Web Sites and Identity

Version: 1.1.0

Description

The first exercise of the lab describes the most basic form of claims-based authentication for web sites, demonstrating how to take advantage of the integration between Windows Identity Foundation and Visual Studio. If you are interested in authorization, this lesson is for you: you will see how claims allow you to use the traditional ASP.NET role model, or to enforce sophisticated access rules (such as imposing an age limit on users) via claims. In the second exercise you will take a peek inside a custom STS, discovering how claims are issued and how you can back an STS with arbitrary credential and attribute stores. The third exercise is very short: you will experience firsthand how easy it is to take advantage of existing identity providers for externalizing the authentication logic of your website. How would you like to instantly grow your audience to more than 500 million users? The fourth exercise will show you how you can add Live ID to your list of trusted identity providers. The fifth and final exercise of the lab is for expert developers. It shows you how you can avoid trusted subsystems without relying on sophisticated infrastructure. You will learn how to take advantage of Windows Identity Foundation for flowing the identity of your users across application tiers, ensuring that access privileges always refer to the actual user's access levels.
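The two kinds of claims-driven authorization mentioned above (the traditional role check and an age-limit rule), as an added example that is not part of the lab's code: it uses the Microsoft.IdentityModel.Claims types from Windows Identity Foundation, and the identity it builds is constructed inline in place of one issued by an STS.

```csharp
using System;
using System.Globalization;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Added example, not from the lab. Assumes the WIF assembly (Microsoft.IdentityModel).
// The identity below is constructed for the demo; in the lab it would come from the
// token issued by the STS and be exposed via Thread.CurrentPrincipal.
public static class ClaimsAccessRules
{
    // Traditional role check, backed by role claims instead of a role store lookup.
    public static bool IsInRole(IClaimsIdentity identity, string role)
    {
        return identity.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role &&
            string.Equals(c.Value, role, StringComparison.Ordinal));
    }

    // Attribute-based rule: minimum age computed from the DateOfBirth claim.
    // Fails closed: no claim, more than one claim, or an unparsable value denies access.
    public static bool MeetsAgeLimit(IClaimsIdentity identity, int minimumAge, DateTime today)
    {
        var dobClaims = identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.DateOfBirth).ToList();
        if (dobClaims.Count != 1) return false;

        DateTime dob;
        if (!DateTime.TryParseExact(dobClaims[0].Value, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out dob))
            return false;

        int age = today.Year - dob.Year;
        if (today < dob.AddYears(age)) age--;   // birthday not yet reached this year
        return age >= minimumAge;
    }

    public static void Main()
    {
        // Constructed identity standing in for the one WIF places on Thread.CurrentPrincipal.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "Manager"),
            new Claim(ClaimTypes.DateOfBirth, "2003-06-15")
        });
        var dayBefore18 = new DateTime(2021, 6, 14);
        Console.WriteLine(IsInRole(identity, "Manager"));
        Console.WriteLine(MeetsAgeLimit(identity, 18, dayBefore18));
        Console.WriteLine(MeetsAgeLimit(identity, 18, dayBefore18.AddDays(1)));
    }
}
```

The three calls show the role check passing, the age rule denying access the day before the user turns 18, and granting it on the birthday itself.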

Overview

Authentication, authorization and identity-driven customization are all essential aspects of application development; however, mastering secure development techniques is not straightforward, and it is a skill that not every developer will want to invest in. The solution to this problem is simple: we remove most or all of the identity management logic from the application code, leaving the application developer free to focus on the business logic and removing the need for everybody to become a security expert.

The externalization of the identity management logic is made possible by the use of standard protocols, which can describe the details of the identity transactions we need regardless of the platforms or technologies involved, and by providing, for every platform, infrastructure components and developer tools which decouple applications and developers from the low-level details of message formats, cryptography and all the other things necessary for guaranteeing secure communications.

Windows Identity Foundation is one such tool. Windows Identity Foundation extends Visual Studio and the .NET Framework with advanced identity capabilities, which can be leveraged by any application regardless of the hosting model (ASP.NET pages and WCF services). With Windows Identity Foundation you can:

  • Outsource application authentication to external services (“security token services”, or STS) without writing a line of code
  • Offload credentials management: no more need for managing account and passwords, or to write complicated code for multifactor or high assurance authentication methods
  • Easily federate with the identity systems of customers, partners or even across internal boundaries
  • Drive authorization and application behavior according to user attributes, without the need of looking up directories or other attributes stores
  • Handle identity delegation without exposing your systems to excessive risks

and much more.

This hands-on lab will explore how to take advantage of Windows Identity Foundation for enhancing a classic ASP.NET Web application with advanced identity capabilities. We will see how to accept identities from a number of different sources, and how to use the identity information we will receive for driving the application’s behavior. At the end of the lab you will be able to take your own ASP.NET applications and externalize authentication and authorization code. Identity has never been so easy!

Objectives

In this Hands-On Lab, you will learn how to:

  • Modify an ASP.NET Web application to factor out authentication code in a local Security Token Service (STS)
  • Explore the structure of a local STS by modifying the credentials it accepts
  • Modify the ASP.NET Web application to accept identities from an external STS (implemented with Active Directory Federation Services (ADFS) )
  • Enable the ASP.NET Web application to invoke a WCF service on the backend by delegated access

System Requirements

You must have the following items to complete this lab:

Setup

You must perform the following steps to prepare your computer for this lab.

  1. Open a Windows Explorer window and browse to the lab’s Source\Setup folder.
  2. Double-click the Dependencies.dep file in this folder to launch the Dependency Checker tool and install any missing prerequisites. This will also install some code snippets that will be used across the lab and the localhost certificate used in the second exercise by the local STS.

    Note:
    This process may require elevation. The .dep extension is associated with the Dependency Checker tool during its installation. For additional information about the setup procedure and how to install the Dependency Checker tool, refer to the Setup.docx document in the Assets folder of the training kit.

  3. Once the code snippets installer has closed, the setup script will proceed with the certificates installation. Press Y if you want to continue with the required certificates installation.

    Note:
    Next, the setup script will proceed by replacing any existing localhost certificate with a new one. If you already have a "localhost" certificate needed by another application, make a backup copy of it before continuing with the lab's certificates installation.

    Figure 7: Certificates installation finished

    Note:
    If you are running Windows 7 or Windows 2008 R2 you might not see this window.

  4. When finished press any key to close the setup console.
Note:
In addition to the setup script inside the %YourInstallationFolder%\Labs\WebSitesAndIdentity\Source\Setup folder, there is a Cleanup.cmd file you can use to uninstall all the code snippets installed by the SetupLab.cmd script.

Exercises

The following exercises make up this Hands-On Lab:

  1. Enabling claims based access for an ASP.NET Web Application by generating a local STS
  2. [optional] Customizing the credentials accepted by a local STS
  3. Accepting Tokens from an Active Directory Federation Service (ADFS) STS
  4. Invoking a WCF service on the backend via delegated access
Note:
Each exercise is accompanied by a starting solution. These solutions are missing some code sections that are completed through each exercise and therefore will not work if running them directly.

Inside each exercise you will also find an end folder where you find the resulting solution you should obtain after completing the exercises. You can use this solution as a guide if you need additional help working through the exercises.

Using the Code Snippets

With code snippets you have all the code you need at your fingertips. The lab document will tell you exactly when you can use them. For example,

  1. Add the following using statements.

(Code Snippet – Web Sites And Identity Lab - Ex01 Default Page Usings)

C#

using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

To add this code snippet in Visual Studio, you simply place the cursor where you'd like the code to be inserted, start typing the snippet name (in this case WebSitesAndIdentityLabEx01DefaultPageUsings), watch as IntelliSense picks up the snippet name, and hit the TAB key twice once the snippet you want is selected. The code will be inserted at the cursor location.

To insert a code snippet using the mouse rather than the keyboard (e.g. in the web.config file or any other XML document), right-click where you want the code snippet to be inserted, select Insert Snippet..., then My Code Snippets, and then select the relevant snippet.

To learn more about Visual Studio IntelliSense Code Snippets, including how to create your own, please see https://msdn.microsoft.com/en-us/library/ms165392.aspx.

Estimated time to complete this lab: 50 minutes (90 minutes with the optional exercises)