Wednesday, April 18, 2012 9:48 PM
I've been going through the identity training kit, hoping that it would teach me the "must know" skills to be effective with WCF and WIF security. And while it has definitely helped me be a practical engineer (being so step by step, and so focused on username tokens rather than WindowsIdentity tokens) when compared to learning the art (earlier) from best-practice samples, it reinforced something that I now question:
In the Visual Studio 11 and .NET 4.5 era, will one be able to use svcutil to build a working proxy (and .config) that can exploit a server's ActAs bindings, or just even act as a WCF client talking to an STS talking to a server (with a claims authz manager within)?
What I find with today's stuff is that there are many manual steps still involved, all requiring very precise know-how. There is no out-of-the-box generated WCF project that works with an STS. Default projects throw up useless CardSpace dialogues. Generated proxy config files need manual modification (for audience management, to address spoofed endpoints); load balancing is a mess with too many tweaks required, etc. It's trivially easy to run into the "could not validate security token" message, and WIF tracing within the WS-SecureConversation flows seems useless (for trying to figure out which step is causing issues).
Is this cleaned up in the next version? It's making me nervous to adopt it (even though the demos are great). What I have to measure as a CISO is sustainability, appropriateness, etc., not whether an expert can do it in a one-site deployment.
Now, it's a good sign when I can do it myself (following instructions). But we cannot afford for everyone to have the learning curve I've gone through. The next-generation tools need to do the work that requires certification-level expertise and training today.
How about I put it this way: is the WS-Security work at Microsoft finished? Or are there lots more tools and integrations coming (based on the largely finished baseline)?
Thursday, April 19, 2012 5:08 AM
Some comments -
svcutil has always worked - building complete code and config to talk to a WCF service via STS authentication. Not sure what you mean by "ActAs binding".
But yeah - WCF always was, and will always be, complex, requiring you to have a deep understanding of how things work. The guys who know how things work need to build the service agents and service factories etc. to make it easier for the "normal" devs. This is very typical for any WCF work (the F stands for Foundation, after all).
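As an added illustration (not part of either post above), here is the shape of the configuration the thread is arguing about: the client-side ws2007FederationHttpBinding that a proxy generated by svcutil (for example `svcutil.exe https://service.example.com/Service.svc?wsdl /config:app.config /out:ServiceProxy.cs`) has to end up with to authenticate through an STS, and the service-side WIF 3.5 (`Microsoft.IdentityModel`) settings that pin the accepted audience and issuer. The audienceUris entry is the "audience management" the first post refers to: WCF sends the target endpoint address as the AppliesTo of the token request, and WIF on the service rejects tokens whose audience does not match, which is what stops a token minted for a different or spoofed endpoint from being replayed here. All hostnames, binding names, the contract name and the certificate thumbprint are placeholders chosen for this example.

```xml
<!-- Added example, not from the original thread. Hostnames, binding and
     contract names, and the issuer thumbprint are placeholders. -->

<!-- ===== Client app.config: call the service through an STS ===== -->
<system.serviceModel>
  <bindings>
    <!-- Binding used to authenticate to the STS itself: username token
         over HTTPS, no secure-conversation session. -->
    <ws2007HttpBinding>
      <binding name="StsUserNameBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>

    <!-- Federation binding: the client first obtains a token from <issuer>,
         then presents it to the service endpoint. -->
    <ws2007FederationHttpBinding>
      <binding name="FederatedBinding">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false">
            <issuer address="https://sts.example.com/Trust/13/UsernameMixed"
                    binding="ws2007HttpBinding"
                    bindingConfiguration="StsUserNameBinding" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>

  <client>
    <!-- The endpoint address is also sent to the STS as AppliesTo, so the
         issued token's audience is bound to exactly this URL. -->
    <endpoint address="https://service.example.com/Service.svc"
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="FederatedBinding"
              contract="IService" />
  </client>
</system.serviceModel>

<!-- ===== Service web.config: WIF 3.5 settings =====
     Requires the usual <configSections> registration of
     microsoft.identityModel; omitted here for brevity. -->
<microsoft.identityModel>
  <service>
    <!-- Reject any token whose audience does not match this endpoint.
         mode="Never", or an empty list, is what lets a token issued for
         some other (possibly spoofed) endpoint be accepted here. -->
    <audienceUris mode="Always">
      <add value="https://service.example.com/Service.svc" />
    </audienceUris>

    <!-- Only tokens signed by the STS certificate with this thumbprint are
         trusted; any other signer fails token validation. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="0000000000000000000000000000000000000000"
             name="https://sts.example.com/" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
```

Two practical checks when one of these deployments throws the generic token-validation error: confirm that the client endpoint address in app.config is byte-for-byte one of the service's audienceUris values (a load balancer that rewrites the host name, or http versus https, breaks this), and confirm that the thumbprint in trustedIssuers is the STS signing certificate currently in use. In .NET 4.5 the same settings move under `<system.identityModel>`, but the audience and issuer checks are unchanged.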