WSE 3.0 / SAML v2.0 - x509v3

[jtayamai]

Hi,

I would like to develop active web pages conveying XML information
between two servers via WebServices and making use of x509v3 and SAML
v2.0.

I'm also considering the use of IIS v.6.0 Servers and ASP .NET 2005 as
programming language.

Is it Microsoft's WSE release 3.0 compatible / enough so as to
accomplish this task? Is there any other recommendable alternative to
it? In principle, I discard WCF in the whole process.

Should you give me any further link / tutorial on it, I would be
really grateful.

Thanks.

 

[Joe Kaplan]

Why did you discard WCF? It has good support for SAML tokens using the
federation profiles. Also, now with Geneva framework there is a good source
for creating a security token service to generate the SAML tokens.

How do you plan to use X509 certificates?

 

[jtayamai]

Thanks for your response,

I discard WCF because all the other stuff I have in the IIS 6.0 server
has been developed under ASP .NET 2.0, it has been tested to work
properly for a long time, and I would like to add the least number of
different technologies as possible. As far as I have understood from
what I've googled for, my feeling is that WSE doesn't require special
installation in my server, only affects the programming of the pages
as a plug-in for VS2005. And my feeling about WCF is that in such a
server it does imply some kind of upgrade. My expertise about this
subject is limited, please feel free to correct me if necessary.

Regarding the other matter, in principle the X509 certificates would
reside in other server (a trusted one) and I'll use them to sign my
XML messages.

Thanks again for your help.

 

[Joe Kaplan]

WCF does require having .NET 3.0 or 3.5 installed on the to use it.
However, .NET 3.0 still uses most of the existing .NET 2.0 framework classes
and also uses the 2.0 runtime, so adding it is not likely to cause an issue
with any of your existing code. Additionally, WSE was developed as a bridge
technology to make WS-* available to developers while WCF was still being
created but it probably would not be a good idea to take a dependency on it
at this point given that WCF has been shipping for a few years now and is
the stated technology direction. You run a much higher risk of writing a
bunch of code against a library that doesn't have a future. I'd serious
suggest reconsidering.

Regarding X509, that doesn't really provide me a lot of detail, but I can
say that X509 certs ARE typically used for signing SAML tokens in a security
token service which could be used for authenticating clients in a web
services framework. Perhaps this is the type of thing you are trying to do
with SAM:L? As I suggested before, I think you'll be well-served to
consider WCF and the Geneva Framework for your security token service.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Thanks for your response,

I discard WCF because all the other stuff I have in the IIS 6.0 server
has been developed under ASP .NET 2.0, it has been tested to work
properly for a long time, and I would like to add the least number of
different technologies as possible. As far as I have understood from
what I've googled for, my feeling is that WSE doesn't require special
installation in my server, only affects the programming of the pages
as a plug-in for VS2005. And my feeling about WCF is that in such a
server it does imply some kind of upgrade. My expertise about this
subject is limited, please feel free to correct me if necessary.

Regarding the other matter, in principle the X509 certificates would
reside in other server (a trusted one) and I'll use them to sign my
XML messages.

Thanks again for your help.

 

[jtayamai]

Thanks again.

I've looked for the WCF you propose, and once examined, I like them
much more than at the beginning, because going on developing with WSE,
as you indicate, would lead me to find myself at a standstill with no
support at any moment in the future, whilst WCF is the desirable way
of developing proposed by Microsoft, and purportedly, the one which
will be backed by a larger community of developers and therefore,
support. So, in that sense, you have convinced me.

I've also found they are part - together with WPF, CardSpace and WF -
of the Core of .NET 3.0. Obviously, if I upgrade the Server .NET
Framework from 2.0 to 3.0 or 3.5, I see it clear they will work. But,
due to the fact that they are an addition of new classes to the 2.0
Core and that I only require WCF (and none of the other three parts),
I wonder if there is any way to install a minimum so as to make them
work, instead of having to upgrade to 3.0.

Regarding the Geneva Framework you mention, I find it is a Beta
Version, which frightens me a bit. How much hope can we have this
product will become a stable version some day?

