Vibro.NET

ADFS 2.0 RC is Here!

vibro — Fri, 18 Dec 2009 16:53:08 GMT

The release candidate is always an important milestone for a product: if possible, it is even more so for a component as essential as your identity provider or your federation provider, which must be absolutely rock solid, secure, always available... you know the drill.

Well, good news everyone! From this morning Active Directory Federation Service 2.0 is officially in Release Candidate mode: read the announcement here and download bits & goodies from here.

As you’ve come to expect, the Id Element is here to provide in video the juicy details, directly from the protagonists:

Active Directory Federation Services (ADFS) 2.0 finally reached the Release Candidate phase!
This special episode of the Id Element is all about the new features introduced in the RC: Matt Steele, Senior PM in the ADFS team, makes his second appearance on the show and gives us an insider view on how the feedback on Beta2 helped to improve the product.
From SAML protocol interop to farms and certificates management, going through new authorization capabilities and improved user experience, in this release there's something for everybody!

The video is available here.

For this release the team has produced enough material to keep you busy exploring the product for days: have fun discovering the new capabilities of the RC, and… stay tuned for the next logical step ;-)

Deep linking your way out of home realm discovery

vibro — Thu, 03 Dec 2009 20:38:00 GMT

Here there’s a very quick post about an often debated topic, home realm discovery.

When your web application trusts multiple identity providers, the first task you have when processing a request is figuring out from where the user is coming from. If the user is coming from your partner Adatum, he’ll have to authenticate with the Adatum (IP) STS before being able to access your application; if he comes from Contoso, he’ll have to authenticate with the Contoso STS before being able to authenticate with your application. The Contoso STS and the Adatum STS clearly live at different addresses, which means that you’ll typically need to feature some logic (often residing on your federation provider STS) to determine from where your user is coming from before starting the classic WS-Fed redirection dance. CardSpace provides a very neat solution to this, but it is not always readily available. The result is that everybody comes out with some different solution, which often involves the user to interact with a UI. For example the MFG will prompt you for a live id, and once it will sense that you entered an account belonging to a federated partner it will offer you to redirect to your IP STS. Others may offer a simple drop down which enumerates the federated partners, and ask you to pick your own (not especially handy if you want to keep your list of partners/customers private).

While those mechanisms are necessary, some times your users may get fed up to always have to handle UI tasks instead of enjoying smooth, heated-knife-though-butter SSO.

Well, here there’s a trick that we used in the internal version of FabrikamShipping for easing that pain: basically, we include in a deep link all the hops that a user from Adatum would go though when going through the authentication experience. As a result, adatum users will click on a link that points directly to the Adatum ADFS2 and already contains all the info for performing the redirects to the R-STS of the app and to the app itself. If you know about WS-Fed you may in principle build the link from scratch, but since I am notoriously lazy (and bad at remembering syntactic sugar) I prefer the following trick: I go through the authentication experience, and once I reach the authentication pages of the intended IP I save the URI currently displayed in the address bar.

Let’s get one pretty complicated example: this is the deep link we used for showing SSO via ADFS2+MFG to CRM Online. (disclaimer, this was made with versions that are older from the ones you may have available now: you may have to re-build, this is just for giving you an idea).

https://www.adatumcorporation.com/FederationPassive/auth/integrated/IntegratedSignIn.aspx?wa=wsignin1.0&wtrealm=uri:WindowsLiveID&wctx=LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D10%26rver%3D4.5.2130.0%26wp%3DMBI_SSL%26wreply%3Dhttps:%252F%252Fsignin.crm.dynamics.com%252FPortal%252Fsignin%252Fsignin.aspx%253Fmscrmurl%253Dhttps%25253A%25252F%25252Fsignin.crm.dynamics.com%25252Fportal%25252Fnotification%25252Fnotification.aspx%25253Forganizationid%25253D9a3db539-849c-4a52-bdd1-460cd6e81fac%252526skipnotification%25253Dfalse%252526target%25253Dhttps%2525253A%2525252F%2525252Fadatumcorporation.crm.dynamics.com%2525252Floader.aspx%26lc%3D1033%26id%3D252280

