did I just say an oxymoron or what? Come on, you know what i mean :-)). Substantially, many of the diagram you have seen me drawing in the last 4 years remain pretty much unchanged: the difference is mainly in the kind of tokens exchanged (a minimalist bearer that plays fair with the space limitations in HTTPland) and in the protocol used.

The protocol ACS uses is WRAP, or Web Resource Authorization Protocol; in fact I should probably call it OAUTH WRAP, given what is mentioned on the WRAP discussion group home page… which is now moved to http://groups.google.com/group/oauth-wrap-wg. OAUTH WRAP has a companion token, the Simple Web Token or SWT, whose spec can be found here. Take the time to leaf through them: you’ll be surprised by how simple & straightforward they are.

I am itching to pick the pen and start scribbling on my tablet some schema for you, but I’ll resist the temptation: we are working on some content for helping you to explore the new possibilities that the service offers, and it will be available to you very soon. In the meanwhile, you can play with the samples in the SDK: and of course, don’t forget to add Justin’s session in your PDC09 agenda!

WIF on .NET Rocks!

2009-11-03T17:30:12Z

Last Saturday I had the pleasure to spend 1 hour at the phone with Carl & Franklin from .NET Rocks: you can listen to the results here.

We mainly chatted about why claims are good for you: while the first parts are mostly introductory content, we quickly find ourselves discussing advanced topics, like the (good!) implications on development practices on switching to claims. It’s a gentle slope, so you’ll have time to pull out before the water gets too deep… or to dive right in, if identity is your thing ;-)

TechEd Europe & PDC

2009-11-03T08:45:40Z

November is already here: can you believe it? The last few months have been a crescendo of activities, and now that PDC is just behind the corner they just turned in a tornado (alliterating in English is, well, weird). I can’t really tell you all we’ve been cooking for your identity geeks out there, but you’ll know soon enough: probably sooner than you think ;-)

In any case, this is the last week I have for finalizing everything: next Sunday I’ll hop on a flight for Berlin, where I’ll give a session on WIF: it’s

SIA305, “Windows Identity Foundation Overview”, on Wednesday 11/11 | 9:00-10:15 | New York 3 - Hall 7-1a. Thanks to the good work of the Security, Identity & Access track owners, this year the sessions’ order is actually the correct one: the session will follow the introductory breakout from my good friend David Chappell, who is presenting a 200 on claims based identity the day before (SIA204 Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) v2, Windows Identity Foundation, and CardSpace Tue 11/10 | 15:15-16:30 | Budapest - Hall 7-2b).

You’ll also find me at the booth, and I’ll periodically walk by the hands-on lab area (try SIA26!) to see if you have any questions. Looking forward to meet you there!

Every year I attach to TechEd Europe a tour of EU customers: this time I won’t be able to, on Friday I’ll fly straight to L.A. to add the finishing touches before the PDC09’s Big Show. More about this soon!

It’s official: ADFS 2.0 passes Liberty Alliance SAML 2.0 interop tests with IBM, SAP, Novell, Ping, Siemens, Entrust

2009-10-01T03:22:36Z

Well, in the last 12 months we certainly covered a lot of ground!

Last October we announced that we were going to support the SAML protocol in ADFS 2 (at the time announced under the codename Geneva Server).

Today we are backing that claim (pun intended) with the results of the latest Liberty Alliance Interoperability Testing, which demonstrate that ADFS 2’s SAML 2.0 protocol implementation interoperates with the corresponding products from Entrust, IBM, Novell, Ping Identity, SAP, and Siemens.

As a rightfully proud team explains in the Geneva blog, the test included the three main profiles IdP Lite, SP Lite and EGov 1.5; and it was pretty much the Cartesian product of all vendors & test cases, which kind of explains why I haven’t seen my good friend Caleb Baker as often in the last few weeks :-)

Congratulations to the Federated Identity team for this important milestone. Thanks to their efforts & commitment, the question “does ADFS2 interoperates with X?” just became exceedingly easy to answer :-)

You can read more about this on:

Forefront Blog

Federated Identity team blog

Computerworld

Full results report

An example of trusted subsystem fail in meatspace

2009-09-17T04:00:15Z

Here I am, stuck in Sydney airport for various cascade delays but awarded with the Gift of Free WiFi. I am coming back from a awesome 2 weeks in Australia and Nw Zealand, where I met great customers & partners, enjoyed the company of amazing friends & colleagues and drew few chuckles (while hopefully passing some claims knowledge too) from the awesome audiences of #tenz9 and #auteched. BTW, thank you for the fantastic feedbacks!

