Re: Architecture Advice

Thanks Pablo

My last question is, do all our clients have to have wse3 installed on their
pc's to enable us to take advantage of wse3 on our web services?

If so, doesn't that defeat the non-propriety aspect of web services?!

Many Thanks

"Pablo Cibraro" wrote:

Hi,

Kerberos only works if your client application and your service are in the
same Windows domain or in different Windows domains with a trust relationship.
(This does not work when the trust relationship goes beyond this boundary,
for example, different companies).
WS-Federation with SAML has the following benefits over Kerberos:

1. The trust relationship can expand to different realms or domains (in
other words, companies).
2. It is completely extensible; you can modify it to add your own
attributes. (You cannot do the same with Kerberos.)

The bad thing is that you need to manage X509 certificates. A Kerberos token
already has a symmetric key to perform cryptographic operations, so it does
not need an X509 certificate.

No, you won't have any problem, but you won't be able to identify the 100
employees (you will always identify one employee for company A). If you
use SAML, you can identify the company with an X509 certificate and the user
with a custom attribute inside of the token.

Regards,
Pablo Cibraro.

"LockyBoy" <LockyBoy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:623E0CFD-3299-4949-BCAC-B0C0FA6A577F@xxxxxxxxxxxxxxxx
Thanks Pablo

Could you point out the benefits of STS over Kerberos authentication in this
situation?

Also, we will have multiple users accessing our services with the same
username/password, i.e. Company A has 100 employees, their username/password
is test/test1, and Company B has 50 employees with username/pass test2/test2.
Would there be a problem with multiple users logging on to our service with
the same username and password?

Thanks

"Pablo Cibraro" wrote:

Hi,

In my opinion, you should use SAML to implement a single sign-on solution.
There is an implementation of SAML for WSE 3.0 here:
http://practices.gotdotnet.com/projects/saml
Usually, the architecture for an application that uses SAML tokens contains
three main components:

1. Client Application
2. Secure Token Service (STS): It is the authority responsible for emitting
SAML tokens. The client and the service both trust this authority.
3. Service

You can authorize users against ADAM in the STS. If you want to know more
about SAML, take a look at these articles I wrote on my blog:

http://weblogs.asp.net/cibrax/archive/2005/08/01/421233.aspx
http://weblogs.asp.net/cibrax/archive/2006/02/02/437180.aspx

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
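
The three-component architecture above (client, STS, service) and the later point that SAML lets the service identify the company by its credential and the individual user by a custom attribute in the token, as an added example that is not part of this thread and not code from the gotdotnet SAML project or WSE 3.0. The account table (the thread's test/test1 and test2/test2 credentials), the company and employee names, and the role names are constructed; the STS signs with an HMAC shared secret so the script runs on the Python standard library, whereas the design discussed in the thread would use the STS's X.509 certificate for the signature.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the ADAM directory: one shared credential per
# company (the thread's test/test1 and test2/test2) plus the roles assigned
# to that company at sign-on. Assumption for the example only.
COMPANY_ACCOUNTS = {
    "CompanyA": {"username": "test", "password": "test1", "roles": ["Reader", "Writer"]},
    "CompanyB": {"username": "test2", "password": "test2", "roles": ["Reader"]},
}

# Trust between STS and service. The thread describes this with an X.509
# certificate (STS signs with its private key, service verifies with the
# public key); an HMAC shared secret is used here so the example is
# self-contained. Assumption, not the page's design.
STS_SIGNING_KEY = b"constructed-demo-key-not-for-production"
TOKEN_LIFETIME_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(STS_SIGNING_KEY, payload, hashlib.sha256).digest()


def sts_issue_token(username, password, employee, now=None):
    """STS: authenticate the company credential against the directory and
    issue a signed token. The company identity comes from the authenticated
    credential; the employee is carried as a custom attribute, so 100
    employees sharing test/test1 remain distinguishable at the service."""
    now = time.time() if now is None else now
    for company, account in COMPANY_ACCOUNTS.items():
        if account["username"] == username and hmac.compare_digest(account["password"], password):
            claims = {
                "iss": "demo-sts",
                "sub": company,
                "attr": {"employee": employee},
                "roles": account["roles"],
                "iat": int(now),
                "exp": int(now) + TOKEN_LIFETIME_SECONDS,
            }
            payload = json.dumps(claims, sort_keys=True).encode()
            return _b64(payload) + "." + _b64(_sign(payload))
    raise PermissionError("authentication failed")


def service_validate_token(token, now=None):
    """Service: verify the STS signature and expiry, then return the claims.
    No call back to the directory or STS is needed per request, which is
    what removes the per-WebMethod authentication round trip."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    payload = _unb64(payload_b64)
    if not hmac.compare_digest(_sign(payload), _unb64(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def service_call(token, required_role, now=None):
    """WebMethod stand-in: authorise on the roles in the token and report
    which company and which employee is calling."""
    claims = service_validate_token(token, now)
    if required_role not in claims["roles"]:
        raise PermissionError(f"role {required_role} required")
    return claims["sub"], claims["attr"]["employee"]


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    alice = sts_issue_token("test", "test1", "alice", now=t0)
    bob = sts_issue_token("test", "test1", "bob", now=t0)
    # Same shared credential, two distinguishable callers, tokens reused
    # across calls without re-authenticating.
    print(service_call(alice, "Reader", now=t0 + 10))
    print(service_call(bob, "Writer", now=t0 + 20))
    carol = sts_issue_token("test2", "test2", "carol", now=t0)
    try:
        service_call(carol, "Writer", now=t0 + 5)
    except PermissionError as e:
        print("CompanyB denied:", e)
    try:
        service_call(alice, "Reader", now=t0 + TOKEN_LIFETIME_SECONDS + 1)
    except PermissionError as e:
        print("after expiry:", e)
```

The service never sees the shared username/password; it trusts the STS signature, reads the company from the subject and the employee from the attribute, and authorises on the roles the STS attached at sign-on. The clock is passed in explicitly so expiry handling can be checked deterministically.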


"LockyBoy" <LockyBoy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8CD31D21-6DC5-490E-ACED-3F09603F8662@xxxxxxxxxxxxxxxx
Hi All

We currently run several web services which run from a SQL back end.
Currently all users are authenticated before using each WebMethod by passing
a user id in the SOAP body, and authenticating against SQL.

I want to implement a single sign-on whereby users are authenticated and
then don't have to go through the authentication process again, and services
are authorised by Windows roles assigned at sign-on.

I'd like to authorise users against ADAM, but the examples I've seen are for
direct authentication with username and WSE3, which as far as I can gather,
does not allow for single sign-on.

I assume I need to use ADAM as a brokered authentication service and issue a
security token to negate authentication calls after the first time.

Am I right in my assumptions, or could someone please clarify what steps I
need to take to accomplish this?

Thanks in advance for any help.