Now, isn’t that quite a mouthful! Let’s improve it a bit by url-decoding:

https://www.adatumcorporation.com/FederationPassive/auth/integrated/IntegratedSignIn.aspx?wa=wsignin1.0&wtrealm=uri:WindowsLiveID&wctx=LoginOptions=2&wa=wsignin1.0&rpsnv=10&rver=4.5.2130.0&wp=MBI_SSL&wreply=https://signin.crm.dynamics.com/Portal/signin/signin.aspx?mscrmurl=https://signin.crm.dynamics.com/portal/notification/notification.aspx?organizationid=9a3db539-849c-4a52-bdd1-460cd6e81fac&skipnotification=false&target=https://adatumcorporation.crm.dynamics.com/loader.aspx&lc=1033&id=252280

Sliightly better. Now, should we try to parse this guy? Sorry, no time; maybe some other time. Let’s just get a very rough look at how this may be broken down:

https://www.adatumcorporation.com/ FederationPassive/auth/integrated/IntegratedSignIn.aspx?	this is the URI of your IP. In fact, it points directly to the endpoint you are interested into (in this case the integrated security one, which should not promt the user when accessed from the intranet)
wa=wsignin1.0 &wtrealm=uri:WindowsLiveID &wctx=LoginOptions=2 &wa=wsignin1.0 &rpsnv=10 &rver=4.5.2130.0 &wp=MBI_SSL &wreply=	those are parameters of the request. You’ll notice here some familiar WS-federation parameters (wa, wtrealm, wtcx,wp, wreply) but also some liveid specific ones (rpsnv). In this case the federation relationship we are riding is between our ADFS2 and the MFG, in fact the wtrealm points to windows live id (which acts as the federation provider/resource STS here)
https://signin.crm.dynamics.com/Portal/signin/signin.aspx?mscrmurl=https://signin.crm.dynamics.com/portal/notification/notification.aspx?organizationid=9a3db539-849c-4a52-bdd1-460cd6e81fac &skipnotification=false &target=https://adatumcorporation.crm.dynamics.com/loader.aspx &lc=1033&id=252280	The content of the wreply is the actual RP, which in turn it includes its own login mumbo-jumbo

Details aside, the effect of using this URL is that Adatum users will experience smooth SSO to CRM online despite of the multiple STS layers between them and the application. Neat! Note that if everybody in the chain did their homework, there should be no way to craft malicious URLs: if every issuer validates the audience to which it is requested to generate a token for, the risk of redirect attacks is mitigated. This should also be a wake-up call for the ones who rely just on UI tricks for managing HRD: this method can be used to request tokens from an arbitrary issuer, regardless of if it appears in the dropdown or not, hence validating everything is really key.

Unexpected bonus: this approach may come in handy also for less complicated cases. For example if your ADFS2 exposes more than one endpoint and you want to pre-select one, all you need to do is embedding it in the URL (something like https://www.adatumcorporation.com/FederationPassive/auth/integrated/IntegratedSignIn.aspx?wa=wsignin1.0&wtrealm=https://www.fabrikamshipping.com/FabrikamShipping/Default.asmx).

Now, the usual disclaimers. This method is not a solution to home realm discovery, rather it is a “shortcut” that piggybacks on existing home real discovery solutions which must be in place for this to work. Furthermore, this has to be arranged by every partner and relies completely on the fact that the users will access the application through the specially crafter URL as opposed to direct links. It is not guaranteed to work in all cases, and I am sharing it with you just because I think it is neat: for official guidance on how to use WIF, ADFS2, etc please always refer to the federated identity team blog.

That said, this really worked well for our content: thanks to “Office” Donovan who, despite having left us for the IW crowd, still has what it takes and gave me a refresher on this!

Good Claims, Bad Claims 1: an Example

vibro — Tue, 01 Dec 2009 17:25:17 GMT

Ahh, claims. Aren’t they a thing of beauty? When you first discover them, you’d be tempted to use them for everything up to and including brewing coffee.

Now that we finally have powerful tools at our disposal for actually developing claims-based systems, as opposed of just talking about it, it is time to go past the trivial examples and make some more realistic considerations. Oversimplification is useful for breaking the ice, but we don’t want to fall victim of the hype and do silly things do we? Just remember that there was a time in which there was the belief that before writing any web service (including the one doing a + b) you should have provided the corresponding XSD… yeah, fits beautifully with the vision but not especially agile in practice :)

We kind of started this process in the “what goes into claims” post, which BTW is being reworked for appearing in the claims guide, however here I’d like to go a step further and reason about what makes a claim a good or a bad choice for a given scenario. I’ll start by discussing one of the most classic example of claims in the authorization space, the Action claim, and use it as an example of kind of the things you want to consider in practice when evaluating which claims are right for your scenario.

