<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Garrett&#039;s Tech Musings</title>
	<atom:link href="http://garrettvlieger.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://garrettvlieger.com/blog</link>
	<description>Thoughts on technology, programming, and the industry</description>
	<lastBuildDate>Thu, 11 Mar 2010 02:04:50 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Refreshing Claims in a WIF Claims-Aware Application</title>
		<link>http://garrettvlieger.com/blog/2010/03/refreshing-claims-in-a-wif-claims-aware-application/</link>
		<comments>http://garrettvlieger.com/blog/2010/03/refreshing-claims-in-a-wif-claims-aware-application/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 02:04:50 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[ad fs 2.0]]></category>
		<category><![CDATA[claims]]></category>
		<category><![CDATA[refreshing claims]]></category>
		<category><![CDATA[wif]]></category>
		<category><![CDATA[windows identity foundation]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=240</guid>
		<description><![CDATA[With Windows Identity Foundation (WIF), it&#8217;s fairly simple and well-documented on how to consume claims in your claims-aware web application.  What isn&#8217;t entirely clear is how to reload these claims when updates are made to the user&#8217;s information.  How do we refresh the claims, which are stored in an encrypted SAML token cookie?
Let&#8217;s look at a [...]]]></description>
			<content:encoded><![CDATA[<p>With Windows Identity Foundation (WIF), it&#8217;s fairly simple and <a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0" target="_blank">well-documented</a> on how to consume claims in your claims-aware web application.  What isn&#8217;t entirely clear is how to reload these claims when updates are made to the user&#8217;s information.  How do we refresh the claims, which are stored in an encrypted SAML token cookie?</p>
<p>Let&#8217;s look at a fairly simple WIF application that allows users to update their profile &#8212; their email address, name, title, and possibly other user information.  In a typical scenario, there would be a call to make a database update and then a subsequent query to retrieve the new data.  However, since our claims are controlled by the Security Token Service (STS), we need to somehow force the claims to be refreshed by the central STS.</p>
<p>This is done by making a call to the WSFederationAuthenticationModule to &#8220;sign out&#8221; the user:</p>
<pre language="C#">// The module is registered in web.config; the key used here must match
// the name it was registered under in the httpModules/modules section.
var module =
    Context.ApplicationInstance.Modules["WSFederationAuthenticationModule"]
    as WSFederationAuthenticationModule;

// Deletes the FedAuth session cookie; the next request for a secured page
// round-trips to the STS, which reissues the claims.
module.SignOut(true);</pre>
<p>So what does this actually do?  Well, let&#8217;s look at the process from the beginning:</p>
<ol>
<li>When a user authenticates successfully, a POST is sent back to the relying party endpoint.  This request contains our SAML token that is then stored within a browser cookie.  In fact, several cookies are written as can be seen in the list below:<br />
<img class="alignnone size-full wp-image-246" title="cookies" src="http://garrettvlieger.com/blog/wp-content/uploads/2010/03/cookies1.png" alt="" width="177" height="216" /></li>
<li>When the updates are made, we need to get a reference to the <a href="http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.web.wsfederationauthenticationmodule.aspx" target="_blank">WSFederationAuthenticationModule</a>, which sits in the ASP.NET pipeline and monitors the presence of the authentication cookies.</li>
<li>With our module instance, we can then call SignOut, which simply deletes the session token cookie (FedAuth).<br />
<img class="alignnone size-full wp-image-245" title="cookies" src="http://garrettvlieger.com/blog/wp-content/uploads/2010/03/cookies.png" alt="" width="177" height="177" /></li>
<li>The next request for a secured page within our application will require a hop over to the STS.  Since the user is still authenticated based on the authentication cookies, the STS will reissue fresh claims and a new session token!</li>
</ol>
<p>This process is transparent to the user since the hop is fairly quick, and it allows us to easily reload the user profile information.</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2010/03/refreshing-claims-in-a-wif-claims-aware-application/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Modifying the AD FS 2.0 Passive Federation Endpoint</title>
		<link>http://garrettvlieger.com/blog/2009/12/modifying-the-ad-fs-2-0-passive-federation-endpoint/</link>
		<comments>http://garrettvlieger.com/blog/2009/12/modifying-the-ad-fs-2-0-passive-federation-endpoint/#comments</comments>
		<pubDate>Wed, 30 Dec 2009 20:16:08 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[ad fs 2.0]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[passive federation]]></category>
		<category><![CDATA[windows identity foundation]]></category>
		<category><![CDATA[windows internal database]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=209</guid>
		<description><![CDATA[Out of the box, Active Directory Federation Services (AD FS) 2.0 comes bundled with several endpoints to support different protocols (WS-Trust, WS-Federation, etc.), credential types, and security modes.  These endpoints are used for communication to the STS so if you have an application that needs to receive tokens via WCF, you can connect to one [...]]]></description>
			<content:encoded><![CDATA[<p>Out of the box, Active Directory Federation Services (AD FS) 2.0 comes bundled with several <a href="http://technet.microsoft.com/en-us/library/dd727957(WS.10).aspx" target="_blank">endpoints</a> to support different protocols (WS-Trust, WS-Federation, etc.), credential types, and security modes.  These endpoints are used for communication to the STS, so if you have an application that needs to receive tokens via WCF, you can connect to one of the provided endpoints depending on your security and transport requirements.</p>
<div id="attachment_217" class="wp-caption aligncenter" style="width: 584px"><a href="http://garrettvlieger.com/blog/wp-content/uploads/2009/12/ADFS-Endpoints.png"><img class="size-large wp-image-217  " title="ADFS Endpoints" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/12/ADFS-Endpoints-1024x515.png" alt="" width="574" height="289" /></a><p class="wp-caption-text">AD FS 2.0 Endpoints</p></div>
<h3>Customizing the Passive Federation Site</h3>
<p>The endpoint that many developers will encounter the most is the <strong>Passive Federation</strong> endpoint.  This is the URI that a user will be redirected to when trying to authenticate with a Windows Identity Foundation (WIF)-enabled site.  In other words, this is the AD FS login page.</p>
<p>So what happens if you want to customize this site?  Well, the <a href="http://msdn.microsoft.com/en-us/library/ee895356.aspx" target="_blank">official documentation</a> describes how you can easily configure three things in the sign-on pages: the accepted authentication types, the theme (CSS) of the site including the logo, and finally the &#8220;behavior and layout&#8221; of the sign-on pages.  There are extension points for creating your own pages as well as modifying the existing ones.</p>
<p>In this posting, I won&#8217;t go into the details of the library used to make these customizations (Microsoft.IdentityServer) but needless to say, you have the ability to control many aspects of the AD FS login process.</p>
<h3>Changing the Passive Federation Endpoint URL</h3>
<p>Once you&#8217;ve decided to customize the login site, it would also be nice to change the location of the site so you&#8217;re not stuck with the hard-wired URI (/adfs/ls).  In my case, I wanted to simply keep the existing site in place (for backup and testing purposes) while putting in a newly customized STS login site.</p>
<p>Since there&#8217;s no way to change the endpoint URI within the management console, you need to update the AD FS configuration, which is conveniently stored <em>in a database column as a single XML file in Windows Internal Database (WID)!</em> Have no fear.  I&#8217;ve written a SQL script (see below) to make this update process much simpler.</p>
<h3>Connecting to Windows Internal Database (WID)</h3>
<p>The first thing you&#8217;ll need to do is to connect to the <a href="http://en.wikipedia.org/wiki/Windows_Internal_Database" target="_blank">Windows Internal Database (WID)</a> instance on your machine.  As of the RC of AD FS, the settings are no longer stored in an external SQL Server or SQL Server Express database.  Instead, AD FS utilizes WID, which is simply SQL Server running with limited rights and visibility within Windows Server.</p>
<p>To connect, open SQL Server Management Studio (if you&#8217;re running this in Windows 2008, be sure to run it as an Administrator) and enter <strong>\\.\pipe\mssql$microsoft##ssee\sql\query</strong> as the server name.  Yes, that&#8217;s the connection string.  It seems like a bit of a hack getting into it, but this is well documented (it&#8217;s even on <a href="http://en.wikipedia.org/wiki/Windows_Internal_Database" target="_blank">Wikipedia</a>!) so don&#8217;t be afraid.</p>
<div id="attachment_210" class="wp-caption aligncenter" style="width: 426px"><a href="http://garrettvlieger.com/blog/wp-content/uploads/2009/12/wid.png"><img class="size-full wp-image-210" title="Windows Internal Database" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/12/wid.png" alt="" width="416" height="308" /></a><p class="wp-caption-text">Windows Internal Database Connection</p></div>
<h3>Updating the Endpoint</h3>
<p>Once you&#8217;ve connected, you can execute the script below to change the address of the Passive Federation endpoint.  A couple of notes first:</p>
<ol>
<li><strong>Standard disclaimer</strong>: This is a database update script so be sure that you&#8217;ve either backed up the database or made a copy of the settings so that you can roll back if necessary.</li>
<li>Set the @EndPointAddress variable to the desired address of your STS login page.</li>
<li>If you want to just see the configuration results before committing the changes, set the @Debug variable to 1 (true).</li>
</ol>
<pre>USE AdfsConfiguration
GO

--
-- Variables
--
DECLARE @Settings XML
DECLARE @EndPointAddress VARCHAR(255)
DECLARE @Debug BIT

-- Set the new Passive Federation location here (original = '/adfs/ls')
SET @EndPointAddress = '/PassiveFederationSite'

-- Set this to true (1) if you only want to see the changes and not apply them
SET @Debug = 0

--
-- Convert the latest settings row to the XML data type
-- so we can more easily work with it.  The encoding declaration
-- has to be stripped before the cast (see the notes below).
--
SET @Settings =
(
  SELECT TOP 1 CAST(
    REPLACE(ServiceSettingsData, 'encoding="utf-8"', '')
    AS XML) AS x
  FROM IdentityServerPolicy.ServiceSettings
  ORDER BY LastUpdateTime DESC
)

-- Update the PassiveEndpoint address in the XML
-- (the variable name here must match the DECLARE above)
SET @Settings.modify('replace value of
(/ServiceSettingsData/SecurityTokenService/PassiveEndpoint/@Address)[1] with
sql:variable("@EndPointAddress")')

-- Convert new settings back to NVARCHAR
DECLARE @NewSettings NVARCHAR(MAX)

SET @NewSettings =
'' +
CAST(@Settings AS NVARCHAR(MAX))

IF @Debug = 1
BEGIN
  -- Preview only: show the full document and the modified element
  SELECT @NewSettings
  SELECT @Settings.query
    ('/ServiceSettingsData/SecurityTokenService/PassiveEndpoint')
END
ELSE
BEGIN
  DECLARE @ObjectId UNIQUEIDENTIFIER
  DECLARE @ServiceSettingsVersion BIGINT

  -- Get the id and version of the latest settings row
  SELECT TOP 1 @ObjectId = ServiceSettingId,
    @ServiceSettingsVersion = ServiceSettingsVersion
  FROM IdentityServerPolicy.ServiceSettings
  ORDER BY LastUpdateTime DESC

  --
  -- Execute stored procedure to update settings
  --
  EXEC IdentityServerPolicy.UpdateServiceSettings @ObjectId,
    @NewSettings, @ServiceSettingsVersion
END</pre>
<h3>Some Notes on the Script</h3>
<ol>
<li>The removal of the &#8220;utf-8&#8221; encoding string is necessary for the configuration to be properly converted into the SQL Server XML type.  Without using the XML data type, this script would have been a lot more complex.</li>
<li>In addition to updating the configuration settings, the <strong>UpdateServiceSettings</strong> stored procedure increments the version column and updates the LastUpdateTime column.  The version column (as far as I can tell) is only used for handling update conflicts.</li>
</ol>
<h3>Wrapping Up</h3>
<p>Once the script has been run, the changes will be instantaneous in AD FS.  There&#8217;s no need to restart the service.  To roll back to the original URI, just set @EndPointAddress to &#8220;/adfs/ls&#8221; and rerun the script!</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/12/modifying-the-ad-fs-2-0-passive-federation-endpoint/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Under the Hood: My other blog</title>
		<link>http://garrettvlieger.com/blog/2009/12/under-the-hood-my-other-blog/</link>
		<comments>http://garrettvlieger.com/blog/2009/12/under-the-hood-my-other-blog/#comments</comments>
		<pubDate>Thu, 17 Dec 2009 18:07:37 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=199</guid>
		<description><![CDATA[
I&#8217;ve started writing for my company&#8217;s blog: Under the Hood.  I&#8217;ll still regularly post here to my blog, but definitely hop over there to check out the wide range of articles from my co-workers at Ironworks.
]]></description>
			<content:encoded><![CDATA[<p><a href="http://underthehood.ironworks.com"><img class="size-medium wp-image-200 alignnone" title="Under the Hood" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/12/blogheader_underthehood-300x84.jpg" alt="Under the Hood" width="450" height="126" /></a></p>
<p>I&#8217;ve started writing for my company&#8217;s blog: <a href="http://underthehood.ironworks.com" target="_blank">Under the Hood</a>.  I&#8217;ll still regularly post here to my blog, but definitely hop over there to check out the wide range of articles from my co-workers at <a href="http://www.ironworks.com" target="_blank">Ironworks</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/12/under-the-hood-my-other-blog/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Microsoft Names Its Products</title>
		<link>http://garrettvlieger.com/blog/2009/12/how-microsoft-names-its-products/</link>
		<comments>http://garrettvlieger.com/blog/2009/12/how-microsoft-names-its-products/#comments</comments>
		<pubDate>Thu, 17 Dec 2009 16:25:56 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Identity Management]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=197</guid>
		<description><![CDATA[It could just be a coincidence, but I ran across this message board posting where somebody suggests that Microsoft name their product &#8220;Windows Identity Foundation&#8221;.  However, this was three years ago!  It&#8217;s nice that somebody followed up recently with a little &#8220;congratulations on your suggestion&#8221; posting, but I wonder if the original poster even realizes [...]]]></description>
			<content:encoded><![CDATA[<p>It could just be a coincidence, but I ran across <a href="http://social.msdn.microsoft.com/Forums/en-US/windowscardspace/thread/d128c601-73ed-4494-bdc2-9f56bd5ceba4/" target="_blank">this message board posting</a> where somebody suggests that Microsoft name their product &#8220;Windows Identity Foundation&#8221;.  However, this was three years ago!  It&#8217;s nice that somebody followed up recently with a little &#8220;congratulations on your suggestion&#8221; posting, but I wonder if the original poster even realizes that his suggestion is now the official name for the identity framework that Microsoft just released.</p>
<p>I will go ahead and throw out that Microsoft should rename its ORM solution from Entity Framework to Windows Data Access Foundation (WDAF).  You heard it here first!</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/12/how-microsoft-names-its-products/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Identity Foundation RTM is Here</title>
		<link>http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rtm-is-here/</link>
		<comments>http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rtm-is-here/#comments</comments>
		<pubDate>Wed, 18 Nov 2009 19:05:18 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Active Directory Federation Services]]></category>
		<category><![CDATA[Geneva Server]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[windows identity foundation]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=187</guid>
		<description><![CDATA[
Less than two weeks after the release of the Windows Identity Foundation (WIF) RC, the final RTM version has been pushed out!
Check out the official announcement on Vibro.NET or download it directly from the Microsoft site.
Still no word on any new releases for Active Directory FS v2 (Geneva Server).
]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-154" href="http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rc-available/net-wif_h_rgb2_thumb/"><img class="alignleft size-medium wp-image-154" title="WIF" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/11/NET-WIF_h_rgb2_thumb-300x56.jpg" alt="WIF" width="300" height="56" /></a></p>
<p>Less than two weeks after the release of the Windows Identity Foundation (WIF) RC, the final RTM version has been pushed out!</p>
<p>Check out the <a href="http://blogs.msdn.com/vbertocci/archive/2009/11/17/windows-identity-foundation-rtm.aspx" target="_blank">official announcement on Vibro.NET</a> or <a href="http://msdn.microsoft.com/en-us/evalcenter/dd440951.aspx" target="_blank">download it directly from the Microsoft site</a>.</p>
<p>Still no word on any new releases for Active Directory FS v2 (Geneva Server).</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rtm-is-here/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Architecture versus Code</title>
		<link>http://garrettvlieger.com/blog/2009/11/architecture-versus-code/</link>
		<comments>http://garrettvlieger.com/blog/2009/11/architecture-versus-code/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 19:54:47 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Architecture and Design]]></category>
		<category><![CDATA[architecture]]></category>
		<category><![CDATA[architecture astronauts]]></category>
		<category><![CDATA[design]]></category>
		<category><![CDATA[grady booch]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=162</guid>
		<description><![CDATA[In a recent interview, Grady Booch responded to a question regarding people that are skeptical about overblown architectures with a very succinct and ultimately dead-on answer:
The most important artifact any development team produces is raw, running, naked code.  Everything else is secondary or tertiary.  However, that is not to say that these other [...]]]></description>
			<content:encoded><![CDATA[<p>In a <a href="http://www.informit.com/articles/article.aspx?p=1405569" target="_blank">recent interview</a>, <a href="http://en.wikipedia.org/wiki/Grady_Booch" target="_blank">Grady Booch</a> responded to a question regarding people that are skeptical about overblown architectures with a very succinct and ultimately dead-on answer:</p>
<blockquote><p>The most important artifact any development team produces is raw, running, naked code.  Everything else is secondary or tertiary.  However, that is not to say that these other things are inconsequential.  Rather, our models, our processes, our design patterns help one to build the right thing at the right time for the right stakeholders.</p>
<p>Yet, while code is king, one must realize that it is also a servant, for it in the end must serve some constituency, deliver some measurable value.  Just as I loathe architecture astronauts—people who have no skin in the game, people who are so divorced from the reality of executables that they melt in the sight of a line of code—I also loathe code bigots who are so blinded by their own prowess and tools that they lose sight of why or for whom they are toiling.  Design for design&#8217;s sake is meaningless; code for code&#8217;s sake may be fun but it is also meaningless.</p>
<p>Recognize also that there are very real tensions between doing the right thing in the short term and doing the right thing for the long term.  Code centricity tends to draw you to the former; architectural centricity tends to draw you to the latter, and honestly, neither pole is correct, but rather it is the dance between the two for which a particular team with a specific culture working in a given domain must find balance.</p></blockquote>
<div id="attachment_163" class="wp-caption alignright" style="width: 310px"><a rel="attachment wp-att-163" href="http://garrettvlieger.com/blog/2009/11/architecture-versus-code/astronauts_tool_bag/"><img class="size-full wp-image-163" title="Architecture Astronaut" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/11/astronauts_tool_bag.jpg" alt="How's the weather up there?" width="300" height="300" /></a><p class="wp-caption-text">How&#39;s the weather up there?</p></div>
<p>This quote probably hits home for many developers.  There needs to be a balance between using an architecture to improve the process of software development versus developing working code that does what the client expects.</p>
<p>Trade-offs are usually made in projects due to budget, time, or resource constraints, but the chosen tools and architecture (whether custom built or based on an existing pattern) should at least exhibit these features:</p>
<ol>
<li><b>The architecture should lend itself to scalability and maintainability.</b>  The final application will need to grow and other developers will need to take over programming duties.  If your architecture is so rigid and convoluted that it can&#8217;t grow, it probably needs to be redesigned.</li>
<li><b>The methodology and design patterns should not be overly complex.</b>  While a learning curve is acceptable, if it takes an inordinate amount of valuable project time to learn the ins-and-outs of the architecture, it may not be worth using, especially for smaller projects.</li>
<li><b>The architecture must help solve the problem at hand.</b>  As Joel Spolsky described in his <a href="http://www.joelonsoftware.com/articles/fog0000000018.html" target="_blank">diatribe</a> against &#8220;Architecture Astronauts&#8221;, tools are just that &#8212; tools to help build a solution.  People have a tendency to separate the business and technical problem from the underlying architecture, favoring what they know or what they view as the &#8220;acceptable&#8221; way to do things (&#8220;If all you have is a hammer, every problem looks like a nail&#8221;).</li>
<li><b>The architecture should promote best practices and lead programmers into developing in a structured manner.</b>  In <a href="http://www.amazon.com/Code-Complete-Practical-Handbook-Construction/dp/0735619670" target="_blank">Code Complete</a>, Steve McConnell describes the role of good architecture:
<blockquote><p>A well thought-out architecture provides the structure needed to maintain a system&#8217;s conceptual integrity from the top levels down to the bottom.  It provides guidance to programmers &#8212; at a level of detail appropriate to the skills of the programmers and to the job at hand&#8230;</p>
<p>Good architecture makes construction easy.  Bad architecture makes construction almost impossible.</p></blockquote></li>
</ol>
<p>Grady Booch summed up the balance between architecture and working code pretty well, and this is coming from a man who has been at the forefront of object-oriented design.  There are no hard and fast rules about which design to use in which situation, and this is why a good deal of thought needs to be given to the architectural phase of any project.</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/11/architecture-versus-code/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Windows Identity Foundation RC Available</title>
		<link>http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rc-available/</link>
		<comments>http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rc-available/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 20:49:23 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[geneva framework]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[wif]]></category>
		<category><![CDATA[windows identity foundation]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=151</guid>
		<description><![CDATA[
The release candidate (RC) for Windows Identity Foundation (formerly the Geneva Framework) is now available for download.
The latest release has several new features and fixes:

Refactored WSTrustClient as WSTrustChannelFactory and WSTrustChannel
Extended tracing functionality for better diagnosability
Unifying SAML end points through WrappedTokenAuthenticator
Crypto agility
Bootstrap tokens availability through ClaimsIdentity
Security token cache updates to support session mode for ASP.NET cookies
FedUtil [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-154" href="http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rc-available/net-wif_h_rgb2_thumb/"><img class="size-medium wp-image-154 alignleft" title="WIF" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/11/NET-WIF_h_rgb2_thumb-300x56.jpg" alt="WIF" width="300" height="56" /></a></p>
<p>The release candidate (RC) for Windows Identity Foundation (formerly the Geneva Framework) is now <a href="http://msdn.microsoft.com/en-us/evalcenter/dd440951.aspx">available for download</a>.</p>
<p>The latest release has several new features and fixes:</p>
<ul>
<li>Refactored WSTrustClient as WSTrustChannelFactory and WSTrustChannel</li>
<li>Extended tracing functionality for better diagnosability</li>
<li>Unifying SAML end points through WrappedTokenAuthenticator</li>
<li>Crypto agility</li>
<li>Bootstrap tokens availability through ClaimsIdentity</li>
<li>Security token cache updates to support session mode for ASP.NET cookies</li>
<li>FedUtil leveraged for control-based applications</li>
</ul>
<p>The full list of changes between Beta 2 and the RC is available in a <a href="http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/WindowsIdentityFoundation-ChangesBetweenBeta2AndRC.pdf" target="_blank">whitepaper</a>.</p>
<p>To go along with this new update, there are also new versions of the <a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0" target="_blank">Identity Training Kit</a>, the <a href="http://code.msdn.microsoft.com/FabrikamShipping" target="_blank">FabrikamShipping example application</a>, and the <a href="http://code.msdn.microsoft.com/ClaimsDrivenControl" target="_blank">Claims-Driven Modifier Control</a> (which is really nice if you haven&#8217;t tried it out).</p>
<p>There is no word on any new versions of Active Directory FS (Geneva Server) and no update on the final release date, but the word is that they are still shooting for RTM this quarter.</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/11/windows-identity-foundation-rc-available/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 10 Upcoming Microsoft Releases That Developers Should be Excited About</title>
		<link>http://garrettvlieger.com/blog/2009/10/top-10-upcoming-microsoft-releases-that-developers-should-be-excited-about/</link>
		<comments>http://garrettvlieger.com/blog/2009/10/top-10-upcoming-microsoft-releases-that-developers-should-be-excited-about/#comments</comments>
		<pubDate>Sat, 17 Oct 2009 14:18:57 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[.NET]]></category>
		<category><![CDATA[ajax]]></category>
		<category><![CDATA[asp.net]]></category>
		<category><![CDATA[entity framework]]></category>
		<category><![CDATA[f#]]></category>
		<category><![CDATA[geneva]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[MVC]]></category>
		<category><![CDATA[ria]]></category>
		<category><![CDATA[visual studio 2010]]></category>
		<category><![CDATA[WCF]]></category>
		<category><![CDATA[wf]]></category>
		<category><![CDATA[windows communication foundation]]></category>
		<category><![CDATA[windows workflow foundation]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=101</guid>
		<description><![CDATA[1. Visual Studio 2010
It all starts with the IDE.  While the tool has been built to provide a development environment for the new .NET 4.0 framework, there are several other features that make Visual Studio 2010 something to look forward to:

Microsoft has cleaned up the user interface a bit, which will be the most [...]]]></description>
			<content:encoded><![CDATA[<h3>1. Visual Studio 2010</h3>
<p>It all starts with the IDE.  While the tool has been built to provide a development environment for the new .NET 4.0 framework, there are several other features that make Visual Studio 2010 something to look forward to:</p>
<ul>
<li>Microsoft has cleaned up the user interface a bit, which will be the most obvious change when you first run VS 2010.  For the first time, Visual Studio is now a full-fledged WPF application.
<div id="attachment_103" class="wp-caption aligncenter" style="width: 573px"><a rel="attachment wp-att-103" href="http://garrettvlieger.com/blog/2009/10/top-10-upcoming-microsoft-releases-that-developers-should-be-excited-about/vs2010/"><img class="size-large wp-image-103" title="Visual Studio 2010" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/10/vs2010-1024x569.PNG" alt="The new welcome screen in Visual Studio 2010" width="563" height="312" /></a><p class="wp-caption-text">The new welcome screen in Visual Studio 2010</p></div></li>
<li>There are several enhancements to better support new languages such as F# and parallel programming.</li>
<li>Most exciting to many developers will be the full IntelliSense support for JavaScript (finally!)</li>
<li>A new visual editor for XAML-based Silverlight applications has been added.  It&#8217;s no longer necessary to use Expression Blend to do front-end visual design, which is a big win for Silverlight developers.</li>
<li>Several tools have been either added or enriched: new built-in modeling capabilities, better testing options, and some really nice improvements to TFS.</li>
</ul>
<p>I&#8217;ve had the beta version installed for a while now, and I would have used it more had it not blue-screened my computer a few times.  Regardless, the best development IDE out there has added a number of nice additions to keep it ahead of the game.</p>
<p><em>Projected Release:</em> March 22, 2010<br />
<em> Further Reading</em>: <a href="http://www.microsoft.com/visualstudio/en-us/products/2010/default.mspx">http://www.microsoft.com/visualstudio/en-us/products/2010/default.mspx</a></p>
<h3>2. .NET 4.0/C# 4.0</h3>
<p>There is a laundry list of new features in the upcoming .NET Framework 4.0 and C# 4.0 (VB.NET has new features as well, but mostly they either mimic C# enhancements or add abilities that were already in C#).  The .NET Framework has numerous additions, which are detailed throughout this list.</p>
<p>C# adds several new abilities that I&#8217;m sure a lot of developers can&#8217;t wait to start using, namely:</p>
<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/dd264736(VS.100).aspx">Dynamically typed objects</a></li>
<li>Optional parameters &#8211; Visual Basic has had this forever and now C# finally adds this ability!</li>
<li>Better interoperability with COM objects &#8211; Not that anyone wants to deal with COM anymore, but it&#8217;s out there.</li>
</ul>
<p><em>Projected Release</em>: March 22, 2010<br />
<em> Further Reading</em>: <a href="http://msdn.microsoft.com/en-us/netframework/default.aspx">http://msdn.microsoft.com/en-us/netframework/default.aspx</a></p>
<h3>3. Windows Identity Foundation/Active Directory Federation Services (formerly codename &#8220;Geneva&#8221;)</h3>
<p>The new identity offerings from Microsoft present a means for ASP.NET developers to jump into the world of claims-based security and federated authentication.  While the approach isn&#8217;t new, the tools to make all of this relatively seamless in ASP.NET are a significant advancement for enterprises.  See my <a href="http://garrettvlieger.com/blog/2009/10/a-mind-shift-on-identity-management-with-geneva/">previous posting</a> about some of the advantages that come along with this shift in security thinking.</p>
<p><em>Projected Release</em>: Windows Identity Foundation: Released, Active Directory Federation Services: Q1 2010<br />
<em> Further Reading</em>: <a href="http://msdn.microsoft.com/en-us/security/aa570351.aspx">http://msdn.microsoft.com/en-us/security/aa570351.aspx</a></p>
<h3>4. Windows Azure Platform</h3>
<p><a rel="attachment wp-att-115" href="http://garrettvlieger.com/blog/2009/10/top-10-upcoming-microsoft-releases-that-developers-should-be-excited-about/azure/"><img class="size-full wp-image-115 alignnone" title="azure" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/10/azure.png" alt="azure" width="280" height="74" /></a></p>
<p><em>The Cloud &#8211;</em> we&#8217;ve been hearing about it in articles, TV commercials, and just about everywhere.  Microsoft will be doing the hard sell on their cloud-based services platform in the coming months with the release of Azure.</p>
<p>What does it mean to developers?  Well, for one it&#8217;s part of the ongoing move to Internet-based services.  As architects plan out their systems, it may not be a matter of installing a new SQL Server or setting up an Active Directory server.  Instead, the company may opt to host their systems on the Azure platform, which will present its own set of challenges dealing with latency, network concerns, and system interoperability.  [Insert your own rain cloud analogy here.]</p>
<p><em>Projected Release</em>: November 2009<br />
<em> Further Reading</em>: <a href="http://www.microsoft.com/windowsazure/">http://www.microsoft.com/windowsazure/</a></p>
<h3>5. ASP.NET MVC 2</h3>
<p>No, MVC doesn&#8217;t stand for Microsoft Voluminous Code, although some web forms developers may feel that way after they first get into ASP.NET MVC.  Since MVC ditches server controls, some long-time ASP.NET programmers may see MVC as adding a lot of work and extra code.  While this fear is somewhat unjustified, the next version of MVC hopes to ease the transition to MVC with some nice improvements.</p>
<p><em>Projected Release</em>: March 22, 2010<br />
<em> Further Reading</em>: <a href="http://aspnet.codeplex.com/wikipage?title=Road%20Map&amp;referringTitle=MVC">http://aspnet.codeplex.com/wikipage?title=Road%20Map&amp;referringTitle=MVC</a></p>
<h3>6. Entity Framework 4.0</h3>
<p>With the ADO.NET Entity Framework, Microsoft stepped up to bat in the ORM (Object Relational Mapping) marketplace, and according to many people, swung and missed.  With NHibernate, .netTiers, and their own LINQ to SQL already out there as better ORM options, Microsoft&#8217;s first version of the Entity Framework left a lot to be desired.</p>
<p>Thankfully, Microsoft has taken the hint and the next version of the Entity Framework fills in a lot of gaps.  For one, you can now easily customize the code generated by the tool using T4 templates.</p>
<p>Another complaint was the difficulty of dealing with disconnected entity objects in an n-tier architecture.  Since the Entity Framework relies on the state of an object to determine whether a record should be updated, deleted, or inserted, dealing with stateless entity objects passed over a WCF service was a bit of a chore.  Microsoft corrects this with &#8220;self-tracking&#8221; entities that set their own state on the client side.</p>
<p><em>Projected Release</em>: Q1 2010<br />
<em> Further Reading</em>: <a href="http://blogs.msdn.com/efdesign/">http://blogs.msdn.com/efdesign/</a></p>
<h3>7. WCF 4, WF 4, and Windows Server &#8220;Dublin&#8221;</h3>
<p>Yes, another European city codename for Microsoft.  With the .NET 4.0 framework, Microsoft has made significant improvements to Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF).  &#8220;Dublin&#8221; meanwhile is a set of enhancements to Windows Server and IIS that provides a standard host for WCF and WF applications.</p>
<p>One of the biggest headaches with WCF is configuration.  The range of web.config or app.config settings that need to be specified for WCF negates the ease with which the rest of a WCF service can be developed.  With .NET 4.0, WCF now has a default endpoint configuration so you don&#8217;t actually need to configure anything if you don&#8217;t need to.  In addition, WCF now supports a more simplified REST interface.  This was available before with the WCF REST Starter Kit, but the new version of WCF makes this a lot easier.</p>
<p>On the Workflow side of things, Microsoft has greatly improved the visual designer for WF in Visual Studio while also completely revamping the programming model to be more robust.  They&#8217;ve also made enhancements to the interaction between WCF and WF, which brings both of these technologies more in line with each other.</p>
<p><em>Projected Release</em>: Q1 2010<br />
<em> Further Reading</em>: <a href="http://www.microsoft.com/NET/Dublin.aspx">http://www.microsoft.com/NET/Dublin.aspx</a></p>
<h3>8. F#</h3>
<p>Like many developers out there, I got my first taste of functional programming in college with LISP, and that was enough to scare me away forever.  Recently however, there&#8217;s been a resurgence in functional programming interest, stemming partly from the introduction of LINQ in .NET and leading to the development of F#.  What started out as a research project within Microsoft is now the fully-realized F# language that will be available with Visual Studio 2010.</p>
<p>Here is a quick sample program in F# (indentation matters in F#, so the nested bindings under <code>label</code> must be indented as shown):</p>
<pre><code>(* Sample Windows Forms Program *)

(* We need to open the Windows Forms library *)
open System.Windows.Forms

(* Create a window and set a few properties *)
let form = new Form(Visible=true, TopMost=true, Text="Welcome to F#")

(* Create a label to show some text in the form *)
let label =
    let temp = new Label()
    let x = 3 + (4 * 5)
    (* Set the value of the Text property *)
    temp.Text &lt;- sprintf "x = %d" x
    (* Remember to return a value! *)
    temp

(* Add the label to the form *)
do form.Controls.Add(label)

(* Finally, run the form.  Windows Forms requires a single-threaded
   apartment, so the entry point is marked with the STAThread attribute. *)
[&lt;STAThread&gt;]
do Application.Run(form)
</code></pre>
<p>So why consider F# over object-oriented languages such as C# and Java?  That can be better summed up by someone else so check out <a href="http://www.hanselman.com/blog/TheWeeklySourceCode34TheRiseOfF.aspx">Scott Hanselman&#8217;s write-up</a>.</p>
<p><em>Projected Release</em>: March 22, 2010<br />
<em> Further Reading</em>: <a href="http://msdn.microsoft.com/en-us/fsharp/default.aspx">http://msdn.microsoft.com/en-us/fsharp/default.aspx</a></p>
<h3>9. ASP.NET AJAX v4.0</h3>
<p>If you do web development these days, odds are that you&#8217;re designing much better user interfaces than were written 5 years ago before the advent of AJAX and rich JavaScript libraries like jQuery.  Within ASP.NET web forms, the ability to do asynchronous operations gets more complicated when you&#8217;re dealing with ViewState and generated HTML elements.  To remedy this, Microsoft introduced ASP.NET AJAX in 2007.</p>
<p>The previous versions of ASP.NET AJAX used the UpdatePanel control to define a region of &#8220;AJAX-enabled&#8221; content that could be replaced using asynchronous updates.  The data sent back and forth in these calls was a large block of ViewState and HTML content, which is clearly inefficient.  With v4.0, ASP.NET AJAX introduces client-side templating, which provides an easier and simpler method of displaying dynamic data.  Take a look at this <a href="http://encosia.com/2008/07/23/sneak-peak-aspnet-ajax-4-client-side-templating/">overview</a> to get an idea of how this all works and how this brings pure AJAX and JSON data interaction into ASP.NET AJAX.</p>
<p><em>Projected Release</em>: March 22, 2010<br />
<em>Further Reading</em>: <a href="http://aspnet.codeplex.com/wikipage?title=AJAX&amp;ProjectName=aspnet">http://aspnet.codeplex.com/wikipage?title=AJAX&amp;ProjectName=aspnet</a></p>
<h3>10. .NET RIA Services</h3>
<blockquote><p>Microsoft .NET RIA (Rich Internet Application) Services simplifies the traditional n-tier application pattern by bringing together the ASP.NET and Silverlight platforms. The RIA Services provides a pattern to write application logic that runs on the mid-tier and controls access to data for queries, changes and custom operations. It also provides end-to-end support for common tasks such as data validation, authentication and roles by integrating with Silverlight components on the client and ASP.NET on the mid-tier.</p></blockquote>
<p>Put simply, .NET RIA bridges the gap between Silverlight and data access by providing a middle tier layer for defining business and application logic.</p>
<p><em>Projected Release</em>: Q1 2010<br />
<em>Further Reading</em>: <a href="http://go.microsoft.com/fwlink/?LinkID=144687">http://go.microsoft.com/fwlink/?LinkID=144687</a></p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/10/top-10-upcoming-microsoft-releases-that-developers-should-be-excited-about/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>The Inherent Flaw in Third-Party Authentication</title>
		<link>http://garrettvlieger.com/blog/2009/10/the-inherent-flaw-of-third-party-authentication/</link>
		<comments>http://garrettvlieger.com/blog/2009/10/the-inherent-flaw-of-third-party-authentication/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 21:23:16 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[facebook connect]]></category>
		<category><![CDATA[flaws]]></category>
		<category><![CDATA[openid]]></category>
		<category><![CDATA[third-party authentication]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=82</guid>
		<description><![CDATA[For my current project, I&#8217;ve been researching Facebook Connect.  As I&#8217;ve been digging into it, I&#8217;ve been thinking about the huge vulnerability in using third-party authentication methods such as OpenId, Live ID, and Facebook Connect.  The problem, which people have highlighted in the past, is that you are now reliant upon another company to be [...]]]></description>
			<content:encoded><![CDATA[<p>For my current project, I&#8217;ve been researching Facebook Connect.  As I&#8217;ve been digging into it, I&#8217;ve been thinking about the huge vulnerability in using third-party authentication methods such as OpenId, Live ID, and Facebook Connect.  The problem, which people have highlighted in the past, is that you are now reliant upon another company to be available for your users to log in to your site.</p>
<p>The reality of this situation has been brought home over the past week for me.  I’m going on day 6 of not having access to Facebook.  The login page just tells me that my account is “temporarily unavailable due to site maintenance” and it should be back “within a few hours.”  Easy means of support is pretty much unavailable, which is sort of understandable for a site that boasts more than 300 million active users (and growing).  Unfortunately, there’s nobody to contact for any sort of problem, and all I can find is a few blogs where other people are having the same problem.</p>
<div id="attachment_83" class="wp-caption aligncenter" style="width: 562px"><a rel="attachment wp-att-83" href="http://garrettvlieger.com/blog/2009/10/the-inherent-flaw-of-third-party-authentication/fb/"><img class="size-full wp-image-83" title="Facebook login" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/10/fb.JPG" alt="Just a few more hours..." width="552" height="305" /></a><p class="wp-caption-text">Just a few more hours...</p></div>
<p>So imagine the hypothetical case that some of your users registered for your site using Facebook Connect: they normally come in and simply log in with their Facebook ID on the Facebook login page, and over time they&#8217;ve entered a wealth of information under this account.  Now all of a sudden, they can&#8217;t get into your site since Facebook is &#8220;undergoing maintenance&#8221; for days on end.  With Facebook being unavailable for support, they&#8217;ll more than likely turn to your company for answers.  Unfortunately, Facebook, as they say, has no skin in the game, so there is no motivation for them to fix the problem.</p>
<p>Just a few things to think about when relying on a third party for authenticating your users.  It adds convenience when all is well, but it could mean a lot of unhappy users if something breaks.  At a minimum, keep a way into the account that does not depend on that one provider, such as letting users link a second identity provider or a local recovery credential, so their data is not locked behind someone else&#8217;s outage.</p>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/10/the-inherent-flaw-of-third-party-authentication/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>A Mind-Shift on Identity Management with Geneva</title>
		<link>http://garrettvlieger.com/blog/2009/10/a-mind-shift-on-identity-management-with-geneva/</link>
		<comments>http://garrettvlieger.com/blog/2009/10/a-mind-shift-on-identity-management-with-geneva/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 03:09:03 +0000</pubDate>
		<dc:creator>Garrett</dc:creator>
				<category><![CDATA[.NET]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Active Directory Federation Services]]></category>
		<category><![CDATA[ADFS v2]]></category>
		<category><![CDATA[Geneva Server]]></category>
		<category><![CDATA[windows identity foundation]]></category>

		<guid isPermaLink="false">http://garrettvlieger.com/blog/?p=63</guid>
<description><![CDATA[With the pending introduction of Microsoft&#8217;s Geneva Framework and Geneva Server (now officially named Windows Identity Foundation and Active Directory Federation Services, respectively), a claims-based and federated security model is now available to the .NET world.  The use of SAML-based authentication tokens issued by Security Token Services (STS&#8217;s) is primed to be the next step [...]]]></description>
			<content:encoded><![CDATA[<p>With the pending introduction of Microsoft&#8217;s Geneva Framework and Geneva Server (now officially named Windows Identity Foundation and Active Directory Federation Services, respectively), a claims-based and federated security model is now available to the .NET world.  The use of SAML-based authentication tokens issued by Security Token Services (STS&#8217;s) is primed to be the next step in providing a simpler identity management scheme throughout organizations and beyond into the &#8220;cloud&#8221; of Azure and Internet-based systems.</p>
<div id="attachment_69" class="wp-caption aligncenter" style="width: 482px"><a rel="attachment wp-att-69" href="http://garrettvlieger.com/blog/2009/10/a-mind-shift-on-identity-management-with-geneva/geneva/"><img class="size-full wp-image-69" title="geneva" src="http://garrettvlieger.com/blog/wp-content/uploads/2009/10/geneva.PNG" alt="Claims-based authentication scenario" width="472" height="434" /></a><p class="wp-caption-text">Claims-based authentication scenario</p></div>
<p>If you haven&#8217;t been exposed to the concept of claims-based security, it&#8217;s a bit of a mind-shift from how application rights and user properties have been typically implemented so it may take some time to fully grasp.  A claim, to put it simply, is any attribute that can be ascribed to a user (or any resource).  For example, a user&#8217;s claims may consist of his name, birth date, gender, and role within an organization.</p>
<p>What makes this different from traditional role-based security is that these claims are asserted and signed by a trusted third party rather than looked up in the application&#8217;s own database.  One of the best analogies is a person going to buy a drink at a bar.  The bartender must verify that the person is of legal age, so he asks for a credential issued by a trusted third party, which in this case is a driver&#8217;s license from the DMV.  The claim is the person&#8217;s date of birth (from which the bartender concludes that he is over 21), and the identity provider is the Department of Motor Vehicles.</p>
<h3>A Boon to Developers and Organizations</h3>
<p>OK, so this is all well and good, but how does this make developing applications easier?  The short answer is that claims alone don&#8217;t make things much easier; what does simplify matters is the use of federated authentication.  In our previous example, the bar knew nothing about the person buying a drink.  There was no big filing cabinet with everybody&#8217;s name and birth records stored in the back room of the bar (at least you hope not).  The problem is that this is how many applications work today.  Each application stores its own set of users and profile data, and therefore the application (and consequently, the application developers) must be responsible for authenticating users.</p>
<p>By utilizing federation, the job of validating that a user is who he claims to be is handed off to a third party, and a trust is established between our application (the relying party, or RP) and that identity provider (IP).  If our identity provider says that Joe Smith is really Joe Smith, we accept that as true because we trust the provider&#8217;s signature on the token, not because we checked a password ourselves.  Immediately, you can probably see that this is a boon for developers everywhere, who are tired of creating user login pages and databases.  In addition, this now enables Single Sign-On (SSO) within a network of applications that share the same IP.</p>
<h3>Putting it All Together</h3>
<p>Now that you can probably see how claims and federated security can be of benefit, the next question is how all of this works within the current world of application security.  The good news is that Microsoft seems to have done an admirable job of building on top of existing technologies (e.g., Active Directory and ASP.NET authentication) and providing flexibility to leverage existing security mechanisms (e.g., OpenID, Live ID, etc.).</p>
<p>The Geneva Framework is a set of assemblies that forms the foundation of the entire security suite.  Using the Framework (otherwise known as Windows Identity Foundation, or WIF), developers can claims-enable their ASP.NET applications with just a handful of configuration settings.  In addition, WIF can be used to create a custom Security Token Service (STS) that can perform user authentication and claims look-ups using any technique imaginable.  This open foundation will encourage developers and IT organizations to move towards this model.  In addition, Geneva Server is a robust and freely available STS that can be rolled out within an organization, making federated security a reality in fairly short order.</p>
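<p>To make the trust relationship concrete, here is an added example (not code from the original post, and not WIF or ADFS itself) that models the bartender scenario from the first section and the STS described here in Python.  A toy token service signs a set of claims; the relying party checks the issuer against its list of trusted providers, verifies the signature, checks the audience and expiry, and only then derives the &#8220;over 21&#8221; decision from the birthdate claim.  The issuer names, keys, users and dates are all constructed for the example, and an HMAC with a shared verification key stands in for the X.509 signature a real STS places on a SAML token.</p>

```python
"""Toy model of claims-based, federated authentication (constructed example).
The identity provider (a security token service) signs claims about a user;
the relying party holds no user database, trusts the provider's key, validates
the token, and only then makes its authorization decision from the claims."""
import hashlib
import hmac
import json
import time
from datetime import date
from typing import Optional

# Verification keys of the providers this relying party trusts (constructed).
TRUSTED_ISSUERS = {"urn:example:dmv": b"dmv-verification-key"}
# Identifier of this relying party, the "bar" in the analogy (constructed).
RELYING_PARTY = "urn:example:bar"


class TokenRejected(Exception):
    """Raised when a token fails any validation step."""


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer: str, key: bytes, audience: str, claims: dict,
                lifetime_s: int = 300, now: Optional[float] = None) -> dict:
    """Identity provider side: wrap the claims in a token and sign it."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "aud": audience,
               "exp": int(now) + lifetime_s, "claims": claims}
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def validate_token(token: dict, now: Optional[float] = None) -> dict:
    """Relying party side: trust the issuer, verify the signature, then check
    audience and expiry. Only a token that passes every step yields claims."""
    now = time.time() if now is None else now
    payload = token["payload"]
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        raise TokenRejected("untrusted issuer")
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise TokenRejected("bad signature")
    if payload.get("aud") != RELYING_PARTY:
        raise TokenRejected("token issued for a different relying party")
    if payload.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    return payload["claims"]


def age_on(birth: date, today: date) -> int:
    """Whole years between two dates."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def may_buy_alcohol(token: dict, today: str, now: Optional[float] = None) -> bool:
    """The bartender's decision, derived from a validated birthdate claim."""
    claims = validate_token(token, now=now)
    return age_on(date.fromisoformat(claims["birthdate"]),
                  date.fromisoformat(today)) >= 21


def demo() -> dict:
    """Run the cases a relying party has to get right; all data is constructed."""
    now, today = 1_700_000_000.0, "2024-01-01"
    dmv, key = "urn:example:dmv", TRUSTED_ISSUERS["urn:example:dmv"]
    adult = issue_token(dmv, key, RELYING_PARTY,
                        {"name": "Joe Smith", "birthdate": "1990-06-15"}, now=now)
    minor = issue_token(dmv, key, RELYING_PARTY,
                        {"name": "Jane Smith", "birthdate": "2005-06-15"}, now=now)
    # The minor edits her own birthdate after the DMV signed the token.
    tampered = {"payload": dict(minor["payload"], claims={"name": "Jane Smith",
                                                          "birthdate": "1990-06-15"}),
                "sig": minor["sig"]}
    # An attacker runs his own "DMV" with a key the bar never agreed to trust.
    forged = issue_token("urn:example:fake-dmv", b"attacker-key", RELYING_PARTY,
                         {"name": "Jane Smith", "birthdate": "1990-06-15"}, now=now)
    # A genuine DMV token, but issued for a different relying party.
    other_site = issue_token(dmv, key, "urn:example:other-site",
                             {"name": "Joe Smith", "birthdate": "1990-06-15"}, now=now)

    def outcome(tok: dict, at: float) -> str:
        try:
            return "allowed" if may_buy_alcohol(tok, today, now=at) else "denied"
        except TokenRejected as err:
            return f"rejected: {err}"

    return {"adult": outcome(adult, now), "minor": outcome(minor, now),
            "tampered": outcome(tampered, now), "forged_issuer": outcome(forged, now),
            "wrong_audience": outcome(other_site, now),
            "expired": outcome(adult, now + 3600)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

<p>The order of the checks matters: the issuer lookup comes first because a signature can only be verified against a key we already trust, and an attacker who runs his own &#8220;DMV&#8221; can produce perfectly valid signatures over any claims he likes.  WIF&#8217;s token handlers perform the equivalent steps (issuer name registry, signature validation, audience URI restriction and token lifetime) before any claim reaches your application code.</p>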
<h3><strong>Further Reading</strong></h3>
<p>This discussion barely scratches the surface and depth of Geneva so I would encourage you to read more on the blogs and Microsoft sites out there:</p>
<ul>
<li><a title="Vibro.NET" href="http://blogs.msdn.com/vbertocci/" target="_blank">Vibro.Net</a> &#8211; Vittorio Bertocci is a Microsoft architect/evangelist and a prolific blogger on Geneva</li>
<li><a title="Geneva Whitepaper" href="http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/GenevaFramework-WhitepaperForDevelopers-Beta2.pdf" target="_blank">Geneva Framework Whitepaper for Developers</a></li>
<li><a title="Identity Management" href="http://msdn.microsoft.com/en-us/security/aa570351.aspx" target="_blank">Microsoft Identity Management Developer Center</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://garrettvlieger.com/blog/2009/10/a-mind-shift-on-identity-management-with-geneva/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
