Alik Levin's

Goodbye Microsoft, Hello Caradigm

Alik Levin — Fri, 27 Jul 2012 22:41:59 GMT

“Life is like riding a bicycle. To keep your balance you must keep moving.” – Albert Einstein.

I am moving on. I am leaving Microsoft and joining Caradigm, a Microsoft/GE joint venture, as security engineer. I won’t be updating this blog going forward. I will keep blogging on my personal blog at www.PracticeThis.com.

I was with Microsoft for 8 years, 6 years as a Principal Consultant with MCS (Microsoft Consulting Services) in the field working with enterprise customers and 2 years as Senior Programming Writer in Server and Cloud Division creating content for identity related technologies – WIF, AD FS, ACS, Graph API – and how they fit in the cloud dev story.

Here are few highlights related to my tenure at Microsoft.

Principal Consultant at Microsoft Consulting Services (2004 - 2010)

On-hire took on struggling big project (hundreds of billable hours) and drove to customer’s success and as a result signing up for another three years retainer.
Created and delivered Security Engineering delivery kit, generated pipeline to allow to hire two more security consultants.
Created and delivered Performance Engineering delivery kit, generated pipeline to help another consultant to get off the bench beyond my utilization and capacity.
Received WW Services CTO award for services community contribution in security engineering space.
6 years of utilization consistently above the target without burnout. This is how (slides avail here).
Contributed for several patterns&practices guides: Improving Web Services Security, Team Development with Visual Studio Team Foundation Server, A Guide to Claims-Based Identity and Access Control (2nd Edition)
Made ton of friends at Microsoft, with Customers, and within the Industry.

Sr. Programming Writer at Server and Cloud Division (2010 - 2012)

Developed Information Architecture (IA) for developers content. Applied the IA for WIF, ACS, Graph API, AD FS SDK and RMS SDK content.
Developed and applied Agile Content Engineering practices.
Drove delivery and created original content for ACS 2.0.
Drove delivery and created original content for WIF 4.5 through BUILD, Beta, and RC milestones.
Drove AD FS SDK content improvements.
Drove delivery and created original content for Graph API.
Created original content for Windows Azure Security Guidance.

Things I Have Learned

This is partial list of things I have learned during my tenure at Microsoft:

How to apply proven engineering practices
How to ask cutting questions
How to ask for effective feedback and give one
How to assess architecture, code, and deployment of an app
How to avoid paralysis by analysis
How to be ahead of the pack
How to be aligned with business
How to be always prepared to move on
How to build a knowledge map
How to build commitments and deliver on it
How to build network of v-peers using WIIFM
How to carry out a simple message to the masses about complex topic
How to coach/mentor and be coached/mentored
How to cope with tough people
How to cope with tough situations
How to deliver value incrementally
How to discover latent needs
How to distinguish doing vs. achieving and focus on the later
How to drive execution forward
How to effectively communicate on emails and verbally
How to get in the game quickly
How to give effective presentation
How to hold effective meetings
How to identify and avoid drainers and stick with catalysts
How to invest time in technology that matters
How to know what’s hot and what’s not
How to listen to customer needs
How to manage conflict
How to manage emails
How to manage energy
How to manage information
How to manage time
How to manage up (vs. kiss up)
How to win hearts and minds optimizing around usefulness and usability
How to plan and deliver daily, weekly, monthly, and annually
How to prepare to interview (as interviewer and interviewee)
How to read the signs time to move on
How to reduce friction
How to sell an idea to difference audiences
How to set clarity on vision, mission, values, deliverables, execution
How to share information effectively
How to use social media to collect feedback and drive adoption
How to write sample code that others can use effectively and efficiently
How to write effective guidance

Thank you, Microsoft, and thank you all who helped and inspired me along the way.

My LinkedIn profile is here. Connect with me. Recommend me.

Graph API Code Sample: Authenticate and Read an Object From Windows Azure Active Directory (AD)

Alik Levin — Tue, 24 Jul 2012 20:25:06 GMT

This code sample is a very basic console application written using Visual Studio 2010:

Download the code sample: Authenticate and Read and Object From Windows Azure AD

It demonstrates the following key features:

How to request JWT token from Windows Azure AD Access Control using symmetric key.
How to authenticate with the JWT token to Windows Azure AD using Graph API.
How to read Windows Azure AD Object using Windows Azure AD Graph API.

