A Guide to Claims-Based Identity and Access Control

Microsoft Press, Aug 19, 2010 - Computers - 196 pages

As systems have become interconnected and more complicated, programmers needed ways to identify parties across multiple computers. One way to do this was for the parties that used applications on one computer to authenticate to the applications (and/or operating systems) that ran on the other computers. This mechanism is still widely used, for example when logging on to a great number of Web sites. However, this approach becomes unmanageable when you have many co-operating systems (as is the case, for example, in the enterprise). Therefore, specialized services were invented that would register and authenticate users, and subsequently provide claims about them to interested applications. Some well-known examples are NTLM, Kerberos, Public Key Infrastructure (PKI), and the Security Assertion Markup Language (SAML).

Most enterprise applications need some basic user security features. At a minimum, they need to authenticate their users, and many also need to authorize access to certain features so that only privileged users can get to them. Some apps must go further and audit what the user does. On Windows®, these features are built into the operating system and are usually quite easy to integrate into an application. By taking advantage of Windows integrated authentication, you don't have to invent your own authentication protocol or manage a user database. By using access control lists (ACLs), impersonation, and features such as groups, you can implement authorization with very little code. Indeed, this advice applies no matter which OS you are using. It's almost always a better idea to integrate closely with the security features in your OS rather than reinventing those features yourself. But what happens when you want to extend reach to users who don't happen to have Windows accounts? What about users who aren't running Windows at all? More and more applications need this type of reach, which seems to fly in the face of traditional advice.
This book gives you enough information to evaluate claims-based identity as a possible option when you're planning a new application or making changes to an existing one. It is intended for any architect, developer, or information technology (IT) professional who designs, builds, or operates Web applications and services that require identity information about their users.


About the author (2010)

Dominick Baier splits his time between being an independent security consultant and an instructor for DevelopMentor, teaching and authoring the ASP.NET and .NET security curriculum. He has a degree in computer science (German Diplom Ingenieur), is a certified BS7799/ISO17799 Lead Auditor, and speaks at various conferences (WinDev, DevWeek, ADC) about application security. When not teaching, he spends his time researching security, doing audits and penetration tests, and helping other developers around the world build more secure applications. Dominick maintains a security blog at http://www.leastprivilege.com.

Keith Nathan Brown received a B.S. in Physics from Marlboro College. His essay "Network Subrealism: Sketch of an Emerging Literary Trend," published in Puerto del Sol, traces the philosophical and technological origins of a new branch of literature. His hybrid texts and visual poetry have appeared in Word For/ Word, elimae, Unsaid and elsewhere. EMBODIED is his first book. He lives in Brattleboro, VT.

Matias Woloski is a Software Architect at Southworks who specializes in identity and cloud computing. For the past 10 years he has been designing and developing software and helping companies take advantage of emergent technologies. He is a co-author of "A Guide to Claims-based Identity and Access Control." You can find him at http://blogs.southworks.net/mwoloski or on Twitter @woloski.

Eugenio Pace works in the Software and Services group for the Microsoft® Architecture Strategy team. He develops architecture guidance to help ISVs, hosters, and companies build, run, and consume software delivered as a service. His blog can be found at http://blogs.msdn.com/eugeniop/