Programming Windows® Identity Foundation
Vittorio Bertocci
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2011 by Vittorio Bertocci
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means
without the written permission of the publisher.
Library of Congress Control Number: 2010933007
Printed and bound in the United States of America.
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about
international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly
at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to
Microsoft and the trademarks listed at />EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events
depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any
express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will
be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Ben Ryan
Developmental Editor: Devon Musgrave
Project Editor: Rosemary Caperton
Editorial Production: Waypoint Press (www.waypointpress.com)
Technical Reviewer: Peter Kron; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design
Body Part No. X17-09958
To Iwona, my darling
Contents at a Glance
Part I Windows Identity Foundation for Everybody
1 Claims-Based Identity 3
2 Core ASP.NET Programming 23
Part II Windows Identity Foundation for Identity Developers
3 WIF Processing Pipeline in ASP.NET 51
4 Advanced ASP.NET Programming 95
5 WIF and WCF 145
6 WIF and Windows Azure 185
7 The Road Ahead 215
Table of Contents
Foreword xi
Acknowledgments xiii
Introduction xvii
Part I Windows Identity Foundation for Everybody
1 Claims-Based Identity 3
What Is Claims-Based Identity? 3
Traditional Approaches to Authentication 4
Decoupling Applications from the Mechanics of Identity and Access 8
WIF Programming Model 15
An API for Claims-Based Identity 16
WIF’s Essential Behavior 16
IClaimsIdentity and IClaimsPrincipal 18
Summary 21
2 Core ASP.NET Programming 23
Externalizing Authentication 24
WIF Basic Anatomy: What You Get Out of the Box 24
Our First Example: Outsourcing Web Site Authentication to an STS 25
Authorization and Customization 33
ASP.NET Roles and Authorization Compatibility 36
Claims and Customization 37
A First Look at <microsoft.identityModel> 39
Basic Claims-Based Authorization 41
Summary 46
Microsoft is interested in hearing your feedback so we can continually improve our books and learning
resources for you. To participate in a brief online survey, please visit:
www.microsoft.com/learning/booksurvey/
What do you think of this book? We want to hear from you!
Part II Windows Identity Foundation for Identity Developers
3 WIF Processing Pipeline in ASP.NET 51
Using Windows Identity Foundation 52
WS-Federation: Protocol, Tokens, Metadata 54
WS-Federation 55
The Web Browser Sign-in Flow 57
A Closer Look to Security Tokens 62
Metadata Documents 69
How WIF Implements WS-Federation 72
The WIF Sign-in Flow 74
WIF Configuration and Main Classes 82
A Second Look at <microsoft.identityModel> 82
Notable Classes 90
Summary 94
4 Advanced ASP.NET Programming 95
More About Externalizing Authentication 96
Identity Providers 97
Federation Providers 99
The WIF STS Template 102
Single Sign-on, Single Sign-out, and Sessions 112
Single Sign-on 113
Single Sign-out 115
More About Sessions 122
Federation 126
Transforming Claims 129
Pass-Through Claims 134
Modifying Claims and Injecting New Claims 135
Home Realm Discovery 135
Step-up Authentication, Multiple Credential Types, and Similar Scenarios 140
Claims Processing at the RP 141
Authorization 142
Authentication and Claims Processing 142
Summary 143
5 WIF and WCF 145
The Basics 146
Passive vs Active 146
Canonical Scenario 154
Custom TokenHandlers 163
Object Model and Activation 167
Client-Side Features 170
Delegation and Trusted Subsystems 170
Taking Control of Token Requests 179
Summary 184
6 WIF and Windows Azure 185
The Basics 186
Packages and Config Files 187
The WIF Runtime Assembly and Windows Azure 188
Windows Azure and X509 Certificates 188
Web Roles 190
Sessions 191
Endpoint Identity and Trust Management 192
WCF Roles 195
Service Metadata 195
Sessions 196
Tracing and Diagnostics 201
WIF and ACS 204
Custom STS in the Cloud 205
Dynamic Metadata Generation 205
RP Management 213
Summary 213
7 The Road Ahead 215
New Scenarios and Technologies 215
ASP.NET MVC 216
Silverlight 223
SAML Protocol 229
Web Identities and REST 230
Conclusion 239
Index 241
Foreword
A few years ago, I was sitting at a table playing a game of poker with a few colleagues from Microsoft who had all been involved at various times in the development of Web Services Enhancements for Microsoft .NET (WSE). Don Box, Mark Fussell, Kirill Gavrylyuk, and I played the hands while showman extraordinaire Doug Purdy engaged us with lively banter and more than a few questions about the product—all of this in front of the cameras at the MSDN studios.