It effectively reflects on the following scenario:

Creating Enterprise Applications by Using Windows Azure AD Graph

I have used the following resources to implement the sample:

Sample Application for Azure Active Directory Graph API (RESTful API). I cannibalizes code from this sample.
Windows Azure Active Directory Graph Prerequisites. I have used this content to sign up for Office 365 which effectively gives me a Windows Azure AD subscription.
How-to: Authenticate To Windows Azure AD Graph Using Windows Azure AD Access Control. I have used this sample to request JWT token. The difference is that in the How-To Client Certificate is used as a credential and in my sample I use symmetric key as a credential.
How-To: Implement Role-Based Access Control When Using Windows Azure AD Graph. I have used this How-To to create Service Principal and add it to a proper role. If I don’t add the Service Principal to a proper role then the request for the JWT token will result in the insufficient privileges exception.
How-to: Read Windows Azure Active Directory Objects Using Windows Azure AD Graph. I have used this How-To to request actual data from Windows Azure AD using Windows Azure AD Graph API.

Subscribe to Office 365 to get your Windows Azure AD subscription, grab the sample and start programming against it using the sample and the How-To’s.

Windows Azure AD Graph API Guidance Is Available on MSDN

Alik Levin — Thu, 12 Jul 2012 19:11:02 GMT

Hot off the press, Windows Azure AD Graph API Guidance available now on MSDN here.

Here are key sections of the guidance:

Windows Azure Active Directory (AD) Graph API and Hybrid Cloud Identity

Alik Levin — Fri, 15 Jun 2012 07:44:00 GMT

Windows Azure Active Directory (AD) Graph API is a feature that allows programmability against MS cloud directory, Windows Azure AD. Windows Azure AD powers Office 365 and Windows Intune.

Scott Guthrie mentioned Graph API in his keynote (01:03:10). There is also drill down session during Teched by Ed Wu:

Session Code: SIA322

Directory Graph API: Drill Down

Speaker(s):: Edward Wu
Thursday, June 14 at 4:30 PM - 5:45 PM in S310E

This session introduces the new Directory Graph API, a REST-based API that enables access to Windows Azure Active Directory (Directory for Office 365 Tenants and Azure customers). We review the data directory model, the Graph API protocol (based on Odata V3 protocol), how authentication and authorization is managed, and demonstrate an end-to-end scenario. We walk through sample code calling the Directory Graph API. A roadmap is also reviewed. #TESIA322

With the introduction of Graph API the hybrid (public/private) cloud identity story becomes even better:

Deploy your app anywhere – Windows Server, Windows Azure.
Manage your identity anywhere – Windows Server AD or Windows Azure AD, and they sync!
Authenticate and query user’s profile from on-prem/private and public cloud.

Consider the following high level model to help embracing the idea of the hybrid cloud organization identity:

Windows Azure Security Guidance – Focus on Identity and Access

Alik Levin — Wed, 13 Jun 2012 22:02:27 GMT

Hot off the press: Windows Azure Security Guidance topic. We decided first to tackle things that are significantly different from security perspective in Windows Azure comparing to what we know in on-premises world. And that turned out to be scenarios related to identity – authentication and authorization. These are key scenarios, including graphics, that are covered in the topic:

ASP.NET Web Form Application with Federated Authentication. In this scenario you control access to your ASP.NET Web Forms app using either Internet identity such as Live ID / Microsoft Account or corporate identity managed in Windows Server Active Directory.
WCF (SOAP) Service with Federated Authentication.In this scenario you control access to your WCF (SOAP) service using Service Identities managed by Windows Azure AD Access Control.
WCF (SOAP) Service with Federated Authentication, Identities in Active Directory. In this scenario you control access to your WCF (SOAP) web service using identities managed by corporate Windows Server Active Directory.
WCF (REST) Service With Federated Authentication.In this scenario you control access to your WCF (REST) service using Service Identities managed by Windows Azure AD Access Control.
WCF (REST) Service With Live ID / Microsoft Account, Facebook, Google, Yahoo!, Open ID. In this scenario you control access to your WCF (REST) service using Internet identity such as Live ID / Microsoft Account.
ASP.NET Web App to REST WCF Service Using Shared SWT Token. In this scenario you have distributed application with front end ASP.NET web app and downstream REST service and you want to flow end user’s context through physical tiers.
Role-Based Access Control (RBAC) Authorization In Claims-Aware Applications and Services. In this scenario you want to implement authorization logic in your app based on roles.
Claims-Based Authorization In Claims-Aware Applications and Services. In this scenario you want to implement authorization logic in your app based on complex authorization rules.
Windows Azure Storage Service Identity and Access Scenarios.In this scenario you need to securely share access to Windows Azure storage blobs and containers.
Windows Azure SQL Database Identity and Access Scenarios.SQL Database supports only SQL Server Authentication. Windows Authentication (integrated security) is not supported. Users must provide credentials (login and password) every time they connect to SQL Database.
Windows Azure Service Bus Identity and Access Scenarios.In this scenario you need securely access Windows Azure Service Bus queues.
In-Memory Cache Identity and Access Scenarios.In this scenario you need to securely access data managed by in-memory cache.
Windows Azure Marketplace Identity and Access Scenarios.In this scenario you need to securely access Windows Azure Marketplace datasets.

