Monday, August 26, 2013

Single Sign On Made Simple: Part 1-WIF

Almost every organization I have ever worked at, with, or for has discussed and dreamed about implementing a Single Sign On (SSO) solution for either some or all of their applications and/or websites. It is a very interesting and enticing prospect to be able to enable your users to enter one username and password in order to access multiple applications. I am not going to take the time to explain SSO any more than that but if you are not familiar with SSO or would like to learn more about it there is a plethora of blogs and articles on the internet that should help get you up to speed.

In this series of blog articles I am going to go over a way I have found to very quickly and easily implement an SSO solution - without writing a lick of code! But I won’t stop there; the solution I will suggest will also enable your organization to authenticate your users via one or more of the many well known identity providers out there such as Active Directory Federation Services (AD FS), Google, Live, Facebook, and more – or you can roll your own if so inclined. Finally I will take this SSO solution and extend it to your Windows based applications as well.

In this first part I am going to introduce you to the underlying framework that will be doing most of the work. While I don’t expect you to understand everything about this framework, I do want to point out its existence and role in our solution. If you are a developer, or you are at an organization that is going to want to write its own identity provider, then you will want to know about the framework.

At the center of our solution is Microsoft’s Windows Identity Foundation (WIF). Until recently it was an add-on framework, but starting with .NET Framework 4.5 WIF has been fully integrated into the .NET Framework (the System.IdentityModel and System.Security.Claims namespaces). At its core WIF is a framework for building identity-aware applications; it abstracts the WS-Trust and WS-Federation protocols and presents developers with APIs for building security token services and claims-aware applications. I won’t go into too much detail about the framework, but I do want to point out its major parts, because when I get to my solution for SSO you will need a basic understanding of them to appreciate what it does for you.

I do want to point out that WIF is based on a concept called the Claims-Based Identity Model, which simply means that a user in your applications is represented as a set of claims. One claim could be the user’s name; others might be their email address or display name. The basic idea is that your application will be given a set of data an external identity system is configured to provide about the user – along with cryptographic assurance that the identity data you receive comes from a trusted source, of course. [1]

A basic WIF scenario usually consists of one or more Relying Party (RP) applications and a Security Token Service (STS). The Relying Party (RP) is basically an application that relies on claims issued by an STS. An RP is also often called a “claims aware application” or “claims-based application.” The Security Token Service (STS) is the service that builds, signs, and issues security tokens according to the WS-Trust and WS-Federation protocols. The STS is responsible for collecting and validating the user’s credentials and, if they check out, returning to the RP a signed, claims-based token representing the user. [2,3] The trust runs one way: the RP never sees the user’s password; it accepts a token only if the signature verifies against the certificate it has registered for that STS, the token names the RP as its audience, and the token has not expired. Getting those three checks wrong (for example, trusting any signing certificate) is what turns a claims-aware application into one that will accept a token anyone can mint, so the RP’s trusted-issuer and audience configuration deserves the same care as a password database. If you are confused don’t worry, the solution I propose should help make this abstract concept a little more concrete.
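To make the RP side of the claims model concrete, here is an added example in C# (it is not code from this post, and it is not part of the no-code solution described later). It shows the WIF extension point a relying party uses once WIF has already validated the incoming token’s signature, audience and lifetime: a ClaimsAuthenticationManager that refuses claims from any issuer other than the one it trusts, insists on the claims the application needs, and adds an application-specific role claim. The issuer name, the email domain and the role name are assumptions made up for the example; the principal built in Main is constructed by hand to stand in for what WIF would produce from a real token.

```csharp
using System;
using System.Security;
using System.Security.Claims;

// Added example (not from the post). In an ASP.NET RP this class is registered with
//   <claimsAuthenticationManager type="InventoryClaimsAuthenticationManager, YourAssembly"/>
// under <system.identityModel><identityConfiguration> in web.config. WIF calls it once
// per authenticated request, after it has checked the token's signature, audience and lifetime.
public class InventoryClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Assumed issuer name for this example. In a real RP the trusted issuers and their
    // signing-certificate thumbprints live in <issuerNameRegistry> in web.config, and
    // WIF stamps each claim's Issuer with the name it resolves from there.
    public const string TrustedIssuer = "https://sts.example.com/";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Anonymous request: return it unchanged so WIF redirects the user to the STS.
            return incomingPrincipal;
        }

        // The RP relies on the STS to have collected and validated the credentials, so
        // every claim the application acts on must come from that STS and nowhere else.
        foreach (var claim in identity.Claims)
        {
            if (!string.Equals(claim.Issuer, TrustedIssuer, StringComparison.OrdinalIgnoreCase))
            {
                throw new SecurityException("Claim '" + claim.Type + "' was not issued by the trusted STS.");
            }
        }

        // Require the claims this application cannot work without.
        var email = identity.FindFirst(ClaimTypes.Email);
        if (email == null || string.IsNullOrWhiteSpace(email.Value))
        {
            throw new SecurityException("The STS did not supply the email claim this application requires.");
        }

        // Claims transformation: derive an application role from what the STS told us.
        // The domain and role name are assumptions for this example.
        if (email.Value.EndsWith("@example.com", StringComparison.OrdinalIgnoreCase))
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, "InventoryManager", ClaimValueTypes.String, TrustedIssuer));
        }

        return incomingPrincipal;
    }
}

// Console driver: a constructed principal stands in for the one WIF would build from a
// validated token, so the manager can be exercised without an STS.
public static class Program
{
    public static void Main()
    {
        var issuer = InventoryClaimsAuthenticationManager.TrustedIssuer;
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Email, "alice@example.com", ClaimValueTypes.String, issuer)
        };
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));

        var manager = new InventoryClaimsAuthenticationManager();
        var result = manager.Authenticate("/inventory", principal);
        Console.WriteLine("Authenticated:    " + result.Identity.IsAuthenticated);   // True
        Console.WriteLine("InventoryManager: " + result.IsInRole("InventoryManager")); // True

        // A well-formed claim from an unknown issuer is rejected outright.
        var forged = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Email, "mallory@example.com", ClaimValueTypes.String, "https://attacker.example/") },
            "Federation"));
        try
        {
            manager.Authenticate("/inventory", forged);
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Compile it against System.IdentityModel.dll (the assembly that carries ClaimsAuthenticationManager in .NET 4.5). The issuer check in the loop is belt and braces: WIF already refuses tokens whose signing certificate is not in the issuer name registry, but pinning the expected issuer name in the application as well means a later configuration change that adds an unexpected trusted issuer fails loudly instead of silently granting access.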

Microsoft’s Windows Identity Foundation is a great start, but it doesn’t give us anything to immediately get up and running – let alone an SSO solution. It is, as its name implies, a foundation, not a solution. Continue to part 2 of this blog series to be introduced to a solution I have discovered that makes implementing WIF and SSO a snap, all without writing a single line of code. I welcome your comments and feedback on this first part. You may also contact me via the “Contact Us” page at http://www.yosttechnologies.com/contact.


References:
1. The Claims-Based Identity Model (http://msdn.microsoft.com/en-us/library/ee517291.aspx)
2. Relying Party (http://msdn.microsoft.com/en-us/library/ee748466.aspx)
3. Security Token Service (http://msdn.microsoft.com/en-us/library/ee748490.aspx)

Thursday, August 22, 2013

WebAPI, NServiceBus, and SignalR, Oh My!!

I just recently got done helping prove out a very interesting concept that I thought I would share. This may not be anything new for some of you but for many this may be a very eye opening concept. It has to do with how you can combine three technologies to give you a very resilient and “push event” driven RESTful API for your applications and/or customers to use.

A technology many of us already know and love is Microsoft’s ASP.NET Web API framework, which ships alongside ASP.NET MVC 4. It enables developers to very quickly build RESTful APIs that by default use JSON for the data messages. I have been using this platform ever since it was in pre-release, and if you are in the process of evaluating your options for building an API, this is the one to look at. More information about it can be found at http://www.asp.net/web-api.

Now, this is only part of the picture and I have said nothing earth shattering so let's get on to the good stuff.

So let's say you or your organization/team has spent the time to build your API on the Web API platform and everything is going great, but now you have come to the point where you need your services to talk to each other. Do the services call each other directly? Well, that doesn't feel right: every service now has to know every other service's address, and one slow or unavailable service takes the others down with it. Plus, how do I know when one of the services does something that another service needs to respond to as well? Do I use SQL data triggers? Ick!! Enter NServiceBus by Particular Software (http://particular.net/NServiceBus).
As its name implies, it is at its core a service bus that can be used to distribute events and messages between various listeners. It enables you to decouple your services to achieve a true SOA (service oriented architecture) while maintaining the transactional consistency, reliability, and scalability you will need: messages sit in durable queues, so a subscriber that is down picks up its events when it comes back, and a handler that fails is retried rather than the event being lost. This means your services can subscribe to events other services publish. OK, a bit tough to follow, so let's look at an example.

Say for simplicity's sake you have two Web API services: an Inventory API and a Products API. Now, let's say your Products API needs to know when the Inventory API changes available inventory so it can update the “availability” information on its products. This can be easily achieved by the Inventory API publishing an “InventoryUpdate” event to NServiceBus, which delivers a copy of the event to the queue of every endpoint that has subscribed to it. For the Products API to get this event it simply subscribes to the “InventoryUpdate” event; the Inventory API never learns who, or how many, the subscribers are. Bam! You have “connected” your services together with NServiceBus.

So, thanks to NServiceBus your services are “talking” to each other via events but that is really only part of the picture. Wouldn’t it be nice if you could take those events and pass them on to the consumers of your APIs? But wait, we are talking about a WEB API so how can this be done? Enter SignalR.

Until recently it was just wishful thinking for API builders to be able to push notifications to consumers of their APIs. Now, thanks to a framework put out by Microsoft called ASP.NET SignalR, these dreams have come true. Essentially ASP.NET SignalR is a library that makes it incredibly simple to “push” events to clients over HTTP. Without going into too much detail, SignalR uses WebSockets when both the server and the client support them and otherwise falls back to other transports (Server-Sent Events, forever frame, or long polling), so the same hub code works for browsers and servers that have no WebSocket support. More information about the framework and how to use it can be found at http://signalr.net/.

So how does this apply to WebAPI you ask?

Well, since your Web API is really just a website, it can use SignalR to push events to your API consumers so they get real time notifications. In the past your API consumers would need some kind of “heartbeat” that constantly polled your API for status updates to determine whether an event had occurred, but with SignalR they are notified immediately via “events” your API pushes out. Whether the consumer of your API is another website or an application, it can attach event handlers to these push notifications – essentially closing the loop on service events. One caveat: those pushed events now leave your trust boundary, so the SignalR hub needs the same authentication and authorization as your REST endpoints, and each event should be scoped (for example with SignalR groups) to the consumers entitled to see it rather than broadcast to every connection.
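Here is the Inventory/Products scenario from above wired up end to end, as an added example in C# (this is my illustration, not code from the post or from the NServiceBus or SignalR projects). It shows all three pieces in one place: the event the Inventory API publishes, the NServiceBus handler in the Products API that receives it, and the SignalR hub that pushes it on to API consumers that asked for that SKU. The event, class and hub names, the per-SKU group scheme, and the persistence steps left as comments are assumptions for the example; it targets the NServiceBus 4 and SignalR 2 APIs.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;
using NServiceBus;

// Added example, not from the post. Names and the SKU grouping are assumptions.

// 1. The event the Inventory API publishes. Implementing IEvent tells NServiceBus
//    this is a pub/sub message that any number of endpoints may subscribe to.
public class InventoryUpdated : IEvent
{
    public string Sku { get; set; }
    public int QuantityAvailable { get; set; }
    public DateTime OccurredUtc { get; set; }
}

// 2. Publisher side, inside the Inventory API. IBus is injected by NServiceBus.
//    Publishing happens after the stock change is committed; because the publish
//    takes part in the same transaction as the send, a failed commit publishes nothing.
public class InventoryService
{
    private readonly IBus bus;

    public InventoryService(IBus bus)
    {
        this.bus = bus;
    }

    public void AdjustStock(string sku, int newQuantity)
    {
        // ... persist the new quantity for this SKU ...
        bus.Publish(new InventoryUpdated
        {
            Sku = sku,
            QuantityAvailable = newQuantity,
            OccurredUtc = DateTime.UtcNow
        });
    }
}

// 3. The SignalR hub the Products API exposes to its consumers. [Authorize] makes
//    SignalR require an authenticated caller before the connection is accepted, and
//    each consumer joins a group per SKU so it only receives the events it asked for.
[Authorize]
public class InventoryHub : Hub
{
    public static string GroupName(string sku)
    {
        return "sku:" + sku;
    }

    public Task WatchSku(string sku)
    {
        // Assumption: a real API would check here that Context.User may see this SKU
        // before adding the connection to the group.
        return Groups.Add(Context.ConnectionId, GroupName(sku));
    }
}

// 4. Subscriber side, inside the Products API. NServiceBus dispatches each
//    InventoryUpdated it delivers to this handler, which updates availability and
//    then pushes the change to the SignalR clients watching that SKU.
public class InventoryUpdatedHandler : IHandleMessages<InventoryUpdated>
{
    public void Handle(InventoryUpdated message)
    {
        // ... update the product's availability in the Products store ...

        var hub = GlobalHost.ConnectionManager.GetHubContext<InventoryHub>();
        hub.Clients.Group(InventoryHub.GroupName(message.Sku))
           .inventoryUpdated(message.Sku, message.QuantityAvailable, message.OccurredUtc);
    }
}
```

Two wiring notes. On the bus side, the Products endpoint has to be told where InventoryUpdated comes from: with NServiceBus 4 that is a MessageEndpointMappings entry in the Products API’s UnicastBusConfig section pointing the event’s assembly at the Inventory endpoint, after which the endpoint subscribes on startup. On the client side, a consumer registers its handler and then asks for the SKUs it cares about, for example with the JavaScript client: assign a function to `$.connection.inventoryHub.client.inventoryUpdated`, then call `$.connection.inventoryHub.server.watchSku('ABC-123')` once `$.connection.hub.start()` completes. Because the handler calls `Clients.Group(...)` rather than `Clients.All`, a consumer that never called `watchSku` for a SKU never sees its events.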

While all of this may seem very confusing and complicated, for what is being achieved it is actually very simple and elegant. This approach allows you to develop a very distributed API while maintaining interconnectivity between each of your services and their consumers. I can almost guarantee you we are going to see more and more need for this type of workflow, and with Web API, NServiceBus, and SignalR there is no reason you can’t do it now.

Feel free to leave me comments or feedback. If you have specific questions about this post please contact me at matt@yosttechnologies.com or go to our website at http://www.yosttechnologies.com and submit your comments.