We had each selected a person from the field to play for; someone whom we each thought had made a significant contribution to the success of WSE but hadn’t been a direct member of the product team itself. If we won, then our nominee would get a prize, a token of our appreciation for the work that he or she had done. My selection was a guy called Vittorio Bertocci who was working for Microsoft in Italy at the time. I’d never met Vittorio, nor even seen a photo of him, but he was a prolific poster on our internal discussion list, clearly understood the key security concepts for the product including the WS-* protocols, and had even crafted an extension to enable Reliable Messaging despite some of the crude extensibility we had in place at the time. Vittorio was someone worth playing for but, unfortunately, I didn’t win.

Time passed, the Windows Communication Foundation (WCF) superseded WSE, and I moved to become the Architect for the Identity and Access team tasked with building a Security Token Service for Windows Server. One day, out of the blue, I got an e-mail from Vittorio to say that he’d moved to Redmond to take on a Platform Evangelist role and asking if we could meet up. Of course I said yes, but what I couldn’t have anticipated was that mane of jet-black hair.

Vittorio was deeply interested in the work that we were doing to enable a claims-based programming model for .NET, on top of which we planned to build the second version of our security token service. Over time, these ideas became the “Geneva” wave of products and were finally birthed as the Windows Identity Foundation and Active Directory Federation Services 2.0.

Throughout several years of product development, Vittorio became not only a remarkable spokesperson for the products but a key source of feedback on our work, both from the customers and partners that he met with and from his own direct efforts to use the product. He was instrumental in encouraging me, and the product team, to take on the last-minute task of making WIF run in Windows Azure just in time for PDC 2009 and the product release.

Watching Vittorio present a session on WIF is a pleasure—his depth of knowledge and his creative presentation skills allow him to deliver the message on an increasingly important topic despite the fact that it is too frequently tainted with the dryness of the “security” label.
Within the pages of this book, you’ll learn how to use the Windows Identity Foundation from someone who is not only a great teacher but is also deeply familiar with the concepts behind the technology itself and who has worked directly with the product team, and myself personally, on a very close basis over the course of the last four to five years.

Vittorio takes you through the terminology and key concepts, and explains the integration of WIF with ASP.NET, Windows Communication Foundation, and Windows Azure, culminating in a speculative look ahead at the scenarios that the product might tackle in a future release. I encourage you, the reader, to think deeply about the concepts here and how you will manage identity in the applications that you go on to build; it’s a topic that is becoming increasingly important to both enterprises and the Web community.

Finally, I want to thank Vittorio for his enthusiasm, support, and tireless energy over the years. I have but one final request of him: please get a haircut.
Hervey Wilson
Architect, AppFabric Access Control Service
Microsoft, Redmond
July 2010
Acknowledgments
You create the world of the dream. We bring the subject into that dream and fill it with their subconscious.
—Cobb in “Inception”, Christopher Nolan, 2010
Some time ago, a friend asked me what the point was of writing a book when I already have a well-read blog. There are many excellent answers to that question, from the extra reach that a book has to the advantages of reading without having to constantly fight the opportunity costs of not following a link. My favorite answer, however, is that whereas a blog is a one-man operation, a book is the result of the contribution of many people and its value for the reader is proportionally higher. It might be my name on the cover, but the reality is that I stand on the shoulders of many fine people, who I want to acknowledge here. I’ve been working with identity for the last 8 years or so, interacting with an incredible amount of people; hence, I am pretty sure I’ll forget somebody. I apologize in advance.