Give it a try. Consider leaving comments and suggestions how to improve it in the comments section at the end of the topic or through this blog. Huge thank you goes to Mike Howard for the shout out, the man and the legend and the author of epic book Writing Secure Code. Mike is now principal architect in Cybersecurity team in the field continuing to fight a good fight in the trenches.

ASP.NET Web App To REST WCF Service Delegation Using Shared SWT Token

Alik Levin — Thu, 09 Feb 2012 20:01:00 GMT

Just published the article for the following scenario:

ASP.NET Web App To REST WCF Service Delegation Using Shared SWT Token

Scenario:

In this scenario you are developing distributed application that includes front end ASP.NET web app and the backend REST WCF service. You are interested to use public identity providers, such as Live ID, Google, Facebook, Yahoo!, and OpenID 2.0, to authenticate users. You are also interested to flow the original identity of the end users down to the backend REST WCF service for authentication and authorization purposes at the backend.

Solution Approach:

Windows Identity Foundation (WIF) and Windows Azure Access Control Service (ACS) is used to solve this scenario. The approach is to have one relying party configured in ACS that issues SWT token. This SWT token is used with both front end ASP.NET web app and downstream REST WCF service. The signing keys shared with all three - ACS, ASP.NET RP, REST WCF RP.

Resources:

Code Sample: ASP.NET Web App To REST WCF Service Delegation Using Shared SWT Token
Visio Diagrams: ASP.NET to WCF (REST) Delegation With Live ID, Google, Facebook Using SWT.vsd

REST WCF: Authentication With SWT Token Issued By Windows Azure Access Control Service (ACS)

Alik Levin — Wed, 08 Feb 2012 20:05:01 GMT

This is second part following the first part, ASP.NET: Authentication With SWT Token Using Windows Azure ACS and WIF Custom Token Handler, of the overall scenario that should answer the following question:

How I can flow security context of end user through tiers between ASP.NET web app and the downstream REST WCF service?

Just published code sample on MSDN Code Gallery for the REST WCF part. Bits are here:

REST WCF With SWT Token Issued By Windows Azure Access Control Service (ACS)

It largely follows the instructions available here:

How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS

Next is to connect both parts and enable the scenario of flowing the security context of end user through the tier. The challenge will be to make the original SWT token that was issued for the front end ASP.NET web app available to the backend REST WCF service. Will outline in the third and final part of these series of blog posts.

ASP.NET: Authentication With SWT Token Using Windows Azure ACS and WIF Custom Token Handler

Alik Levin — Wed, 08 Feb 2012 00:58:00 GMT

This is first part of the overall scenario that should answer the following question:

How I can flow security context of end user through tiers between ASP.NET web app and the downstream REST WCF service?

Uploaded sample code to MSDN Code Gallery that shows how to use SWT token issued by Windows Azure Access Control Service (ACS). The bits are here:

ASP.NET Security: SWT With Windows Azure ACS and WIF Custom Token Handler

The plan is next to add another Visual Studio Project to the solution based on the following walkthrough:

How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS

The idea is simple – create one relying party in Windows Azure ACS and share the issued SWT token between the ASP.NET app and REST service. The challenge here is that WIF does not come with ready to use SWT token implementation and SWT token handler. To solve this scenario the code sample implements custom token handler, cannibalized from the following sample:

Code Sample: Windows Phone 7 Application

ASP.NET To WCF (SOAP) Delegation Of Security Token Using Live ID

Alik Levin — Tue, 07 Feb 2012 18:19:31 GMT

Just added another scenario to the Cloud Identity Scenarios and Solutions for Developers including solution approach, code sample, walkthrough . Courtesy of Todd Foust who created it all from scratch. The scenario is distributed application with ASP.NET web app calling to the back end WCF (SOAP) web service. Users are authenticated using Windows Live ID. End user’s security context needs to flow down to the WCF service.

Custom STS using WIF and ACS are used to solve this scenario, read the whole story here - ASP.NET Relying Party to WCF (SOAP) Relying Party Delegation With Windows Live ID

PracticeThis.com Blog Is Available On Amazon Kindle

Alik Levin — Mon, 23 Jan 2012 05:28:44 GMT

Practice This, my personal blog, is now available on Amazon Kindle through monthly subscription.

If you are happy owner of Amazon Kindle reader you can now read www.PracticeThis.com blog on it.

It’s a digital information age and it’s a thrill to experiment with what’s possible especially when the entry bar is so low.

Enjoy reading Practice This on Amazon Kindle.

