Identity prime time with Microsoft Identity Framework “Zermatt”
July 12th, 2008
Implementing authentication and authorization mechanisms for applications is something we do over and over. However, designing the identity architecture to be adopted across an enterprise is a more challenging task. Based on my experience, reusability ends up happening at the application level as opposed to the enterprise level. So, designing this architecture requires thinking about: different trust boundaries, complex access checks and centralized management.
The solution that I’ve been using lately with good results is a Security Token Service. Today, standards like WS-Trust and SAML among others are mature enough, and technology stacks like WCF or Sun Metro fully support them, making it easier to have an interoperable and strategic infrastructure in place. The Security Token Service provided me with a generic and customizable architecture component that became part of my architecture toolbox.
However, the concepts behind Security Token Services are not trivial to understand, and the value they provide is sometimes hidden under their complexity. The good news is that Microsoft has started to invest in a high-level identity framework that will work on top of CardSpace, WCF and ASP.NET. The new kid on the block is codenamed “Zermatt” and will help with the separation of concerns between authentication and authorization; the federated security scenario; tackling real claim-based authorization on both the presentation and service layers; and potentially integrating with “cloud” infrastructure like the Internet Service Bus.
Extrapolating the scenario I wrote about in March 2007 we might be able to create something like the following diagram with much less code:
Finally, I recommend adding Vittorio’s RSS to your feed reader because he will share, as usual, much more info (he has already started, actually).
SaaS Taxonomy Map
July 10th, 2008
Thinking about SaaS, for quite some time now, I wanted to share this animated GIF diagram with you (it took lots of cycles to get here:).
Make sure to open the post from the browser to see the animated gif.
I talked briefly about it in the last RAF (you can see the video in Spanish [minute 16:30]) and will write about each of these in future posts.
RAF 08 – Buenos Aires, Argentina
June 16th, 2008
Update: here is the video of the presentation (thanks to Martin Salias)
A couple of weeks ago the Regional Architect Forum took place at the Sheraton Pilar (Buenos Aires, Argentina). Ezequiel Glinsky and Juan Ladetto kindly invited us to talk about a recent case study we did with the insurance company Grupo Sancor Seguros, where we created the foundations for an S+S platform.
I had the opportunity to deliver a presentation together with Nicolas Sabena, who is part of the Grupo Sancor Seguros development team. During the presentation we talked about how we chose a couple of use cases related to policy issuance as an excuse to:
- Teach them the Agile methodology that we use at Southworks
- Start building the foundation of a corporate S+S platform.
The picture on the right shows how we approached the S+S platform requirements. I will extend on that in a future post.
I also had the chance to meet with many people and exchange experiences around S+S, day to day architecture and lots of juicy things.
Architect Forum - Agile
February 10th, 2008
This Friday (Feb 15th) Microsoft is holding an Architect Forum. Agile is the topic.
When: Feb 15th
Where: Buchard 710 4to
Lots of things will be covered by different experts that apply agile methodologies: Scrum and TFS, TDD, FDD, Crystal, the MoQ Framework, and Build Automation and Continuous Integration, among other things.
Together with Johnny we will present about our experiences automating builds and applying CI in many projects.
If you want to attend send an email to: v-sconde at microsoft dot com
Performance of ALTER TABLE
April 30th, 2007
Reading a post from Diego Dagum’s blog I remembered an interesting topic related to SaaS. In his article, Diego talks about an experience he had with a customer that developed an application for multiple customers (multi-tenant). They had a performance issue because they were using a shared schema (i.e. extended fields stored in a separate table as rows pointing to the shared data table).
Figure 1 - Shared schema approach (Multi Tenant Data Architecture paper)
Diego and his colleague tried to convince the customer to move to the separate-schema approach. In this approach each customer has its own table, and every time a customer wants to customize it an ALTER TABLE is used.
The customer immediately refused the ALTER TABLE because of the myth that altering the schema of a table is a *HEAVY* operation.
It seems the story ends with the customer afraid to go with that approach, but this is a very interesting issue for multi-tenant applications. Modern databases can execute ALTER TABLE very quickly, depending on the structure of the table and the change being made.
Let’s enumerate the common scenarios and how SQL Server manages them:
- Adding a column: when you add a *NULLable* column to a table only metadata changes (syscolumns).
- Dropping a column: the same applies when you drop a column
- Changing a data type: this is tricky. Changing the data type to something larger should only be a metadata change, and the physical change in the rows should not happen until the rows are updated. When changing the data type to something smaller, SQL Server will have to validate that the current data fits in the smaller type.
There is an interesting (paid) article that explores the internals of ALTER TABLE: http://www.sqlmag.com/Article/ArticleID/40538/sql_server_40538.html
PS: Talking about Diego, if you read Spanish make sure to read his architecture bulletins. There are already 3 of them:
Abril 19, Boletin Oficial de Arquitectura #3
Splitter workflow - Workflow Services aka "Silver" WF 3.5
April 27th, 2007
While reviewing DinnerNow.net I found an interesting workflow implementation.
Scenario:
A customer places an order for food from multiple restaurants. DinnerNow acts as a hub that will grab the order, check each item and group them by restaurant.
How is this implemented? They have two workflows:
- Sequential: this workflow receives a customer order, then splits and groups the order items into a set of restaurant orders. For each restaurant order a state machine workflow is started.
- State machine: this workflow represents a single order workflow (open, ready for pickup, delivered, paid, complete).
You can download DinnerNow today and see this working in .NET 3.0.
We’ve been working on some training material lately to show how to do this using .NET 3.5. There is a new feature code-named "Silver" (read more on Matt Winkler’s blog) that is basically a pair of activities to integrate Workflow Foundation with Windows Communication Foundation: the ReceiveActivity and the SendActivity.
The following illustration shows how to implement a splitter workflow exposed as a service with WCF:
This workflow is hosted using the new WorkflowServiceHost (that derives from the regular WCF ServiceHost). This new host will read the workflow and will associate the endpoints configured with specific contracts with the workflow implementation.
By analogy with WCF: in WCF you create a service interface and then the implementation in a regular C# class. With Workflow Services you create the interface, but the implementation is the workflow itself! Even easier, you can embed the contract metadata in the workflow and the host will read it and associate it with the endpoints.
When a client makes a call to the PlaceOrder operation of the IOrderWorkflowService, a new workflow will be started (there is a property in the ReceiveActivity called CanCreateInstance to tell the runtime to do so). This call will be synchronous, but the workflow will start running and will split the orders.
The replicator is similar to a "foreach" statement, but it can execute either sequentially or in parallel. The first activity that executes is a "SendActivity". This is the counterpart of the other activity and allows calling a service. We can either call a regular service or call another workflow that has a ReceiveActivity listening. And that is what we are doing here: a workflow conversation where the sequential workflow calls the state machine, and when the state machine finishes it calls the sequential workflow again.
Of course, you will need to somehow manage a context between calls. Otherwise, how does the workflow know whether you are referring to instance A or instance B?
We are provided with a new set of bindings that allow us to do that (netTcpContextBinding and wsHttpContextBinding). These bindings provide a property to access the context:
proxy.PlaceOrder(order);
// The context channel property is exposed through the generic GetProperty<T>
IContextManager cm = proxy.InnerChannel.GetProperty<IContextManager>();
IDictionary<XmlQualifiedName, string> context = cm.GetContext();
This context will have the workflow instance id of the recently created workflow. You can add things to the context and read them on the client and the workflow.
// On a later call, reattach the saved context so the message reaches the same instance
IContextManager cm = proxy.InnerChannel.GetProperty<IContextManager>();
cm.SetContext(context);
proxy.UpdateShipping();
In the case of the child state machine workflow, how do we know which sequential workflow to return to after we finish the order process? Simply, we bind the context on the ReceiveActivity of the initial state to a workflow dependency property. This context is the one sent by the SendActivity of the parent workflow. Then, when we get to the complete state, we bind the saved context to the SendActivity.
More info:
Ezequiel Morito posted on his blog a hello world tutorial in Spanish for the March CTP.
SaaS Workshop at Microsoft, Redmond
March 30th, 2007
We spent three days with a mix of theory and practice on Software as a Service.
The hosters: Fred Chong, Gianpaolo Carraro, Erik Weis and me.
The consumers: microsoft internal employees and ISVs.
Day 1
- SaaS Ecosystem: Gianpaolo presented the different players in SaaS.
- Multi tenant architecture principles: general architecture principles like data, workflow, security and provisioning.
- Multi tenant data architecture: Fred Chong talked about the famous paper about the different approaches.
- Hands on Labs: Data model extensions
Day 2
- Consuming SaaS in the Enterprise: where the enterprise fits as a consumer
- SaaS Hosting Platform: the idea of a multitenant platform where ISV can plug applications
- Monetizing SaaS: how you can protect and license your SaaS app. The guys from SecureLM (that was acquired by Microsoft) have a great product.
- Hands on Labs: customizing workflows using Workflow Foundation
Day 3
- Securing SaaS application: Fred, the "security guru", presented different approaches about identity and federation in the context of SaaS
- Hands on Labs: creating security token service to manage authentication and authorization
- Hands on Labs: provisioning a tenant on IIS, ADAM, SQL Server
People found the labs very in depth, showing the latest technology and how it applies to SaaS, especially the ones about workflow and security. That means that the team at Southworks did a great job!
Speaking about SaaS
March 15th, 2007
I’m presenting SaaS with Roberto Schatz, Ramiro Iturregui and Ariel Schapiro at Microsoft Argentina headquarters. The talk will be oriented to ISVs and architects who want to know about the business model and the architectural and technical challenges.
We will explore the LitwareHR application published in February.
The holy grail of Enterprise SOA security
March 11th, 2007
A couple of years ago, the platform was not rich enough to create complex, standards-based security solutions for service oriented applications. WSE was a halfway path. With the advent of WCF we finally have a foundation on which to build a flexible and robust security subsystem for the enterprise.
The following illustration shows the different components involved and how they interact between each other.
Most enterprise line-of-business apps have used a login to authenticate their users and roles to authorize them. Before web services, the business logic was hosted in the application itself, and more advanced shops hosted it in COM+. The authentication and access checks were mixed into the same code that performed the business logic. Some time later enterprises started to realize that integration between applications was getting harder: SOA implemented with web services came to the rescue.
Now the business logic lived in the application server and was accessed through web services. The problem became "how can I secure my services?". I’ve seen many different implementations: using Kerberos, using custom tickets, certificates, etc. However, they were coupled to the platform or they were custom solutions. Single sign-on and access checks across applications on different platforms are hard to accomplish: WS-Trust, STS and SAML come to the rescue.
Let’s describe the scenario:
1. A user browses to Login.aspx, enters his username and password and clicks "Login". As this is the only time when we have the username and password available from the user, we can fill the UserName token on the proxy. We call a Ping service, which is just a dummy service that we use to obtain a SamlToken.
using (SystemServiceChannel channel = new SystemServiceChannel())
{
    // The credentials are only available here, so they go on the proxy for this one call
    channel.ClientCredentials.UserName.UserName = LoginControl.UserName;
    channel.ClientCredentials.UserName.Password = LoginControl.Password;
    channel.Ping();
}
2. The client endpoint is configured to use wsFederationHttpBinding, and the issuer of the token is the Authorization STS. Since the client does not have a SamlToken yet, it will send the UserName token to the Authorization STS so it can issue one. Below is the binding.
<binding name="SecureConversationBinding">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey" issuedTokenType="http://….saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Authz/STS.svc" binding="wsFederationHttpBinding" bindingConfiguration="AuthorizationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>
</binding>
3. The Authorization STS trusts the Authentication STS and requests a SamlToken from it. The Authentication STS message security is configured to use wsHttpBinding with a UserName token.
<binding name="AuthorizationSTS">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey" issuedTokenType="http://…-saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Auth/Sts.svc" binding="wsHttpBinding" bindingConfiguration="AuthenticationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>
</binding>
<binding name="AuthenticationSTS">
  <security mode="Message">
    <message clientCredentialType="UserName" negotiateServiceCredential="true" establishSecurityContext="false" />
  </security>
</binding>
4. The Authentication STS service has a custom UserName/Password validator behavior configured. Before the request actually gets to the STS it will go through the username/password validation. The LitwareHR default implementation uses ADAM.
<serviceBehaviors>
  <behavior name="AuthenticationSTS">
    <serviceCredentials>
      <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="CustomValidator, Sts"/>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
5. If the authentication was successful, the Authentication STS will issue a basic SamlToken containing the identity name of the caller.
Collection<SamlAttribute> GetIssuedClaims(RequestSecurityToken rst)
{
    // The caller has already passed the custom UserName/password validator at this point
    string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
    Collection<SamlAttribute> samlAttributes = new Collection<SamlAttribute>();
    samlAttributes.Add(
        new SamlAttribute(
            new Claim(ClaimTypes.Authentication,
                      caller,
                      Rights.PossessProperty)));
    return samlAttributes;
}
6. Since the Authorization STS trusts the SamlTokens issued by the Authentication STS, it will grab the token, extract the username claim and retrieve the actions available for the user. This happens in the IAuthorizationPolicy configured on the STS.
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
    // Check whether this context was already updated for this user
    if (state == null)
    {
        // Create an empty list of Claims
        IList<Claim> claims = new List<Claim>();
        // Add the list of actions the user can perform
        string user = GetUserFromClaimSets(evaluationContext.ClaimSets);
        foreach (string action in GetActionsForUser(user))
        {
            claims.Add(new Claim(
                ClaimTypes.AuthorizationDecision,
                action,
                Rights.PossessProperty));
        }
        // …
    }
}
7. The enriched SamlToken is now ready to go through the service pipeline.
8. This is where the access check happens. The ServiceAuthorizationManager class has access to the AuthorizationContext, which exposes the SamlToken with the claims.
public override bool CheckAccess(OperationContext operationContext)
{
    // Extract the AuthorizationContext from the ServiceSecurityContext
    AuthorizationContext authContext =
        operationContext.ServiceSecurityContext.AuthorizationContext;
    // Guard: deny execution if the action is not in the token as a claim
    string action = operationContext.IncomingMessageHeaders.Action;
    foreach (ClaimSet claimSet in authContext.ClaimSets)
    {
        IEnumerable<Claim> authorizationDecisionClaims =
            claimSet.FindClaims(ClaimTypes.AuthorizationDecision, Rights.PossessProperty);
        foreach (Claim claim in authorizationDecisionClaims)
        {
            string authzAction = claim.Resource as string;
            if (!string.IsNullOrEmpty(authzAction) &&
                authzAction.Equals(action, StringComparison.InvariantCultureIgnoreCase))
            {
                return true;
            }
        }
    }
    // If no AuthorizationDecision claim had a resource value that matched the
    // current action name, return false (Access Denied)
    return false;
}
9. Finally, the SOAP message gets to the service implementation and the response is sent back to the client with the SamlToken attached.
10. The SamlToken is cached on the client using an HTTP cookie. This is achieved by using a custom IssuedSecurityTokenProvider.
Conclusion and a bit of SaaS
WCF provides an extensible foundation that allows taking service orientation in the enterprise to the next level using standards like WS-Trust and SAML.
Since SOA is part of the deal for Software as a Service apps, we implemented this architecture on LitwareHR to get ready for future scenarios like Federated Security. In this scenario the tenant wants to manage authentication and authorization using its own infrastructure. It owns an STS that issues SamlTokens for every app in the enterprise, and the IT guys don’t want to manage yet another user/password. The SaaS provider (LitwareHR) will allow the tenant to configure the claims mapping and the tenant STS to rely on. By doing this, the IT administrator for Contoso (the tenant) will manage a single authorization store and will configure the claim mappings on the "cloud" apps: the "Administrator" role in my enterprise is the "ConfigureAndCustomize" role in the SaaS application.
If you want to see a working implementation of the scenario described in the figure above, download the LitwareHR Software as a Service sample application and look for the Shp.Security.BrokeredReceiver and Shp.Security.BrokeredSender projects. If you are taking SOA seriously, then it might be worth looking at.
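To make steps 6 and 8 of the pipeline, and the claim mapping from the conclusion, concrete in one runnable piece, here is an added example. It is not LitwareHR code. It models the Authorization STS side (tenant role claims from a trusted issuer are mapped into AuthorizationDecision claims) and the service side (the incoming SOAP action is checked against those claims, ignoring any claim set not issued by the trusted STS). The role-to-action map, the action URIs, the tenant role claim type and the "AuthenticationSTS" Name claim standing in for the issuer are all constructed for the example; in a real pipeline the issuer of a SAML claim set is the X.509 claim set of the signing certificate, so the trust check would look at the thumbprint instead.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Added example, not LitwareHR code: maps tenant roles to SaaS actions and
// performs the per-operation access check against AuthorizationDecision claims.
public class ActionAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed claim type for the tenant's role claims (not a WCF constant).
    public const string TenantRoleClaimType = "urn:example:claims:role";

    // Constructed tenant role -> SaaS action mapping (the mapping the tenant
    // administrator configures in the federated scenario).
    private static readonly IDictionary<string, string[]> RoleToActions =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "Administrator", new[] { "urn:litwarehr:ConfigureAndCustomize", "urn:litwarehr:PlaceOrder" } },
            { "Employee",      new[] { "urn:litwarehr:PlaceOrder" } },
        };

    // Stand-in identity for the trusted STS. A Name claim is used only so the
    // example runs without certificates; real code would check the signing
    // certificate's thumbprint claim on the issuer claim set.
    public static readonly Claim TrustedStsClaim = new Claim(ClaimTypes.Name, "AuthenticationSTS", Rights.Identity);
    public static readonly ClaimSet TrustedSts = new DefaultClaimSet(ClaimSet.System, TrustedStsClaim);

    // Step 6: turn role claims into AuthorizationDecision claims. Roles asserted
    // by anyone other than the trusted STS are not mapped at all.
    public static ClaimSet MapRolesToActions(ClaimSet incoming)
    {
        List<Claim> decisions = new List<Claim>();
        if (incoming.Issuer.ContainsClaim(TrustedStsClaim))
        {
            foreach (Claim role in incoming.FindClaims(TenantRoleClaimType, Rights.PossessProperty))
            {
                string[] actions;
                string roleName = role.Resource as string;
                if (roleName != null && RoleToActions.TryGetValue(roleName, out actions))
                {
                    foreach (string action in actions)
                        decisions.Add(new Claim(ClaimTypes.AuthorizationDecision, action, Rights.PossessProperty));
                }
            }
        }
        return new DefaultClaimSet(TrustedSts, decisions);
    }

    // Step 8: only decisions issued by the trusted STS count, and the action must
    // match exactly, so a decision for one operation never unlocks another.
    public static bool IsActionAllowed(IEnumerable<ClaimSet> claimSets, string action)
    {
        foreach (ClaimSet claimSet in claimSets)
        {
            if (!claimSet.Issuer.ContainsClaim(TrustedStsClaim))
                continue;  // self-asserted or foreign decisions are ignored
            foreach (Claim decision in claimSet.FindClaims(ClaimTypes.AuthorizationDecision, Rights.PossessProperty))
            {
                if (string.Equals(decision.Resource as string, action, StringComparison.Ordinal))
                    return true;
            }
        }
        return false;  // deny by default
    }

    // The hook WCF calls for every incoming message.
    public override bool CheckAccess(OperationContext operationContext)
    {
        AuthorizationContext authContext = operationContext.ServiceSecurityContext.AuthorizationContext;
        return IsActionAllowed(authContext.ClaimSets, operationContext.IncomingMessageHeaders.Action);
    }

    // Offline demonstration with constructed tokens (no service host needed).
    public static void Main()
    {
        ClaimSet adminToken = new DefaultClaimSet(TrustedSts,
            new Claim(TenantRoleClaimType, "Administrator", Rights.PossessProperty));
        ClaimSet adminDecisions = MapRolesToActions(adminToken);
        Console.WriteLine("admin ConfigureAndCustomize: " +
            IsActionAllowed(new[] { adminDecisions }, "urn:litwarehr:ConfigureAndCustomize"));
        Console.WriteLine("admin DeleteTenant: " +
            IsActionAllowed(new[] { adminDecisions }, "urn:litwarehr:DeleteTenant"));

        // A decision claim carried in a claim set from an untrusted issuer is ignored.
        ClaimSet rogueIssuer = new DefaultClaimSet(ClaimSet.System, new Claim(ClaimTypes.Name, "RogueSTS", Rights.Identity));
        ClaimSet selfAsserted = new DefaultClaimSet(rogueIssuer,
            new Claim(ClaimTypes.AuthorizationDecision, "urn:litwarehr:ConfigureAndCustomize", Rights.PossessProperty));
        Console.WriteLine("self-asserted ConfigureAndCustomize: " +
            IsActionAllowed(new[] { selfAsserted }, "urn:litwarehr:ConfigureAndCustomize"));
    }
}
```

The two design choices worth noting against the post's own CheckAccess are the issuer filter (a token the Authorization STS did not sign contributes nothing, which is what makes the trust chain in steps 3 and 6 enforceable at the service) and the ordinal comparison of the action URI, which avoids a culture-dependent case-insensitive match on a value that is a URI.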
Web Client Software Factory is out!
January 13th, 2007
Go get it from http://msdn.microsoft.com/webclientfactory
Lots of stuff shipped:
- PageFlow Application Block: design the navigation process of a web application using a state machine from Windows Workflow Foundation.
- Composite Web Application Block: helps you build web clients composed of independent, yet cooperating, modules and increase productivity and reduce overall development time through consolidating architect and developer efforts. From the wiki:
- Decompose a complex Web site into independent visual and non-visual parts that can be built, assembled, and deployed by independent teams.
- Minimize cross-team dependencies, allowing team specialization for areas such as UI design, business logic implementation (business logic development may occur across multiple teams), and infrastructure code development.
- Utilize an architecture that promotes reusability across independent teams.
- Increase the quality of applications by abstracting common services that are available for the independent teams to use.
- Promote proven practices for security without requiring everyone to be a security expert.
- Incrementally deploy new capabilities while minimizing downtime.
- Maximize the coverage of automated tests in the code base.
- Object Container DataSource: this is a web control similar to the ASP.NET ObjectDataSource, but instead of relying on a class that provides you with data, it raises events when it needs the data or when the data it contains changes (insert/update/delete). This design allows the view (web page) to delegate the responsibility for performing select, update, delete and insert operations to the presenter.
- Web Client Development Automation: I posted about this already.
- QuickStarts: these are the quickstarts included: View-Presenter (with Application Controller), ObjectContainerDataSource, Modularity, Page Flow, Page Flow with Shopping Cart
- A Reference Implementation: this is a banking application inspired by a real-world example to demonstrate the guidance in action.
- Documentation, How-Tos, patterns, etc.: available when you install the factory and soon to be published in the codeplex community
It was 6 months of hard work and it was great working again with the patterns & practices team: Blaine (PM), Eugenio (PDM), Mike (Dev Lead), Ed (Architect), Johnny (Dev), Mariano (Dev), Alan (Dev), Bob(Dev), Dragos (Architect), Tim (Tech writer), Juan Carlos (Dev), Prasad (Test) and Terrence (Test).