.net 4.5 proxy's and config generation; making advanced modes of WIF and WCF 'easier"

Question

I've been going through the identity training kit - hoping that it would teach me the "must know" skills to be effective with WCF and WIF security. And while it has definitely helped be a practical engineer (being so step by step, and so focused on username tokens rather than windowidentity tokens) when compared to learning the art (earlier) from best practice samples it reinforced something that I now question:

in visual studio 11 and .NET 4.5 era, will one be able to have use svcutil to built a working proxy (and .config) that can exploit a server's actAs bindings, or Just even act as a WCF client talking to an STS talking to a server (with claims authz manager within).

What I find with todays stuff is that there are many manual steps still involved, all requiring very precise knowhow. There is not an out of the box generated WCF project that works with an STS. Default projects throw up useless cardspace dialogues. Proxy' config files generated need manual modification (for audience management to address spoofed endpoints); load balancing is a mess with too many tweaks required, etc. its trivially easy to run into the "could not validate security token message", and WIF tracing within the ws-secureconversation flows seems useless (to try and figure what step is causing issues).

Is this cleaned up in the next version? its making me nervous to adopt it (even though the demos are great). What I have to measure as a CISO is sustainability, appropriateness, etc - not can an expert do it, in a one site  deployment.

now its a good sign when I can do it myself (following instructions). But, we cannot afford everyone to have the learning curve I've gone through . The next generation tools need to doing the work, that requires certification-level expertise and training today.

how about I put it this way: is ws-security work at Microsoft finished? or is there lots of more tools and integrations coming (based on the largely finished baseline)?

What I'm hoping to hear is someone say: well you know, we will be release the json serializer with different token blobs, and everything you know from SOAP will carry over to the next generation of tools (that are easier to use, better integrated with javascript, yada yada). thus, the WCF investment is not wasted - its all valuable going forward (now with a new blob format, and javascript event handlers, interceptors etc etc)

Answer 1

Some comments -

svcutil has always worked - building complete code and config to talk to a WCF service via STS authentication. Not sure what you mean with "ActAs Binding".

But yeah - WCF always was, and will always be complex and requiring you to have a deep understanding how things work. The guys that know how things work need to build the service agents and service factories etc - to make it easier for the "normal" devs. This is very typical for any WCF work (The F stands for Foundation after all).

But you are right - WS-* work is considered almost "done" (not speaking for MS of course - just my personal opinion). The JavaScript, JSON etc efforts all go into the HTTP/REST stack called ASP.NET Web API. But this is a totally different thing compared to SOAP.

---

Dominick Baier | thinktecture | http://www.leastprivilege.com