Peter Kron is a Principal Software Developer Engineer on the WIF team, and the official technical editor of this book. Without his patience, thoroughness, and deep knowledge of WIF, this would have been a much inferior book.

Hervey Wilson is the Architect of the Access Control service. He led the Web Services Enhancements (WSE) team, and he happens to be the one who envisioned Windows Identity Foundation. I’ve been working with Hervey since 2002, well before I moved to Redmond. At the time, I was still using his WSE for securing solutions for Italian customers. If you believe what Malcolm Gladwell says in his book Outliers: The Story of Success (Little, Brown and Co., 2008), that you need 10,000 hours of practice for becoming really good at something, nobody contributed more than Hervey to my professional growth in the field of Identity. I am very honored he agreed to write the foreword for this book. Thanks, man!

The crew at Microsoft Press has been outstanding, chopping into manageable chunks my long “Itanglish” sentences without changing the meaning and working around my abysmal delays and crazy schedule. (In the last year alone, I handed a boarding pass to smiling ladies 55 times.) Specifically, thanks go to Ben Ryan and Gerry O’Brien for having trust in me and the book, to Devon Musgrave for bootstrapping the project, and to Rosemary Caperton for running the project. Steve Sagman of Waypoint Press led a fantastic production team: Roger LeBlanc as Copy Editor, Thomas Speeches as Proofreader, and Audrey Marras as Illustrator. Special thanks to Audrey for working on really challenging illustrations: you can pull out the needles from my doll now!

Stuart Kwan, Group Program Manager for WIF, and Conrad Bayer, GM for the Identity and Access division, have been great partners and supported this project from the very start.
I did most of the writing at night, on weekends, and during vacation time, but at times the book did impact my day job. James Conard and Neil Hutson, Senior Directors in the Developer and Platform Evangelism group and my direct management chain, have been very patient and supportive of the effort.

Justine Smith and Brjann Brekkan, from the Business Group of the Identity and Access Division, have been incredibly helpful on activities that ultimately had an impact on the sample code discussed here.

Todd West, at the time with the WIF test team, is one of the most gifted Web services developers I’ve ever met. Most of the guidance regarding WIF and Windows Azure in this book and out there is the result of his work.

My good friend Caleb Baker, Program Manager on the WIF team, is a never-ending source of insights and useful discussions. He is also the owner of the WIF and Silverlight integration. The Silverlight code samples are all based on his work.

Together with Hervey, the original WSE team merged with WIF too. I had a chance to tap their brains countless times. Thanks to Sidd Shenoy, Govind Ramanathan, Vick Mukherjee, HongMei Ge, and Keith Ballinger.

The entire WIF team contributed to this book. Here I’ll call a few people out to give you a feeling for the quality of their work. Daniel Wu was of great help on sessions; Brent Schmaltz was key for helping me understand the inner workings of WIF and WCF; Vani Nori and Vick devised the way of using WIF with MVC; Junaid Tisekar was key for starting the work with WIF and OAuth 2.0; Shiung Yong was instrumental in figuring out some parts of the WIF pipeline in the early days of WIF.

Many others in the identity product team contributed through the years: thanks to Jan Alexander, Vijay Gajjala, Arun Nanda, Marc Goodner, Mike Jones, Craig Wittenberg, Don Schmidt, Ruchi Bhargava, Sesha Mani, Matt Steele, and Sam Devasahayam.

My teammates in the Windows Azure platform evangelism team played a key role in keeping me on my toes, and they’re simply awesome to hang out with. Thanks to Ryan Dunn, David Aiken, Nigel Watling, and Zach Owen. Please delete all the pictures you saved!

The guys at Southworks, the company that helped me with practically all the identity samples and labs in the last two years, are fantastic to work with. Many thanks to Matias Woloski, Pablo Damiani, Tim Osborn, Johnny Halife, and many others.