Troubleshooting Windows Azure Platform

Alik Levin — Sat, 19 Nov 2011 06:06:00 GMT

Error Codes
Tools
- Debugging and Troubleshooting Windows Azure Applications
- Fiddler Federation Inspector (Useful when debugging ACS/WIF)
Known Issues and Limitations
Support
Media

Windows Azure Pricing

Alik Levin — Fri, 18 Nov 2011 23:07:28 GMT

Staging Windows Azure Cloud Applications and Service Integrated With ACS

Alik Levin — Tue, 04 Oct 2011 18:36:00 GMT

This post outlines my thinking on possible ways to stage application and services that are integrated with ACS.

It’s a common practice to have at least three environments – development, test, production - when developing applications and services. Application that use ACS should not be an exception. The key question here is how to move the application between the environments and how to maintain the environments regarding ACS?

One approach is specifically targeted at Windows Azure outlined here. In this post I’d like to explore manual options that are available. In a nut shell, there are two ways:

1 ACS namespace with 3 configured relying parties – development, test, production.
3 ACS namespaces – one per environment – and 1 relying party that represents the application.

1 ACS Namespace 3 Relying Parties

Consider the following diagram that represents single ACS namespace with 3 configured relying parties and key configuration elements:

Single ACS namespace
3 different relying parties with its own Return URL and realm pairs.

What varies here is the realm of each relying party application to reflect on the environment – Dev, Test, Prod. The return URL also varies between the relying parties to reflect on the environments.

Consider the following diagram for the application configuration that uses the above ACS configuration:

In each environment the application shares the same trusted issuer thumbprint since it was issued by the same ACS namespace.
federatedAuthentication/wsFederation/issuer URL stays the same.
The realm changes according to the environment

When deploying to Windows Azure staging environment the application assigned a URL that includes GUID that’s not known beforehand. It means there is no possible way to properly configure related ACS relying party. To fix this configure the Return URL of Relying Party: Test after deploying to Windows Azure. Another approach is to leverage OnStart event of the WebRole outlined here.

3 ACS Namespaces 1 Relying Party

Consider the following diagram that depicts three different ACS namespaces for each environment:

3 different ACS namespaces for each environment – Dev, Test, Prod.
One Relying Party in each namespace.

What varies here is the Return URL for each Relying Party while realm is the same. Since there are different ACS namespaces the issuer is different for each one and also the signing certificate would be different. It will reflect on the configuration in the web.config file of the application.

Consider the following diagram that depicts the key attributes in the configuration file of the application:

Issuer thumbprint is different since it was issued by different ACS namespaces.
federatedAuthentication/wsFederation/issuer URL is different.
The realm stays the same.

When deploying the application or a service to Windows Azure staging environment which includes GUID in the URL the ACS testing environment should be updated accordingly with relevant Return URL each time you deploy. That’s not the case though with Dev and Prod environments.

How To: Use AD FS Endpoints When Developing Claims Aware WCF Services Using WIF

Alik Levin — Fri, 30 Sep 2011 21:48:49 GMT

This post is based on WIF Built-in Bindings Overview and AD FS Endpoints. This information should provide a more cohesive view for developers when developing claims aware WCF services using AD FS and WIF.

There are 30 scenarios here. Working on guidance when to use what.

WS-Trust 1.3 endpoints

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/windows	Trust13WindowsMessage
WindowsWSTrustBinding windowsTrust13MessageBinding = new WindowsWSTrustBinding();

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/windowsmixed	Trust13WindowsMixed
WindowsWSTrustBinding windowsTrust13MixedBinding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/windowstransport	Trust13WindowsTransport
WindowsWSTrustBinding windowsTrust13TransportBinding = new WindowsWSTrustBinding(SecurityMode.Transport);

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/certificate	Trust13CertificateMessage
CertificateWSTrustBinding certificateTrust13MessageBinding = new CertificateWSTrustBinding();

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/certificatemixed	Trust13CertificateMixed
CertificateWSTrustBinding certificateTrust13MixedBinding = new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential);

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/certificatetransport	Trust13CertificateTransport
CertificateWSTrustBinding certificateTrust13TransportBinding = new CertificateWSTrustBinding(SecurityMode.Transport);

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/username	Trust13UserNameMessage
UserNameWSTrustBinding userNameTrust13MessageBinding = new UserNameWSTrustBinding();

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/usernamemixed	Trust13UserNameMixed
UserNameWSTrustBinding userNameTrust13MixedBinding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/usernamebasictransport	Trust13UserNameBasicTransport
UserNameWSTrustBinding userNameTrust13TransportBasicBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Basic);

AD FS Endpoint	WCF Binding
N/A	Trust13UserNameDigestTransport
UserNameWSTrustBinding userNameTrust13TransportDigestBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Digest);

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/kerberosmixed	Trust13KerberosMixed
KerberosWSTrustBinding kerberosTrust13MixedBinding = new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential);

