Re: Architecture Advice
- From: "Pablo Cibraro" <pcibraro@xxxxxxxxxxx>
- Date: Mon, 3 Apr 2006 13:33:48 -0300
WSE3 is only a framework that adds WS-* support to the Web services stack.
You can use your own code or other product to do the same but the generated
messages must be compatible with the messages accepted by WSE.
Regards,
Pablo Cibraro.
"LockyBoy" <LockyBoy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82B4F0EA-661B-497B-B72D-905F848BB6D0@xxxxxxxxxxxxxxxx
Thanks Pablo
My last question is, do all our clients have to have wse3 installed on their PCs to enable us to take advantage of wse3 on our web services?
If so, doesn't that defeat the non-proprietary aspect of web services?!
Many Thanks
"Pablo Cibraro" wrote:
Hi,
Kerberos only works if your client application and your service are in the same windows domain or in different windows domains with a trust relationship. (This does not work when the trust relationship goes beyond this boundary, for example, different companies).
WS-Federation with SAML has the following benefits over Kerberos:
1. The trust relationship can expand to different realms or domains (in other words, companies).
2. It is completely extensible; you can modify it to add your own attributes. (You can not do the same with Kerberos.)
The bad thing is that you need to manage X509 certificates. A Kerberos token already has a symmetric key to perform cryptographic operations, so it does not need an X509 certificate.
No, you won't have any problem, but you won't be able to identify the 100 employees (you will always identify one employee for company A). If you use SAML, you can identify the company with an X509 certificate and the user with a custom attribute inside of the token.
Regards,
Pablo Cibraro.
"LockyBoy" <LockyBoy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:623E0CFD-3299-4949-BCAC-B0C0FA6A577F@xxxxxxxxxxxxxxxx
Thanks Pablo
Could you point out the benefits of sts over Kerberos authentication in this situation?
Also, we will have multiple users accessing our services with the same username/password, i.e. Company A has 100 employees, their username/password is test/test1, and company B has 50 employees with username/pass test2/test2 - would there be a problem with multiple users logging on to our service with the same username and password?
Thanks
"Pablo Cibraro" wrote:
Hi,
In my opinion, you should use SAML to implement a single sign on solution.
There is an implementation of SAML for WSE 3.0 here
http://practices.gotdotnet.com/projects/saml
Usually, the architecture for an application that uses SAML tokens contains three main components:
1. Client Application
2. Secure Token Service (STS): It is the authority responsible for emitting SAML tokens. The client and the service both trust this authority.
3. Service
You can authorize users against ADAM in the STS. If you want to know more information about SAML, take a look at these articles I wrote in my blog:
http://weblogs.asp.net/cibrax/archive/2005/08/01/421233.aspx
http://weblogs.asp.net/cibrax/archive/2006/02/02/437180.aspx
Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
"LockyBoy" <LockyBoy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8CD31D21-6DC5-490E-ACED-3F09603F8662@xxxxxxxxxxxxxxxx
Hi All
we currently run several web services which run from a sql back end.
Currently all users are authenticated before using each webmethod by passing a user id in the soap body, and authenticating against sql.
I want to implement a single sign on whereby users are authenticated and then don't have to go through the authentication process again, and services are authorised by windows roles assigned at sign on.
I'd like to authorise users against ADAM, but the examples I've seen are for direct authentication with username and wse3, which as far as I can gather, does not allow for single sign on.
I assume I need to use ADAM as a brokered authentication service and issue a security token to negate authentication calls after the first time.
Am I right in my assumptions, or could someone please clarify what steps I need to take to accomplish this?
Thanks in advance for any help.
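The STS architecture and the per-employee custom attribute discussed in this thread, as an added example that is not from the thread, from WSE or from Pablo's SAML project: a Python check of a constructed SAML 1.1 assertion (the SAML version WSE 3.0 consumes) that accepts the token only from a trusted STS, enforces its validity window and audience, then reads the company from the subject and the individual employee from a custom attribute. The issuer name, audience URI, attribute namespace and employee id are all constructed placeholders, and the code assumes the WS-Security layer has already verified the assertion's XML signature with the STS's X509 certificate.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x namespace, the version WSE 3.0 consumes
NS = {"saml": SAML_NS}

# Constructed sample (not from a real STS): issuer/subject name the company; the employee is a custom attribute.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="sts.companyA.example" IssueInstant="2006-04-03T16:00:00Z">
  <saml:Conditions NotBefore="2006-04-03T16:00:00Z" NotOnOrAfter="2006-04-03T17:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:example:ourservice</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>CN=Company A</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="EmployeeId" AttributeNamespace="urn:example:claims">
      <saml:AttributeValue>emp-0042</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):  # SAML 1.1 condition timestamps are UTC at second precision
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def extract_identity(assertion_xml, trusted_issuers, my_audience, now):
    """Return (company, employee_id) from a SAML 1.1 assertion, or raise ValueError.
    Assumes the XML signature was already verified by the WS-Security layer, so the
    Issuer attribute can be trusted; only claims and conditions are checked here."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")  # only our own STS may mint tokens
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("missing Conditions or assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        raise ValueError("assertion was issued for a different service")
    stmt = root.find("saml:AttributeStatement", NS)
    if stmt is None:
        raise ValueError("no AttributeStatement")
    company = stmt.find("saml:Subject/saml:NameIdentifier", NS).text
    for attr in stmt.findall("saml:Attribute", NS):
        if attr.get("AttributeName") == "EmployeeId" and attr.get("AttributeNamespace") == "urn:example:claims":
            return company, attr.find("saml:AttributeValue", NS).text
    raise ValueError("no EmployeeId attribute: employees of one company would be indistinguishable")
```

Without the custom attribute the service sees only "Company A" for all 100 employees, which is exactly the limitation described for the shared-credential and Kerberos cases above.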