Identity and Access Control in WCF 4.5

Implementing claims-based identity, federation, authentication and authorization in WCF 4.5.
Course info
Rating: (231)
Level: Intermediate
Updated: Dec 14, 2012
Duration: 3h 12m
Table of contents
Overview
Security Best Practices
Windows Authentication
UserName Authentication
X.509 Certificate Authentication
External Authentication with WS-Trust
Claims Transformation
Authorization
Federation and Identity Delegation
Description

If you need to implement authentication and authorization in a WCF service, this course is for you. Topics covered include how to use Windows, UserName, X.509 certificate and WS-Trust authentication, as well as how to work with claims-based identity and authorization. The course also presents patterns such as federation and identity delegation.

About the author

Dominick works as an associate consultant for the Germany-based company thinktecture. His main area of focus is security in general and identity & access control in particular.

More from the author
Web API v2 Security (Intermediate, 6h 12m, Apr 12, 2014)
Section Introduction Transcripts

Security Best Practices
Dominick Baier: Many people complain that WCF is very, very complex, and it's true that WCF is very, very powerful, and with that comes a certain complexity. But I think, knowing some of the things, how they work under the covers, and having some best practices in mind, I think you can trim down WCF to a reasonable complexity. And that's the idea of this course: I will apply some constraints to what WCF can do to my services, and thus make WCF a little bit easier to use. And these constraints, and these things going on under the covers, I want to show you in this module. So we're going to first look at the bindings, that is, what's the role of a binding in WCF and the security modes they implement. We have a look, or a brief look, at state management. I want to briefly show you this new identity pipeline that got introduced in WCF 4.5, and also the recommended way how you access the client's identity from within your service code.

Windows Authentication
So now that we know some of the basics and the constraints we're going to operate in, let's have a look at the first authentication method, which is Windows Authentication. We'll first have a look at why you would want to use Windows Authentication, we look at the configuration. We look at how to call a service that uses Windows Authentication. We look at the claims that you will gather from a Windows Authentication process, and I want to show you some new features when it comes to Windows Authentication and Windows Server 2012.

UserName Authentication
The next authentication method we want to look at is UserName/password-based authentication. So we first have a look at why and when you would do that. We look at the configuration. We look at how you validate those incoming credentials in that scenario, which is a little bit different than in previous versions. And we look at which claims you get when you use the UserName/password-based authentication approach.
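As an added illustration (this is not code from the course or from the author): in WCF 4.5, once a service runs on the new identity pipeline, an incoming UserName token is validated by a SecurityTokenHandler instead of the older UserNamePasswordValidator. The block below replaces the default WindowsUserNameSecurityTokenHandler with a handler that checks the password against a salted PBKDF2 hash and issues the claims the rest of the pipeline will see. The namespace and assembly name "Demo", the in-memory CredentialStore and its sample user are assumptions made for this example.

```csharp
// Added example, not from the course: a WCF 4.5 username/password token handler.
// Assumptions: namespace/assembly "Demo"; CredentialStore is a constructed in-memory stand-in
// for a real user database (the sample user "alice" is made up for this illustration).
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;

namespace Demo
{
    // Stores salted PBKDF2 hashes, so a leaked store does not leak passwords.
    public static class CredentialStore
    {
        private const int Iterations = 100000;
        private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
            new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice", Hash("correct horse battery staple") }   // constructed sample entry
            };

        private static Tuple<byte[], byte[]> Hash(string password)
        {
            var salt = new byte[16];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                return Tuple.Create(salt, kdf.GetBytes(32));   // (salt, hash)
        }

        public static bool IsValid(string userName, string password)
        {
            Tuple<byte[], byte[]> entry;
            if (userName == null || password == null || !Users.TryGetValue(userName, out entry))
                return false;
            byte[] candidate;
            using (var kdf = new Rfc2898DeriveBytes(password, entry.Item1, Iterations))
                candidate = kdf.GetBytes(32);
            // Constant-time comparison: do not leak how many bytes matched.
            int diff = 0;
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ entry.Item2[i];
            return diff == 0;
        }
    }

    public class StoreUserNameTokenHandler : UserNameSecurityTokenHandler
    {
        public override bool CanValidateToken { get { return true; } }

        public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
        {
            var userNameToken = token as UserNameSecurityToken;
            if (userNameToken == null)
                throw new SecurityTokenException("Expected a UserNameSecurityToken.");

            if (!CredentialStore.IsValid(userNameToken.UserName, userNameToken.Password))
                throw new SecurityTokenValidationException("Invalid user name or password.");

            // Claims that claims transformation and authorization will see later in the pipeline.
            var identity = new ClaimsIdentity(AuthenticationTypes.Password);
            identity.AddClaim(new Claim(ClaimTypes.Name, userNameToken.UserName));
            identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password));
            identity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant,
                DateTime.UtcNow.ToString("o"), ClaimValueTypes.DateTime));

            return new List<ClaimsIdentity> { identity }.AsReadOnly();
        }
    }
}

/* web.config fragment wiring the handler in (type and assembly names are the assumed ones above):

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="Demo.StoreUserNameTokenHandler, Demo" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="userNameOverTls">
        <!-- The password travels in the SOAP header, so TLS must protect the message. -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceCredentials useIdentityConfiguration="true" />  <!-- enables the 4.5 pipeline -->
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
*/
```

Two points to check when adopting this: the `useIdentityConfiguration="true"` switch is what makes WCF consult the `<identityConfiguration>` handler collection at all, and a UserName credential should never be accepted over a binding whose security mode does not encrypt the message, since the password is sent in clear text inside the SOAP envelope.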

X.509 Certificate Authentication
The next authentication method we're going to look at is based on X.509 certificates. So we'll first have a look at the scenarios, why you want to use that and where it's useful. We have a look at how to configure the service. We have a look at certificate validation and the various options you have there. We have a look at how you actually call the service using a client certificate, and we have a look at which claims you will get out of certificate-based authentication.

External Authentication with WS-Trust
The last authentication scenario we're going to look at is External Authentication with WS-Trust. Now, as always, we're going to look at scenarios: why would you want to use WS-Trust? We'll look at WS-Trust itself and the SAML token that is typically used with WS-Trust. We'll look at the configuration of the service. We'll look at the token validation and how to establish trust with an external authentication provider. We'll look at how to call the service, and we'll look at claims.

Claims Transformation
Dominick Baier: In this module, we'll have a look at how claims transformation fits into the WCF pipeline. So we have a brief look at how claims transformation works, then we'll look at how you configure that, and then we'll look at state management issues you have to deal with in WCF. I can totally recommend going back to the introduction course, where I give you the full background on claims transformation and general approaches and so on and so forth; this here basically covers how this all fits into WCF.
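As an added illustration (not code from the course or the author): in the WCF 4.5 pipeline, claims transformation is a ClaimsAuthenticationManager that runs after token validation and replaces the raw authentication result with the principal the service code should actually work with. The block below keeps only the claims the application needs, adds role claims from a lookup, and shows the service reading the transformed principal through OperationContext.Current.ClaimsPrincipal. The "Demo" namespace and assembly, the RoleDirectory lookup and its sample user are assumptions for this example.

```csharp
// Added example, not from the course: claims transformation in the WCF 4.5 pipeline.
// Assumptions: namespace/assembly "Demo"; RoleDirectory is a constructed stand-in for a real
// role store (the user "alice" and her roles are made up for this illustration).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.ServiceModel;

namespace Demo
{
    public static class RoleDirectory
    {
        private static readonly Dictionary<string, string[]> Roles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice", new[] { "Sales", "Admin" } }   // constructed sample entry
            };

        public static IEnumerable<string> RolesFor(string userName)
        {
            string[] roles;
            return Roles.TryGetValue(userName, out roles) ? roles : Enumerable.Empty<string>();
        }
    }

    public class ApplicationClaimsTransformer : ClaimsAuthenticationManager
    {
        // incomingPrincipal carries whatever the token handler produced (Windows groups,
        // a certificate subject, SAML attributes, ...); resourceName identifies the service called.
        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;   // anonymous caller: nothing to transform

            var name = incomingPrincipal.FindFirst(ClaimTypes.Name);
            if (name == null)
                throw new SecurityException("Authenticated principal without a name claim.");

            // Build a fresh identity: keep only what the application needs, add what it needs.
            var identity = new ClaimsIdentity("Application");
            identity.AddClaim(new Claim(ClaimTypes.Name, name.Value));
            var authMethod = incomingPrincipal.FindFirst(ClaimTypes.AuthenticationMethod);
            if (authMethod != null)
                identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, authMethod.Value));
            foreach (var role in RoleDirectory.RolesFor(name.Value))
                identity.AddClaim(new Claim(ClaimTypes.Role, role));

            return new ClaimsPrincipal(identity);
        }
    }

    [ServiceContract]
    public interface IOrderService
    {
        [OperationContract] string WhoAmI();
    }

    public class OrderService : IOrderService
    {
        // Reads the transformed caller identity the 4.5 way, via the operation context.
        public string WhoAmI()
        {
            var principal = OperationContext.Current.ClaimsPrincipal;
            var roles = principal.FindAll(ClaimTypes.Role).Select(c => c.Value);
            return principal.Identity.Name + " [" + string.Join(",", roles) + "]";
        }
    }
}

/* web.config fragment (assumes <serviceCredentials useIdentityConfiguration="true" /> is set):

<system.identityModel>
  <identityConfiguration>
    <claimsAuthenticationManager type="Demo.ApplicationClaimsTransformer, Demo" />
  </identityConfiguration>
</system.identityModel>
*/
```

The transformer runs on every incoming message unless a session is established, so an expensive lookup in Authenticate is paid per call; that is the state management issue this module refers to, and caching the transformed principal is the usual answer.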

Authorization
In this module, we'll have a look at the different authorization techniques you can use in WCF. So we start with looking at some of the fundamental approaches here; that means that we're going to look at authorization happening in the WCF request processing pipeline. We'll have a look at a declarative approach to authorization, and then an imperative approach.
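As an added illustration (not code from the course or the author): in WCF 4.5 both the declarative and the imperative authorization style end up in one place, a ClaimsAuthorizationManager that answers "may this principal perform this action on this resource". The block below implements a deny-by-default manager and shows a service operation guarded declaratively with ClaimsPrincipalPermissionAttribute and another one checking imperatively with ClaimsPrincipalPermission.CheckAccess. The "Demo" namespace, the "Orders" resource and its actions, and the role mapping are assumptions for this example; the comment about the pipeline's own per-message call is flagged as an assumption to verify in your environment.

```csharp
// Added example, not from the course: claims-based authorization in the WCF 4.5 pipeline.
// Assumptions: namespace/assembly "Demo"; resource/action names and role mapping are made up.
// Requires a reference to System.IdentityModel.Services (ClaimsPrincipalPermission lives there).
using System;
using System.Linq;
using System.IdentityModel.Services;
using System.Security.Claims;
using System.Security.Permissions;
using System.ServiceModel;

namespace Demo
{
    public class OrderAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            var principal = context.Principal;
            if (principal == null || !principal.Identity.IsAuthenticated) return false;

            var resource = context.Resource.Select(c => c.Value).FirstOrDefault();
            var action = context.Action.Select(c => c.Value).FirstOrDefault();

            // Assumption to verify (log context.Resource/context.Action once): the 4.5 pipeline
            // also calls this manager once per message with the SOAP action URI as the action.
            // Handle that call explicitly so it does not fall into the default deny below;
            // the per-operation demands then make the fine-grained decision.
            if (action != null && Uri.IsWellFormedUriString(action, UriKind.Absolute))
                return true;

            // Deny by default; only enumerate what is allowed.
            switch (resource + ":" + action)
            {
                case "Orders:Read":   return principal.IsInRole("Sales") || principal.IsInRole("Admin");
                case "Orders:Delete": return principal.IsInRole("Admin");
                default:              return false;
            }
        }
    }

    [ServiceContract]
    public interface IOrderService
    {
        [OperationContract] int CountOrders();
        [OperationContract] void DeleteOrder(int id);
    }

    public class OrderService : IOrderService
    {
        // Declarative: the demand runs before the method body, against Thread.CurrentPrincipal.
        [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "Orders", Operation = "Read")]
        public int CountOrders()
        {
            return 42;   // placeholder body
        }

        // Imperative: for cases where resource or action are only known at runtime.
        public void DeleteOrder(int id)
        {
            // Throws SecurityException when the manager returns false; WCF turns it into a fault.
            ClaimsPrincipalPermission.CheckAccess("Orders", "Delete");
            // ... delete order 'id' ...
        }
    }
}

/* web.config fragment (assumes <serviceCredentials useIdentityConfiguration="true" /> is set):

<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager type="Demo.OrderAuthorizationManager, Demo" />
  </identityConfiguration>
</system.identityModel>

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- Makes Thread.CurrentPrincipal the claims principal, which both the attribute
             and the imperative check rely on. -->
        <serviceAuthorization principalPermissionMode="Always" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
*/
```

Keeping every rule inside the manager, rather than scattering IsInRole checks through operation bodies, is what makes the policy reviewable; the operations only state which resource and action they need.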

Federation and Identity Delegation
In this last module, we're going to look at two, strictly speaking, unrelated topics: Federation and Identity Delegation. But they are both considered to be advanced topics, so I put them together in this module. So we're going to first look at the scenario where you want to federate with multiple token services via WS-Trust. And the second big topic here is: how can you delegate client identity across multiple hops in a service-oriented application?