
Federated Identity Essentials - Michele Leroux Bustamante




Federated security models and claims–based access control are key to modern distributed systems, enabling business scenarios that are very difficult to implement otherwise. Federation allows users to authenticate in their own domain while being granted access to applications and services that belong to another domain or environment. This removes the need to provision and manage duplicate accounts for a single user, reduces overall application complexity, and enables Single Sign–On (SSO) scenarios loved by all users. Claims–based access is central to a federated security model whereby applications and services authorize access to features and functionality based on claims from issuers (the STS) in trusted domains. Claims can contain information about the user, roles, or permissions – and this makes for a highly flexible authorization model. Together, federated security and claims–based access enable a range of integration scenarios across applications, departments, and partners in a wider ecosystem. Platform tools in this area have also come a long way. Windows Identity Foundation (WIF) is a feature–rich identity model framework for building claims–based applications and services, and for supporting active and passive federated security scenarios. Active Directory Federation Services (AD FS) V2 is an out–of–the–box Security Token Service (STS) that handles authentication and claims transformation for federation scenarios. Windows CardSpace V2 presents users with an easy way to select their digital identity for authentication.

During this intense, two–day class you will learn how to apply claims–based and federated identity and the relevant architectural scenarios. The class demonstrates the rich features of WIF for supporting claims–based identity and federation in your ASP.NET and WCF applications; explains how to work with identity providers in a federated scenario; provides the foundation for building a custom STS with WIF and for working with ADFS V2; and discusses scenarios where managed information cards and CardSpace play a key role. By the end of this tour de force you will be well versed in the subject of claims–based and federated identity. The class offers not just the technical but also the business perspective and practical reasons to leverage claims–based and federated identity – while utilizing numerous demonstrations that include IDesign’s original tools and utilities.

Format
In addition to lecture–style presentations, this class illustrates concepts with numerous demonstrations. These demonstrations serve as a starting point for new projects and as a rich source of reference material and samples.

Target Audience
.NET developers, architects or technical leads who are exploring the benefits of claims–based and federated security and who are looking to understand the relevant scenarios, technology platforms, and developer tools.

Duration
2 very intense days

Offering
This course is available as an on–site training class as well as a public offering.

Course Outline

Federated Identity Overview
  • Identity challenges
  • Claims–based and federated identity benefits
  • Platform tools and technologies
  • Terminology and protocols
Architectural Scenarios
  • Active and passive federation
  • Identity federation and token issuance
  • Federating with multiple domains
  • Home realm selection and CardSpace
  • Claims transformation
  • The role of a resource STS or federation provider
  • Federation for REST–based web resources
.NET Security 101
  • A very brief overview of core .NET Framework security concepts
  • Process identity
  • Thread identity and security principal
  • PrincipalPermission and PrincipalPermissionAttribute
  • Implementing role–based security in .NET
Windows Identity Foundation (WIF) Overview
  • WIF core features
  • Enabling passive federation for ASP.NET
  • Single sign–on / sign–out
  • Exposing federated service endpoints
  • Caching tokens
  • Identity delegation
  • Home realm selection
WIF and Claims–Based Access Control
  • ClaimsPrincipal and ClaimsIdentity
  • ClaimsAuthenticationManager and ClaimsAuthorizationManager
  • Integration with .NET role–based security
  • ASP.NET Login controls
  • Web Forms and MVC strategies
  • WCF service operations and permission demands
  • Migration strategies from claims–based to federated
Security Token Services
  • Security Token Service (STS) overview
  • Active and passive federation scenarios
  • Policy and rules configuration
  • Custom STS implementations with WIF
  • Working with ADFS V2
Windows CardSpace
  • CardSpace–enabled authentication for ASP.NET and WCF
  • CardTile and ASP.NET
  • Issuing managed information cards
Federation with AppFabric Access Control
  • Windows Azure platform AppFabric Access Control overview
  • Securing REST–based web resources with Access Control
  • Protocols support and interoperability
  • Configuring claims–transformation rules for access control
  • Federated security scenarios for REST–based web resources
  • Access control key management
Identity Protocols
  • Where do the various identity protocols fit?
  • How do they compare?
  • WS–Trust / WS–Federation
  • SAML Protocol
  • OAuth / WRAP
  • OpenID
  • U–Prove
  • XACML
About Michele Leroux Bustamante
Michele Leroux Bustamante is Chief Architect at IDesign, Microsoft Regional Director for San Diego, and a Microsoft MVP for Connected Systems. With over 15 years of experience designing enterprise systems, Michele held senior executive positions at several corporations prior to IDesign. She has assembled and organized software development teams from the ground up, implemented processes for all aspects of the software development lifecycle, and facilitated many successful large–scale enterprise application deployments, including capital fund raising, sales, and business development efforts. At IDesign, Michele specializes in training, mentoring and high–end architecture consulting services focusing on end–to–end solutions with scalable and secure architecture design, service–orientation with WCF, interoperability, federated identity, and cloud computing. Michele participates in Software Design Reviews for related products in the Microsoft roadmap. She also participated in prototyping elements of the CardSpace technology for the product team in its early Beta phase. Michele has been an advisor to University of California, San Diego Extension since 1994, establishing several successful certificate programs. Michele is a member of the International .NET Speakers Association; a frequent presenter at technology conferences such as Tech Ed, PDC, Dev Connections and NDC; has chaired many conferences and events; and regularly publishes in several technology journals. Michele wrote the best–selling book Learning WCF, O’Reilly, in 2007 (www.learningwcf.com) and is currently writing the second edition. Visit her blog at www.michelelerouxbustamante.com, or follow her tweets @michelebusta.





Price:
13 900

Number of days:
2

Time:
09:00 - 16:30

Venue:
IT Fornebu

Includes:
Course material, text book and lunch (the course and all material are in English).