Conversations about identity with Gianpaolo Carraro and Eugenio Pace were extremely valuable, especially the ones related to the P&P guide on claims-based identity led by Eugenio.
Donovan Follette has been the ADFS evangelist for a long time, sharing with me the pains and the joys of the claims-based identity renaissance at PDC08. Even if now he is all cozy in his new Office role, I cannot forget his incredible contribution to bringing identity to the community.

Of course, we would not be even discussing this if Kim Cameron had not driven the conversation on the identity metasystem and claims-based identity with the entire industry. Thank you, Kim!

My wife, Iwona Bialynicka-Birula, deserves special thanks. She accepted and supported this crazy initiative no matter what, whether it meant skipping beach time while in Maui or coping with insurance agents and contractors after our house got flooded. Without her, not only would you not be holding this book in your hands, I don’t know what I would do…. Thank you, darling. I promise: no more books for some time!

Finally, I want to thank you: the readers of my blog, who followed faithfully my ramblings for seven years without asking too often about the weird blog name; the participants of the WIF workshops in Belgium, UK, Germany, Singapore, Melbourne, and Redmond, who put up so nicely with my “sexy” accent; and the attendees of the many sessions I gave at events all over the world in the last five years. Without your questions, your critiques, your comments, your compliments, and your longing for understanding, I would have never found the motivation to do this and the other things I do for evangelizing identity. This book is for you.
Introduction
It has been said that every problem in Computer Science can be solved by adding a level of indirection.

You don’t have to go far to find examples of successful applications of that principle. Before the introduction of the concept of driver, programs had to be rewritten every time one changed something as simple as the monitor. Before the introduction of TCP/IP, programs targeting a token ring network environment had to be rewritten if the network protocol changed. Drivers and TCP/IP helped to free application developers from the need to worry about unnecessary details, presenting them with a generic façade while leaving the nitty-gritty details to the underlying infrastructure. In addition to making the developer profession a happier one, the approach led to more robust and long-lived software for the benefit of everybody.

For various historical reasons, authentication and identity management practices never really followed the same route of monitors and network cards. Adding “authentication” to your software today still largely means messing with the code of the application itself, writing logic that takes care in detail of low-level tasks such as verifying usernames and passwords against an account store, juggling with X509 certificates, or similar. When you are spared from handling things at such a low level, it usually means that you took a strong dependency on your infrastructure, and your application will be unmovable without substantial rewriting: just like a program from the pre-drivers era.

As you will learn in the first chapters of this book, claims-based identity is changing all this. Without going too much into details, claims are the means to add that extra level of indirection that eluded the identity world so far. The introduction of open protocols enjoying wide industry consensus and support, the convergence toward the idea of a meta-system for identity, and the success of metadata formats which can automate many tedious and error-prone tasks created the perfect storm that generated the practices collectively known as claims-based identity. Claims are paving the way for identity and access management to be pushed outside of applications and down in the infrastructure, freeing developers from the need to handle it explicitly while enhancing solutions with welcome extra advantages (such as cross-platform interoperability out of the box).

I have spent four full years working almost exclusively on claims-based architectures with customers and product teams here in Redmond; the model is sound, and it invariably delivers significant improvements against any other authentication system. However, until recently, actually implementing systems according to the model was a painful experience, since it required writing large amounts of custom code that would handle protocols, cryptography, and similar low-level aspects.
This all changed when, in October 2008, Microsoft announced the “Geneva” wave of claims-aware beta products: among those there was Windows Identity Foundation, the protagonist of the book you are holding, which was finally released in November 2009.

Windows Identity Foundation (WIF) is Microsoft’s stack for claims-based identity programming. It is a new foundational technology which helps .NET developers to take advantage of the claims-based approach for handling authentication, authorization, customization, and in general any identity-related task without the need to write any low-level code. True to the claims-based identity promise, you can decide to use WIF to externalize all identity and access control logic from your applications: Visual Studio will make it a breeze, and you will not be required to know any detail about the underlying security protocols. If you want to take finer control of the authentication and authorization process, however, WIF offers you a powerful and flexible programming model that will give you complete access to all aspects of the identity management pipeline.