WS-Trust 1.3 Issued Token endpoints

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/issuedtokenasymmetricbasic256	Trust13IssuedTokenAsymmetricBasic256
IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding(); issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey;

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256	Trust13IssuedTokenMixedAsymmetricBasic256
IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding(); issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential; issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey;

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256	Trust13IssuedTokenMixedSymmetricBasic256
IssuedTokenWSTrustBinding issuedTokenBinding = new IssuedTokenWSTrustBinding(); issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential;

AD FS Endpoint	WCF Binding
/adfs/services/trust/13/issuedtokensymmetricbasic256	Trust13IssuedTokenSymmetricBasic256

WS-Trust 2005 endpoints

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/windows	TrustFeb2005WindowsMessage
WindowsWSTrustBinding windowsTrustFeb2005MessageBinding = new WindowsWSTrustBinding(); windowsTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/windowsmixed	TrustFeb2005WindowsMixed
WindowsWSTrustBinding windowsTrustFeb2005MixedBinding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential); windowsTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/windowstransport	TrustFeb2005WindowsTransport
WindowsWSTrustBinding windowsTrustFeb2005TransportBinding = new WindowsWSTrustBinding(SecurityMode.Transport); windowsTrustFeb2005TransportBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/certificate	TrustFeb2005CertificateMessage
CertificateWSTrustBinding certificateTrustFeb2005MessageBinding = new CertificateWSTrustBinding(); certificateTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/certificatemixed	TrustFeb2005CertificateMixed
CertificateWSTrustBinding certificateTrustFeb2005MixedBinding = new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential); certificateTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/certificatetransport	TrustFeb2005CertificateTransport
CertificateWSTrustBinding certificateTrustFeb2005TransportBinding = new CertificateWSTrustBinding(SecurityMode.Transport); certificateTrustFeb2005TransportBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/username	TrustFeb2005UserNameMessage
UserNameWSTrustBinding userNameTrustFeb2005MessageBinding = new UserNameWSTrustBinding(); userNameTrustFeb2005MessageBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/usernamemixed	TrustFeb2005UserNameMixed
UserNameWSTrustBinding userNameTrustFeb2005MixedBinding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential); userNameTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/usernamebasictransport	TrustFeb2005UserNameBasicTransport
UserNameWSTrustBinding userNameTrustFeb2005TransportBasicBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Basic); userNameTrustFeb2005TransportBasicBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
	TrustFeb2005UserNameDigestTransport
UserNameWSTrustBinding userNameTrustFeb2005TransportDigestBinding = new UserNameWSTrustBinding(SecurityMode.Transport, HttpClientCredentialType.Digest); userNameTrustFeb2005TransportDigestBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/kerberosmixed	TrustFeb2005KerberosMixed
KerberosWSTrustBinding kerberosTrustFeb2005MixedBinding = new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential); kerberosTrustFeb2005MixedBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

WS-Trust 2005 Issued Token endpoints

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/issuedtokenasymmetricbasic256	TrustFeb2005IssuedTokenAsymmetricBasic256
issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey; issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256	TrustFeb2005IssuedTokenMixedAsymmetricBasic256
issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential; issuedTokenBinding.KeyType = SecurityKeyType.AsymmetricKey; issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256	TrustFeb2005IssuedTokenMixedSymmetricBasic256
issuedTokenBinding.SecurityMode = SecurityMode.TransportWithMessageCredential; issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

AD FS Endpoint	WCF Binding
/adfs/services/trust/2005/issuedtokensymmetricbasic256	TrustFeb2005IssuedTokenSymmetricBasic256
issuedTokenBinding.TrustVersion = TrustVersion.WSTrustFeb2005;

Cloud Identity Stories for Developers–Application Architecture Scenarios

Alik Levin — Thu, 29 Sep 2011 22:46:00 GMT

I have packaged Cloud Identity Scenarios and Solutions for Developers into PDF document. I hope it will be easier to consume and share for you. It only includes Application Architecture scenarios. The link though provides more scenarios and solutions.

Each scenario is organized as follows:

Scenario, including visual
Solution approach, including visual
Analysis
List of links to How-To’s
List of links to Code Samples
List to more Resources

Grab the PDF file and use it to solve Cloud Identity related scenarios. Use TOC/Bookmarks to easily navigate the content.

At your service!

Windows Phone 7 (WP7) App For The Field Warriors - Instant Expert

Alik Levin — Tue, 27 Sep 2011 00:08:13 GMT

I have developed a simple WP7 app that provides quick navigation to key resources related to Windows Azure platform when you need it the most on the go – Videos, Slides, How-To’s, and Troubleshooting. It is called Instant Expert and available on WP7 marketplace for free.

Give it a test drive. Here are the screen shots. Enjoy.