I should really take advantage of any free minute for working on the book, but having woken up at 2:45am I don’t feel especially intelligent (if ever) and I’d do more damage than good: hence I’ll just spend 1/2 hour reinforcing one topic that was especially popular during the techeds, the argument against trusted subsystems.

Case on point. TechEd New Zealand took place in the same hotel where the speakers were staying. The event level was directly connected to the rooms via handy elevator, but unfortunately they were not accessible:

Or at least, that’s what the black tape and the sign would want you to believe.

However, if you’d be rebellious enough (I believe the technical term is “polarity responder”) and if you’d be so bold to hit the call button anyway… surprise! You’d get the familiar “pling!” of the elevator and one cabin would materialize at the floor.

Now, you can think of this button-tape-signs contraption as the frontend of the application “go to your room”. This application tries to keep everybody out, apart from the service people who indeed know that the elevator works perfectly. It is not a very secure way of protecting a resource, but the intent is clearly that one. So, if the only line of defense would be this, or in other words the elevator cabin would live in a trusted subsystem, then the security of the solution would be very, very ineffective.

In fact, it turns out it’s not the case. Even if you “hacked” the system by clicking the button anyway and went around the tape, clicking on the floor buttons would not do you any good: it turns out that you need a room key for accessing your floor.

So that’s not too bad after all, but it could have been :-)

Note. This example does not map 1:1 with what we discussed in the sessions, since here there’s no delegation (I am using the room key directly, there’s no actor that pushes buttons on my behalf), however hopefully that gives you (if necessary) the feeling of why it is a good idea to make access checks at the resource and on actual user privileges instead of expecting that the frontend security will always enforce the right thing :-)

More PDC09 Identity Awesomeness

2009-09-02T03:01:46Z

Kim’s session sequel

Today the PDC team published a new wave of sessions, and sure enough identity is there! In fact, you'll be glad to learn that Kim Cameron is going to again walk the stages of the L.A. Convention Center, with a “2nd part” of last year’s famous S+S Identity Roadmap session. Here there’s the complete abstract:

Software + Services Identity Roadmap Update

Kim Cameron

At PDC 2008, Microsoft unveiled a comprehensive offering of identity software and services, based on the industry standard claims-based architecture, and designed to address the rapidly growing requirements of modern applications both on-premises and cloud. In this session, we will demonstrate the progress we’ve made using real life use cases, discuss lessons learned in adoption of claims based identity, and preview new scenarios and capabilities of the evolving identity software + services portfolio.

Sounds like a really interesting session… but then again, I would expect nothing less from Kim :-)

I’m speaking at PDC!

On other news, it turns out that yours truly will be a speaker at PDC09! More details in the next weeks… needless to say, I can barely contain myself from jumping up & down :-) See you in L.A.!

The Id Element: Jorgen Thelin on the Microsoft Federation Gateway (MFG)

2009-08-29T00:18:11Z

After a long pause, the Id Element returns with a bang: yesterday I sneaked in Jorgen Thelin’s office, and he was so kind to spend some time with us discussing the Microsoft Federation Gateway. The MFG is absolutely central to Microsoft’s services offerings: this interview will help you understand what scenarios it enables and how to take advantage of it. Below there’s the caption:

Jorgen Thelin, Senior Program Manager, looks after key identity services in Microsoft such as Windows Live ID and the Microsoft Federation Gateway (MFG).
In today's interview Jorgen describes the role of MFG, and touches on the many wonders it enables: using AD accounts to SSO (single sign on) access to Microsoft Business Online Services such as Dynamics CRM, allowing the 550 million owners of a Live ID account to gain access to your federated applications developed with Windows Identity Foundation, and much more.
Jorgen also takes the chance to tell the story of the Microsoft Services Connector (MSC), from its inception to the decision of consolidating its functionalities in Active Directory Federation Services 2.0 (see the Microsoft Online Service Federation Utility preview).
Finally, Jorgen gives us a taste of the future of MFG: non-AD directories, SAML2.0 protocol and the new scenarios that those exciting features will enable.

