20 minutes read

Real-time User Notification and Session Management with SignalR – Part 2

In Part 1 I introduced a basic usage of SignalR and talked about the goals we were trying to accomplish with the library. In the next few posts I’m going to show how we can build a real-time user notification and session management system for a web application. In this post I’ll show how we can implement a solution that accomplishes our goals. Before diving back into SignalR it’s important to have a quick rundown of concepts for session management. If we think about how sessions work for a user in most applications it’s usually conceptually simple. A session is…

1 minute read

Guide to Claims-Based Identity Second Edition

It looks like the Guide to Claims-Based Identity and Access Control was released as a second edition! Take a look at the list of authors: Dominick Baier, Vittorio Bertocci, Keith Brown, Scott Densmore, Eugenio Pace, Matias Woloski. If you want a list of experts on security then look no further. These guys are some of the best in the industry and are my go-to for resources on Claims.

11 minutes read

Strongly Typed Claims

Sometimes it’s a pain in the neck working with Claims. A lot of the time you need to look for a particular claim, and that usually means looping through the claims collection and parsing the value into a particular type. This little dance is the trade-off for having such a simple interface to a potentially arbitrary collection of claims. Most of the time this works, but every once in a while you need to create a basic user object that contains some strongly typed properties. You could build up a basic object like: public class User { public string UserName { get;…
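One way to do that parse-once dance in a single place, as an added example that is not the post's own code: walk the ClaimsIdentity, pull each claim of interest, and convert it into a typed property, failing closed on a missing required claim or a malformed value rather than silently defaulting. It assumes the .NET 4.5 System.Security.Claims types; the custom employee-id claim type URI and the sample claim values are made up for illustration.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

// Added example (not the post's code). Assumes .NET 4.5 System.Security.Claims;
// the custom claim type URI below is hypothetical.
public class User
{
    // Hypothetical custom claim type issued by our STS.
    public const string EmployeeIdClaimType = "http://schemas.contoso.com/2011/claims/employeeid";

    public string UserName { get; private set; }
    public string Email { get; private set; }
    public int EmployeeId { get; private set; }
    public DateTime? DateOfBirth { get; private set; }
    public string[] Roles { get; private set; }

    // Walk the claims collection once, parse each value into its target type, and
    // fail closed on anything missing or malformed instead of defaulting quietly.
    public static User FromIdentity(ClaimsIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (!identity.IsAuthenticated) throw new InvalidOperationException("Identity is not authenticated.");

        return new User
        {
            UserName = Required(identity, identity.NameClaimType),
            Email = Optional(identity, ClaimTypes.Email),
            EmployeeId = ParseInt(Required(identity, EmployeeIdClaimType)),
            DateOfBirth = ParseDate(Optional(identity, ClaimTypes.DateOfBirth)),
            Roles = identity.FindAll(identity.RoleClaimType).Select(c => c.Value).ToArray()
        };
    }

    private static string Required(ClaimsIdentity identity, string claimType)
    {
        var value = Optional(identity, claimType);
        if (value == null)
            throw new InvalidOperationException("Missing required claim: " + claimType);
        return value;
    }

    private static string Optional(ClaimsIdentity identity, string claimType)
    {
        var claim = identity.FindFirst(claimType);
        return claim == null ? null : claim.Value;
    }

    // NumberStyles.None: digits only, no sign, whitespace or separators.
    private static int ParseInt(string value)
    {
        int result;
        if (!int.TryParse(value, NumberStyles.None, CultureInfo.InvariantCulture, out result))
            throw new FormatException("Claim value is not a non-negative integer: " + value);
        return result;
    }

    // Date claims are exchanged as ISO 8601 dates; parse them culture-invariantly.
    private static DateTime? ParseDate(string value)
    {
        if (value == null) return null;
        DateTime result;
        if (!DateTime.TryParseExact(value, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out result))
            throw new FormatException("Claim value is not a yyyy-MM-dd date: " + value);
        return result;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample identity standing in for what the STS would issue.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "steve"),
            new Claim(ClaimTypes.Email, "steve@contoso.com"),
            new Claim(User.EmployeeIdClaimType, "4211"),
            new Claim(ClaimTypes.DateOfBirth, "1985-06-17"),
            new Claim(ClaimTypes.Role, "Admin"),
            new Claim(ClaimTypes.Role, "User"),
        }, "Federation");

        var user = User.FromIdentity(identity);
        Console.WriteLine("{0} <{1}> #{2}, born {3:d}, roles: {4}",
            user.UserName, user.Email, user.EmployeeId, user.DateOfBirth,
            string.Join(", ", user.Roles));
    }
}
```

Two points worth keeping from this shape: the parse uses the invariant culture and an exact format so a claim value is interpreted the same way on every server, and a required claim that is absent or unparseable throws rather than yielding a zero or null that downstream authorization code might misread as a legitimate value.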

13 minutes read

The Importance of Elevating Privilege

The biggest detractor to Single Sign On is the same thing that makes it so appealing – you only need to prove your identity once. This scares the hell out of some people because if you can compromise a user’s session in one application it’s possible to affect other applications. Congratulations: checking your Facebook profile just caused your online store to delete all its orders. Let’s break that attack down a little. You just signed into Facebook and checked your [insert something to check here] from some friend. That contained a link to something malicious. You click the link, and…

5 minutes read

Adjusting the Home Realm Discovery page in ADFS to support Email Addresses

Over on the Geneva forums a question was asked: Does anyone have an example of how to change the HomeRealmDiscovery Page in ADFSv2 to accept an e-mail address in a text field and, based upon that (actually the domain suffix), select the correct Claims/Identity Provider? It’s pretty easy to modify the HomeRealmDiscovery page, so I thought I’d give it a go. Based on the question, two things need to be known: the email address and the home realm URI. Then we need to translate the email address to a home realm URI and pass it on to ADFS. This could…
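The translation step from the question, written out as an added example that is not the post's code: take the domain suffix of the submitted address and look it up in an allow-list of the home realm URIs for the claims provider trusts you have configured. The realm table, domain names and URIs are made up for illustration; how the chosen realm is then handed to ADFS depends on the code-behind of the HomeRealmDiscovery page shipped with your ADFS version and is not shown here.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Mail;

// Added example (not the post's code). The domain-to-realm table below is
// hypothetical; in practice it would mirror the claims provider trusts in ADFS.
public static class HomeRealmResolver
{
    private static readonly IDictionary<string, string> RealmsByDomain =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "contoso.com",  "http://sts.contoso.com/adfs/services/trust" },
            { "fabrikam.com", "http://sts.fabrikam.com/adfs/services/trust" },
        };

    // Returns the home realm URI for the address's domain suffix, or null when the
    // address is malformed or the domain is not a known partner. The realm always
    // comes from the allow-list; nothing is built from the user-supplied string,
    // so the page cannot be turned into a redirect to an arbitrary issuer.
    public static string Resolve(string emailAddress)
    {
        if (string.IsNullOrWhiteSpace(emailAddress)) return null;

        MailAddress address;
        try
        {
            // MailAddress does the RFC-style parsing, including display-name forms
            // such as "Bob <bob@contoso.com>"; Host is the part after the last '@'.
            address = new MailAddress(emailAddress.Trim());
        }
        catch (FormatException)
        {
            return null;
        }

        string realm;
        return RealmsByDomain.TryGetValue(address.Host, out realm) ? realm : null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: a partner user, a display-name form, an unknown domain,
        // and a malformed address. The last two resolve to null and should fall back
        // to the normal provider list rather than guessing.
        foreach (var input in new[] { "alice@contoso.com", "Bob <bob@FABRIKAM.com>",
                                      "eve@attacker.example", "not-an-address" })
        {
            Console.WriteLine("{0} -> {1}", input, HomeRealmResolver.Resolve(input) ?? "(no match)");
        }
    }
}
```

The domain suffix only picks which identity provider the user is sent to; it is not evidence of anything. Authentication still happens at that provider, and ADFS will only issue a token for a realm it actually trusts, which is why the lookup should be a fixed table rather than anything derived from the input.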

7 minutes read

Creating a Claims Provider Trust in ADFS 2

One of the cornerstones of ADFS is the concept of federation (one would hope anyway, given the name), which is defined as a user’s authentication process across applications, organizations, or companies. Or simply put, my company Contoso is a partner with Fabrikam. Fabrikam employees need access to one of my applications, so we create a federated trust between my application and their user store, so they can log into my application using their internal Active Directory. In this case, via ADFS. So let’s break this down into manageable bits. First we have our application. This application is a relying party…

3 minutes read

Windows Azure ACS v2 Mix Announcement

Part of the Mix11 announcement was that ACS v2 was released to production. It was actually released last Thursday but we were told to keep as quiet as possible so they could announce it at Mix. Here is the marketing speak: The new ACS includes a plethora of new features that customers and partners have been asking for with enthusiasm: single sign on from business and web identity providers, easy integration with our development tools, support for both enterprise-grade and web friendly protocols, out of the box integration with Facebook, Windows Live ID, Google and Yahoo, and many others. Those features…

3 minutes read

GoodBye CardSpace; Hello U-Prove

Other possible titles: “So Long and Thanks for all the Identity”; “Goodbye awesome technology; Hello Awesomer Technology”; “CardSpace? What’s CardSpace?” Over on the Claims Based Identity Blog they made an announcement that they have stopped development of CardSpace v2. CardSpace was an excellent technology, but nobody used it. Some of us saw the writing on the wall when Microsoft paused development last year, and kept quiet about why. For better or for worse, Microsoft stopped development and moved on to a different technology affectionately called U-Prove. U-Prove is an advanced cryptographic technology that, combined with existing standards-based identity solutions, overcomes…

12 minutes read

The Problem with Claims-Based Authentication

Homer Simpson was once quoted as saying “To alcohol! The cause of, and solution to, all of life’s problems”. I can’t help but borrow from it and say that Claims-Based Authentication is the cause of, and solution to, most problems with identity consumption in applications. When people first come across Claims-Based Authentication there are two extremes of responses: (1) total amazement at the architectural simplicity and brilliance; (2) fear and hatred of the idea (don’t you dare take away my control of the passwords). Each has a valid truth to them, but over time you realize all the problems sit somewhere between…

8 minutes read

Claims, MEF, and Parallelization, Oh My

One of the projects I’ve been working on for the last couple of months has a requirement to aggregate a set of claims from multiple data sources for an identity and return the collection. It all seems pretty straightforward as long as you know what the data sources are at development time as well as how you want to transform the data to claims. In the real world though, chances are you will need to modify how that transformation happens or modify the data sources in some way. There are lots of ways this can be accomplished, and I’m going to…