Windows Azure Platform Content For Most Urgent Cases

Alik Levin — Mon, 19 Sep 2011 21:34:53 GMT

This is collection of resources for Windows Azure Platform technologies that should be suitable for most urgent cases such as learn the speak quickly, write code quickly, fix the error on the spot. The content categorized with the following categories:

Slides
Videos
How-To’s
Troubleshooting.

Here are the links;

Windows Azure AppFabric Caching Under Fire Scenarios

Alik Levin — Mon, 19 Sep 2011 02:57:00 GMT

This is a quick list of resources for the under fire scenarios for Windows Azure Caching (Windows Azure is here, SQL Azure here, Service Bus here, and ACS here). Under fire scenarios in my speak is when something needs to be done quickly. Example, fix error, write working code, get up to speed with the folksonomy.

How-To’s

Error codes

DataCacheErrorCode Class

Slides

Videos

Introduction to the Windows Azure AppFabric Cache

Windows Azure ACS Resources For Under Fire Scenarios

Alik Levin — Fri, 16 Sep 2011 20:27:08 GMT

This is a quick list of resources for the under fire scenarios for Windows Azure ACS (Windows Azure is here, SQL Azure here, and Service Bus here). Under fire scenarios in my speak is when something needs to be done quickly. Example, fix error, write working code, get up to speed with the folksonomy.

How-To’s

Troubleshooting

Slides

What is ACS? (Slides)
What ACS Can Do For Me? (slides)
ACS Functionality (slides)
ACS Architecture (slides)
ACS Deployment Scenarios (slides)
ACS and the Cloud (slides)
ACS And WIF (slides)
ACS and ADFS (slides)

Videos

Windows Azure Service Bus Resources For Under Fire Scenarios

Alik Levin — Thu, 15 Sep 2011 19:36:41 GMT

This is a quick list of resources for the under fire scenarios for Windows Azure Service Bus (Windows Azure is here and SQL Azure here). Under fire scenarios in my speak is when something needs to be done quickly. Example, fix error, write working code, get up to speed with the folksonomy.

How-To’s

Troubleshooting

Slides

Windows Azure AppFabric Service Bus

Videos

60 Seconds On Developing Claims Aware ASP.NET Web Applications And WCF Services Using AD FS

Alik Levin — Wed, 14 Sep 2011 21:28:54 GMT

As a developer of ASP.NET web applications and WCF service what should I know about AD FS and how to integrate it with my apps and services?

First, realize if your scenario requires AD FS. To do so consider the following three key scenarios and their characteristics:

Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
- Employees logged on to the corporate Active Directory.
- SSO is required (reuse of the same credentials).
- Access applications or services in the perimeter network in your own organization.
Or
- Application needs to take advantage of claims, effectively become claims-aware application, for example, if you want to implement Claims Authorization in a Claims-Aware ASP.NET Application.
Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
- Employees logged on to the corporate Active Directory.
- SSO is required (reuse of the same credentials).
- Need to provide access for your organization’s employees applications or services in in other organization.
Provide Users in Another Organization Access to Your Claims-Aware Applications and Services
- Other organization employees logged on to their corporate Active Directory.
- SSO is required(reuse of the same credentials).
- Need to provide access for other organization’s employees applications or services in your organization.

Second, review the high level steps needed to make the application claims-aware so it can integrate with AD FS:

In most cases you will need to install and use Windows Identity Foundation or WIF. You will need Windows Identity Foundation runtime when running the applications and services and Windows Identity Foundation SDK when developing them using Visual Studio. Note: WIF is now out of band installation that ships separately from .Net Framework. It also is not available at present with Windows Azure instance by default. In .Net 4.5 WIF is part of the .Net Framework.
You will need to consult your system administrator what the endpoints URL’s that are exposed by AD FS.
The end point URL’s will be used when configuring your ASP.NET web applications and services using FedUtil or programmatically.

Related Materials

SQL Azure Resources For Under Fire Scenarios

Alik Levin — Tue, 13 Sep 2011 22:03:00 GMT

This is a quick list of resources for the under fire scenarios for SQL Azure (Windows Azure are here). Under fire scenarios in my speak is when something needs to be done quickly. Example, fix error, write working code, get up to speed with the folksonomy.

How-To’s

Troubleshooting

Error Messages (SQL Azure Database)

Slides

Videos

Windows Azure Resources For Under Fire Scenarios

Alik Levin — Tue, 13 Sep 2011 18:00:18 GMT

This is a quick list of resources for the under fire scenarios. Under fire scenarios in my speak is when something needs to be done quickly. Example, fix error, write working code, get up to speed with the folksonomy.

How-To’s

Troubleshooting

Slides

Microsoft Cloud Computing - Windows Azure Platform

Videos

What is Windows Azure?

