Wednesday, November 9, 2011

What is Windows Identity Foundation?

The Windows Identity Foundation is a framework for building identity-aware applications. The framework abstracts the WS-Trust and WS-Federation protocols and presents developers with APIs for building security token services and claims-aware applications. Applications can use the framework to process tokens issued by security token services and make identity-based decisions in the web application or web service.
What can this do for me?
  • Build claims-aware applications (Relying Party Applications)
Windows Identity Foundation helps developers build claims-aware applications. In addition to providing a new claims model, it gives application developers a rich set of APIs to help make user access decisions based on claims.
Windows Identity Foundation also provides developers with a consistent programming experience whether they choose to build their applications in ASP.NET or in WCF environments.
  • ASP.NET Controls
ASP.NET controls simplify development of ASP.NET pages for building claims-aware Web applications.
  • Translate between claims and NT tokens
Windows Identity Foundation includes a Windows service, named Windows Identity Foundation Claims to NT Token Service (C2WTS), that acts as a bridge between claims-aware applications and NT-token-based applications. It gives developers an easy way to convert claims to an NT token identity, making it possible to access resources that require an NT-token-based identity from a claims-aware application.
  • Build identity delegation support into claims-aware applications
Windows Identity Foundation offers the capability of maintaining the identity of the original requestor across multiple service boundaries. This is achieved with either the "ActAs" or the "OnBehalfOf" functionality in the framework, and it gives developers the ability to add identity delegation support to their claims-aware applications.
  • Visual Studio Templates
The Windows Identity Foundation SDK offers built-in Visual Studio templates for claims-aware ASP.NET Web Site and WCF Web Service applications, reducing the learning curve for the claims-based programming model.
  • Easy trust establishment between claims-aware application and STS
The Windows Identity Foundation SDK provides a utility, named FedUtil, that allows easy trust establishment between claims-aware applications and an STS, for example the Active Directory Federation Services STS or the LiveID STS. This utility supports both ASP.NET and WCF Service applications. It is also integrated with Visual Studio, so it can be invoked from the Solution Explorer by right-clicking a project and choosing the "Modify STS Reference" menu item, or from the Tools menu in Visual Studio.
  • Build custom security token services (STS)
Windows Identity Foundation makes it substantially easier to build a custom security token service (STS) that supports the WS-Trust protocol. Such an STS is also referred to as an active STS.
In addition, the framework supports building STSs that implement WS-Federation to serve web browser clients. Such an STS is also referred to as a passive STS.
The framework offers built-in Visual Studio templates for building an ASP.NET STS and a WCF STS; these templates create simple STSs that developers can extend into production STSs that suit their needs.
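The "access decisions based on claims" item above is where most application code meets WIF. The following is an added example (not code from the original post or from the WIF SDK) of a custom ClaimsAuthorizationManager for a hypothetical "CustomerData" resource; the issuer name and the department claim type URI are assumptions chosen for illustration.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Added example (not from the original post): a WIF ClaimsAuthorizationManager
// that decides access to a hypothetical "CustomerData" resource. The issuer name
// and department claim type are assumptions chosen for illustration.
public class CustomerDataAuthorizationManager : ClaimsAuthorizationManager
{
    // Issuer name as registered in the application's issuer name registry (assumed).
    private const string TrustedIssuer = "https://sts.contoso.example/";
    private const string DepartmentClaim = "http://schemas.contoso.example/claims/department";

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and action arrive as claims, e.g. from
        // new ClaimsPrincipalPermission("CustomerData", "Read").Demand();
        string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        string action = context.Action.Select(c => c.Value).FirstOrDefault();

        var identity = context.Principal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated || resource == null || action == null)
            return false;

        // Only claims from the trusted STS count: a claim of the right type from
        // any other issuer must not be able to widen access.
        var trusted = identity.Claims.Where(c =>
            string.Equals(c.Issuer, TrustedIssuer, StringComparison.OrdinalIgnoreCase)).ToList();
        bool inSales = trusted.Any(c => c.ClaimType == DepartmentClaim && c.Value == "Sales");
        bool isAdmin = trusted.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "Administrator");

        if (resource == "CustomerData")
        {
            if (action == "Read") return inSales || isAdmin;
            if (action == "Write") return isAdmin;
        }
        return false; // default deny for anything not explicitly permitted
    }
}
```

The class is wired in through the `<claimsAuthorizationManager type="..."/>` element under `<microsoft.identityModel><service>` in the application's configuration, after which WIF invokes it for every `ClaimsPrincipalPermission` demand.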
Where would I use this?
Federation
Windows Identity Foundation makes it possible to build federation between two or more partners. Its functionality offerings on building claims-aware applications (RP) and custom security token services (STS) help developers achieve this scenario.
Identity Delegation
Windows Identity Foundation makes it easy to maintain identities across service boundaries, so that developers can implement identity delegation scenarios.
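As an added example (not code from the original post or from the WIF SDK) of the ActAs delegation described above, a front-end WCF service requests a token for a back-end service while carrying the original caller's token inside the request. The STS and service addresses and the ICustomerService contract are assumptions, and the STS must be configured to honour ActAs requests from this front end.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;

// Assumed back-end contract used only for this illustration.
[ServiceContract] public interface ICustomerService { [OperationContract] string GetCustomer(string id); }

// Added example (not from the original post): a front-end service calling a
// back-end service with an ActAs token. Addresses are assumptions.
public static class DelegatingCaller
{
    private const string StsAddress = "https://sts.contoso.example/trust/13/windowsmixed";
    private const string BackendAddress = "https://backend.contoso.example/CustomerService";

    public static string GetCustomerAsCaller(string customerId)
    {
        // The user's own incoming token, retained only when the front end sets
        // saveBootstrapTokens="true" in <microsoft.identityModel>.
        var caller = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        if (caller.BootstrapToken == null)
            throw new InvalidOperationException("No bootstrap token; cannot delegate.");

        var stsFactory = new WSTrustChannelFactory(
            new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(StsAddress));
        stsFactory.TrustVersion = TrustVersion.WSTrust13;

        // ActAs wraps the user's token inside the request; the STS issues a token for
        // the back end whose subject is still the user, with this service recorded
        // as the actor, so the back end can authorize on both identities.
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointAddress(BackendAddress),
            ActAs = new SecurityTokenElement(caller.BootstrapToken)
        };
        SecurityToken actAsToken = stsFactory.CreateChannel().Issue(rst);

        // WIF attaches the issued token to the outgoing WCF call.
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        var backendFactory = new ChannelFactory<ICustomerService>(binding, new EndpointAddress(BackendAddress));
        backendFactory.ConfigureChannelFactory();
        return backendFactory.CreateChannelWithIssuedToken(actAsToken).GetCustomer(customerId);
    }
}
```

On the back end, the resulting identity exposes the front-end service through the Actor property of the user's IClaimsIdentity, which is what lets the back end restrict delegation to known intermediaries rather than to anyone holding a user token.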
Step-up Authentication
Authentication requirements for different resource access within an application may vary. Windows Identity Foundation provides developers the ability to build applications that can require incremental authentication requirements (for example: initial login with Username/Password authentication and then step-up to Smart Card authentication).
Major Benefits
Windows Identity Foundation enables .NET developers to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperability. Enjoy greater productivity, applying the same tools and programming model to build on-premises software as well as cloud services. Create more secure applications by reducing custom implementations and using a single simplified identity model based on claims. Enjoy greater flexibility in application deployment through interoperability based on industry standard protocols, allowing applications and identity infrastructure services to communicate via claims.
Foundations of Windows Identity Foundation
  • Active Directory Federation Services 2.0: a security token service for IT that issues and transforms claims and other tokens, manages user access and enables federation and access management for simplified single sign-on.
  • Windows CardSpace 2.0 Beta 2: the end user component of Microsoft’s user access platform for developers and IT professionals that helps simplify access to applications and other systems with an open claims-based model.
  • Windows Azure Access Control Services: provides an easy way to provide identity and access control to web applications and services, while integrating with standards-based identity providers, including enterprise directories such as Active Directory®, and web identities such as Windows Live ID, Google, Yahoo! and Facebook.
Windows Azure Access Control Services
Access Control provides an easy way to provide identity and access control to web applications and services, while integrating with standards-based identity providers, including enterprise directories such as Microsoft’s Active Directory®, and web identities such as Windows Live ID, Google, Yahoo! and Facebook.
The service enables authorization decisions to be pulled out of the application and into a set of declarative rules that can transform incoming security claims into claims that applications understand. These rules are defined using a simple and familiar programming model, resulting in cleaner code. It can also be used to manage users’ permissions, saving the effort and complexity of developing these capabilities. 

Use Access Control
  • Create user accounts that federate a customer's existing identity management system that uses Active Directory® service, other directory systems, or any standards-based infrastructure
  • Exercise complete, customizable control over the level of access that each user and group has within your application
  • Apply the same level of security and control to Service Bus connections
Access Control Benefits
  • Federated identity and access control through rule based authorization enables applications to respond as if the user accounts were managed locally
  • Flexible standards-based service that supports multiple credentials and relying parties
  • Lightweight developer-friendly programming model based on the Microsoft .NET Framework and Windows Communication Foundation
Access Control Features
  • Set up issuer trust with a simple Web interface or programmatically through APIs
  • Supports Active Directory and other identity infrastructures, with minimal coding
  • Support for multiple credentials, including X.509 certificates
  • Support for standard protocols including REST
  • Applications that run inside and outside the organizational boundary can rely on the service
  • Validate application and user requests from data and connectivity services
Support for OAUTH Means Site Collaboration
ACS (Azure Access Control Service) recently added support for the OAuth 2.0 protocol. OAuth is an open protocol that allows users to grant third-party applications access to their data without handing those applications their passwords.
The Sample
Microsoft has developed a sample which shows off the real power of Windows Identity Foundation when combined with OAuth.
The sample uses the OAuth protocol to enable web sites to access resources on behalf of a user without the user providing his or her credentials to that site (meaning no extra logins).
In other words, less of this (screenshot: Facebook authorization prompt) and less of this (screenshot: Twitter authorization prompt).
In the sample Microsoft provides, Contoso (Microsoft’s omnipresent fake sample company) has a web service that exposes customer information that needs to be protected.
Another company, Fabrikam (yet another popular fake Microsoft sample company), has a web site and wants users to be able to view their Contoso data directly on it. The user doesn’t have to log in to the Fabrikam site, but is redirected to a Contoso-specific site to log in and give consent for Fabrikam to access data on their behalf.
The Contoso web service requires OAuth access tokens from ACS to be attached to incoming requests. The necessary protocol flow for the Fabrikam web site (the web server client, in OAuth terms), including redirecting the user to log in and give consent, requesting access tokens from ACS, and attaching the token to outgoing requests to the service, is taken care of under the covers. The sample contains a walkthrough that describes the components in more detail.
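The part of this flow that the Contoso service itself is responsible for is checking the access token on each incoming request. The following is an added example, not part of Microsoft's sample, written on the assumption that ACS issues the OAuth 2.0 access token in the Simple Web Token (SWT) format it used at the time; the ACS namespace, the audience URI and the 256-bit signing key are constructed placeholder values.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web;
// Added example, not part of Microsoft's sample: how the Contoso service can
// check an ACS-issued OAuth 2.0 access token (Simple Web Token format) before
// acting on it. Namespace, audience and the 256-bit key are constructed values.
public static class AcsTokenValidator
{
    private const string ExpectedIssuer = "https://contoso-sample.accesscontrol.windows.net/";
    private const string ExpectedAudience = "https://contoso.example/CustomerService/";
    // Relying party token signing key as shown in the ACS portal (constructed: all zero bytes)
    private static readonly byte[] SigningKey =
        Convert.FromBase64String("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=");
    public static IDictionary<string, string> Validate(string swt)
    {
        // ACS signs the URL-encoded token body; HMACSHA256 is always the last parameter.
        const string marker = "&HMACSHA256=";
        int at = swt.LastIndexOf(marker, StringComparison.Ordinal);
        if (at < 0) throw new SecurityException("Token is not signed.");
        string body = swt.Substring(0, at);
        byte[] presented = Convert.FromBase64String(HttpUtility.UrlDecode(swt.Substring(at + marker.Length)));
        byte[] expected;
        using (var hmac = new HMACSHA256(SigningKey)) expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(body));
        if (!FixedTimeEquals(presented, expected)) throw new SecurityException("Token signature does not verify.");
        var claims = new Dictionary<string, string>();
        foreach (string pair in body.Split('&'))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length == 2) claims[HttpUtility.UrlDecode(kv[0])] = HttpUtility.UrlDecode(kv[1]);
        }
        // A good signature is not enough: the token must come from the expected ACS
        // namespace, be addressed to this service, and still be within its lifetime.
        string value;
        if (!claims.TryGetValue("Issuer", out value) || value != ExpectedIssuer) throw new SecurityException("Unexpected issuer.");
        if (!claims.TryGetValue("Audience", out value) || value != ExpectedAudience) throw new SecurityException("Wrong audience.");
        long now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        if (!claims.TryGetValue("ExpiresOn", out value) || long.Parse(value) <= now) throw new SecurityException("Token expired.");
        return claims;
    }
    // Compare MACs without an early exit on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < Math.Min(a.Length, b.Length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Only the claims returned by Validate, never the raw token parameters, should feed the service's authorization decisions, since anything outside the signed body or from an unexpected issuer or audience was rejected before they were parsed.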
Download the Sample on Microsoft Connect...