Talking about the SAML 2.0, yes, I am thinking of authenticate clients
of a Web session. These clients, after having been sent a mail with an
URL from the authentication server, they enter it and introduce ID and
password, so as to initiate a secure session.

 

[Joe Kaplan]

There is no way that I know of to get WCF without installing one of the
framework versions that supports it. However, I don't believe you'll have
any issues with your existing .NET 2.0 apps.

Regarding Geneva, yes it will ship. A date has not been announced yet but I
don't believe it will be too far away. This is not an early beta at this
point. I'm counting on it to ship fairly soon.

Geneva is probably your best bet for creating a security token service (STS)
that can generate SAML assertions that can be used in your web application
(via passive profile) and also in your services layer. It is pretty hard to
implement all that stuff yourself without using Geneva. There have been
some good MSDN magazine articles recently you can find online that cover
many of these details.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Thanks again.

I've looked for the WCF you propose, and once examined, I like them
much more than at the beginning, because going on developing with WSE,
as you indicate, would lead me to find myself at a standstill with no
support at any moment in the future, whilst WCF is the desirable way
of developing proposed by Microsoft, and purportedly, the one which
will be backed by a larger community of developers and therefore,
support. So, in that sense, you have convinced me.

I've also found they are part - together with WPF, CardSpace and WF -
of the Core of .NET 3.0. Obviously, if I upgrade the Server .NET
Framework from 2.0 to 3.0 or 3.5, I see it clear they will work. But,
due to the fact that they are an addition of new classes to the 2.0
Core and that I only require WCF (and none of the other three parts),
I wonder if there is any way to install a minimum so as to make them
work, instead of having to upgrade to 3.0.

Regarding the Geneva Framework you mention, I find it is a Beta
Version, which frightens me a bit. How much hope can we have this
product will become a stable version some day?

Talking about the SAML 2.0, yes, I am thinking of authenticate clients
of a Web session. These clients, after having been sent a mail with an
URL from the authentication server, they enter it and introduce ID and
password, so as to initiate a secure session.

 

[jtayamai]

Maybe it's a tricky question, not very easy to answer... you say
trying to write one's own SAML specification is some kind of "wishful
thinking", but is the amount of WCF classes (in fact, only those
related to the SAML 2.0) so "small" so as to try to implement them in
code, e.g. in the form of a customized library, to be added as a
reference in a .NET 2.0 project?

Do these MSDN magazine articles you indicate mention this, or do they
refer to Geneva's potential? Could you please send me links of them?

Thanks

 

[Joe Kaplan]

http://msdn.microsoft.com/en-us/magazine/2009.01.genevests.aspx
http://www.microsoft.com/downloads/...85-3172-4d8f-81cb-1a59bdc9f7e3&displaylang=en
http://msdn.microsoft.com/en-us/magazine/dd278426.aspx

WCF already has good support for SAML tokens via the federation profile and
the overall support for WS-Federation Active Requester Profile. The really
hard part is creating a security token service to generate the tokens and
implemenet the protocol for requesting them. That's what you want Geneva
for. The articles discuss that.

If you don't want to use WS-Federation in WCF and want to implement your own
SAML usage at the WS-Security level, you have a significant amount of work
to do on both sides.

To add SAML support via WS-Federation Passive Requester Profile or SAML 2.0,
Geneva will also help a lot here. It also supports delegation scenarios
using ActAs so your web app can call services on behalf of the authenticated
web user. This is challenging to do without having support for it.

Do some more research and decide for yourself what you are looking at to
make this type of architecture work.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Maybe it's a tricky question, not very easy to answer... you say
trying to write one's own SAML specification is some kind of "wishful
thinking", but is the amount of WCF classes (in fact, only those
related to the SAML 2.0) so "small" so as to try to implement them in
code, e.g. in the form of a customized library, to be added as a
reference in a .NET 2.0 project?

Do these MSDN magazine articles you indicate mention this, or do they
refer to Geneva's potential? Could you please send me links of them?

Thanks

 

[jtayamai]

Thanks a lot for this conversation and your entirely helpful comments.
You have helped me see clearer the way to go on with.