Most developers are not security experts and many feel uncomfortable being given the job of authenticating, authorizing, and personalizing experiences for users. It’s not a subject that has been traditionally taught in computer science curriculum, and these features tend to be ignored until late in the software development lifecycle.
It’s not surprising nowadays to see a single company with tens or hundreds of Web applications and services, many of which have their own private silo for user identities, and most of which are hardwired to use one particular means of authentication. Developers know how tedious it is to build identity support into each application, and IT professionals know how expensive it is to manage the resulting set of applications.
One very useful step toward solving the problem has been to centralize user accounts into an enterprise directory. Commonly it’s the IT professional that knows the most effective and efficient way to query the directory, but today the task is typically left up to the developer. And in the face of mergers, acquisitions, and partnerships, the developer might be faced with accessing more than one directory, using more than one API.
In the Microsoft .NET Framework, there are lots of different ways of building identity support into an application, and each communication framework treats identity differently, with different object models, different storage models, and so on. Even in ASP.NET, developers can get confused about where they should look for identity: should they look at the HttpContext.User property? What about Thread.CurrentPrincipal?
The rampant use of passwords has lead to a cottage industry for phishers1. And with so many applications doing their own thing, it’s difficult for a company to upgrade to stronger authentication techniques.
A Better Solution
One step toward solving these problems is to stop building custom identity plumbing and user account databases into every new application that comes along. But even developers who rely on a central enterprise directory still feel the pain of mergers, acquisitions, and external partnerships, and may even be blamed for poor performance that is actually due to another application bogging down the directory with inefficient queries. The claims-based solution described in this paper does not require developers to connect to any particular enterprise directory in order to look up identity details for users. Instead, the user’s request arrives with all of the identity details the application needs to do its job. By the time the user arrives with these claims, the user has already been authenticated, and the application can go about its business without worrying about managing or finding user accounts.
Factoring authentication out of applications leads to many benefits for developers, IT professionals, and users. Simply put, there are less user accounts for everyone to manage, and the resulting centralization of authentication makes it easier to upgrade to stronger authentication methods as they evolve, and even federate identity with other platforms and organizations.
This paper will help you, as a developer, to understand the claims-based identity model and take advantage of it using Windows Identity Foundation (WIF), the new framework from Microsoft that is focused on identity.
What is Windows Identity Foundation?
Windows Identity Foundation (WIF) is a set of .NET Framework classes. It is a framework for implementing claims-based identity in your applications. By using it, you’ll more easily reap the benefits of the claims-based identity model described in this paper. Windows Identity Foundation can be used in any Web application or Web service that uses the .NET Framework version 3.5 SP1.
WIF is just one part of Microsoft’s Identity and Access Platform software family that implements the shared industry vision for an interoperable Identity Metasystem. Active Directory Federation Services (ADFS) 2.0 (previously known as “Geneva” Server), Windows CardSpace 2.0, and Windows Identity Foundation (previously known as “Geneva” Framework) form the core of Microsoft’s new claims based access strategy. You can refer to the Identity and Access Management web site for more information about AD FS and CardSpace components. Also, the white paper “Claims-based Identity for Windows“ provides an overview of these three components. As of this writing, the RTW of Windows Identity Foundation and Beta 2 releases of the other two products are available for download.