
.NET Forum / ASP.NET / Web Services / April 2006


Architecture Advice

LockyBoy - 29 Mar 2006 10:25 GMT
Hi All

We currently run several web services which run from a SQL back end.
Currently all users are authenticated before using each web method by passing
a user id in the SOAP body and authenticating against SQL.

I want to implement a single sign on whereby users are authenticated and
then don't have to go through the authentication process again, and services
are authorised by windows roles assigned at sign on.

I'd like to authorise users against ADAM, but the examples I've seen are for
direct authentication with username and WSE 3, which as far as I can gather
does not allow for single sign on.

I assume I need to use ADAM as a brokered authentication service and issue a
security token to negate authentication calls after the first time.

Am I right in my assumptions, or could someone please clarify what steps I
need to take to accomplish this?

Thanks in advance for any help.
Pablo Cibraro - 29 Mar 2006 16:27 GMT
Hi,

In my opinion, you should use SAML to implement a single sign on solution.
There is an implementation of SAML for WSE 3.0 here
http://practices.gotdotnet.com/projects/saml
Usually, the architecture for an application that uses SAML tokens contains
three main components:

1. Client Application
2. Secure Token Service (STS): it is the authority responsible for issuing
SAML tokens. Both the client and the service trust this authority.
3. Service

You can authorize users against ADAM in the STS. If you want to know more
about SAML, take a look at these articles I wrote in my blog:

http://weblogs.asp.net/cibrax/archive/2005/08/01/421233.aspx
http://weblogs.asp.net/cibrax/archive/2006/02/02/437180.aspx

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

LockyBoy - 03 Apr 2006 13:21 GMT
Thanks Pablo

Could you point out the benefits of sts over Kerberos authentication in this
situation?

Also, we will have multiple users accessing our services with the same
username/password, i.e. Company A has 100 employees, their username/password
is test/test1, and Company B has 50 employees with username/password test2/test2
- would there be a problem with multiple users logging on to our service with
the same username and password?

Thanks

Pablo Cibraro - 03 Apr 2006 15:01 GMT
Hi,

Kerberos only works if your client application and your service are in the
same windows domain or different windows domains with trust relationship.
(This does not work when the trust relationship goes beyond this boundary,
for example, different companies).
WS-Federation with SAML has the following benefits over Kerberos:

1. The trust relationship can expand to different realms or domains (In
other words, companies)
2. It is completely extensible, you can modify it to add your own
attributes. (You can not do the same with kerberos)

The bad thing is that you need to manage X509 certificates. A Kerberos token
already has a symmetric key to perform cryptographic operations, so it does
not need an X509 certificate.

No, you won't have any problem, but you won't be able to identify the 100
employees (you will always identify one employee for Company A). If you
use SAML, you can identify the company with an X509 certificate and the user
with a custom attribute inside the token.

Regards,
Pablo Cibraro.

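The three components from Pablo's first reply (client, STS, service) and the company/employee distinction from this reply, put into working code as an added example. This is not code from the thread, from WSE 3.0 or from the linked SAML implementation. It stands in an HMAC key shared between the STS and the service for the X509 certificate the thread mentions, a signed JSON claim set for a SAML assertion, and a constructed account table for the ADAM directory; the account names, companies, roles and function names are all assumptions made for the example.

```python
"""Brokered authentication with a Security Token Service (STS), added example.

Flow:
  1. The client authenticates ONCE to the STS with the company's shared
     credential plus the employee name it wants asserted.
  2. The STS verifies the credential (stand-in for an ADAM bind) and issues
     a signed token carrying company, employee, roles and a lifetime.
  3. Each web method checks the token's signature and expiry and authorises
     on the roles inside it; no further credential lookup per call.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample data, not from any real deployment.
STS_SIGNING_KEY = secrets.token_bytes(32)   # stand-in for the STS X509 private key, shared with the service
ACCOUNTS = {                                 # shared company credential -> company and roles (stand-in for ADAM)
    "test":  {"password": "test1", "company": "CompanyA", "roles": ["Reader"]},
    "test2": {"password": "test2", "company": "CompanyB", "roles": ["Reader", "Writer"]},
}
TOKEN_LIFETIME = 3600  # seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def authenticate_company(username: str, password: str) -> Optional[dict]:
    """STS: verify the shared company credential; returns the account or None."""
    account = ACCOUNTS.get(username)
    if account is None or not hmac.compare_digest(account["password"].encode(), password.encode()):
        return None
    return account


def sts_issue_token(username: str, password: str, employee: str, now: Optional[float] = None) -> str:
    """STS: issue a signed token after authenticating the company credential.

    Trust boundary: the STS has verified the *company*; 'employee' is a custom
    attribute supplied by the client and is only as reliable as that company's
    handling of its shared credential.
    """
    now = time.time() if now is None else now
    account = authenticate_company(username, password)
    if account is None:
        raise PermissionError("authentication failed")
    claims = {
        "company": account["company"],
        "employee": employee,            # custom attribute asserted by the client
        "roles": account["roles"],
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME,
        "jti": secrets.token_hex(8),     # unique id so the service can log or revoke one token
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)


def service_validate(token: str, now: Optional[float] = None) -> dict:
    """Service: check signature and lifetime, return the claims; raises ValueError."""
    now = time.time() if now is None else now
    if "." not in token:
        raise ValueError("malformed token")
    body, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(body), sig):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token expired or not yet valid")
    return claims


def is_token_valid(token: str, now: Optional[float] = None) -> bool:
    try:
        service_validate(token, now)
        return True
    except ValueError:
        return False


def has_role(token: str, role: str, now: Optional[float] = None) -> bool:
    """Authorisation decision a web method would make from the token alone."""
    return is_token_valid(token, now) and role in service_validate(token, now)["roles"]


def forge_without_key(token: str, **changes) -> str:
    """What a client without the STS key can do: rewrite claims under the old signature."""
    body, sig = token.rsplit(".", 1)
    claims = json.loads(_unb64(body))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig


def web_method_update_order(token: str, now: Optional[float] = None) -> str:
    """A web method authorised purely from the roles in the token."""
    claims = service_validate(token, now)
    if "Writer" not in claims["roles"]:
        raise PermissionError(f"{claims['company']}/{claims['employee']} lacks the Writer role")
    return f"order updated by {claims['employee']} of {claims['company']}"


if __name__ == "__main__":
    tok = sts_issue_token("test2", "test2", "bob")
    print(service_validate(tok))
    print(web_method_update_order(tok))
```

The token is what removes the per-call SQL lookup: after the one STS call, every web method only checks a signature and an expiry. Two things the example makes visible that the thread's wording leaves implicit: a client cannot promote itself from Reader to Writer by editing the token, because the signature no longer matches (`forge_without_key`), and the employee name is asserted by the client rather than verified, so with a shared company password the service can attribute an action to "alice of CompanyA" only as far as it trusts CompanyA to hand that password to the right people.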
LockyBoy - 03 Apr 2006 15:43 GMT
Thanks Pablo

My last question is, do all our clients have to have WSE 3 installed on their
PCs to enable us to take advantage of WSE 3 on our web services?

If so, doesn't that defeat the non-proprietary aspect of web services?!

Many Thanks

Pablo Cibraro - 03 Apr 2006 17:33 GMT
WSE3 is only a framework that adds WS-* support to the Web services stack.
You can use your own code or other product to do the same but the generated
messages must be compatible with the messages accepted by WSE.

Regards,
Pablo Cibraro.


©2008 Advenet LLC   Privacy Policy - Terms of Use