The Action claim: really???

Let’s say you have a LoB application featuring various web services, all facade-ing business entities. Most of those services offer CRUD operations for some business entity, but there are others exposing operations whose semantic is less clear. How are you going to authorize access to those services?

One recurrent solution in literature is requiring the caller to present a token containing one or more Action claims. If the value of one of the Action claims corresponds to the action URI of the method being invoked, we’ll authorize the call; otherwise we’ll block it. Clear as spring water, right? An elegant catch-all solution to services authorization. Unfortunately, not always “simple” corresponds to true, effective or realistic. Back in ancient Greece Aristotle believed that stones fell to the ground and smoke rose up because they were trying to reconnect to their elements (Earth and Air) in their natural places. That’s a good model while your technology level sticks to crab pots and horse-powered carriages, but if you don’t move your understanding past it forget about PET scans and buckyballs.

Did I go off a tangent again? Let’s get back to business. Who are we expecting to issue the token containing the Action claim? A good candidate would appear to be the federation provider in the same organization as the app we are securing: after all they are in the same org and they know about each other, right? It’s not like we are asking the IP in another organization to pollute its schema with info about the app.

Ehrr, when you try to put the above in practice you discover that it’s not as simple as it would have seemed at first. The administrator of your local FP (think of it as the local ADFSv2 instance) will want to know about your app, since it is a relying party that should be recorded & recognized if we want to issue claims for it. At a certain point of the app development cycle the administrator will be notified of the URL of the app (better if done via metadata docs). But think about how much more you’d have to ask to the administrator if you’d want the FP to issue Action claims for you. He’d have to know about ALL the web services your application have, ALL endpoints, and ALL the methods you want to secure; and he’d have to write claim issuance rules accordingly. If you think that an administrator will gladly submit to that, you never worked with a DB admin (which is the best approximation I can find for a FP admin). I worked with customers who always added extra columns to their DBs before going to the DB admins, so that they had something to sacrifice in the bargain bagarre that inevitably ensued.

Let’s admit that for some reason the admin agrees to handle for you al those rules. What happens when next week you need to make adjustments to your app, like adding or deleting a web service? Are you going to bug the man again? Now, multiply this for all the LoB apps in your company’s portfolio. Even if they guy has the attitude of a martyr, he would simply be unable to comply with the extra work.

Note, here I didn’t even touch on non-admin issues of sticking with Action, such as action strings collision (it may happen that CRUD ops are represented by the same action URI, and they are simply applied to different services) and claims overcrowding vs token issuance overhead (do you overstuff a token with all possible actions for that user, or do you keep querying the FP every time you call a different method?).

So much for improvement. Note that here the fault is not in claims, of course; it’s in the choice of claims for the scenario. If you’d ask the FP to issue a role claim, and at the resource map that role to the actual permissions at the method level, the autonomy of everybody in the chain would be respected and you would not have to duplicate within the FP what you already know locally. Of course this is not a foolproof rule in itself, since uncontrolled app-specific role proliferation is precisely one of the main causes of AD overspill, but you get my point.

OTOH it is not my intention to demonize the Action claim: there are situations in which it may make sense, it’s all about understanding the scenario rather that blindly following catch-all rules. If instead of dealing with an entire portfolio of LoB apps for an enterprise you are simply exposing one SaaS app, the number of possible Actions will likely be manageable and their semantic more uniform (especially if you believe in the resource model). In that case using Action may prove to be handy; that would also hold in cases in which between the FP and the app itself there are intermediate levels, such as a departmental R-STS or in any case an issuer for which the knowledge of resource-level info would not be a burden but a natural part of its operations.

Good Claims, Bad Claims

Your application has questions about its users, and the answers to those questions are what decides if one call succeeds or fails. Claims are a great way of getting the answers to those questions right when you need them, from the most authoritative source: why storing the roles for your users when you can simply require that info to be there, fresh & authoritative, in form of claims in a token right at the moment of the call?

If you ask the right question to the right authority, things flow literally by themselves and everything works out beautifully: all you need is already in place, claims based identity simply helps you to unlock it and make it available where and when it’s needed. You just need to think a bit to figure out to whom you have to ask what.

