Wednesday, November 11, 2009

[WIF] TechED 2009 – Windows Identity Foundation, Cardspace 2.0, ADFS 2.0

The new claims-based security abstraction layer (formerly project “Geneva”) was presented. It will likely change how applications implement security handling in the future.

Until now, when you developed your application, you had to decide at development time which security approach you wanted to support. Your application was then more or less coupled to that security implementation.

For example, changing your application from a Windows to a Web application could mean redeveloping the whole security handling (recovery of rights, verification, etc.).

New WIF Security Abstraction Layer

This is about to change considerably with Windows Identity Foundation (WIF), Cardspace 2.0 and ADFS 2.0, or any other provider that can act as an STS.

Applications will no longer care where security comes from. In fact, they won’t know anymore. They will just know what rights (or better, what claims) they need and who they trust. It will be the responsibility of the Security Token Service (STS) provider to recover claims and send them to the requesting applications.

Security will be decoupled completely from application development in this scenario. And it is very easy to do!
The WIF API will provide all the functions and objects that are necessary for the implementation in your applications. You may change your security configuration by modifying the application configuration file (as with WCF), and changes will be immediate even in production environments.

Claim Recovery Example

Here is an example of how to recover a claim (ex: “age”) that the application needs for security verification (note the usage of LINQ in this context).
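
An added example of such a lookup (not the code from the original post or from Microsoft's samples): it uses the System.Security.Claims types that the WIF model was integrated into with .NET 4.5, and the claim type URI, issuer name and sample identities are assumptions constructed for illustration. The check fails closed when the claim is missing, duplicated, unparsable or issued by an STS the application does not trust.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

static class AgeClaimCheck
{
    // Hypothetical values, not from the page: a custom claim type and the
    // name of the one STS this application trusts.
    const string AgeClaimType = "http://example.org/claims/age";
    const string TrustedIssuer = "https://sts.example.org/";

    // True only if exactly one well-formed "age" claim from the trusted
    // issuer is present and meets the minimum; everything else is denied.
    public static bool IsOldEnough(ClaimsPrincipal principal, int minimumAge)
    {
        var ages = (from c in principal.Claims
                    where c.Type == AgeClaimType && c.Issuer == TrustedIssuer
                    select c.Value).ToList();

        if (ages.Count != 1) return false; // missing or ambiguous claim

        // NumberStyles.None rejects signs, whitespace and separators.
        return int.TryParse(ages[0], NumberStyles.None,
                            CultureInfo.InvariantCulture, out int age)
               && age >= minimumAge;
    }

    // Builds a constructed principal standing in for what an STS would issue.
    static ClaimsPrincipal Principal(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));

    static void Main()
    {
        var adult = Principal(new Claim(AgeClaimType, "34", ClaimValueTypes.Integer, TrustedIssuer));
        var minor = Principal(new Claim(AgeClaimType, "15", ClaimValueTypes.Integer, TrustedIssuer));
        // Same claim type, but asserted by an issuer the application does not trust.
        var untrusted = Principal(new Claim(AgeClaimType, "34", ClaimValueTypes.Integer, "https://other.example.net/"));
        var noClaim = Principal(new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, TrustedIssuer));

        Console.WriteLine(IsOldEnough(adult, 18));     // True
        Console.WriteLine(IsOldEnough(minor, 18));     // False
        Console.WriteLine(IsOldEnough(untrusted, 18)); // False
        Console.WriteLine(IsOldEnough(noClaim, 18));   // False
    }
}
```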


Visual Studio 2010 Tooling Support

Visual Studio 2010 will provide the tools necessary to make this as easy as possible. There will be wizards that greatly help with configuring your applications. You may even have a local simulated STS implementation that can be used during development (not everyone has a fully configured STS at hand).


ASP.NET & WCF Integration

With WIF, authorization and security handling will offer more flexibility and allow more complex scenarios.



The new security concept provided by WIF will really change how application security is built. There are already Hands-On-Labs and documentation on WIF, and I encourage you to “dive” further into the subject. For my part, I will closely follow the next releases and can’t wait to see the final product.

