WIF Basic Principles (1): Identity Library


WIF (Windows Identity Foundation) is a development framework that brings together identity-based security models, scenarios, and implementation details. WIF offers three main benefits:

  • It is based on declarative identity processing.

  • It completely separates business logic from authentication and authorization.

  • It provides a security architecture that can be studied and extended.

This series focuses on the principles behind WIF and uses them to learn the basic elements and methods of building a security framework. Those principles are also a good way to understand the general terminology and technical model of identity security.

Identity Library

For some applications, working with user identities is easy. Consider a Windows application that is accessed only by users within a single organization and does not need to know much about them. This application can rely on Kerberos alone to authenticate its users and convey basic information about them. Or consider an application that is accessed only by Internet users: it can simply require a user name and password from each user and store this user information in a database.

However, for most applications, working with user identities is more complex. Consider an application that needs more information about each user than Kerberos or a simple user name and password provides. This application must obtain that information from some other source or store it itself. Or consider an application that must be accessible both to employees within an organization and to Internet users: it must support Kerberos-based logins as well as logins based on user names and passwords. Finally, assume that the application must be accessible to users from different organizations without requiring them to log on separately. This kind of identity federation cannot be properly implemented through Kerberos or user name and password logons.

Figure 15-1 shows the identity library problem in a typical organization. As the figure shows, users are forced to log on separately to each application in their own domain, not to mention applications in other domains.

Figure 15-1 Identity libraries

As shown in Figure 15-1, different domains require different identity libraries, and for the enterprise's applications as a whole these identities need to be consolidated into a federated identity library (federated at least logically). However, modifying existing systems poses great challenges, for example user identities that are already stored in different databases, or the consolidation of existing validation logic, especially across different business systems. How can a single identity scheme solve the problems above?

Claims-based identity provides one approach to identity that can be used in all of these cases. It is based on widely recognized industry standards that work across platforms and organizational boundaries. It has also been widely implemented in many vendors' products and is easy for developers to use.
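The idea above as an added example (not code from the original article or from the book it is adapted from): two identity libraries feed one claims-based identity, and the business logic checks claims without knowing how the user logged on. It assumes System.Security.Claims from .NET 4.5 and later, where the WIF claims model was integrated; the issuer names, the "department" claim and the payroll rule are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class ClaimsDemo
{
    // Hypothetical issuer names for the two identity libraries in this example.
    const string KerberosIssuer = "urn:example:corp-kerberos";
    const string WebDbIssuer = "urn:example:web-user-db";
    static readonly HashSet<string> TrustedIssuers =
        new HashSet<string> { KerberosIssuer, WebDbIssuer };

    // Each login path maps data from its own store to the same claim types.
    static ClaimsPrincipal FromKerberos(string account, string department) =>
        Build(KerberosIssuer, "Kerberos", account, department);

    static ClaimsPrincipal FromPasswordLogin(string userName, string department) =>
        Build(WebDbIssuer, "Password", userName, department);

    static ClaimsPrincipal Build(string issuer, string authType, string name, string dept)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, name, ClaimValueTypes.String, issuer),
            new Claim("department", dept, ClaimValueTypes.String, issuer),
        };
        // A non-empty authentication type marks the identity as authenticated.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, authType));
    }

    // Business logic: reads claims only, and accepts them only from trusted issuers.
    static bool CanViewPayroll(ClaimsPrincipal user) =>
        user.Identity != null && user.Identity.IsAuthenticated &&
        user.Claims.Any(c => c.Type == "department" && c.Value == "Finance"
                             && TrustedIssuers.Contains(c.Issuer));

    static void Main()
    {
        // Constructed sample users, one per login path, plus one from an unknown issuer.
        var employee = FromKerberos(@"CORP\alice", "Finance");
        var webUser = FromPasswordLogin("bob@example.com", "Sales");
        var untrusted = Build("urn:example:unknown", "Password", "carol", "Finance");

        foreach (var p in new[] { employee, webUser, untrusted })
            Console.WriteLine($"{p.Identity.Name}: payroll access = {CanViewPayroll(p)}");
    }
}
```

The authorization check never branches on the authentication type, and the issuer test is what stops a claim with the right value but an unknown origin from being honored.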

Note: This part of the text is adapted from ".NET Security Secrets".
Author: Hyun-Soul

Source: http://www.cnblogs.com/xuanhun/
