InfoQ

News

A Guide to Claim-based Identity

Posted by Abel Avram on Oct 06, 2009

Community: .NET | Topics: Security | Tags: Microsoft

Microsoft patterns & practices has created a new CodePlex project, the Claims Based Identity & Access Control Guide, to introduce developers to claims-based identity and to present examples of how to write applications that use this model of authentication and authorization.

A trusted authority (the issuer, typically a security token service) issues a signed security token containing a set of claims: statements about the user such as name, e-mail address or role. The user presents that token to the application. The application accepts the user only if the token's signature verifies against the key of an issuer it trusts and the token is otherwise valid, that is, it was issued for this application (audience) and is within its validity period; the application never sees the user's original credentials.
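The exchange described above, written out as an added example that is not part of the InfoQ article, the patterns & practices guide or Windows Identity Foundation. Both sides are modelled: an issuer that signs a claim set for a named audience with a lifetime, and a relying party that validates the signature against its list of trusted issuers and checks audience and validity window before releasing the claims. The issuer names, audience URLs, key and claims are constructed for the demo, and an HMAC shared secret stands in for the X.509 key pair a real STS would use; the trust decision (which issuers' keys the application accepts) is the same either way.

```python
"""Minimal claims-based token issue/validate exchange (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenRejected(Exception):
    """Raised by the relying party when a token fails any validation check."""


class Issuer:
    """The trusted authority (STS). It alone holds the signing key; for the demo the
    same key is shared with the application (HMAC), a real STS signs with a private key."""

    def __init__(self, name: str, signing_key: bytes) -> None:
        self.name = name
        self._key = signing_key

    def issue(self, claims: dict, audience: str, lifetime: int = 300,
              now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        body = {"iss": self.name, "aud": audience, "iat": now,
                "exp": now + lifetime, "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
        sig = hmac.new(self._key, payload.encode("ascii"), hashlib.sha256).digest()
        return payload + "." + _b64(sig)


class RelyingParty:
    """The application. It trusts a fixed set of issuers and validates every token."""

    def __init__(self, audience: str, trusted_issuers: Dict[str, bytes]) -> None:
        self.audience = audience
        self._trusted = trusted_issuers  # issuer name -> verification key

    def validate(self, token: str, now: Optional[int] = None, skew: int = 30) -> dict:
        now = int(time.time()) if now is None else now
        try:
            payload, sig_text = token.split(".")
            body = json.loads(_unb64(payload))
            sig = _unb64(sig_text)
        except (ValueError, UnicodeDecodeError) as exc:
            raise TokenRejected("malformed token") from exc
        if not isinstance(body, dict):
            raise TokenRejected("malformed token")
        # Nothing in the body is trusted yet; the issuer name is read only to pick a key.
        iss = body.get("iss")
        key = self._trusted.get(iss) if isinstance(iss, str) else None
        if key is None:
            raise TokenRejected("issuer is not trusted")
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise TokenRejected("bad signature")
        # Signature holds: the body is now the issuer's statement, so check what it says.
        if body.get("aud") != self.audience:
            raise TokenRejected("token was issued for a different application")
        if not isinstance(body.get("exp"), int) or now > body["exp"] + skew:
            raise TokenRejected("token has expired")
        if not isinstance(body.get("iat"), int) or body["iat"] > now + skew:
            raise TokenRejected("token is not yet valid")
        claims = body.get("claims")
        if not isinstance(claims, dict):
            raise TokenRejected("no claim set")
        return claims


def demo() -> dict:
    """Run the exchange on constructed data; returns the outcome of each check."""
    now = 1_700_000_000                      # fixed clock so the run is reproducible
    key = b"shared-signing-key-for-the-demo"  # constructed demo key
    sts = Issuer("https://sts.example.test", key)
    app = RelyingParty("https://orders.example.test", {"https://sts.example.test": key})
    token = sts.issue({"name": "Alice", "role": "approver"}, app.audience, now=now)
    results = {"valid": app.validate(token, now=now)}

    def outcome(tok: str, at: int = now) -> str:
        try:
            app.validate(tok, now=at)
            return "accepted"
        except TokenRejected as exc:
            return "rejected: " + str(exc)

    # Tampered claims: rewrite role=admin in the payload but keep the original signature.
    payload, sig = token.split(".")
    forged = json.loads(_unb64(payload))
    forged["claims"]["role"] = "admin"
    results["tampered"] = outcome(
        _b64(json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()) + "." + sig)
    # Token from an issuer the application has not been configured to trust.
    rogue = Issuer("https://rogue.example.test", b"some-other-key")
    results["untrusted_issuer"] = outcome(rogue.issue({"name": "Mallory"}, app.audience, now=now))
    # Valid signature, but issued for another application (audience mismatch).
    results["wrong_audience"] = outcome(sts.issue({"name": "Alice"}, "https://hr.example.test", now=now))
    # Issued ten minutes ago with a five-minute lifetime.
    results["expired"] = outcome(sts.issue({"name": "Alice"}, app.audience, now=now - 600), at=now)
    return results


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

The order of checks matters: the relying party decides which key to use from the issuer name, verifies the signature, and only then acts on anything else in the token. Audience and expiry are checked even though the signature is good, because a token the issuer legitimately signed for a different application, or one captured and replayed later, carries a valid signature too.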

Claims-based identity simplifies application development because an application using this kind of authentication does not have to verify the credentials the user presents itself. Instead, as the guide puts it:

Someone who determines your company's security policy can make those rules and buy or build the issuer. Your application simply receives the equivalent of a boarding pass. No matter what authentication protocol was used, Kerberos, SSL, forms authentication, or something more exotic, the application gets a signed set of claims that has information it needs about the user. This information is in a simple format that the application can use right away.

Letting the issuer deal with authentication eases integration, migration, mergers, federation and the building of cloud applications. Single sign-on (SSO) is easier to implement for the same reason. The guide shows how a fictional company implements SSO with claims, giving its employees access to its applications from outside the corporate network without first creating a VPN connection.

While claims-based identity is a recommended approach, it is not necessarily appropriate for everybody. Plain Active Directory may be good enough, and the guide warns that claims do not remove the organizational cost of adding new user attributes:

When you decide what kinds of claims to issue, ask yourself how hard is it to convince the IT department to extend the Active Directory schema. They have good reasons for staying with what they already have. If they're reluctant now, claims aren’t going to change that. Keep this in mind when you choose which attributes to use as claims.

The guide also covers the protocols used in a claims-based architecture, such as WS-Federation and WS-Trust, and the SAML token format they carry. The guide is still a work in progress.

Microsoft has created a framework, code-named Geneva, providing “simplified user access and single sign-on, for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web”. The Geneva Framework has been renamed Windows Identity Foundation (WIF) and contains the logic for building claims-aware ASP.NET and WCF applications. Geneva Server is now called Active Directory Federation Services (AD FS) 2.0 and “is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access”. The Geneva project is currently in Beta 2.