Have fun!

Books: “Programming Windows Identity Foundation”, P&P claims guide & others

2009-08-26T10:05:43Z

Want to know why I spent one hour every day of my vacation practicing touch typing? Well, apart from the fact that it’s simply scandalous that after 20+ years spent on keyboards I still hunt & peck: in the next few months I’m going to need all the typing speed I can gather… I am signed up to write (or otherwise actively participate in) three books about identity:

“Programming Windows Identity Foundation”, MSPress

The title is still provisional, but the scope is clear. We want to provide .NET developers with a reference to Windows Identity Foundation, going from the basic principles & programming model to the intended usage of the main product features, active & passive cases, on-premises & cloud scenarios, and so on & so forth. The book will take on the same mission as the identity developer training kit, but will of course expand and integrate it accordingly.

I know this is going to take a lot of evenings & weekend, but I am sure it will be fun! As usual, PDC is a monumental task and I may have to shuffle priorities around: I have a quite precise idea of by when it should be available, but I don’t want to commit on a date in case I flunk it even by few days… ;-)

“Claims based Authentication & Authorization Guide”, Patterns & Practices

It’s since March that I am collaborating on Eugenio’s latest project, on a P&P guide on claims based authentication and authorization. Recently the project really took off in big style, with big names actively involved in it (Keith, Dominick, Matias) and Eugenio started sharing details on his blog. For this guide I don’t really write anything, my role is mainly being an advisor (and not even a good one, since I am constantly late and I am often pretty radical) but I am truly honored to be working with such a star team.

Note. The overlap between “Programming Windows Identity Foundation” and this P&P guide will be minimal: the former will be focused on WIF development and will loop in other products (ie ADFS, Windows Azure) only when they are part of WIF development tasks, whereas the P&P guide will be focused on scenarios.

Mysterious third book

Eh, mentioning this third book here is kind of cheating since I am not going to do any work for it: one (already written) article of mine was selected to appear in an anthology on Identity, hence it would appear that my name will end up on a front cover without further efforts. Ah, some ROI… nice :-) Since I am not sure what I can safely share about this title, I’ll just not say anything more until further notice.

Well, now you know what I will do during the 37+ hours of flights to & fro TechEd AU/NZ… or better, for as long as the 2 tablet batteries will last. Now you see why I am trying to learn how to touch-type: hunt&peck in economy class means shoving your elbows in the ribs of your neighbors, and that’s veeery bad practice ;-)

Identity @ Tech.Ed Australia & New Zealand

2009-08-24T11:19:00Z

Ah nice. Sunday night, 1:00am and I am still perfectly awake… the usual jet lag after vacation (3 hours for actual time zone difference, + 3 hours because in vacation I like to “recuperate” the lost sleep during the year ;-)).

I am not brave enough to open the email yet, who knows what’s awaiting for me there, so I’ll just write down few lines about my next trip. I am really happy to report that I’ve been summoned again to present at TechEd Australia and TechEd New Zealand on my favourite topic! Last year it was a blast, awesome audiences and great, great places, and I really look forward to get there and blabber about identity, claims & company. I’ll meet customers in Melbourne & Sydney, then I’ll head to Gold Coast and from there to Auckland. I’ll have exactly 0 (zero) time to take a look around, in fact I’ll have to head back ASAP, but that’s more the rule than the exception… that’s how we roll ;-)

I am scheduled to deliver the same 2 sessions in both events: one (ARC204) will be a classic intro to claims-based identity, the other (SEC305) will be a drilldown in WIF. Here there are titles, days, locations & abstracts:

ARC204 Claims-Based Identity: An Overview

Australia: Thu 10/9 | 15:30-16:45 | Arena 1A

New Zealand: Wed 9/16 | 10:45-12:00 | Marlborough Room

For people who create software today, working with identity isn't much fun. There are too many technologies and too much complexity. The industry-wide shift toward claims-based identity improves this, offering a better, simpler approach. Yet making this approach real requires infrastructure, which is why Microsoft is enhancing its platform with AD FS 2.0, Windows Identity Foundation and Windows CardSpace 2.0. This session provides an overview of these forthcoming identity technologies, showing the problems each one addresses and how they relate to one another. The goal is to provide a big-picture understanding of Microsoft's approach to claims-based identity.

