Building applications that combine WCF, WF and Cardspace in the .NET Framework 3.5
Gaëtan Holderbeke, Xavier Pellegrino

Page 1: Building applications that combine WCF, WF and Cardspace in the.NET Framework 3.5 Gaëtan Holderbeke Xavier Pellegrino

Building applications that combine WCF, WF and Cardspace in the .NET Framework 3.5

Gaëtan Holderbeke, Xavier Pellegrino

Page 2:

Session Objectives & Prerequisites

Objectives
• WCF & WF overview
• Messaging using Workflow Services
• Identity Metasystem
• Securing WCF with CardSpace

Prerequisites
• Experience with either WF or WCF in .NET 3.0, and some experience with the other
• Application security basics

Page 3:

Agenda

Introduction to:
• WCF
• WF

Better Together:
• Workflow Services
• Service Communications

Identity Metasystem:
• CardSpace
• STS

Page 4:

{WCF}

Page 5:

Rhetorical Question

WHAT IS A SERVICE?

Some functionality exposed via a structured messaging scheme…

Page 6:

Windows Communication Foundation

The Swiss-Army Chainsaw of service platforms

Unified programming model

Great manageability features: tracing, message logging, threading controls, DoS remediation, WMI integration, configurability, etc.

Introduced in .NET 3.0, enhanced in .NET 3.5

Page 7:

Clients, Services & Endpoints

(Diagram: a client and a service exchange messages through endpoints; each side may expose several endpoints.)

Every endpoint is defined by its "ABC":
• Address: where?
• Binding: how?
• Contract: what?

Page 8:

WCF Gross Anatomy

Address, binding and contract in App.config:

    <service>
      <endpoint name="MyService"
                address="http://MyServer:6666/MyService"
                binding="basicHttpBinding"
                contract="IMyInterface"/>
    </service>

Service contract definition:

    [ServiceContract]
    public interface IMyInterface
    {
        [OperationContract]
        void MyMethod(String arg);
    }

Service type:

    [ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
    public class MyService : IMyInterface
    {
        public void MyMethod(String arg) { … }
    }
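As an added example (not code from the deck), the same address, binding and contract set up in code rather than in App.config, together with the settings a security reviewer would look for on such a host: the binding upgraded from basicHttpBinding (anonymous caller, no integrity protection by default) to wsHttpBinding with message security and Windows credentials, reader quotas and a message size cap, an authorization demand on the operation, and the throttling behavior that implements what the deck calls DoS remediation. IMyInterface and MyService are the deck's names; the URL, the role name and the quota values are assumptions.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IMyInterface
{
    [OperationContract] string MyMethod(string arg);
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
public class MyService : IMyInterface
{
    // Authorization at the operation: the caller must be authenticated and in this
    // Windows group (assumed role name; PrincipalPermissionMode defaults to UseWindowsGroups).
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public string MyMethod(string arg)
    {
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return string.Format("Hello {0}, you sent {1} characters", caller, arg.Length);
    }
}

public static class Program
{
    public static void Main()
    {
        // A = address (assumed), B = binding, C = contract.
        var address = new Uri("http://localhost:8000/MyService");

        // wsHttpBinding with message security: the caller is authenticated with Windows
        // credentials and every message is signed and encrypted.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Bound the cost of parsing one request before the operation even runs.
        binding.MaxReceivedMessageSize = 64 * 1024;
        binding.ReaderQuotas.MaxDepth = 32;
        binding.ReaderQuotas.MaxStringContentLength = 8 * 1024;

        var host = new ServiceHost(typeof(MyService), address);
        host.AddServiceEndpoint(typeof(IMyInterface), binding, "");

        // Throttling ("DoS remediation" on slide 6): caps concurrent calls, sessions and
        // instances so one client cannot exhaust the host's threads or memory.
        var throttle = new ServiceThrottlingBehavior
        {
            MaxConcurrentCalls = 16,
            MaxConcurrentSessions = 100,
            MaxConcurrentInstances = 100
        };
        host.Description.Behaviors.Add(throttle);

        // Never leak exception details to callers in production.
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug != null) debug.IncludeExceptionDetailInFaults = false;

        host.Open();
        Console.WriteLine("Listening on {0}; press Enter to stop.", address);
        Console.ReadLine();
        host.Close();
    }
}
```

The quota and throttle values are starting points to tune against the service's real message sizes and load; the point is that they are set explicitly rather than left at whatever the host default happens to be.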

Page 9:

{WF}

Page 10:

Windows Workflow Foundation

What is Workflow? Workflow is the organization of work.

What's the value of Workflow?
• Long-running logic
• Flexibility
• Transparency
• Visual Studio Designer

(Diagram: a workflow, composed of activities, in the Visual Studio designer.)

Page 11:

Workflow Services: Approaches

Service implemented as a Workflow
• Leverage the Workflow development experience
• Allows long-running, durable services

Workflow hosted as a Service
• ServiceContract provides a typed interface for integrating with the Workflow
• Messages enforce by-value, serializable data
• Workflows can be message-activated

Page 12:

{DEMO} Workflow Services

Page 13:

Workflow Services Architecture

(Diagram: the plain WCF service runtime on the left, and what Workflow Services substitutes for each piece on the right. ServiceDescription, OperationSelector and App.config are shared; the workflow side adds the Workflow Runtime and the WF Persistence DB.)

    WCF service runtime              Workflow Services
    ------------------------------   ------------------------------
    ServiceHost                      WorkflowServiceHost
    ServiceBehavior                  WorkflowServiceBehavior
    OperationBehavior                WorkflowOperationBehavior
    OperationInvoker                 WorkflowOperationInvoker
    InstanceProvider                 DurableInstanceProvider (WF Persistence DB)
    MessageInspector                 MessageContextInspector
    ListenerChannel                  ContextChannel
    Service Instance                 Workflow Instance (Workflow Runtime)
      Operation 1, Operation 2         ReceiveActivity 1, ReceiveActivity 2
    Service.cs                       Workflow.cs or Workflow.xoml

Page 14:

Context Exchange

A transport-level session cannot carry the conversation across a long-running process: the connection will not outlive the workflow instance.

Correlation must be managed at the application or process layer.

Client and service need to agree on a protocol for exchanging context (the instance identifier).

Page 15:

Context Exchange Protocol

(Diagram: a non-WF client talking to a workflow service; braces show the context carried with each message.)

1. Client Send: "op x params", no context.
2. Service Receive (activating) creates the instance; the "op x response" carries {instanceId}.
3. The client stores {instanceId} in a context repository of its choice.
4. Client Send: "op y params" with {instanceId}.
5. Service Receive routes the message to that instance; the "op y response" carries {instanceId} again.

Page 16:

Duplex Communication

Cannot rely on a duplex channel: the conversation outlives any single channel.

Model this via two contracts, one per direction, each hosted in its own WorkflowServiceHost.

Explicitly provide the "client" context in the initiating message to the "server", so the server can address the client later.

Page 17:

Duplex Message Flow

(Diagram: client workflow on the left, service workflow on the right; braces show the context header carried by each message.)

1. Client SendRequest -> Service ReceiveRequest: BeginWorkflow, {no context}, body carries ClientId.
2. Service -> Client: the response carries {ServiceId}, which the client keeps.
3. Client Send -> Service Receive: BeginWorkItem, {ServiceId}, Body.
4. Client Send -> Service Receive: ContinueWorkItem, {ServiceId}, Body.
5. Client Send -> Service Receive: CompleteWorkItem, {ServiceId}, Body.
6. Service Send -> Client Receive: WorkItemComplete, {ClientId}, Body; the client correlates on ClientId and its ReceiveResponse completes.

Page 18:

{EXAMPLE} Duplex Messaging
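The deck's example is a workflow on both sides. As an added example that is not the deck's demo code, the same two-contract pattern from slides 15 to 17 driven from a non-WF client: the client hosts the callback contract itself, sends its own ClientId in the body of the initiating message (which carries no context), captures the {ServiceId} context from the reply through IContextManager, stores it, and replays it on a later channel. The service side is the workflow the deck hosts in WorkflowServiceHost and is not shown. Contract, class and member names, the URLs and the context key value are assumptions (the "instanceId" key is the one the .NET 3.5 context bindings use). The security-relevant points are that the context id is a bearer capability for the instance, so it travels only over a transport-secured binding, and that the callback endpoint accepts only ids it is actually waiting for.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract(Namespace = "urn:example:duplex")]   // assumed namespace
public interface IWorkService
{
    // First message: no context on the wire yet, so the client's own context goes in the body.
    [OperationContract] void BeginWorkflow(ClientContext caller);
    // Later messages carry {instanceId = ServiceId} in the context header, not the body.
    [OperationContract] void BeginWorkItem(string body);
    [OperationContract] void CompleteWorkItem(string body);
}

[ServiceContract(Namespace = "urn:example:duplex")]
public interface IWorkClient
{
    [OperationContract(IsOneWay = true)] void WorkItemComplete(string body);
}

[DataContract]
public class ClientContext
{
    [DataMember] public string Address;    // where the client's IWorkClient endpoint listens
    [DataMember] public string InstanceId; // the {ClientId} the service echoes in its context header
}

// Client-hosted callback endpoint. The context id is the only correlation we have,
// so an unknown or already-used id is dropped rather than trusted.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
public class WorkClient : IWorkClient
{
    public readonly HashSet<string> Outstanding = new HashSet<string>();

    public void WorkItemComplete(string body)
    {
        ContextMessageProperty ctx;
        string id = null;
        if (ContextMessageProperty.TryGet(OperationContext.Current.IncomingMessageProperties, out ctx))
            ctx.Context.TryGetValue("instanceId", out id);
        bool known;
        lock (Outstanding) known = id != null && Outstanding.Remove(id);
        if (!known) { Console.WriteLine("Rejected callback with unknown ClientId"); return; }
        Console.WriteLine("Work item for {0} completed: {1}", id, body);
    }
}

public static class ContextExchange
{
    // Copy the context (here {instanceId}) that the service attached to the last reply.
    public static IDictionary<string, string> Capture(IClientChannel channel)
    {
        IContextManager cm = channel.GetProperty<IContextManager>();
        if (cm == null) throw new InvalidOperationException("Binding has no context channel; use WSHttpContextBinding.");
        return new Dictionary<string, string>(cm.GetContext());
    }

    // Replay a saved context on a channel that has not been opened yet, so the call
    // reaches the same workflow instance.
    public static void Replay(IClientChannel channel, IDictionary<string, string> saved)
    {
        channel.GetProperty<IContextManager>().SetContext(new Dictionary<string, string>(saved));
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport security: the instanceId header lets anyone who holds it drive the instance.
        var binding = new WSHttpContextBinding(SecurityMode.Transport);

        var client = new WorkClient();
        var callbackHost = new ServiceHost(client, new Uri("https://client.example/callback")); // assumed
        callbackHost.AddServiceEndpoint(typeof(IWorkClient), binding, "");
        callbackHost.Open();

        string clientId = Guid.NewGuid().ToString();
        lock (client.Outstanding) client.Outstanding.Add(clientId);

        var factory = new ChannelFactory<IWorkService>(binding, "https://service.example/work"); // assumed
        IWorkService svc = factory.CreateChannel();
        svc.BeginWorkflow(new ClientContext { Address = "https://client.example/callback", InstanceId = clientId });

        // The reply carried {instanceId = ServiceId}: keep it in a repository of your choice.
        IDictionary<string, string> serviceCtx = ContextExchange.Capture((IClientChannel)svc);
        ((IClientChannel)svc).Close();

        // Later, possibly from another process: replay the saved context on a fresh channel.
        IWorkService again = factory.CreateChannel();
        ContextExchange.Replay((IClientChannel)again, serviceCtx);
        again.BeginWorkItem("item-1");
        again.CompleteWorkItem("item-1");
        ((IClientChannel)again).Close();

        Console.WriteLine("Waiting for WorkItemComplete; press Enter to exit.");
        Console.ReadLine();
        callbackHost.Close();
    }
}
```

Whatever repository holds the captured context should be treated like a session store: the saved instanceId is enough to resume the workflow, so it belongs with the caller's identity and not in a log line or a query string.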

Page 19:

{IDENTITY}

Page 20:

Identity on the Internet Today

Passwords
• Not a secure option with today's computing power
• Too easy to attack; long passwords are hard to remember
• We need stronger options!

Identity silos
• How many user accounts do you have on the web?
• Each requires its own password or other credential
• Expensive and painful to manage

Today's "solution": most users have one password they use everywhere!

Page 21:

Information Card: from the user's perspective

Data about myself: name, phone, address…

Data about a relationship with some entity:
• Frequent flyer -> Airline
• Credit card holder -> Bank
• Citizen of X -> Government

I may have to "do" something to use the card:
• Insert a smartcard
• Be on my company's network

Perception: I send this card so that the service provider will recognize me and use the information I disclose.

Page 22:

Information Card: from the computer's perspective

Token format: SAML, Kerberos…

STS information: address, metadata, policy

Authentication factor type & hints: thumbprint for certificates, card ID for self-issued cards

A card represents the ability to obtain a token of a certain format, containing certain claims, by requesting it from a certain STS following a certain policy.

Page 23:

A Token

(Diagram.) A token is made of three layers:
• Claims collection: ClaimName1: Value1 … ClaimNamen: Valuen
• S: the issuer's signature over the claims, plus [optional] key material
• E: encryption for the intended audience

Page 24:

Windows CardSpace

Windows CardSpace is an identity selector for the metasystem.

Represents digital identities graphically:
• Gets the user more highly involved in authentication
• Designed to be difficult to spoof (helps mitigate phishing attacks)

Makes identity feel real: each identity is represented as a card.

Page 25:

{DEMO}

Page 26:

Externalizing Authentication

Embedding identity management code in the app codebase is a Bad Idea:
• Competence
• Maintenance
• Robustness/Flexibility

The technical details of authentication should be abstracted away from the application developer.

Page 27:

S+S

(Diagram: Software plus Services. The user's PC, identity providers (IP), resource STSs (R-STS) and the resources are linked by trust relationships.)

Page 28:

Identity Flow

(Diagram: the user's PC with the identity selector and card store; the website with its token policy; the identity provider with its STS and identities store. SAML tokens flow from the IP to the user's PC and on to the website.)

1. The browser gets the login page.
2. It reads the website's token policies.
3. The policies are passed to the identity selector, which filters the card list based on them.
4. The selected card is passed to the IP's STS.
5. The IP authenticates the RST (Request for Security Token).
6. If successful, the IP builds and signs the requested token.
7. The IP sends the token back to the user's PC.
8. The application posts the token to the website.
9. The website authenticates the token.
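The flow above is the browser (passive) case. For the "Securing WCF with CardSpace" objective, and as an added example that is not the deck's demo, here is the relying-party side of the same exchange for a WCF service: the federated binding states the policy (issuer, token type, required claims), the service certificate is what the token's "E" layer is encrypted to, and the host's issued-token settings perform the "website authenticates the token" step (audience restriction, issuer handling). The operation then reads the claims collection from the token. Contract names, the URL and the certificate subject are assumptions; the issuer URI and claim URIs are the standard ones for CardSpace self-issued cards.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security.Tokens;

[ServiceContract]
public interface IProfileService
{
    [OperationContract] string WhoAmI();
}

public class ProfileService : IProfileService
{
    public string WhoAmI()
    {
        string ppid = null, email = null;
        // Walk the claim sets that were extracted from the token's claims collection.
        foreach (ClaimSet set in ServiceSecurityContext.Current.AuthorizationContext.ClaimSets)
        {
            foreach (Claim c in set.FindClaims(ClaimTypes.PPID, Rights.PossessProperty)) ppid = (string)c.Resource;
            foreach (Claim c in set.FindClaims(ClaimTypes.Email, Rights.PossessProperty)) email = (string)c.Resource;
        }
        // A self-issued card's e-mail is asserted by the user, not verified by anyone.
        // Key the account on the PPID, which CardSpace derives per card and per relying party.
        if (ppid == null) throw new FaultException("Token carried no PPID claim");
        return string.Format("PPID {0} (claimed e-mail: {1})", ppid, email ?? "none");
    }
}

public static class Program
{
    public static void Main()
    {
        var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
        // Policy handed to the identity selector: a SAML 1.1 token from the self-issued
        // provider, carrying a PPID and optionally an e-mail address.
        binding.Security.Message.IssuerAddress =
            new EndpointAddress("http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self");
        binding.Security.Message.IssuedTokenType = "urn:oasis:names:tc:SAML:1.0:assertion";
        binding.Security.Message.ClaimTypeRequirements.Add(new ClaimTypeRequirement(ClaimTypes.PPID));
        binding.Security.Message.ClaimTypeRequirements.Add(new ClaimTypeRequirement(ClaimTypes.Email, true));

        var address = new Uri("http://localhost:8000/profile"); // assumed
        var host = new ServiceHost(typeof(ProfileService), address);
        host.AddServiceEndpoint(typeof(IProfileService), binding, "");

        // The service certificate is the audience key: the IP encrypts the token to it ("E").
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost"); // assumed

        // Self-issued tokens are signed ("S") with a per-card RSA key, not a CA-rooted
        // certificate, so there is no chain to validate; continuity comes from PPID + key.
        host.Credentials.IssuedTokenAuthentication.AllowUntrustedRsaIssuers = true;
        // Reject tokens minted for another relying party.
        host.Credentials.IssuedTokenAuthentication.AudienceUriMode = AudienceUriMode.Always;
        host.Credentials.IssuedTokenAuthentication.AllowedAudienceUris.Add(address.ToString());

        host.Open();
        Console.WriteLine("Ready on {0}; press Enter to exit.", address);
        Console.ReadLine();
        host.Close();
    }
}
```

For a managed card from a real STS the same host settings change in the expected way: AllowUntrustedRsaIssuers stays false and the STS's signing certificate goes into IssuedTokenAuthentication.KnownCertificates, so that "the website authenticates the token" means a signature check against a known issuer rather than just key continuity.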

Page 29:

{DEMO}

Page 30:

Zermatt (codename; later released as Windows Identity Foundation): a framework for implementing claims-based identity in your applications

Set of .NET Framework 3.5 classes:
• Federated Authentication HttpModule
• IIdentity -> IClaimsIdentity
• IPrincipal -> IClaimsPrincipal

Information Card Design Control, Passive Sign In Design Control

Still Beta…

Page 31:

SUMMARY

WCF provides numerous extension points and configuration parameters

Workflow Services provide a natural way to build services. With an understanding of context, advanced communication patterns can be implemented across many parties.

Identity Management Frameworks provide great opportunities to drive security implementations targeting the future of software architecture.

Page 32:

Related Contents

• Community site, samples, news: http://cardspace.nefx3.com, www.dinnernow.net
• MSDN Forum: http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
• MSDN Home Page: http://msdn.microsoft.com/identity

Page 33:

Any questions ?

Feel Free to meet during the break

Or contact us:

[email protected]@pragmaconsult.lu

www.pragmaconsult.lu

Page 34:

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.