When you don’t control the scenario end to end, you are kind of forced to respect everybody’s autonomy: the real danger is when you do control the scenario end to end, because you may dig yourself in a deep hole if you are not careful. If you run a successful pilot using the Action claim & the FP for authorizing access to one 10-webservices, 3 –actions-each LoB app, you may think you’ve found your claims-based Graal. However, if later it turns out that you have almost a hundred of LoB apps (with tens of services each, with tens of methods each) and the only STS you can rely on is the main FP, you may find yourself in a tough spot to extend the same strategy company-wide if that would require handling rules in the tens of thousands involving fairly volatile resources.

In the last several months my typical posts where of the type “announcing sample X” or similar: now that a very successful PDC and WIF launch is behind us, I finally have some time to get back to some good ol’ architecture. In the next few posts I’ll try to reason about claims effectiveness. As I mentioned, there are no hard & fast rules here: my hope for this and the next posts is to make exactly that point, and inspire you to think about your systems and the best way of taking full advantage of the claims-based identity approach. Don’t get caught in information cascades and never suspend your judgment, including (especially) about what you read here! ;)

Windows Identity Foundation Overview Session recording: drawing-on-slides presentation technique

vibro — Tue, 24 Nov 2009 21:41:36 GMT

In the same spirit of experimentation shown here, in the last year I’ve been using another fairly original presentation technique. The original aim was to mitigate my being chronically late in turning in slides for events but it turned out something that audiences actually like :-).

The technique is easy to explain, and i am sure that somebody is using it already (although I’ve never stumbled in anybody doing it so far). Instead of having fully baked slides, you have just few elements appearing at strategic moments; you hand draw everything else on the fly, directly during the presentation. I finally got a good recording of a session using the technique, the “Windows Identity Foundation Overview” I gave last week at PDC09. It went really well, and judging from the comments the drawing was a contributing factor (BTW thanks to all the nice comments on twitter and in the evals! :-))

At PDC I used a hybrid, meaning that I didn’t draw everything from scratch, but it can and it has been done (the intro to claims talks in Australia & New Zealand techeds & Munich EIC, for example). That usually works best for architectural talks.

While it is true that you can save time by not having to author complex animations and media research, keep into account that a good act needs some planning (and you may have to do the slides anyway). If you want to apply the same technique, here there are few tips I’ve discovered by trial & error.

If you are drawing on slides, use the pen support built in powerpoint. It supports pressure sensitivity/speed and the resulting trait is more expressive than, for example, what you obtain with zoomit (which remains the best solution for drawing on non-slides)

Learn to draw quickly. Drawing & talking should happen seamlessly, if you stop talking for drawing you break the magic

Have fun! I personally *love* the chance of doing visual humor on the slide; also, for semi-interactive sessions you have the freedom of driving the flow wherever you like and adapt to that specific audience, instead of being constrained on the rails of a pre-built slide

Test that what you draw is immediately recognizable as what you intend. If you draw something in a way that won’t be readily and unambiguously recognized by nearly all audiences, consider using clipart for that element instead. For example, my handwriting is HORRIBLE hence I always fade in & out text elements.

Composition. If you mix animated elements & drawing, make sure that you rehearse the sequence so that you know 1) when to advance the animation 2) where to draw on the screen so that the result does not overlap

And more:

Use few colors- ideally just one. Make sure that it has maximum contrast with the background. Avoid backgrounds with many different colors, or if they are forced on you try to keep the drawing on uniform areas
Backup. This technique is powerful, but also completely dependent on the availability of a tablet. In the last 2 events I was at risk of not being able to use it, since the hinge of my tablet occasionally disconnects the display connections… and there’s always the risk of losing the stylus. Also, not all the touch screens are suitable (my UMPC creates all sorts of artifacts with powerpoint drawing, could not have been used as backup.
The solution is to have hidden traditional slides in your deck, just in case at delivery time you are forced to use a traditional PC. This is of course a big time waster, since doing via animations what you can when drawing takes ages, hence you may consider simplified sequences (and be ready to expand elsewhere since this is likely to mess with your timetable)
Downloadable slides. If the event does not offer a video recording of the event, you HAVE to provide the alternative slides otherwise attendees will download a series of empty slides. The option of saving the ink annotations usually does not work, since the final pic usually does not capture all the intermediate sketches and may end up to be too complex anyway if you didn’t see it gradually taking shape.

