WSE 3.0 / SAML v2.0 - x509v3

Discussion in 'ASP .Net Security' started by jtayamai, Jun 8, 2009.

  1. jtayamai

    jtayamai Guest

    Hi,

    I would like to develop active web pages conveying XML information
    between two servers via WebServices and making use of x509v3 and SAML
    v2.0.

    I'm also considering the use of IIS v.6.0 Servers and ASP .NET 2005 as
    programming language.

    Is it Microsoft's WSE release 3.0 compatible / enough so as to
    accomplish this task? Is there any other recommendable alternative to
    it? In principle, I discard WCF in the whole process.

    Should you give me any further link / tutorial on it, I would be
    really grateful.

    Thanks.
     
    jtayamai, Jun 8, 2009
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Why did you discard WCF? It has good support for SAML tokens using the
    federation profiles. Also, now with Geneva framework there is a good source
    for creating a security token service to generate the SAML tokens.

    How do you plan to use X509 certificates?
     
    Joe Kaplan, Jun 8, 2009
    #2

  3. jtayamai

    jtayamai Guest

    Thanks for your response,

    I discard WCF because all the other stuff I have in the IIS 6.0 server
    has been developed under ASP .NET 2.0, it has been tested to work
    properly for a long time, and I would like to add the least number of
    different technologies as possible. As far as I have understood from
    what I've googled for, my feeling is that WSE doesn't require special
    installation in my server, only affects the programming of the pages
    as a plug-in for VS2005. And my feeling about WCF is that in such a
    server it does imply some kind of upgrade. My expertise about this
    subject is limited, please feel free to correct me if necessary.

    Regarding the other matter, in principle the X509 certificates would
    reside in other server (a trusted one) and I'll use them to sign my
    XML messages.

    Thanks again for your help.
     
    jtayamai, Jun 9, 2009
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    WCF does require having .NET 3.0 or 3.5 installed on the server to use it.
    However, .NET 3.0 still uses most of the existing .NET 2.0 framework classes
    and also uses the 2.0 runtime, so adding it is not likely to cause an issue
    with any of your existing code. Additionally, WSE was developed as a bridge
    technology to make WS-* available to developers while WCF was still being
    created but it probably would not be a good idea to take a dependency on it
    at this point given that WCF has been shipping for a few years now and is
    the stated technology direction. You run a much higher risk of writing a
    bunch of code against a library that doesn't have a future. I'd seriously
    suggest reconsidering.

    Regarding X509, that doesn't really provide me a lot of detail, but I can
    say that X509 certs ARE typically used for signing SAML tokens in a security
    token service which could be used for authenticating clients in a web
    services framework. Perhaps this is the type of thing you are trying to do
    with SAML? As I suggested before, I think you'll be well-served to
    consider WCF and the Geneva Framework for your security token service.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jun 9, 2009
    #4
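Joe's point above is that the X.509 certificate belongs to the security token service, which signs the SAML assertion, and the relying party verifies that signature before trusting the claims. The following is an added example, not code from the thread or from WSE, WCF or Geneva, showing what that looks like underneath with the .NET XML-DSig classes: build a minimal SAML 2.0 assertion, sign it with an X509Certificate2 as an STS would, and verify it on the receiving side. It assumes .NET Framework 4.7.2+ or .NET Core/5+ (for CertificateRequest and GetRSAPrivateKey); the issuer, subject and audience URLs are made up, and the self-signed certificate is generated in Main purely so the sample runs offline.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the thread): sign a minimal SAML 2.0 assertion with an
// X.509 certificate the way an STS would, then verify it as the relying party.
public static class SamlSigningDemo
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Build an unsigned assertion. All values passed in are constructed sample data.
    public static XmlDocument BuildAssertion(string issuer, string subject, string audience,
                                             DateTime notBefore, DateTime notOnOrAfter)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        XmlElement assertion = doc.CreateElement("saml", "Assertion", SamlNs);
        assertion.SetAttribute("ID", "_" + Guid.NewGuid().ToString("N")); // xs:ID must not start with a digit
        assertion.SetAttribute("Version", "2.0");
        assertion.SetAttribute("IssueInstant", XmlConvert.ToString(notBefore, XmlDateTimeSerializationMode.Utc));
        doc.AppendChild(assertion);

        XmlElement issuerEl = doc.CreateElement("saml", "Issuer", SamlNs);
        issuerEl.InnerText = issuer;
        assertion.AppendChild(issuerEl);

        XmlElement subjectEl = doc.CreateElement("saml", "Subject", SamlNs);
        XmlElement nameId = doc.CreateElement("saml", "NameID", SamlNs);
        nameId.InnerText = subject;
        subjectEl.AppendChild(nameId);
        assertion.AppendChild(subjectEl);

        XmlElement cond = doc.CreateElement("saml", "Conditions", SamlNs);
        cond.SetAttribute("NotBefore", XmlConvert.ToString(notBefore, XmlDateTimeSerializationMode.Utc));
        cond.SetAttribute("NotOnOrAfter", XmlConvert.ToString(notOnOrAfter, XmlDateTimeSerializationMode.Utc));
        XmlElement audRestriction = doc.CreateElement("saml", "AudienceRestriction", SamlNs);
        XmlElement aud = doc.CreateElement("saml", "Audience", SamlNs);
        aud.InnerText = audience;
        audRestriction.AppendChild(aud);
        cond.AppendChild(audRestriction);
        assertion.AppendChild(cond);
        return doc;
    }

    // STS side: enveloped XML-DSig over the Assertion, RSA-SHA256, exclusive C14N.
    public static void Sign(XmlDocument doc, X509Certificate2 signingCert)
    {
        XmlElement assertion = doc.DocumentElement;
        var signedXml = new SignedXml(doc) { SigningKey = signingCert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        var reference = new Reference("#" + assertion.GetAttribute("ID")) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signingCert)); // identifies the key; the RP must not trust it blindly
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        // SAML 2.0 core places ds:Signature immediately after saml:Issuer.
        assertion.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), assertion.FirstChild);
    }

    // Relying-party side: pinned issuer cert, reference bound to this assertion, conditions checked.
    public static bool Verify(XmlDocument doc, X509Certificate2 trustedIssuerCert, string expectedAudience, DateTime now)
    {
        XmlElement assertion = doc.DocumentElement;
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        XmlNodeList sigs = assertion.SelectNodes("ds:Signature", ns);
        if (sigs.Count != 1) return false; // exactly one signature directly under the assertion

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml((XmlElement)sigs[0]);
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertion.GetAttribute("ID")) return false; // signature must cover this element

        // Verify with the certificate we trust, not with whatever KeyInfo the token carries.
        if (!signedXml.CheckSignature(trustedIssuerCert, true)) return false;

        var cond = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (cond == null) return false;
        DateTime notBefore = XmlConvert.ToDateTime(cond.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc);
        DateTime notOnOrAfter = XmlConvert.ToDateTime(cond.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
        if (now < notBefore || now >= notOnOrAfter) return false;

        XmlNode aud = cond.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns);
        return aud != null && aud.InnerText == expectedAudience;
    }

    public static void Main()
    {
        // Self-signed certificate standing in for the STS signing cert (constructed for the demo only).
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=Example STS", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

            DateTime now = DateTime.UtcNow;
            XmlDocument token = BuildAssertion("https://sts.example/", "alice", "https://app.example/",
                                               now.AddMinutes(-1), now.AddMinutes(5));
            Sign(token, cert);
            Console.WriteLine("valid token:    " + Verify(token, cert, "https://app.example/", now));
            Console.WriteLine("wrong audience: " + Verify(token, cert, "https://other.example/", now));

            // Tamper with the subject after signing: the digest no longer matches, so verification fails.
            token.DocumentElement.SelectSingleNode("//*[local-name()='NameID']").InnerText = "admin";
            Console.WriteLine("tampered token: " + Verify(token, cert, "https://app.example/", now));
        }
    }
}
```

WCF's federation bindings and Geneva's token handlers do this work for you, which is the reason Joe steers away from hand-rolling it; the example is here to show which checks that code has to get right (signature pinned to the expected issuer certificate, reference bound to the assertion's own ID, validity window and audience enforced) if you do go the WS-Security route yourself. In production the STS key lives in the certificate store or an HSM rather than being generated at startup.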
  5. jtayamai

    jtayamai Guest

    Thanks again.

    I've looked for the WCF you propose, and once examined, I like them
    much more than at the beginning, because going on developing with WSE,
    as you indicate, would lead me to find myself at a standstill with no
    support at any moment in the future, whilst WCF is the desirable way
    of developing proposed by Microsoft, and purportedly, the one which
    will be backed by a larger community of developers and therefore,
    support. So, in that sense, you have convinced me.

    I've also found they are part - together with WPF, CardSpace and WF -
    of the Core of .NET 3.0. Obviously, if I upgrade the Server .NET
    Framework from 2.0 to 3.0 or 3.5, I see it clear they will work. But,
    due to the fact that they are an addition of new classes to the 2.0
    Core and that I only require WCF (and none of the other three parts),
    I wonder if there is any way to install a minimum so as to make them
    work, instead of having to upgrade to 3.0.

    Regarding the Geneva Framework you mention, I find it is a Beta
    Version, which frightens me a bit. How much hope can we have this
    product will become a stable version some day?

    Talking about the SAML 2.0, yes, I am thinking of authenticate clients
    of a Web session. These clients, after having been sent a mail with an
    URL from the authentication server, they enter it and introduce ID and
    password, so as to initiate a secure session.
     
    jtayamai, Jun 10, 2009
    #5
  6. Joe Kaplan

    Joe Kaplan Guest

    There is no way that I know of to get WCF without installing one of the
    framework versions that supports it. However, I don't believe you'll have
    any issues with your existing .NET 2.0 apps.

    Regarding Geneva, yes it will ship. A date has not been announced yet but I
    don't believe it will be too far away. This is not an early beta at this
    point. I'm counting on it to ship fairly soon. :)

    Geneva is probably your best bet for creating a security token service (STS)
    that can generate SAML assertions that can be used in your web application
    (via passive profile) and also in your services layer. It is pretty hard to
    implement all that stuff yourself without using Geneva. There have been
    some good MSDN magazine articles recently you can find online that cover
    many of these details.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jun 10, 2009
    #6
  7. jtayamai

    jtayamai Guest

    Maybe it's a tricky question, not very easy to answer... you say
    trying to write one's own SAML specification is some kind of "wishful
    thinking", but is the amount of WCF classes (in fact, only those
    related to the SAML 2.0) so "small" so as to try to implement them in
    code, e.g. in the form of a customized library, to be added as a
    reference in a .NET 2.0 project?

    Do these MSDN magazine articles you indicate mention this, or do they
    refer to Geneva's potential? Could you please send me links of them?

    Thanks
     
    jtayamai, Jun 10, 2009
    #7
  8. Joe Kaplan

    Joe Kaplan Guest

    http://msdn.microsoft.com/en-us/magazine/2009.01.genevests.aspx
    http://www.microsoft.com/downloads/...85-3172-4d8f-81cb-1a59bdc9f7e3&displaylang=en
    http://msdn.microsoft.com/en-us/magazine/dd278426.aspx

    WCF already has good support for SAML tokens via the federation profile and
    the overall support for WS-Federation Active Requester Profile. The really
    hard part is creating a security token service to generate the tokens and
    implement the protocol for requesting them. That's what you want Geneva
    for. The articles discuss that.

    If you don't want to use WS-Federation in WCF and want to implement your own
    SAML usage at the WS-Security level, you have a significant amount of work
    to do on both sides.

    To add SAML support via WS-Federation Passive Requester Profile or SAML 2.0,
    Geneva will also help a lot here. It also supports delegation scenarios
    using ActAs so your web app can call services on behalf of the authenticated
    web user. This is challenging to do without having support for it.

    Do some more research and decide for yourself what you are looking at to
    make this type of architecture work.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jun 10, 2009
    #8
  9. jtayamai

    jtayamai Guest

    Thanks a lot for this conversation and your entirely helpful comments.
    You have helped me see clearer the way to go on with.
     
    jtayamai, Jun 11, 2009
    #9