It’s been really long since I didn’t give a 200… preparing it will be fun! Nigel, I am not sure I won’t slip to 300 here and there… I’ll try to minimize those moments, I promise!

SEC305 Developing Identity-aware & more secure applications: using Microsoft Windows Identity Foundation for fun and profit.

Australia: Wed 9/9 | 17:00-18:15 | Central A

New Zealand: Tue 9/15 | 14:20-15:35 | New Zealand Room 3

Application developers, meet Mr. 'separation of concerns'. Thanks to its support of claims-based identity, the Windows Identity Foundation (formerly Geneva) APIs allow you to eliminate from your application all authentication- and authorization- specific code, by delegating its function to external entities. The application developer retains access to all the user attributes that are needed for driving the experience or feeding the business logic, without the burden of knowing anything about the underlying security plumbing. The security architect can secure an application simply by manipulating its config file at deployment time, or decide to take full control of the process and easily develop custom authentication and authorization logic. This session provides an overview of how to use Windows Identity Foundation for comfortably achieving the above in interoperable, location-independent fashion.

I am very grateful to Rocky for having allowed me the lighthearted title & abstract :-) you know, that may even be the first session that uses WIF instead of Geneva Framework.

Aaall right. I’m really looking forward to be there, as usual feel free to grab me at any time if you see me around and you want to talk identity!

A Guide for Enabling Federated Authentication on Windows Azure WebRoles… using Windows identity Foundation

2009-08-05T02:51:05Z

Federating with customer and partners, SSO using existing company identities, authentication externalization, multiple auth factors, claims-based identity… those are all things that the good architects, developers & sysadmins want to be able to do on-premises, in the cloud and in whatever lies between.

Our products are still in prerelease status, however we know that many of you are experimenting with the new possibilities offered by the cloud… and not being able to include federated identity in your scenario can be a big limiting factor.

In order to help you with that Hervey, architect on the Federated Identity team, took a good look at the current bits at your disposal (Windows Azure July 2009 CTP, Geneva Framework Beta 2) and developed some code extending Windows Identity Foundation can help you to overcome some of the incompatibilities so that you can experiment with claims based identity in Windows Azure. Then I took that code and made it into a step-by-step guide, that can be used by *anybody* for enabling passive federation in a Windows Azure WebRole for experimental purposes and can be used by identity experts for gaining insights on what are the attention points that require workarounds in the currently available bits.

Here there’s a summary of the steps followed by the guide. You start by creating an ASP.NET website (RP) in the local IIS and auto-generate an STS for it, all by using the usual Windows Identity Foundation tools. Once verified that it works as expected in the local IIS, you create a Cloud Service project and transfer the RP settings to a new WebRole: then you test it in the DevFabric. Upon successful testing you publish & test the WebRole in staging and finally in production.

Note that the guide aims at describing the most basic of the scenarios and requiring minimal system requirements, but you can easily use it as starting point for building something more realistic, for example by using your own AD FS 2.0 as the identity provider instead of the development STS we leverage.

The guide package is available for download on Code Gallery, direct link here.

We will keep updating this guide and its supporting code (Microsoft.IdentityModelPlus) as new releases of the products involved become available; we also plan to release other guides for addressing different scenarios, such as the active case (claims-based identity with WCF services in WAz), perhaps even an STS in the cloud! We look forward to your feedback: please remember that this code is NOT production ready, and it is released to you for the sole purpose of allowing you to experiment with identity and cloud based scenarios.

That’s all: time to jump in action! Download the guide package and have fun with identity and the cloud :-) Happy coding!