How To: Obtain SWT Security Token From Windows Azure AppFabric ACS In WPF Application Using WebBrowser Control

Alik Levin — Mon, 12 Sep 2011 00:36:00 GMT

This post assumes you have completed steps outlined in Displaying List Of Identity Providers (IdP’s) For Windows Azure AppFabric ACS Namespace In WPF Application

In this post I will show how to obtain SWT token from Windows Azure AppFabric Access Control Service (ACS) in WPF application using WebBrowser control when federating with Internet Identity Providers (IdP’s) such as Live ID, Google, Facebook, Yahoo!, or Open ID identity providers. The SWT token can then be used when communicating with RESTful WCF service that requires issued SWT token for authentication purposes.

If you are interested to obtain SWT token from ACS when ACS manages service credentials (vs. Internet IdP’s) using Service Identities refer to the following article - WCF (REST) Service With Federated Authentication.

Summary of steps

Step 1 – Add WebBrowser And Other Controls To Your WPF Application
Step 2 – Configure The WebBrowser Control For Interaction Between Its Contents And The WPF Application
Step 3 – Test Your Solution

Step 1 – Add WebBrowser And Other Controls To Your WPF Application

To add controls to your WPF application

From the toolbox drag TextBox control and place it beneath ListBox control on the Grid. This is not required and it will be used for visualization purposes only. This is where you will see the selected IdP’s sign in URL.
Double click on the ListBox control. It should open listBox1_SelectionChanged event handler in MainWindow.xaml.cs file for editing.
Paste the following code as the event handler implementation. Clicking on different IdP’s in the ListBox will show sign in URL related to the selected IdP.
string idpUrl = ((IdpInfo)e.AddedItems[0]).LoginUrl;
textBox1.Text = idpUrl;
From the toolbox drag WebBrowser control on the Grid next to the ListBox. This is where the IdP’s sign in web form will display.
From the toolbox drag another Button control on the Grid and place it above the WebBrowser control. Clicking on the button will trigger the WebBrowser control navigate to the sign in URL of the selected IdP. Double click on the button to open button2_Click event handler in the MainWindow.xaml.cs file for editing.
Paste the following code as the button2_Click event handler’s implementation. Remember I am using textBox1for visualization purposes only and it is not required.
webBrowser1.Navigate(textBox1.Text);
From the toolbox drag another TextBox control on the grid and place it beneath all other controls. Resize it to accommodate large amount of text. It will display acquired SWT token. This is not required and it is used for visualization purposes only. Configure its TextWrapping property to WrapWithOverflow.

Step 2 – Configure The WebBrowser Control For Interaction Between Its Contents And The WPF Application

To configure the WebBrowser control for interaction between its contents and the WPF application

The code here is based on what’s outlined in How does WPF WebBrowser Control handle window.external.notify()?.

Open MainWindow.xaml markup for editing by double clicking on it in the Solution Explorer.
Add the following attribute to the WebBrowsercontrol markup:
Loaded="webBrowser1_Loaded"
Add related event handler to the MainWindow class in MainWindow.xaml.csfile
private void webBrowser1_Loaded(object sender, RoutedEventArgs e)
{
((WebBrowser)sender).ObjectForScripting = new HtmlInteropClass();
}
Add related class to the MainWindow.xaml.csfile or in its own file added to the solution with the following implementation:
[System.Runtime.InteropServices.ComVisibleAttribute(true)]
public class HtmlInteropClass
{
    public void Notify(string token)
    {
        ((MainWindow)Application.Current.MainWindow).textBox2.Text = token;

    }
}
The Notify method will be called by a script hosted in a web page generated by ACS upon successful authentication with selected IdP.
Compile the solution to make sure there are no compilation errors.

Step 3 – Test Your Solution

To test your solution

Run your solution by pressing F5.
Click on the button above the ListBox. The ListBox should be populated with the configured IdP’s. Click on the IdP’s in the ListBox. Their related sign in URL’s should appear in the TextBox under the ListBoxwith IdP’s. Here is how mine looks:
Click on the other Button on the right to load sign in page related to the selected IdP. Here is how it looks when loading Live ID sign in page:
Provide your credentials to the sign in web form and click Sing in button in it.
Upon successful authentication you should see the contents of the SWT token received from ACS. Here is mine:
Do the same with other IdP’s where you have active account.
Next you can use the token to submit to your RESTful WCF service and then validate it at the RESTful WCF service end. For the details on how to do it consult the following steps in How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS:

Step 3 - Implement Code That Validates the SWT Token at the REST WCF Service
Step 4 – Implement a Client That Requests The SWT Token From ACS and Forwards It To The REST WCF Service

How To: Display List Of Identity Providers (IdP’s) For Windows Azure AppFabric ACS Namespace In WPF Application

Alik Levin — Fri, 09 Sep 2011 16:19:00 GMT

This is a quick walkthrough of the code required to obtain the list of Identity Providers (IdP’s) configured for specific ACS namespace. The code in this post is vastly simplified and based on what’s demonstrated in the Code Sample: Windows Phone 7 Application. To obtain the list of IdP’s for any ACS namespace authentication is not required – this information is available without authentication.