This book will show you how to use Windows Identity Foundation for handling authentication, authorization, and identity-driven customization of your .NET applications. Although the text will often be task-oriented, especially for the novice part of the book, the ultimate goal will always be to help you understand the claims-based approach and the pattern that is most appropriate for the problem at hand.
Who Is This Book For?
Part I of the book is for the ASP.NET developer who wants to take advantage of claims-based identity without having to become a security expert. Although there are no requirements about pre-existing security knowledge, you do need to have hands-on ASP.NET programming knowledge to proficiently read Part I.

In Part II I shift gear pretty dramatically, assuming that you are an experienced .NET developer who knows about the ASP.NET pipeline, Forms authentication, X.509 certificates, LINQ syntax, and the like. I often try to add sidebars which introduce the topic if you know little about it but you want to follow the text anyway, but the reality is that without concrete, hands-on knowledge of the .NET Framework (and specifically C#) Part II could be hard to navigate. I also assume that you are motivated to invest energy in understanding the “whys” of identity and security.

Identity is an enabling technology, which is never found in isolation but always as a component and enhancement of other technologies and scenarios. This book discusses how to apply WIF with a variety of technologies and products, and of course cannot afford providing introductions for everything: in order to be able to apply the guidance in the various chapters you’ll need to be proficient in the corresponding technology. The good news is that the chapters are reasonably decoupled from each other, so that you don’t need to be a WCF expert for appreciating the chapters about ASP.NET. Chapter 3 and Chapter 4 require you to be familiar with ASP.NET and its extensibility model. Chapter 5 is for experienced WCF developers. Chapter 6 requires you to be familiar with Windows Azure and its programming model. Chapter 7 sweeps on a number of different technologies, including Silverlight and the ASP.NET MVC Framework, and expects you to be at ease with terminology and usage.

The bottom line is that in order to fully take advantage of the book you need to be an expert .NET and Web developer. On the other hand, the book contains a lot of architectural patterns and explanations which could easily be applied to products on other platforms: hence if you are an architect that can stomach pattern explanations intertwined with code commentary, chances are that you’ll find this book a good reference on how claims-based identity solves various canonical problems in the identity and access space.
System Requirements
You’ll need the following software and hardware to build and run the code samples for this book:
■ Microsoft® Windows 7; Windows Server 2003 Service Pack 2; Windows Server 2008 R2; Windows Server 2008 Service Pack 2; Windows Vista
■ Windows Identity Foundation 1.0 runtime
■ Windows Identity Foundation SDK 4.0
■ Microsoft® Internet Information Services (IIS) 7.5, 7.0 or 6.0
■ Microsoft® .NET Framework 4.0
■ Visual Studio 2010
■ 1.6-GHz Pentium or compatible processor
■ 1 GB RAM for x86
■ 2 GB RAM for x64
■ An additional 512 MB RAM if running in a virtual machine
■ DirectX 9–capable video card that runs at 1024 × 768 or higher display resolution
■ 5400-RPM hard drive (with 3 GB of available hard disk space)
■ DVD-ROM drive
■ Microsoft mouse or compatible pointing device
■ Approximately 78 MB of available hard disk space to install the code samples
Note that the WIF runtime and the WIF SDK 3.5 are compatible with Visual Studio 2008 and the .NET Framework 3.5 SP2. The March 2010 version of the Identity Training Kit contains most of the samples of the book in a form that is compatible with VS 2008 and the .NET Framework 3.5; however, please note that the code in the text refers to VS 2010 and there are small differences here and there.
Code Samples
The code samples for this book are available for download here:
Click the download link and follow the instructions to save the code samples to your local hard drive.

The code samples used in this book are mostly from the Identity Developer Training Kit, a collection of hands-on labs, presentations, and instructional videos, which is meant to help developers learn Microsoft’s identity technologies. It is a self-extracting .EXE. Every lab has its own setup, which will take care of most prerequisites for you. Please follow the instructions on the Welcome page.