That’s it. This so powerful yet easy & simple to do that I am truly surprised this is not mainstream. Give it a try and let me know if you discover more tips!

Update on Windows Azure + Windows Identity Foundation

vibro — Tue, 24 Nov 2009 07:10:21 GMT

New Guide

Back in August we released a guide that explained how to use WIF for adding to your web role SSO and claims-based identity capabilities via WS-Federation. That guide contained a number of workarounds that were made necessary by the limitations of the bits publicly available back then. A lot of you wrote back saying that the guide was helpful in getting you going with identity & the cloud and experiment with the scenario (I believe it was the case here, for example) while waiting for more complete guidance. That’s great, because that was precisely the intent.

Since then both WIF and Windows Azure evolved quite a bit: today the scenario described by the original guide can be set up in significantly less steps, and above all you are no longer forced to implement the unsafe workarounds that were needed back then.

The new identity developer training kit and channel9 training course contain a new hands-on lab, Federated Authentication in a Windows Azure Web Role Application, which contains an updated version of the guide. We also uploaded a standalone version of the lab in the same code gallery page where we uploaded the first guide, so that if you land there via search engine you’ll have the most up to date information.

The new lab is the result of a coordinated effort from the Windows Identity Foundation, Windows Azure and DPE teams. Among the key contributors Hervey Wilson, Todd West & Sidd Shenoy on the WIF side, Mohit Srivastava and Remy Pairault on the Windows Azure side, and Ryan Dunn & yours truly on the DPE team. We hope you’ll enjoy the results!

In-depth info

The lab is designed to give you a quick start and be accessible to as many as possible. However there are advanced considerations that arise whenever you deal with non-trivial environments such as multi-stage deployments and web farms (and what is Windows Azure, if not the biggest of them all?).

If you are interested in going deeper in the topic, I strongly suggest you take a look at the recording of the excellent talk Hervey gave on this very subject at PDC09. That will certainly give you food for thought: I also suggest to keep an eye on his blog.

[funny] Stolen Identity Video

vibro — Thu, 19 Nov 2009 23:20:56 GMT

PDC is slowly wrapping up, and it has been an awesome one. Identity was all over the place, and the interest you guys have show for the topic makes the months of behind-the-scenes hard work well worth it!

Before resuming the “serious” steams of news around the content (there’s more to come!), let me share with you this hilarious video in which, you really can say that, identity is the undisputed protagonist… enjoy! (thanks to Mike for the link!)

http://www.youtube.com/watch?v=bT_8pkoIGms

More WIF RTM Extravaganza: Sharepoint 2010 & Claims-Based Identity on the Id Element

vibro — Wed, 18 Nov 2009 09:00:00 GMT

Riding the wave of the WIF RTM joy, Here there’s a bonus for you: an exclusive interview with Venky, Program Manager Lead in the Sharepoint team, where he describes how claims-based identity is helping Sharepoint to address its identity challenges.

This is an unusual interview for the Id Element, as it depicts somebody who USES an identity product rather than somebody who writes it: I personally find it really, really interesting, and I am sure you’ll agree with me ;-) enjoy!

When it comes to identity management intensive applications, it's hard to top Sharepoint. Whether you are signing in a portal, accessing a document or using a webpart for reaching out to external web services, your identity is going to be the factor that drives it all.
Vittorio went to visit Venky Veeraraghavan, Program Manager Lead in the Sharepoint team, to discuss how Sharepoint deals with identity challenges. Venky gives a fantastic explanation of how claims-based identity and Windows Identity Foundation helped the Sharepoint team to deliver on the identity functionalities they needed without getting entangled in low level details such as protocol handling.
Tune in!

Stuart Kwan & yours truly broadcasted LIVE on Channel9 – TOMORROW!

vibro — Wed, 18 Nov 2009 07:48:17 GMT

Yes, you read it right :-)

Tomorrow at 1:00pm PST Stuart Kwan and I will appear LIVE on the new unscripted broadcast that the Channel9 guys are doing from the PDC floor; we are going to be grilled by Scott Hanselman, who presumably will want to know everything about Identity!

Instructions:

To watch, go to www.microsoftpdc.com
To participate and ask questions, send a tweet to @ch9live
PDC attendees can drop by the Channel 9 Live stage in the Big Room to be part of the action in person

Now, don’t ask me how my name ended up in the same program as stars of the magnitude of DelBene, Guthrie, Don & Chris… some times it’s just chance! I guess that WIF RTM and the roaring interest you guys are demonstrating for identity are a good part of it… awesome!

