Identity prime time with Microsoft Identity Framework “Zermatt”
July 12th, 2008
Implementing authentication and authorization mechanisms for applications is something we do over and over. However, designing the identity architecture to be adopted across an enterprise is a more challenging task. Based on my experience, reusability ends up happening at the application level as opposed to the enterprise level. So designing this architecture requires thinking about different trust boundaries, complex access checks and centralized management.
The solution I’ve been using lately with good results is the Security Token Service. Today, standards like WS-Trust and SAML, among others, are mature enough, and technology stacks like WCF or Sun Metro fully support them, making it easier to have an interoperable and strategic infrastructure in place. The Security Token Service provided me with a generic and customizable architecture component that became part of my architecture toolbox.
However, the concepts behind Security Token Services are not trivial to understand, and the value they provide is sometimes hidden under their complexity. The good news is that Microsoft has started to invest in a high-level identity framework that will work on top of CardSpace, WCF and ASP.NET. The new kid on the block is codenamed “Zermatt” and will help with the separation of concerns between authentication and authorization; the federated security scenario; real claim-based authorization on both the presentation and the service layer; and potentially integration with “cloud” infrastructure like the Internet Service Bus.
Extrapolating from the scenario I wrote about in March 2007, we might be able to create something like the following diagram with much less code:
Finally, I recommend adding Vittorio’s RSS feed to your feed reader, because he will share, as usual, much more info (he has already started, actually).
WCF 3.5 certification design session
May 19th, 2007
We’ve been working with the Microsoft Learning group at Redmond to define the upcoming TS (Technology Specialist) exam for WCF 3.5. Howard Dierking hosted the design session and it was a great experience.
He explained to us the refactoring of the exam stack. Now they have these new TS exams that are specific to a single technology, and other exams on top of TS, called PRO, that will be more scenario oriented. They are doing the right thing by bringing Subject Matter Experts to the design sessions. We brainstormed on the most important aspects of WCF that someone should be tested on.
I’ll be waiting for the beta exams to see how it finally shapes…
Splitter workflow - Workflow Services aka "Silver" WF 3.5
April 27th, 2007
While reviewing DinnerNow.net I found an interesting workflow implementation.
Scenario:
A customer places an order for food from multiple restaurants. DinnerNow acts as a hub that grabs the order, checks each item and groups the items by restaurant.
How is this implemented? They have two workflows:
- Sequential: this workflow receives a customer order, then splits and groups the order items into a set of restaurant orders. For each restaurant order a state machine workflow is started.
- State machine: this workflow represents a single restaurant order (open, ready for pickup, delivered, paid, complete).
You can download DinnerNow today and see this working in .NET 3.0.
We’ve been working on some training material lately to show how to do this using .NET 3.5. There is a new feature code-named "Silver" (read more on Matt Winkler’s blog) that is basically a couple of activities to integrate Workflow Foundation with Windows Communication Foundation: the ReceiveActivity and the SendActivity.
The following illustration shows how to implement a splitter workflow exposed as a service with WCF:
This workflow is hosted using the new WorkflowServiceHost (which derives from the regular WCF ServiceHost). This new host reads the workflow and associates the endpoints configured with specific contracts with the workflow implementation.
By analogy with WCF: in WCF you create a service interface and then the implementation as a regular C# class. With Workflow Services you create the interface, but the implementation is the workflow itself! Even easier, you can embed the contract metadata in the workflow and the host will read it and associate it with the endpoints.
When a client makes a call to the PlaceOrder operation of the IOrderWorkflowService, a new workflow is started (there is a property in the ReceiveActivity called CanCreateInstance that tells the runtime to do so). This call is synchronous, but the workflow will keep running and split the orders.
The replicator is similar to a "foreach" statement, but it can execute either sequentially or in parallel. The first activity that executes is a SendActivity. This is the counterpart of the ReceiveActivity and allows calling a service. We can either call a regular service or call another workflow that has a ReceiveActivity listening. That is what we are doing here: a workflow conversation where the sequential workflow calls the state machine and, when the state machine finishes, it calls the sequential workflow again.
Of course, you will need to somehow manage a context between calls. Otherwise, how does the workflow know whether you are referring to instance A or instance B?
We are provided with a new set of bindings that allow us to do that (netTcpContextBinding and wsHttpContextBinding). These bindings provide a property to access the context:
// IContextManager lives in System.ServiceModel.Channels (System.WorkflowServices.dll)
proxy.PlaceOrder(order);
IContextManager cm = proxy.InnerChannel.GetProperty<IContextManager>();
IDictionary<XmlQualifiedName, string> context = cm.GetContext();
This context will contain the workflow instance id of the recently created workflow. You can add things to the context and read them on both the client and the workflow.
// Re-attach the saved context so the call reaches the same workflow instance
IContextManager cm = proxy.InnerChannel.GetProperty<IContextManager>();
cm.SetContext(context);
proxy.UpdateShipping();
In the case of the child state machine workflow, how do we know which sequential workflow to return to after we finish the order process? Simply, we bind the context on the ReceiveActivity of the initial state to a workflow dependency property. This context is the one sent by the SendActivity of the parent workflow. Then, when we get to the complete state, we bind the saved context to the SendActivity.
More info:
Ezequiel Morito posted on his blog a hello world tutorial in Spanish for the March CTP.
The holy grail of Enterprise SOA security
March 11th, 2007
A couple of years ago, the platform was not rich enough to create complex security solutions for service oriented applications based on standards. WSE was a halfway path. With the advent of WCF we finally have a foundation on which to build a security subsystem that is flexible and robust enough for the enterprise.
The following illustration shows the different components involved and how they interact with each other.
Most enterprise line of business apps have used a login to authenticate their users and roles to authorize them. Before web services, the business logic was hosted in the application itself, and advanced users hosted it in COM+. The authentication and access checks were mixed in with the same code that performed the business logic. Some time later, enterprises started to realize that integration between applications was getting harder: SOA implemented with web services came to the rescue.
Now the business logic lived in the application server and was accessed through web services. The problem became "how can I secure my services?". I’ve seen many different implementations: using Kerberos, custom tickets, certificates, etc. However, they were coupled to the platform or they were custom solutions. Single sign-on and access checks across applications on different platforms are hard to accomplish: WS-Trust, STS and SAML come to the rescue.
Let’s describe the scenario:
1. A user browses to Login.aspx, enters his username and password and clicks "Login". As this is the only time when we have the username and password available from the user, we fill the UserName token on the proxy. We call a Ping service, which is just a dummy service that we use to obtain a SamlToken.
using (SystemServiceChannel channel = new SystemServiceChannel())
{
    channel.ClientCredentials.UserName.UserName = LoginControl.UserName;
    channel.ClientCredentials.UserName.Password = LoginControl.Password;
    channel.Ping();
}
2. The client endpoint is configured to use wsFederationHttpBinding, and the issuer of the token is the Authorization STS. Since the client does not have a SamlToken yet, it will send the UserName token to the Authorization STS so that it can issue one. Below is the binding.
<binding name="SecureConversationBinding">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey" issuedTokenType="http://….saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Authz/STS.svc" binding="wsFederationHttpBinding" bindingConfiguration="AuthorizationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>
</binding>
3. The Authorization STS trusts the Authentication STS and requests a SamlToken from it. The Authentication STS message security is configured to use wsHttpBinding with a UserName token.
<binding name="AuthorizationSTS">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey" issuedTokenType="http://…-saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Auth/Sts.svc" binding="wsHttpBinding" bindingConfiguration="AuthenticationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>
</binding>
<binding name="AuthenticationSTS">
  <security mode="Message">
    <message clientCredentialType="UserName" negotiateServiceCredential="true" establishSecurityContext="false" />
  </security>
</binding>
4. The Authentication STS service has a custom UserName/Password validator behavior configured. Before the request actually gets to the STS, it goes through the username/password validation. The LitwareHR default implementation uses ADAM.
<serviceBehaviors>
  <behavior name="AuthenticationSTS">
    <serviceCredentials>
      <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="CustomValidator, Sts"/>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
5. If the authentication was successful, the Authentication STS issues a basic SamlToken containing the identity name of the caller.
Collection<SamlAttribute> GetIssuedClaims(RequestSecurityToken rst)
{
    // The caller has already been authenticated by the UserName/Password validator
    string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
    Collection<SamlAttribute> samlAttributes = new Collection<SamlAttribute>();
    samlAttributes.Add(
        new SamlAttribute(
            new Claim(ClaimTypes.Authentication,
                      caller,
                      Rights.PossessProperty)));
    return samlAttributes;
}
6. Since the Authorization STS trusts the SamlTokens issued by the Authentication STS, it grabs the token, extracts the username claim and retrieves the actions available for the user. This happens in the IAuthorizationPolicy configured on the STS.
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
    // check if this context was already updated for this user
    if (state == null)
    {
        // Create an empty list of Claims
        IList<Claim> claims = new List<Claim>();
        // Add the list of actions the user can perform
        string user = GetUserFromClaimSets(evaluationContext.ClaimSets);
        foreach (string action in GetActionsForUser(user))
        {
            claims.Add(new Claim(
                ClaimTypes.AuthorizationDecision,
                action,
                Rights.PossessProperty));
        }
        …
    }
}
7. The enriched SamlToken is now ready to go through the service pipeline.
8. This is where the access check happens. The ServiceAuthorizationManager class has access to the AuthorizationContext, which exposes the SamlToken with its claims.
public override bool CheckAccess(OperationContext operationContext)
{
    // Extract the AuthorizationContext from the ServiceSecurityContext
    AuthorizationContext authContext =
        operationContext.ServiceSecurityContext.AuthorizationContext;
    // Guard denies execution if the action is not in the token as a claim
    string action = operationContext.IncomingMessageHeaders.Action;
    // Look through every claim set the token validation produced
    foreach (ClaimSet claimSet in authContext.ClaimSets)
    {
        IEnumerable<Claim> authorizationDecisionClaims =
            claimSet.FindClaims(ClaimTypes.AuthorizationDecision, Rights.PossessProperty);
        foreach (Claim claim in authorizationDecisionClaims)
        {
            string authzAction = claim.Resource as string;
            if (!string.IsNullOrEmpty(authzAction) &&
                authzAction.Equals(action, StringComparison.InvariantCultureIgnoreCase))
            {
                return true;
            }
        }
    }
    // If no AuthorizationDecision claim had a resource value that matched the
    // current action name, return false (Access Denied)
    return false;
}
9. Finally, the SOAP message reaches the service implementation, and the response is sent back to the client with the SamlToken attached.
10. The SamlToken is cached on the client using an HTTP cookie. This is achieved by using a custom IssuedSecurityTokenProvider.
Conclusion and a bit of SaaS
WCF provides an extensible foundation that allows taking service orientation in the enterprise to the next level using standards like WS-Trust and SAML.
Since SOA is part of the deal for Software as a Service apps, we implemented this architecture on LitwareHR to get ready for future scenarios like Federated Security. In this scenario the tenant wants to manage authentication and authorization using its own infrastructure. It owns an STS that issues SamlTokens for every app in the enterprise, and the IT guys don’t want to manage yet another user/password. The SaaS provider (LitwareHR) will allow the tenant to configure the claims mapping and the tenant STS to rely on. By doing this, the IT administrator for Contoso (the tenant) will manage a single authorization store and will configure the claim mappings on the "cloud" apps: the "Administrator" role in my enterprise is the "ConfigureAndCustomize" role in the SaaS application.
If you want to see a working implementation of the scenario described in the figure above, download the LitwareHR Software as a Service sample application and look for the Shp.Security.BrokeredReceiver and Shp.Security.BrokeredSender projects. If you are taking SOA seriously, it might be worth looking at.
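The tenant claim mapping just described, as an added example (not LitwareHR or Microsoft code): it registers each tenant STS by its certificate thumbprint, maps the tenant’s role claims to the AuthorizationDecision claims that CheckAccess in step 8 evaluates, and issues nothing for tokens whose issuer is not a registered tenant. The role claim type, the thumbprint value and the claim sets built in Main are assumptions constructed for the example; in a real STS the claim set comes from WCF after it has validated the token signature.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

// Added example, not LitwareHR code: per-tenant claim mapping for the federated
// scenario. Role claims from the tenant STS ("Administrator") become the
// AuthorizationDecision claims that CheckAccess reads; tokens from an issuer
// that is not a registered tenant STS get no decisions at all.
public sealed class TenantClaimMapper
{
    // Assumed claim type for the tenant's role claims (agreed with the tenant).
    public const string TenantRoleClaimType = "http://schemas.contoso.example/claims/role";
    // Tenant STS certificate thumbprint (hex) -> (tenant role -> SaaS actions).
    private readonly Dictionary<string, Dictionary<string, string[]>> tenants =
        new Dictionary<string, Dictionary<string, string[]>>(StringComparer.OrdinalIgnoreCase);

    public void RegisterTenant(string stsThumbprintHex, Dictionary<string, string[]> roleToActions)
    {
        tenants[stsThumbprintHex] = roleToActions;
    }

    // Returns the AuthorizationDecision claims to place in the issued SamlToken.
    public IList<Claim> Map(ClaimSet tenantToken)
    {
        List<Claim> decisions = new List<Claim>();
        Dictionary<string, string[]> roleMap;
        string issuer = IssuerThumbprint(tenantToken);
        if (issuer == null || !tenants.TryGetValue(issuer, out roleMap))
            return decisions; // unknown issuer: deny everything rather than guess
        foreach (Claim roleClaim in tenantToken.FindClaims(TenantRoleClaimType, Rights.PossessProperty))
        {
            string[] actions;
            string role = roleClaim.Resource as string;
            if (role == null || !roleMap.TryGetValue(role, out actions))
                continue; // roles the tenant has not mapped grant nothing
            foreach (string action in actions)
                decisions.Add(new Claim(ClaimTypes.AuthorizationDecision, action, Rights.PossessProperty));
        }
        return decisions;
    }

    // WCF exposes the signing certificate as the token's issuer claim set; its
    // thumbprint identifies the tenant STS more reliably than a DNS name would.
    private static string IssuerThumbprint(ClaimSet token)
    {
        if (token.Issuer == null) return null;
        foreach (Claim c in token.Issuer.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
        {
            byte[] thumb = c.Resource as byte[];
            if (thumb != null) return BitConverter.ToString(thumb).Replace("-", "");
        }
        return null;
    }

    public static void Main()
    {
        TenantClaimMapper mapper = new TenantClaimMapper();
        Dictionary<string, string[]> contosoRoles = new Dictionary<string, string[]>();
        contosoRoles["Administrator"] = new string[] { "ConfigureAndCustomize", "ViewReports" };
        mapper.RegisterTenant("01020304", contosoRoles); // constructed thumbprint, not a real one
        // Constructed claim sets, shaped like what WCF yields after validating the token.
        ClaimSet contosoSts = new DefaultClaimSet(ClaimSet.System,
            new Claim[] { Claim.CreateThumbprintClaim(new byte[] { 0x01, 0x02, 0x03, 0x04 }) });
        ClaimSet token = new DefaultClaimSet(contosoSts, new Claim[] { Claim.CreateNameClaim("alice@contoso.com"),
            new Claim(TenantRoleClaimType, "Administrator", Rights.PossessProperty) });
        foreach (Claim d in mapper.Map(token))
            Console.WriteLine("Granted action: " + d.Resource);
    }
}
```

The decisions returned by Map are what the Authorization STS would put into the SamlToken in step 6, so the service’s CheckAccess needs no knowledge of tenant roles at all.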
A picture with Bill Gates
December 4th, 2006
It was last week, during the Strategic Architecture Forum (SAF) here at Redmond.
More than 250 architects from all over the world attended this event, where Billg gave a 90 minute Q&A session, among other great presentations by the Architecture Strategy Team. Wojtek from patterns & practices presented CAB and the Smart Client Software Factory. There was also lots of Software as a Service content.
From left to right: Matias Woloski, Bill Gates, Eric Rudder (behind) and Mariano Szklanny
SaaS: Realization of Metadata Services
May 7th, 2006
I’m in the early stages of writing my thesis about SaaS. As part of this process I’m reading loads of SaaS content. Mainly, I’m monitoring Gianpaolo Carraro’s and Fred Chong’s blogs (from the Microsoft Architect Strategy group) and a weekly SaaS newsletter.
SaaS is in its infancy in terms of guidance and realization and, as a result, my thesis outline consists of analyzing the state of the art and fleshing out the architectural concepts by writing a reference implementation of Software as a Service using Microsoft technologies (WinFx, ASP.Net 2, etc.).
Fred and Gianpaolo wrote a great paper, published on MSDN, about architectural strategies for SaaS.
The paper starts by talking about the business value proposition of SaaS. Leveraging economy of scale and selling to the long tail are really attractive concepts. The other half of the paper examines the architectural implications of adopting this model: the SaaS maturity level, metadata services, multi-tenancy and scale out, among other things.
This paper is a first approach to the subject and it introduces concepts like Metadata Services, which I found to be one of the key challenges to fulfill in terms of guidance because it is a cross-cutting concern in SaaS architectures.
The following is my first approach on how I would like to achieve Metadata Services using the Microsoft stack.
I would like to make a special comment on “Extensions to the data model”. In the previous months we, at Southworks, customized extensively the process template of VSTS to fit our needs. This customization has been really straightforward and it allowed tailoring our specific requirements not only for our SDLC but also for other business processes. That proved to us that XML succeeded as a metadata language. The guys from VSTS did a great job by providing these metadata services and I would like to explore the intrinsics of it further.
Service Factory blogcasts
April 20th, 2006
Don Smith started a series of blogcasts where he is showing some of the Service Factory functionality. As usual this is very good stuff and very developer-friendly.
Channels in WCF
April 14th, 2006
On August 22nd, 2005 I left a comment on Kenny Wolf’s blog:
[on writing custom channels]
“…I think there should be more documentation and examples regarding the different interfaces provided (IOutputChannel, IRequestChannel, IReplyChannel, etc). I didn’t know which one I would need in my bindingelement.”
9 months later…
Resources for Custom Channel Authors:
http://windowscommunication.net/customchannels/customchannels.htm
This is the place to go if you ever want to take WCF to the limit by writing a custom channel.
On a side note, I must admit these guys created a masterpiece of software. WCF is the most extensible thing I have ever seen in my life.
Service Factory (was Service BAT) first public drop
April 13th, 2006
The first public drop of Service Factory is available on the workspace. Download it and give feedback on the message boards! If you want to keep updated with this project, here you have a list of Service Factory bloggers:
- Don Smith
- Jason Hogg
- Tom Hollander
- Pablo Galiano
- Pablo Cibraro
- Christian Weyer
- Edward Bakker
- Beat Schwegler
- Matias Woloski
I will post more about this exciting project in the next weeks.
ClickOnce and WCF
April 6th, 2006
I’ve been concerned about the relationship between ClickOnce and WCF. A lot of buzz has been generated regarding the partial-trust scenario not being supported for WCF v1. I see this as something desirable, but it is not the end of the world.
I’ve written a Smart Client application that leverages WCF. I wanted to deploy it, so I chose ClickOnce. ClickOnce supports installing prerequisites as part of the whole process, so I downloaded WinFx and included it as part of the installation. If you are interested in how to do this, keep reading.
WCF is part of the WinFX Runtime Components, which is currently in Beta 2 (Feb CTP). The installation of this runtime requires Admin privileges and the size of the Redistributable package is 45.3 MB.
These are the alternatives to distribute it on client desktops:
- Install WinFx manually on each desktop
- Use SMS to distribute WinFx
- Include WinFx as part of the prerequisites of the ClickOnce application
- Distribute an MSI which includes WinFx
I was interested in the 3rd option, so let’s analyze it further.
Include WinFx as part of the prerequisites of the ClickOnce application
ClickOnce has a feature that allows including the prerequisites of the application to be deployed. When the application is published, it creates a setup bootstrapper that will download and install all the prerequisites (if they were not installed yet) before the ClickOnce application is executed. This way the deployment will be more controlled, as it will be a single package.
The user executing the setup bootstrapper must have Admin privileges. If the logged-in user does not have Admin privileges, an option would be to execute Internet Explorer with “Run As…” and log in with a local administrator account. This will at least install the prerequisites and also the application in the Administrator profile. Later you would need to open a new IE instance and launch the app again from the currently logged-in user.
The following sequence illustrates the install of prerequisites (.Net Framework 2.0 and WinFx Beta 2):
Figure 1. Prerequisites of the application listed in the Publish ClickOnce html file
Figure 2. Pressing Install will launch the bootstrapper that detects the uninstalled prerequisites: .Net Framework 2.0 and WinFx Runtime Components Beta 2
Figure 3. The setup downloads the prerequisites from a specific location
Figure 4. After downloading, the setup will install the WinFx Runtime Components
Using WCF on your application requires more CAS permissions (FullTrust)
In many real scenarios, developers need their applications to run as a Partial Trust Application, but need more permissions. For example, you may need to use a SQL Client. To solve this kind of problem, ClickOnce introduces a feature called Permission Elevation, which allows an application without enough permissions to request them from the user. If the user accepts, then the needed permissions are granted and the application can run normally. This can go all the way up to FullTrust, which is the requirement for WCF. Besides, in scenarios in which users should not make these kinds of decisions, a practical solution is offered: system administrators can sign the application manifests or set a deployment policy that specifies that a publisher is a trusted source. This way, permissions will automatically be granted before the application loads.
Figure 5. Installing the application and permission elevation
Creating the prerequisites
WinFx does not come as a prerequisite in the Visual Studio 2005 Publish tab. However, we can create our own prerequisite with any MSI or EXE installation.
The process to do this is:
- Create a new folder called "WinFx" here %Program Files%\Microsoft Visual Studio 8\SDK\v2.0\BootStrapper\Packages
- Use the Bootstrapper Manifest Generator to create the manifest for WinFx. I’ve created it already for WinFx.
- Copy the manifest to %Program Files%\Microsoft Visual Studio 8\SDK\v2.0\BootStrapper\Packages\WinFx
- Copy the WinFx Runtime Components redistributable to the same folder
- Restart Visual Studio 2005
More resources
- Adding Custom Prerequisites: http://msdn2.microsoft.com/en-us/library/ms165429.aspx
- How to: Install Prerequisites with a ClickOnce Application: http://msdn2.microsoft.com/en-us/library/8st7th1x.aspx
- Brian Noyes’ ClickOnce article: http://msdn.microsoft.com/msdnmag/issues/04/05/clickonce/default.aspx
- Security Considerations for ClickOnce Deployments: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/ClickOnceSec.asp
- ClickOnce Deployment and Security: http://msdn2.microsoft.com/en-us/library/76e4d2xw.aspx