I spend numerous hours every month answering questions about WIF and identity in general.
This made me realize that this is still quite a complicated topic once you go beyond
the standard fedutil stuff.
My good friend Brock and I put together a two day training course about WIF that covers
everything we think is important. The course includes extensive lab material where
you take a standard application and apply all kinds of claims and federation techniques
and technologies like WS-Federation, WS-Trust, session management, delegation, home
realm discovery, multiple identity providers, Access Control Service, REST, SWT and
OAuth. The lab also includes the latest version of the thinktecture identityserver
and you will learn how to use and customize it.
If you are looking for an open enrollment style of training, have a look here.
Or contact me directly!
The course outline looks as follows:
Day 1
Intro to Claims-based Identity & the Windows Identity Foundation
WIF introduces important concepts such as the conversion of security tokens and
credentials into claims, claims transformation, and claims-based authorization. In this
module you will learn the basics of the WIF programming model and how WIF integrates
into existing .NET code.
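The two extensibility points that module is about, claims transformation and claims-based authorization, look like this in code. This is an added example written against the Microsoft.IdentityModel API of WIF 1.0 and is not part of the course material or the thinktecture code; the namespace, class names, the partner STS name and its group claim type are assumptions made up for the illustration.

```csharp
// Added example (not from the course material). Targets WIF 1.0 (Microsoft.IdentityModel).
// Both classes are registered in web.config under <microsoft.identityModel><service>:
//   <claimsAuthenticationManager type="MyApp.Identity.PartnerClaimsAuthenticationManager, MyApp" />
//   <claimsAuthorizationManager  type="MyApp.Identity.ResourceActionAuthorizationManager, MyApp" />
// Namespace, class names, the partner STS name and its group claim type are assumptions.
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace MyApp.Identity
{
    // Claims transformation: runs once per request after the incoming token has been
    // validated and turned into an IClaimsPrincipal, and before the application sees it.
    public class PartnerClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        const string PartnerSts = "https://sts.partner.example";                       // assumed
        const string PartnerGroupClaim = "http://schemas.partner.example/claims/group";  // assumed

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (!incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;

            var identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Do not let a partner's role claims flow into the application unchanged:
            // drop any incoming role claims, then derive application roles locally.
            foreach (var stale in identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList())
                identity.Claims.Remove(stale);

            // Only a group claim that really came from the partner STS counts.
            bool accounting = identity.Claims.Any(c =>
                c.ClaimType == PartnerGroupClaim &&
                c.Issuer == PartnerSts &&
                c.Value == "Accounting");

            if (accounting)
                identity.Claims.Add(new Claim(ClaimTypes.Role, "InvoiceApprover",
                                              ClaimValueTypes.String, "LOCAL AUTHORITY"));

            return incomingPrincipal;
        }
    }

    // Claims-based authorization: the application asks "may this principal perform this
    // action on this resource?" instead of hard-coding role names throughout the code.
    public class ResourceActionAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            string resource = context.Resource.First().Value;
            string action = context.Action.First().Value;
            var identity = (IClaimsIdentity)context.Principal.Identity;

            if (resource == "Invoice" && action == "Approve")
                return identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "InvoiceApprover");

            // Default deny: a resource/action pair nobody thought about is not authorized.
            return false;
        }
    }
}
```

Application code then triggers the check with `ClaimsPrincipalPermission.CheckAccess("Invoice", "Approve")` (or the equivalent `[ClaimsPrincipalPermission]` attribute) and never inspects role names itself; the mapping from the partner's groups to local roles lives in exactly one place, which is also where you audit who gets what.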
Externalizing Authentication for Web Applications
WIF includes support for the WS-Federation protocol, which allows business logic and
authentication logic to be separated into distinct (distributed) applications. The authentication
part is called the identity provider or, in more general terms, a security token service (STS).
This module looks at this scenario from both the application and the identity provider
point of view and walks you through the concepts needed to centralize application
login logic, both with a standard product like Active Directory Federation Services
and with a custom token service built on WIF’s API support.
Externalizing Authentication for SOAP Services
One big benefit of WIF is that it unifies the security programming model
for ASP.NET and WCF. In the spirit of the preceding modules, we will have a look at
how WIF integrates into the (SOAP) web service world. You will learn how to move
authentication into a separate service using the WS-Trust protocol and how WIF
simplifies the WCF security model and extensibility API.
Day 2
Advanced Topics: Security Token Service Architecture, Delegation and
Federation
The preceding modules covered the 80/20 cases of WIF in combination with ASP.NET and
WCF. In many scenarios this is just the tip of the iceberg. Especially when two business
partners decide to federate, you usually have to deal with multiple token services
and their implications for application design. Identity delegation is a feature that
transports the client identity over a chain of service invocations so that
authorization decisions can be made across multiple hops. In addition you will learn about the principal
architecture of an STS, how to customize the one that comes with this training course,
as well as how to build your own.
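Identity delegation as described above is done with the WS-Trust ActAs element: the middle tier sends the caller's original token inside its own token request, and the STS issues a token for the back end that carries the caller's claims plus an actor chain naming the middle tier. The following is an added example against the WIF 1.0 API (Microsoft.IdentityModel on .NET 4), not code from the course or from thinktecture; the STS and back-end addresses, the IBackendService contract, the binding choices and the role and service names are assumptions for illustration.

```csharp
// Added example (not from the course material). Targets WIF 1.0 (Microsoft.IdentityModel) on .NET 4.
// Middle-tier code that calls a back-end service on behalf of the original caller via ActAs.
// Endpoint addresses, IBackendService, binding choices and role/service names are assumptions.
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;

[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string GetAccountBalance(string accountId);
}

public static class DelegatingClient
{
    const string StsEndpoint = "https://sts.example/trust/13/windowsmixed"; // assumed
    const string BackendEndpoint = "https://backend.example/service";       // assumed

    // Step 1: ask the STS for a token for the back end that carries the caller as ActAs.
    // The middle tier authenticates to the STS with its own (Windows) identity; the STS
    // issues the token only if its policy allows *this* service to act as that caller.
    public static SecurityToken GetActAsToken(IClaimsIdentity caller)
    {
        // The caller's original token is only kept if the middle tier's config has
        // <microsoft.identityModel><service saveBootstrapTokens="true">.
        SecurityToken bootstrapToken = caller.BootstrapToken;
        if (bootstrapToken == null)
            throw new InvalidOperationException("No bootstrap token; enable saveBootstrapTokens.");

        var stsBinding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };

        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo = new EndpointAddress(BackendEndpoint),
            KeyType = WSTrust13Constants.KeyTypes.Symmetric,
            // ActAs wraps the caller's token in the RST; the issued token contains the
            // caller's claims and an actor chain identifying the middle tier.
            ActAs = new SecurityTokenElement(bootstrapToken)
        };

        var channel = factory.CreateChannel();
        return channel.Issue(rst);
    }

    // Step 2: present the ActAs token to the back end over a federation binding.
    public static string GetBalanceOnBehalfOf(IClaimsIdentity caller, string accountId)
    {
        SecurityToken token = GetActAsToken(caller);

        var backendBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        var backendFactory = new ChannelFactory<IBackendService>(backendBinding, new EndpointAddress(BackendEndpoint));
        backendFactory.ConfigureChannelFactory();              // WIF extension: enable issued-token support
        IBackendService proxy = backendFactory.CreateChannelWithIssuedToken(token);

        return proxy.GetAccountBalance(accountId);
    }
}

// On the back end the delegated identity shows up as an actor chain. Authorization has
// to look at both ends of it: who the caller is, and which service acted on their behalf.
public static class BackendAuthorization
{
    public static bool CallerIsAllowed(IClaimsIdentity identity, string trustedMiddleTier)
    {
        IClaimsIdentity actor = identity.Actor;
        if (actor == null)
            return false; // assumed policy: this back end only accepts delegated calls

        bool viaTrustedService = actor.Claims.Any(c => c.ClaimType == ClaimTypes.Name && c.Value == trustedMiddleTier);
        bool callerMayRead = identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "AccountReader");
        return viaTrustedService && callerMayRead;
    }
}
```

Two things to keep in mind when wiring this up: the STS, not the middle tier, decides which services may act as whom (an ActAs request from an unlisted service must be refused there), and the back end must not treat an actor chain as decoration: a token that names an untrusted actor is as bad as no token at all, which is why the check above requires both a trusted actor and an authorized caller.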
Outsourcing Authentication: Windows Azure & the Azure AppFabric
Access Control Service
Microsoft provides a multi-tenant security token service as part of the Azure
platform cloud offering. This is an interesting product because it allows you to outsource
vital infrastructure services to a managed environment that guarantees uptime and
scalability. Another advantage of the Access Control Service is that it allows easy
integration of both the “enterprise” protocols like WS-* and “web identities”
like LiveID, Google or Facebook into your applications. ACS acts as a protocol bridge
in this case: the application developer doesn’t need to implement all of these protocols,
but simply uses a service that handles them.
Claims & Federation for the Web and Mobile World
The web and mobile world is also moving to a token- and claims-based model. While the
mechanics are almost identical, other protocols and token types are used to achieve
better HTTP (REST) and JavaScript integration for in-browser applications and small-footprint
devices. Patterns such as allowing third-party applications to work with your data
without disclosing your credentials to them (the problem OAuth addresses) are also important
in these application types. The nice thing about WIF and its powerful base APIs and
abstractions is that it can shield application logic from these details while you
focus on implementing the actual application.
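One of the "other token types" in that module is the Simple Web Token (SWT) listed in the course description: a form-encoded list of name/value pairs whose last pair is an HMAC-SHA256 over everything before it, keyed with a secret shared between the issuer and the REST service. To make the mechanics concrete, here is an added example of a minimal SWT issuer and validator in C#; it is not code from the course, from thinktecture or from WIF, and the shared key, issuer and audience values are constructed for the demo.

```csharp
// Added example (not from the course material). Minimal SWT issue/validate for a REST service.
// The shared key, issuer and audience values below are constructed for the demonstration.
using System;
using System.Collections.Generic;
using System.Net;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public static class Swt
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Token layout: claim=value&...&Issuer=...&Audience=...&ExpiresOn=<unix seconds>&HMACSHA256=<base64>
    public static string Issue(byte[] key, string issuer, string audience, DateTime expiresUtc,
                               IDictionary<string, string> claims)
    {
        var sb = new StringBuilder();
        foreach (var c in claims)
            sb.Append(WebUtility.UrlEncode(c.Key)).Append('=').Append(WebUtility.UrlEncode(c.Value)).Append('&');
        sb.Append("Issuer=").Append(WebUtility.UrlEncode(issuer))
          .Append("&Audience=").Append(WebUtility.UrlEncode(audience))
          .Append("&ExpiresOn=").Append((long)(expiresUtc - Epoch).TotalSeconds);
        string unsigned = sb.ToString();
        using (var hmac = new HMACSHA256(key))
        {
            string sig = Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(unsigned)));
            return unsigned + "&HMACSHA256=" + WebUtility.UrlEncode(sig);
        }
    }

    // Returns the token's claims or throws. Order matters: check the signature first so
    // that nothing in the token is parsed or compared before it is known to be genuine.
    public static IDictionary<string, string> Validate(string token, byte[] key, string expectedIssuer,
                                                       string expectedAudience, DateTime nowUtc)
    {
        const string sigMarker = "&HMACSHA256=";
        int idx = token.LastIndexOf(sigMarker, StringComparison.Ordinal);
        if (idx < 0) throw new SecurityException("SWT: signature missing");

        string signedPart = token.Substring(0, idx);
        byte[] presented = Convert.FromBase64String(WebUtility.UrlDecode(token.Substring(idx + sigMarker.Length)));
        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPart));
        if (!FixedTimeEquals(expected, presented)) throw new SecurityException("SWT: bad signature");

        var claims = new Dictionary<string, string>();
        foreach (var pair in signedPart.Split('&'))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            claims[WebUtility.UrlDecode(kv[0])] = kv.Length == 2 ? WebUtility.UrlDecode(kv[1]) : "";
        }

        string exp, iss, aud;
        long expSeconds;
        if (!claims.TryGetValue("ExpiresOn", out exp) || !long.TryParse(exp, out expSeconds)
            || Epoch.AddSeconds(expSeconds) <= nowUtc)
            throw new SecurityException("SWT: expired or missing ExpiresOn");
        if (!claims.TryGetValue("Issuer", out iss) || iss != expectedIssuer)
            throw new SecurityException("SWT: unexpected issuer");
        if (!claims.TryGetValue("Audience", out aud) || aud != expectedAudience)
            throw new SecurityException("SWT: token was issued for a different audience");
        return claims;
    }

    // Compares the full length regardless of where the first differing byte is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("demo-shared-secret-not-for-production"); // constructed
        const string nameClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
        var claims = new Dictionary<string, string> { { nameClaim, "alice" } };

        string token = Issue(key, "https://sts.example", "https://api.example/", DateTime.UtcNow.AddMinutes(10), claims);
        var parsed = Validate(token, key, "https://sts.example", "https://api.example/", DateTime.UtcNow);
        Console.WriteLine("name = " + parsed[nameClaim]);

        // Rewriting the audience inside the signed part must be rejected by the signature check.
        try { Validate(token.Replace("api.example", "other.example"), key, "https://sts.example", "https://other.example/", DateTime.UtcNow); }
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The audience check is the one that is most often skipped: without it, a token a user legitimately obtained for one of your REST services can be replayed against another service that shares the same signing key. In a WIF-based service the same logic would sit in a custom SecurityTokenHandler, so that the rest of the application only ever sees an IClaimsPrincipal.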
HTH