Browse by Tags
Security Token Service
-
… is the title of a great post by Vibro that can be found here. This is an important subject, and in all projects where I have used claims and an STS I also wanted the claims on the client. When cracking my own STS (before WIF) I always used the display token to get them from the identity provider (IP, aka the STS), so that seems to be in line with ...
-
Windows Identity Framework (known as Geneva) has now been released as a release candidate (RC). This is great and will have a big impact on how identity and some other security-related parts of your applications will be implemented. If you haven’t started using claims yet, now is the time to do some reading to catch up and shift your mind. Vibro’s ...
-
Beta 2 of Microsoft Code Name “Geneva” is available to download. More info here.
-
On Thursday, Herbjörn and I will be presenting at IASA’s event ITARC09 (Swedish) about cloud computing. The subject is how to handle Identity and Single-Sign-On when moving applications and services to the cloud. Of course we will cover a lot about Security Token Service (STS), claims and so on, but one slide that we had to cut was about ...
-
When deploying solutions that contain a Security Token Service (STS) you will probably have to set the security properties of the private key of the certificates that are used to sign and encrypt the messages. It can be very difficult to find the file, though, but luckily there is a resource tool for this specific purpose that can be downloaded at ...
-
So PDC is over for this time, but PDC 2009 is already announced, so we might not need to wait three years for the next one. In this post I will try to summarize a great week. Windows Azure: I think this announcement was expected, but I must say that the first impression is that it seems quite complete. After having the head spinning for a while I can ...
-
Geneva is the code name of Microsoft's identity framework (and it replaces Zermatt for those of you who have read about that). Geneva is actually three things: Geneva Framework. Geneva Server, a security token service (STS), also the next version of ADFS. Windows CardSpace "Geneva", formerly known as CardSpace 2. The Geneva ...
-
Finally, BizTalk Services no longer contains BizTalk in its official name; it is now called Microsoft .NET Services. "Dublin" is the code name for Windows Application Server Extensions and contains parts that were originally in the "Oslo" vision. (Side note: "Oslo" is now only the modelling.)
As you might ...
-
When creating my WCF version of a Security Token Service, I also created a flexible way to add claims to the security token by basing that functionality on the provider model. One of the providers I created issues authorization claims that give you access (for example ReadOwn, Read, Create, UpdateOwn, Update and so on) to tasks (or replace task ...
-
I have recently got questions about why CardSpace is more secure than username/password. Of course Michele Leroux Bustamante (dasBlonde, ThatIndigoGirl) has a great post covering this, which is a must-read for everyone and a lot better than my clumsy attempts to explain.
-
Dominick Baier blogs about his, Barry Dorrans' and David Christiansen's SharpSTS for Information Cards (CardSpace).
-
In my requirements for the STS implementation I wanted to be able to use the SAML token in the client and I also wanted to log in the user against the STS when the user logs in through the GUI and not when the first call to a service is made. To be able to fulfill this I need to manually issue a SAML token and set the token to my custom principal ...
-
By using the SAML token in the client, it is possible to set up the principal and identity objects also on the client side, which will make it possible for the client to also ask whether a user belongs to a certain role and so on. The problem, though, is that the client cannot deserialize the SAML token if not using asymmetric key pairs. I first ...
-
This post continues where the last one left off. We now have a SAML token that is re-serializable, which is good, because that will make it possible to use the same SAML token when calling a second business service from the first one. We could also easily check if we have a SAML token available by casting the current principal object to an ...
-
When creating many services in an SOA it's a common scenario that you need the SAML token to flow from one business service to another. The first issue that you will bump into when trying to enable this is that the SamlAssertion class in .NET 3.0 is not re-serializable, but it's fixed in .NET 3.5. Fortunately there is a really good post ...
-
When a business service receives a SAML token, WCF will extract the SAML attributes (containing the information) as claims and make them available as a ClaimSet that can be reached through the AuthorizationContext. This is not the way I would like my business logic to work with the information available in the SAML token, though, because that will tie ...
-
It will probably be easier to follow my upcoming posts about how I have enabled my requirements of the STS in WCF if you have a good understanding of the security architecture of WCF. This is a good starting point if you don't have that understanding.
-
Almost three years ago I started to think in terms of having an infrastructure service to handle security, like verifying users, getting which roles they belong to and so on. Back then WSE 3 was in beta and there was no information available on the Internet (that I could find anyway). I had heard of WS-Trust and I had also seen a sample at an event ...
-
A Security Token Service (STS) is a web service that issues security tokens. A security token can be used for encrypting and signing messages, and it can be used to carry information about a user (claims). One common security token in a Windows environment is a Kerberos Security Token that carries information about the current Windows user. ...
-
First session today was titled "Securing ASP.NET and Windows Communication Foundation (WCF) Applications with Windows Cardspace" by Vittorio Bertocci, but it actually was covering ADFS "2". ADFS is Active Directory Federation Services and is part of Windows Server 2003 R2.
What ADFS really is, is a Security Token Service (STS), so ...