I include screenshot below for good measure :)

Soooooo… see you there? ;-)

Enjoyed TailSpin demo in today’s PDC09 keynote? Get it now!

vibro — Tue, 17 Nov 2009 19:43:04 GMT

Few hours ago Cameron Skinner and Doug Purdy were featured in Bob Muglia’s keynote. They showed great demos, where identity played a no-drama role: Cameron used WIF and ADFSv2 for enhancing SSO capabilities to his MVC application, Doug benefitted by that decision when he didn’t have to worry about authentication while modeling, deploying in staging and finally in the cloud the same application. I may be biased, but I found both demos extremely compelling (not just for the identity parts!!!).

The app they used happens to be the brainchild of LostInTangent AKA Jonathan Carter: being the good guy he is, Jonathan decided to make the demo available for you to download so that you can experience it directly on your own machine and experiment with variations.

There’s preciously little code about identity in the sample, and exactly for that reason it effectively demonstrate how Windows Identity Foundation can transform authentication in a non-problem and allow you to focus on the business aspects of the application.

It was real fun to work with Jonathan for the identity portion of the demo: again, this is just a small part of a very comprehensive application, LostInTangent really knows his stuff. Do check it out, it is a great way of familiarizing with the new features in VS2010 and our new server wave!

Announcing the Identity Developer Training Course on Channel9

vibro — Tue, 17 Nov 2009 19:14:57 GMT

Microsoft is a recognized thought leader in Identity: since the Geneva announcements wave in PDC08, we opened a dialog with developers for helping you to reap the benefits of claims based identity with the .NET framework. And today we RTM’ed WIF! :)

During the past year we rolled out many successful initiatives, from the Id Element show on Channel9 to the Identity Developer Training Kit. Today we are raising the game again, by releasing the Identity Developer Training Course on Channel9.

Why The Identity Developer Training Course

The hands on lab in the kit were designed specifically to help you to address the most common scenarios, as gathered at events and indicated by the search engine queries that landed visitors to our blogs; however, once the content was packed in the training kit it was totally opaque to search engines and direct queries, leaving the full burden of discoverability to the short description in the download page or blog posts & tweets.

The Identity Developer Training Course represents the unbundling of the Identity Developer Training Kit: all the labs documentation is now unfolded and hosted by Channel9 on the public internet, ready to answer YOUR queries right when you need it.

Once the content is on line, an entire new range of possibilities opens up: we can complement the content with instructional videos that can be streamed on-demand, roll continuous updates without forcing you to re-download the package, and many others we are considering for the next releases.

Discover Identity at Your Own Pace

The content is designed to provide a gentle introduction to the claims-based approach to identity and the Microsoft technologies that developers can use to put it in practice: in this release we focus on Windows Identity Foundation and the Access Control Service. The course also offers more advanced content, which will appeal to experienced developers and will help beginners to move to the next level.

Just to give you an idea of the kind of content we make available, here there’s a list of the units we offer in the first version of the Identity Developer Training Course:

Overview
- Video: Welcome To The Identity Training Course
- Video: An Introduction to Claims-Based Identity
Web Sites and Identity
- HOL
  - Exercise 1: Enabling claims based access for an ASP.NET Web Application by generating a local STS
  - Exercise 2: Customizing the Credentials Accepted by a Local STS
  - Exercise 3: Accepting Tokens from an Active Directory Federation Services (ADFS) STS
  - Exercise 4: Accepting Tokens from Live ID
  - Exercise 5: Invoking a WCF Service on the Backend via Delegated Access
Web Services and Identity
- HOL
  - Exercise 1: Using Windows Identity Foundation to Handle Authentication and Authorization in a WCF Service
  - Exercise 2: Accepting Tokens from an Active Directory Federation Services (ADFS) STS
  - Exercise 3: Invoking a WCF Service on the Backend via Delegated Access
ASP.NET Membership Provider and Federation
- HOL
  - Exercise 1: Enhance an ASP.NET Membership Website with Identity Provider Capabilities and Use it from a Third Party Website
Identity and the Windows Azure Platform
- Video: What is the Access Control Service?
- HOL: Introduction to the .NET Access Control Service
  - Exercise 1: Using ACS with Symmetric Keys
  - Exercise 2: Using ACS with SAML Tokens
- HOL: Federated Authentication in a Windows Azure Web Role Application
  - Exercise 1: Enabling Federated Authentication for ASP.NET applications in Windows Azure

You can go through the course “cover to cover”, or pick and choose the references that can help them with the task at hand.

