Windows Identity Foundation Simplifies User Access

Microsoft Windows Identity Foundation has been released to the Web (RTW).

It helps simplify user access for developers by externalizing user access from applications via claims and reducing development effort with pre-built security logic and integrated .NET tools. Users can benefit through single sign-on and seamless collaboration across organizational boundaries.

At PDC, Microsoft announced that Windows Identity Foundation will be available in Windows Azure. This means that a federated identity can be used to provide a single sign on to multiple applications, both in the enterprise and in the cloud.

This claims-based architecture is more flexible approach to establishing a users' identity, than a straight forward, on-premises Active Directory system. The claims-based architecture can accept digital identifiers from multiple sources, such as LDAP directories, Active Directory, Outlook or Lotus Notes directories, certificates from security services, or a Windows token.

Once a user's identity verifier is supplied, a central brokering authority compares the "claim" to that required by a particular application. If there's a match, use of the application can proceed.

Any company that has, or plans to have, more than one Web application or Web service, can benefit by starting with a claims-based model for identity. One of the major benefits is to have application developers focus only on application business logic while the identity related requirements can be handled by external issuing authorities like Active Directory Federation Services ADFS 2.0 (previously known as “Geneva” Server). Or if you have in-house identity
expertise, you can build a custom provider using WIF.

To get started, see Microsoft Windows Identity Foundation (WIF) Whitepaper for Developers.

Code Sample

The WIF object model for claims may seem a bit complicated at first glance, with subjects, issuers, claim types and values, but in practice it’s easy to use.The following code sample shows a typical example from a claims-aware ASP.NET Web application. This example sends a personalized email to the user when she clicks a button.

protected void SendLetter_Click(object sender, EventArgs e)
{
IClaimsIdentity id =
((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

// you can use a simple foreach loop to find a claim...
string usersEmail = null;
foreach (Claim c in id.Claims) {
if (c.ClaimType == ClaimTypes.Email) {
usersEmail = c.Value;
break;
}
}

// you can also use LINQ to find a claim
string usersFirstName = (from c in id.Claims
where c.ClaimType == ClaimTypes.GivenName
select c).First().Value;

StringBuilder body = new StringBuilder();
body.AppendFormat("Dear {0},", usersFirstName);
body.AppendLine();
body.AppendLine("Thank you for shopping with us!");
new SmtpClient().Send(new MailMessage(
"admin@fabrikam.com",
usersEmail,
"Message from Fabrikam",
body.ToString()));
}

In this example, the code uses Thread.CurrentPrincipal to access the user’s identity. Then it loops through all of the claims for the user, using IClaimsIdentity.Claims, looking for the ones it needs right now: first name and email address. It then uses those claims to send a personalized email message to the user. The example also shows two ways of finding claims. The code finds the email claim with a foreach loop, and uses a LINQ expression to find the first name claim.

Claims Aware Web Site, Web Service

WIF offers built-in Visual Studio project template for creating a claims-aware ASP.NET application or WCF Web Service. Each template is available within the Visual Studio development environment when you navigate to File –> New –> Web Site… and select Claims-aware ASP.NET Web Site or Claims-aware WCF Service.

For more details, see Microsoft Windows Identity Foundation (WIF) Whitepaper for Developers.

Developer Resources

• Windows Identity Foundation Download
• Developer Training Kit
• Step by Step Guides and Virtual Machines
• Microsoft Windows Identity Foundation (WIF) Whitepaper for Developers

See the following PDC Videos:

• Windows Identity Foundation Overview. Hear how Windows Identity Foundation makes advanced identity capabilities and open standards first class citizens in the Microsoft .NET Framework. Learn how the Claims Based access model integrates seamlessly with the traditional .NET identity object model while also giving developers complete control over every aspect of authentication, authorization, and identity-driven application behavior. See examples of the point and click tooling with tight Microsoft Visual Studio integration, advanced STS capabilities, and much more that Windows Identity Foundation consistently provides across on-premise, service-based, ASP.NET and Windows Communication Foundation (WCF) applications.
• Software + Services Identity Roadmap Update. At PDC 2008, Microsoft unveiled a comprehensive offering of identity software and services, based on the industry standard claims-based architecture, and designed to address the rapidly growing requirements of modern applications both on-premises and cloud. In this session, we demonstrate the progress we’ve made using real-life use cases, discuss lessons learned in adoption of claims based identity, and preview new scenarios and capabilities of the evolving identity software + services portfolio.
• How Microsoft SharePoint 2010 was Built with the Windows Identity Foundation
• Leveraging and Extending Microsoft SharePoint Server 2010 Identity Features
• The ‘M’-Based System.Identity Model for Accessing Directory Services

Comprehensive Identity, Access Management

Windows Identity Foundation is part of Microsoft's identity and access management solution built on Active Directory that also includes:

• Active Directory Federation Services 2.0 (formerly known as "Geneva" Server): a security token service for IT that issues and transforms claims and other tokens, manages user access and enables federation and access management for simplified single sign-on
• Windows CardSpace 2.0 (formerly known as Windows CardSpace "Geneva"): for helping users navigate access decisions and developers to build customer authentication experiences for users.

 

Bruce D. KyleISV Architect Evangelist | Microsoft Corporation

 

Special thanks to Information Week: Microsoft Azure Supports Federated ID