A Guide to Claims-Based Identity and Access Control (Patterns & Practices) [Paperback]

Dominick Baier, Vittorio Bertocci, Keith Brown, Matias Woloski, Eugenio Pace
4.3 out of 5 stars (6 customer reviews)

List Price: $29.99
Price: $23.92
You Save: $6.07 (20%)

Formats

Format            Amazon Price
Kindle Edition    $13.19
Paperback         $23.92

Book Description

Publication date: April 21, 2010 | ISBN-10: 0735640599 | ISBN-13: 978-0735640597 | Edition: 1

As systems have become interconnected and more complicated, programmers needed ways to identify parties across multiple computers. One way to do this was for the parties that used applications on one computer to authenticate to the applications (and/or operating systems) that ran on the other computers. This mechanism is still widely used, for example, when logging on to a great number of Web sites. However, this approach becomes unmanageable when you have many co-operating systems (as is the case, for example, in the enterprise). Therefore, specialized services were invented that would register and authenticate users, and subsequently provide claims about them to interested applications. Some well-known examples are NTLM, Kerberos, Public Key Infrastructure (PKI), and the Security Assertion Markup Language (SAML).

Most enterprise applications need some basic user security features. At a minimum, they need to authenticate their users, and many also need to authorize access to certain features so that only privileged users can get to them. Some apps must go further and audit what the user does. On Windows®, these features are built into the operating system and are usually quite easy to integrate into an application. By taking advantage of Windows integrated authentication, you don't have to invent your own authentication protocol or manage a user database. By using access control lists (ACLs), impersonation, and features such as groups, you can implement authorization with very little code. Indeed, this advice applies no matter which OS you are using. It's almost always a better idea to integrate closely with the security features in your OS rather than reinventing those features yourself.

But what happens when you want to extend reach to users who don't happen to have Windows accounts? What about users who aren't running Windows at all? More and more applications need this type of reach, which seems to fly in the face of traditional advice.

This book gives you enough information to evaluate claims-based identity as a possible option when you're planning a new application or making changes to an existing one. It is intended for any architect, developer, or information technology (IT) professional who designs, builds, or operates Web applications and services that require identity information about their users.



Editorial Reviews

About the Author

Dominick Baier splits his time between being an independent security consultant and an instructor for DevelopMentor, teaching and authoring the ASP.NET and the .NET security curriculum. He has a degree in computer science (German Diplom Ingenieur), is a certified BS7799/ISO17799 Lead Auditor and speaks at various conferences (WinDev, DevWeek, ADC) about application security. When not teaching he spends his time researching security, doing audits and penetration tests, and helping other developers around the world to build more secure applications. Dominick maintains a security blog at http://www.leastprivilege.com.

Vittorio Bertocci is a Senior Architect Evangelist in the Windows Azure Platform Evangelism team with Microsoft® Corp. After four years in the Italian Microsoft Consulting Services, Vittorio moved to the U.S. headquarters in Redmond, where he has spent the past four years helping customers deploy solutions based on identity and access management, SOA, and services. He currently focuses on all things identity, working with the developer's community, large enterprises and partners. Vittorio is a published author; he frequently speaks about identity at international conferences and maintains a popular blog at http://blogs.msdn.com/vbertocci.

Keith Brown is a co-founder of Pluralsight, a premier Microsoft® .NET training provider. Keith is the author of Pluralsight's Applied .NET Security course as well as several books, including The .NET Developer's Guide to Windows® Security, which is available both in print and on the Web. Learn more at www.pluralsight.com/keith

Matias Woloski is an Enterprise Architect at Southworks S.R.L. He's been involved in software development for 6 years. Currently, he's working with the patterns & practices team at Microsoft® in a Scrum-driven project. He maintains a blog at http://blogs.southworks.net/mwoloski/

Eugenio Pace is a Senior Program Manager in the patterns & practices group at Microsoft®. He is responsible for developing guidance for migrating and building applications for the Windows Azure® platform and for Windows® Phone 7. Before that he worked on architecture guidance for claims-based identity and identity federation. You can find his blog here: http://blogs.msdn.com/eugeniop and on Twitter @eugenio_Pace.