Summary of steps

Step 1 – Create Basic WPF Application
Step 2 – Add Required Assemblies And Namespaces
Step 3 – Implement The Code That Retrieves IdP’s
Step 4 – Test Your Solution

Step 1 – Create Basic WPF Application

To create basic WPF application

Run Visual Studio.
In the menu choose File, New, Project….
In the New Project dialog box click on Windows node on the left, select WPF Application from the list, and click OK button.
MainWindow.xaml should open in the designer. If it is not, double click on it in the Solution Explorer.
From the Toolbox drag Button and Listbox controls on the Grid. .
Double click on the Button. button1_Click event handler should open for editing in the MainWindow.xaml.cs file. This is where you will be implementing the code that retrieves the list of available IdP’s for specific ACS namespace.

Step 2 – Add Required Assemblies And Namespaces

To add required assemblies and namespaces

In the Solution Explorer right click on the References node and select Add References…
Click on the .NET tab and select System.Net, System.Web, System.ServiceModel.Web, System.Runtime.Serialization assemblies from the list. Press Ctrl to make multiple selection.
If MainWindow.xaml.cs us bit already opened in the editor open it by double clicking on it in the Solution Explorer.
Add the following declarations to the MainWindows.xaml.csfile:
using System.Globalization;
using System.Web;
using System.Net;
using System.IO;
using System.Runtime.Serialization.Json;
using System.Collections.ObjectModel;
Save your work.

Step 3 – Implement The Code That Retrieves IdP’s

To implement the code that retrieves IdP’s

Add new class to the solution by right clicking on it in the Solution Explorer and choosing Add, Class… option. Give a name to the new class, for example, IdpInfo.cs.
Add the following declaration to the top of the IdpInfo.cs file:
using System.Runtime.Serialization;
Paste the following code for the IdpInfo class:
[DataContract]
public class IdentityProviderInfo
{
    [DataMember]
    public string Name { get; set; }

    [DataMember]
    public string LoginUrl { get; set; }

}
Save your work.
Open MainWindow.xaml.cs file in the editor by double clicking on it in the Solution Explorer.
Add the following private members to the MainWindow class, these should be exactly copy and pasted from your configuration on ACS management portal, Edit Relying Party Application page.
private string m_realm = "http://YourRealm/";
private string m_serviceNamespace = "YourNamespace";
private string m_acsHostUrl = "accesscontrol.windows.net";
Add the following two private methods to the MainWindowclass:
private void GetIdentityProviders()
{
    {
        Uri identityProviderDiscovery = new Uri(
            string.Format(CultureInfo.InvariantCulture,
                "https://{0}.{1}/v2/metadata/IdentityProviders.js?protocol=javascriptnotify&realm={2}&version=1.0",
                m_serviceNamespace,
                m_acsHostUrl,
                HttpUtility.UrlEncode(m_realm)),
                UriKind.Absolute
            );

        WebClient webClient = new WebClient();

        webClient.DownloadStringCompleted += new DownloadStringCompletedEventHandler(webClient_DownloadStringCompleted);
        webClient.DownloadStringAsync(identityProviderDiscovery);
    }
}
private void webClient_DownloadStringCompleted(object sender, DownloadStringCompletedEventArgs e)
{
    using (MemoryStream ms = new MemoryStream(Encoding.Unicode.GetBytes(e.Result)))
    {
        DataContractJsonSerializer serializer = new DataContractJsonSerializer(typeof(IdpInfo[]));
        listBox1.ItemsSource = serializer.ReadObject(ms) as IEnumerable<IdpInfo>;
    }
}
Call GetIdentityProviders() method in the button1_Click event handler.
Open MainWindow.xaml markup in the editor by double clicking on it in the Solution Explorer.
Add the following item template to the Listbox to make sure the IdP’s Name property is bound to be displayed in the Listbox.
<ListBox.ItemTemplate>
    <DataTemplate>
        <TextBlock Text="{Binding Name}"/>
    </DataTemplate>
</ListBox.ItemTemplate>
Compile the solution to make sure there is no compilation errors.

Step 4 – Test Your Solution

To test your solution

Press F5 to run the solution. You should see MainWindow application appears with the button and the empty listbox.
Click on the button once, the list box should be filled with the names of the IdP’s for the specific ACS namespace and the real you specified.
This is how mine looks for the following app - https://wawithacsv2.cloudapp.net/ (need to figure out what are these special characters in Live ID IdP):