Producing the Identity Developer Training Kit is one of the things I do during my day job. Whereas in the book I highlight code snippets to help you understand the technology, in the Identity Developer Training Kit documentation I give step-by-step instructions. Feel free to combine the two approaches as you ramp up your knowledge of Windows Identity Foundation.

The Identity Developer Training Kit is a living deliverable; every time there is a new version of a product I update it accordingly. However, I want to make sure that the code samples referenced in the book will not break. For that reason, I am including in the book code sample archive the current version of the training kit, June 2010, which will always be available, even if I keep updating the training kit in its original download location.
Errata and Book Support
We’ve made every effort to ensure the accuracy of this book and its companion content. If you do find an error, please report it on our Microsoft Press site at Oreilly.com.
1. Go to .
2. In the Search box, enter the book’s ISBN or title.
3. Select your book from the search results.
4. On your book’s catalog page, under the cover image, you’ll see a list of links.
5. Click View/Submit Errata.
You’ll find additional information and services for your book on its catalog page. If you need additional support, please e-mail Microsoft Press Book Support at
Please note that product support for Microsoft software is not offered through the addresses above.
We Want to Hear from You
At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at:
The survey is short, and we read every one of your comments and ideas. Thanks in advance for your input!
Stay in Touch
Let’s keep the conversation going! We’re on Twitter:
Part I
Windows Identity Foundation for Everybody
In this part:
Claims-Based Identity 3
Core ASP.NET Programming 23
Claims-based identity promotes separation of concerns at a level never achieved before in the identity management world. As a result, implementations such as Windows Identity Foundation (WIF) can provide tooling that will enable developers to add authentication capabilities to their applications without the need to become security experts.

The two chapters in this part of the book deliver on that promise: they contain indications that can be understood and applied by any ASP.NET developer, regardless of how much the developer already knows about security. If you are not a security guru, and you don’t want to become one, Windows Identity Foundation allows you to tackle the most common authentication and authorization challenges without entering into the gory details of credentials and protocol mechanics. It is so simple that ideally you could even skip most of Chapter 1, “Claims-Based Identity,” and go straight to the “WIF Programming Model” section. You would still be able to use WIF for securing your applications in the simplest case, although having the background we provide in Chapter 1 would help you to do so more effectively.

If you are interested in taking finer control of the identity and access management process, Part II, “Windows Identity Foundation for Identity Developers,” is for you. However, I suggest that you still glance through Part I, as its characterization of claims-based identity will be required knowledge in Part II.
Chapter 1
Claims-Based Identity
In this chapter:
What Is Claims-Based Identity? 3
WIF Programming Model 15
Summary 21
Microsoft Windows Identity Foundation (WIF) enables you to apply the principles of claims-based identity when securing your Microsoft .NET application. Claims-based identity is so important that I want to make sure you understand it well before I formally introduce Windows Identity Foundation.

Claims-based identity is a natural way of dealing with identity and access control. However, the old ways of doing this are well established, so before delving into the new approach, it’s useful to describe and challenge the classic assumptions about authentication and authorization. Once you have a clear understanding of some of the issues with traditional approaches, I’ll introduce the basic principles of claims-based identity—I’ll say enough to enable you to proficiently use Windows Identity Foundation for the most common scenarios. This chapter contains some simplifications that will get you going without overloading you with information. For a more thorough coverage of the subject, refer to Part II, “Windows Identity Foundation for Identity Developers.”

Finally, we’ll take our initial look at how WIF implements the mechanisms of claims-based identity and how you, the developer, can access the main elements exposed by its object model.

After reading this chapter, you’ll be able to describe how claims-based identity works and how to take advantage of it in solutions to common problems. Furthermore, you’ll be able to define Windows Identity Foundation and recognize its main elements.

What Is Claims-Based Identity?
Note If you already know about claims, feel free to skip ahead to the “WIF Programming Model” section. If you are in a big hurry, I offer you the following summary of this section before you skip to the next section: Claims-based identity allows you to outsource identity and access management to external entities.