Get on board!

The interest in Identity has been growing at steady pace for the last year: with the RTM release of Windows Identity Foundation and the cloud services getting more concrete every day, we expect the interest of the community to grow further.

Developers skilled in identity matters are in preciously short supply, and our courses represent an easy (and FREE!) way to acquire a skill in high demand. If you want to get on board:

Go through to the online identity developer training course…
…or download the classic identity developer training kit
Explore our end to end sample, FabrikamShipping, or our ASP.NET custom controls (here and here)
Subscribe to the Id Element show on Channel9 to hear about the latest news in Identity directly from the protagonists

As always, we look forward for your feedback: please let us know what works and what you would like us to do differently!

Windows Identity Foundation RTM!

vibro — Tue, 17 Nov 2009 18:16:13 GMT

Hello from PDC09 Day 1 keynote! It is my pleasure to let you know that Bob Muglia just announced the general availability of Windows Identity Foundation. Get it while it’s hot!

Almost exactly 2 years ago I had the honor of giving the first sneak-peak of what at the time we called the ADFS “2” project, which during PDC08 was officially announced under the codename “Geneva”.

With “Geneva” we collectively indicated one developer product (“Geneva” Framework, now Windows Identity Foundation), one server product (“Geneva” Server, now Active Directory Federation Services v2) and one end-user one (Windows CardSpace “Geneva”, now Windows CardSpace 2). Today we put in your hands the first component of the former “Geneva” platform, and I am personally thrilled that is the one for developers :)

We had a fantastic beta program, receiving tons of good feedback which made its way in the product: what you get today is the first of its kind, and is the answer to the need expressed by so many of you of handling identity and access in .NET applications in consistent & easy way. As you heard me say so many times in my presentations in the last year, the time of hand weaving is over: now you can start to experience the power of the claims-based approach directly in your apps!

You can find the official announcement on the Forefront blog: furthermore, before leaving for Berlin/L.A. I was lucky enough to capture a short impression of Conrad Bayer, Director of Program Management for Identity and Access, and get his comments on this release for the Id Element.

All our content has been updated to work with Windows Identity Foundation RTM, and we created some new interesting deliverables: watch this blog and/or my twitter for the next few hours!

Download the November 2009 release of the Identity Developer Training Kit

vibro — Sat, 07 Nov 2009 00:00:45 GMT

Let’s close the WIF RC day with the November refresh of our Identity Developer Training Kit.

The new version of the Identity Developer Training Kit ported forward the three WIF labs (web site, web services, ASP.NET Membership provider) to the RC, and improved support for Windows 7 and Windows Server 2008 R2.

The ACS labs have been temporary removed, to give us the time to accommodate the new REST scenarios it now supports, but it will be back in in no time.

In addition to that, we’ll also be adding some new interesting content very soon… but I won’t spoil the surprise ;-)

Happy coding!

ClaimsDrivenModifierControl has been updated to WIF RC

vibro — Fri, 06 Nov 2009 19:32:51 GMT

Following the route of FabrikamShipping, the Claims-Driven Modifier Control is now ready to influence the behavior of your federated sample websites… using WIF RC :-)

enjoy!

FabrikamShipping has been updated to WIF RC

vibro — Fri, 06 Nov 2009 19:08:23 GMT

That’s right, the big sample you know and (hopefully?;-)) love has been updated for taking advantage of WIF RC.

Get it while it’s hot at http://code.msdn.microsoft.com/FabrikamShipping

The Id Element Special: up close & personal with WIF RC

vibro — Fri, 06 Nov 2009 18:21:00 GMT

The Federated Identity team finally unwrapped the RC version of Windows Identity Foundation: as you have come to expect, the Id Element did some fact gathering for you. Enjoy!

The release candidate of Windows Identity Foundation is here! Chock-full of improvements driven by YOUR feedback, WIF RC gives a very good idea of how the final release will look like.
Vittorio went to visit Sidd, Govind and Sesha to learn about the new features and explore the rationale behind some of them. From a comprehensive list of new features to deep dives in their favourite scenarios, the guys tell it all. Tune in!