Breakout Session: Security in Indigo

Well, this is my last session here at PDC. Actually, I’m pretty worn out and am definitely ready to get home to sleep on a bed that isn’t hard as a rock and take a shower without the water constantly switching from lukewarm/cold to scalding.


The session was “Windows Communication Foundation (‘Indigo’): A Deep Dive into Extensions for Security and Identity” and was presented by Doug Walter. Overall, it was a pretty good session, but like many of the sessions here a lot of the info could have been delivered quicker. He did a lot of typing during the session.


The key point of the security talk was that you can move access checking and authorization out of your main business code and into checks performed at the message level. Security as we usually think about it (username and password) has been abstracted into the idea of “claims”. A claim is a statement of who the sender claims to be and the rights it claims to have. The consumer of the claim then decides whether the user should actually be granted those claims, provided it trusts the issuer of the claims.


A claim is made up of a resource type (the type of resource the claim is about), a right (the right being asserted in the claim) and a resource value (the actual object the claim is about). You compare claims with a ClaimComparer object; several default comparers are provided, and you can write your own.


Within the service you can create authorization policies, which let you map incoming claims from issuers you trust onto your own claims (role mapping, in other words). You can also write operation requirement classes and register them in your config so that specific claims must be present before an operation is allowed to run.


By abstracting your security into claims, you decouple your code from the underlying security mechanisms your consumers use (InfoCard, Windows authentication, and so on) rather than coding against any one of them. The mechanism-specific handling then lives in config or otherwise outside your business logic.


Pretty neat.
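As an added example of the two pieces described above (not the speaker's code, and written against the released WCF System.IdentityModel API rather than the names in the PDC Indigo build): an authorization policy that maps an identity claim from a trusted issuer onto our own role claim, beside a ServiceAuthorizationManager that acts as the operation requirement and rejects any message lacking that role claim. The claim type URI, the "Manager" role and the user "alice" are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Hypothetical claim type and role value used only by this example.
static class MyClaims
{
    public const string Role = "http://example.com/claims/role";
    public const string ManagerRole = "Manager";
}

// Authorization policy: maps claims from an issuer we trust onto our own role claims.
// Registered in config under <serviceAuthorization><authorizationPolicies>.
public class RoleMappingPolicy : IAuthorizationPolicy
{
    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer => ClaimSet.System;   // issuer of the claims this policy adds

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        if (state != null) return true;          // already evaluated for this message
        state = new object();
        var mapped = new List<Claim>();
        foreach (ClaimSet cs in context.ClaimSets)
        {
            // Trust only identity claims issued by the Windows authentication layer.
            if (cs.Issuer != ClaimSet.Windows) continue;
            foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            {
                // Constructed mapping: the sample account "alice" is a manager.
                if (string.Equals(c.Resource as string, "alice", StringComparison.OrdinalIgnoreCase))
                    mapped.Add(new Claim(MyClaims.Role, MyClaims.ManagerRole, Rights.PossessProperty));
            }
        }
        if (mapped.Count > 0)
            context.AddClaimSet(this, new DefaultClaimSet(Issuer, mapped));
        return true;
    }
}

// Operation requirement: the caller must hold our Manager role claim before any
// operation runs. Registered via serviceAuthorizationManagerType in config.
public class RequireManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        AuthorizationContext auth = operationContext.ServiceSecurityContext.AuthorizationContext;
        foreach (ClaimSet cs in auth.ClaimSets)
            foreach (Claim c in cs.FindClaims(MyClaims.Role, Rights.PossessProperty))
                if (MyClaims.ManagerRole.Equals(c.Resource as string, StringComparison.Ordinal))
                    return true;                 // required claim present: allow
        return false;                            // deny: message rejected before service code
    }
}
```

The business operation itself never inspects the Windows identity; it only ever sees the role claim the policy chose to issue, so swapping the authentication mechanism only touches the policy and config.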