Project Description
This project started as a WCF-based SSO solution that serves ASP.NET websites (through membership providers) as well as WinForms applications and web services. We then realized that we needed to bring in claims-based functionality and make it work as our own identity foundation.

I started this project when I needed to migrate my existing ASP.NET websites to a DMZ or hosted environment, where the SQL or AD membership, role and profile providers cannot reach their back ends through the firewall.

There are many projects and code samples that provide a WCF-based single sign-on solution by wrapping the ASP.NET providers in WCF services, but most of them overlook the fact that these WCF services themselves need to be secured and authorized. If we simply wrap a method like 'CreateUser' in a service operation, we have to configure the service and the front-end application for impersonation and message/transport security, and we have to trust the front-end application to check the caller's authorization before invoking that operation; the service itself never verifies who is asking. That may be acceptable when the simple providers secure a couple of web applications, but it is not a sound design if these services are to act as an SSO provider for WinForms, Silverlight and applications on other platforms, or for trading partners whose code we do not control.

Meanwhile, I was asked to implement these security services so that other web services could use them to authenticate and authorize web service requests. Again there are many approaches and sample projects, but many of them require WS-* security, which can be hard to implement when the client is not a WCF client. Those solutions often require the user name and password to be carried in the message or transport and authenticated on every access, and they limit the choice of authentication/authorization providers. I was also asked to implement object- and field-level security, enforced inside the resource services so that only the information the caller is authorized to see is returned to the front-end or client applications; therefore every call to these services must be authenticated and authorized. These WCF or ASP.NET web services and their clients may only support basic bindings, and we certainly do not want to pass the user name and password with every method call. Windows Identity Foundation came to mind, but it seemed too complex for our simple needs.

This project tries to address both requirements. It uses the ASP.NET provider model on the service itself, so different providers can be configured, and follows the STS pattern: a validation request authenticates the user against the configured provider and, on success, registers a session and issues a simple token back to the client application. The client application then keeps that token and presents it on every call to the web services and resources the user wants to access, including the membership/role/profile services themselves. The 'resource' web services validate the token and check the user's authorization against it on each request, rather than trusting the caller. Note that the token is a bearer credential: anyone holding it can act as the user until it expires or is revoked, so the transport between client and services still needs to be protected (for example with HTTPS) and tokens should have a bounded lifetime.

These WCF services, which I named Security Agent Services (SAS), can use any ASP.NET membership provider for authentication and authorization. Client applications are registered in a configuration database that controls which providers each application uses. The SAS service identifies the application making the incoming request and passes the parameters to that application's providers. A 'Realm' concept was introduced to simplify management and configuration when a group of applications and web services share the same set of providers.
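To make the flow described in the two paragraphs above concrete, here is an added example in plain C# (not code from this project): a hypothetical SecurityAgent that routes authentication to the provider configured for the caller's realm, issues an opaque random token that it keeps server-side with an expiry, and a hypothetical OrderService that validates the token and checks a role on every call instead of trusting the caller. The IIdentityProvider interface, DemoProvider, the realm, user and role names are all constructed for the example; a real deployment would plug in the actual ASP.NET membership and role providers and talk to the agent over WCF.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example with hypothetical names; not this project's own API.
// Stand-in for an ASP.NET MembershipProvider/RoleProvider pair.
interface IIdentityProvider
{
    bool ValidateUser(string user, string password);
    string[] GetRolesForUser(string user);
}

// What the agent remembers about an issued token; none of this travels to the client.
sealed class Session { public string User, Realm; public string[] Roles; public DateTime ExpiresUtc; }

// The Security Agent side: routes authentication to the realm's provider, issues and validates tokens.
sealed class SecurityAgent
{
    readonly IDictionary<string, IIdentityProvider> _providersByRealm;
    readonly TimeSpan _lifetime;
    readonly ConcurrentDictionary<string, Session> _sessions = new ConcurrentDictionary<string, Session>();

    public SecurityAgent(IDictionary<string, IIdentityProvider> providersByRealm, TimeSpan lifetime)
    { _providersByRealm = providersByRealm; _lifetime = lifetime; }

    // Returns an opaque token on success, null on failure. The token carries no claims;
    // the session is looked up server-side, so a leaked token is useful only until it
    // expires or is revoked.
    public string Authenticate(string realm, string user, string password)
    {
        IIdentityProvider provider;
        if (!_providersByRealm.TryGetValue(realm, out provider)) return null; // unregistered application/realm
        if (!provider.ValidateUser(user, password)) return null;
        var bytes = new byte[32];                                  // 256 bits from a CSPRNG: not guessable
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _sessions[token] = new Session
        {
            User = user, Realm = realm,
            Roles = provider.GetRolesForUser(user),
            ExpiresUtc = DateTime.UtcNow + _lifetime
        };
        return token;
    }

    // Called by every resource service on every request.
    public Session Validate(string token)
    {
        Session s;
        if (token == null || !_sessions.TryGetValue(token, out s)) return null;
        if (s.ExpiresUtc <= DateTime.UtcNow) { _sessions.TryRemove(token, out s); return null; }
        return s;
    }

    public void Revoke(string token) { Session s; _sessions.TryRemove(token, out s); }
}

// A resource service: it never trusts what the caller says about itself, only the agent's answer.
sealed class OrderService
{
    readonly SecurityAgent _agent;
    public OrderService(SecurityAgent agent) { _agent = agent; }

    public string GetOrder(string token, int orderId)
    {
        Session s = _agent.Validate(token);
        if (s == null) throw new UnauthorizedAccessException("missing, unknown or expired token");
        if (Array.IndexOf(s.Roles, "OrderReader") < 0)
            throw new UnauthorizedAccessException(s.User + " is not allowed to read orders");
        return "order " + orderId + " for " + s.User + "@" + s.Realm;
    }
}

// Constructed in-memory provider for the demo; a real provider verifies a password hash.
sealed class DemoProvider : IIdentityProvider
{
    public bool ValidateUser(string user, string password) { return user == "alice" && password == "correct horse"; }
    public string[] GetRolesForUser(string user) { return user == "alice" ? new[] { "OrderReader" } : new string[0]; }
}

static class Program
{
    static void Main()
    {
        var providers = new Dictionary<string, IIdentityProvider> { { "intranet", new DemoProvider() } };
        var agent = new SecurityAgent(providers, TimeSpan.FromMinutes(20));
        var orders = new OrderService(agent);
        string token = agent.Authenticate("intranet", "alice", "correct horse");
        Console.WriteLine(orders.GetOrder(token, 42));              // the token, not a password, travels with the call
        agent.Revoke(token);                                        // e.g. on logout
        try { orders.GetOrder(token, 42); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
        Console.WriteLine(agent.Authenticate("intranet", "alice", "wrong") == null);       // bad password
        Console.WriteLine(agent.Authenticate("partner", "alice", "correct horse") == null); // realm not configured
    }
}
```

Because roles are copied into the session when the token is issued, a role change only takes effect at the next login; looking roles up through the role provider on each Validate call avoids that at the cost of a provider round trip per request. Either way the resource service performs the check itself and does not rely on the front end having done it.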

Besides the membership, role and profile provider methods, I also added services for object- and field-level security control.

For client-side support, I implemented the ASP.NET providers so that existing ASP.NET WebForms applications can simply swap their SQL or AD providers for these new WCF-based providers and start using the SAS services without code changes. We do need to replace the ASP.NET login control and add an HttpModule to obtain and maintain the new user token.

I also created controls for WinForms applications. A few sample projects demonstrate the use of these services and controls in WebForms, WinForms and WCF service applications.

The code is written in C#, and I used PostSharp on the service side. I am sure you will see some issues in the code; please let me know if you have any suggestions. Hopefully it saves you some time on your own projects.

Last edited Mar 28, 2012 at 3:00 AM by boguan, version 4