Product Details

  • Paperback: 196 pages
  • Publisher: Microsoft Press; 1 edition (April 21, 2010)
  • Language: English
  • ISBN-10: 0735640599
  • ISBN-13: 978-0735640597
  • Product Dimensions: 7.3 x 0.4 x 8.9 inches
  • Shipping Weight: 12.8 ounces
  • Average Customer Review: 4.3 out of 5 stars (6 customer reviews)
  • Amazon Best Sellers Rank: #227,732 in Books


Customer Reviews

5 of 5 people found the following review helpful
Format:Paperback
Identity solutions on the Microsoft platform have always been a varied story. Between Windows Integrated, Forms, Passport/Live ID, SSO, Web SSO, Kerberos, SAML, AD, ADFS, AzMan, ADAM, custom providers, etc., the story goes on and on.

This book attempts to cover only one aspect of Identity Management and Access Control, that of Claims-based systems, which have become increasingly popular and more adapted in recent years (see SharePoint 2010 if you have any doubt). While covering claims in depth with code samples, and real-world scenarios such as federated identity for web-based applications, the book also uses visually appealing means to do so. The diagrams are like those you'd see on any whiteboard, and the personalities presented in the book are definitely like those you'd come across in any Enterprise IT shop.

My detractors for this book are as follows:

1) It's too brief (100 pgs). Just as a chapter seems to be heading in the right direction, it tends to taper off.
2) Code samples start in chapter 3, some 33 pages into the book, which seems quite big for an intro and basic concepts. That being said, some of the later chapters are heavily code-laden and the context for these scenarios seems a little light.
3) Maybe it's the fact that it's a relatively nascent technology, but it seems more real-world tips should be included. This is a Microsoft-originated publication, but I think it would have benefitted from real-world experience.
4) Lack of coverage of the other identity offerings, and putting them in context. A flowchart or series of tables which explains where Claims fit into the alphabet soup of identity offerings would have probably given this book more credibility.
5.0 out of 5 stars Dense material presented simply... September 30, 2012
Format:Paperback|Amazon Verified Purchase
this is a difficult topic and if most developers are presented with the need to put a security wrapper around their application they will invariably go with the easiest approach (windows authentication for internal apps and login pages and authentication embedded within an external application).

this book presents the topic of claims-based identity - a very dense and feature rich topic - in a simple < 150 page book. it even includes examples that are easy to follow.

now what is wrong with the book?

* it would be nice if it included examples (screen shots) of working with the ADFS 2.0 Manager Windows 2008 server. i think this is germane to the overall topic, would have been nice to have it online too.

* would have been nice to provide some direction on a custom provider that uses both AD and SQL server.
2 of 4 people found the following review helpful
5.0 out of 5 stars Excellent Introduction to Claims August 22, 2011
Format:Paperback|Amazon Verified Purchase
A Guide to Claims-Based Identity and Access Control is an excellent overview for the software developer or architect. There is a lot of talk about federation and claims-based security in the software community. This guide gives understandable examples and practical reasons for using claims-based security in your systems. The material is approachable and fairly brief (the content is only about 100 pages). It is a great starting point. Like most publications from the Microsoft Patterns & Practices group, this is also available as a free PDF on their website.
0 of 3 people found the following review helpful
Format:Paperback
A Guide to Claims-Based Identity and Access Control: Authentication and Authorization for Services and the Web provides a fine survey of patterns and practices that hold proven results for application developers. Designs that work provides a survey of claims-based identity systems drawing links between innovative approaches and building applications that authenticate and authorize users. A fine, technical guide for any serious development collection!
7 of 16 people found the following review helpful
2.0 out of 5 stars Sales pitch August 24, 2011
Format:Paperback
MS sales pitch: the world, apparently, is flat, starting and ending in Redmond.
Other platforms are called "different", other applications - "non-.NET Framework".
If one ever needs "a program", it is, of course, AD.
One might argue: what did you expect, it's published by MS!
Yes, but the title, then, should be: "Guide to Claims-Based Identity in Microsoft Environment."
And the book would be a perfect 5 stars (from those, who are interested in that environment).
Shame.
0 of 4 people found the following review helpful
5.0 out of 5 stars A great book from thought leaders September 12, 2010
Format:Paperback
Vittorio and crew did a fantastic job bringing this book out. I have followed them in their various blogs and have attended Vittorio's "All Will Be Revealed: ~7 Hours Recordings from the WIF Workshops" published here: [...]

As powerful as this book is, I will implore readers to check out [...] and read from Kim Cameron. Also follow Vittorio on MSDN. These resources in addition to this book will enhance your quest for deep Claims Based Identity knowledge.

I must point out that there are numerous resources on this topic on MSDN and Technet. I have been investigating WIF, WS-* for over 5 years and I will strongly encourage developers and architects to pick up this book.

Jovita Nsoh, CISSP, CISM, CITA-P, MCA
Senior Security Architect
Microsoft Corporation
Seattle, WA