Announcing new project – patterns & practices - Claims based Authentication & Authorization Guide

For the next couple of months I’ll be working on a new project here at patterns & practices, developing a new guide for claims based authentication and authorization.

I’m personally very happy to be working on this project, for many reasons. I believe frameworks like “Geneva” (previously known as “Zermatt”, now Windows Identity Foundation), products like “Geneva Server” (now ADFS) are great platform additions to enable a new set of scenarios.

I realize that SSO, Federated Identity and Claims are not new. It’s just that we have much better tools and higher abstractions to implement these scenarios much more easily than ever.

I also feel privileged to work with such a great team. I’ll be sitting on giants shoulders: Dominick Baier, Vittorio Bertocci, Keith Brown, David Hill and Matias Woloski. Many others are joining as advisors and reviewers.

As it is customary now in the patterns & practices team, we will be publishing our content often and very early. I’ll post details here soon.

We also want to try a few new things in this project. In this guide we want to be very focused on the practices rather than on the “theory”, the “principles” or “philosophy” of claims based security.

We want to have very concrete scenarios, with a high fidelity of what happens out there in the real world. Almost a “case study” approach in which we weave a story across the book that takes the reader into more ambitious requirements as he proceeds.

With each chapter, we will introduce more complex solutions to address increasingly more ambitious requirements.

The current backlog for the scenarios we want to cover is illustrated below. Each “station” is a core scenario. Some will have small variations (like Azure hosting in the first one).

The two lines (yellow and light blue) refer to the two perspectives we plan to include: that of someone consuming software (the blue), and that of some building software (the yellow).

Stay tuned!

Eugenio

Update: fixed image size.

Comments

• Anonymous
  August 12, 2009
  This is great news and is definitely what is needed. I would like to see the guides also to answer the following questions. The context for these is a multi-tenant environment in Windows Azure:

1. How do you enable different providers (Windows Live ID, Active Directory, OpenID) for different tenants, and possibily also within a tenant, e.g. main users should come from Active Directory domain X, guests from domain Y and some guests via Windows Live ID?
2. How should one map authorization to roles and tasks, tasks being at a lower level of granularity and possibly being nested? Can this be done at least partially also declaratively, e.g. via attributes or interception?
3. How can we enable the tenats to self-service their security configuration (login, roles, task mapping) while not allowing access to other tenants security configuration? It would be great to have access to early versions of these guides, either via a Wiki or if you could post them or email them to interested parties, like myself :-)

• Anonymous
  August 12, 2009
  Thanks Ralf, yes, the intent is to publish early content along the way. #1 & #3 of your list are definitely in scope. #2 is there, but not sure about the depth just yet. Thanks again. Stay tuned. Eugenio

• Anonymous
  September 02, 2009
  Really looking forward for more on this. Any coverage on scenarios for creating a custom STS. There's a lot of documentation out there saying that you won't need one due to Geneva Server. What about scenarios for Geneva Server supporting custom extensions eg. support for token serialization to formats other than SAML? Peace Steve

• Anonymous
  September 22, 2009
  Will there ever be RESTful support in future wIF versions? Seems like Microsoft only concentrates on the bloated SOAP and WS-*. Would be nice to hear about REST and SSO (OpenId, oAuth).

• Anonymous
  October 02, 2009
  @Jeff - I can't comment on REST support on WIF yet as I'm not on the product team. Dominick has some interesting posts on it.   Also, it seems REST is also going to be "starred": http://www.jboss.org/reststar ;-) @Steve: Many many sceanrios are covered with ADFS v2, but you are right that there are other that aren't. Building a productoion level custom STS is not a trivial task. We have one scenario that would require one (Federation with partners with no IdP), but honestly, there are other things above in therms of priorities.