Approximately two years ago, I was asked to build security integration between the open-source applications I manage and a large web application written in .NET. The knowns at the outset of the project included:
- The integration point was a custom built authentication/authorization server
- The server was a .NET application built on Windows Identity Foundation (WIF).
- The server implemented claims based authentication
- I was given a link to the server’s MetaDataExchange (mex) document
- I barely knew anything about claims based authentication
- I’d be hard pressed to cover the head of a pin with my .NET knowledge
- My Microsoft counterparts had little availability
- No one had any idea how cross platform integration actually worked
Effectively, my team was completely on its own.
No problem…
I started with my trusty friend Google. After several minutes, I noticed that the term interoperability frequently appeared in the search results. Dictionary.com defines interoperability as:
…of or relating to the ability to share data between different computer systems, esp on different machines: interoperable network management systems…
That makes sense. I needed to share user data and authentication credentials between a java application, a ruby application, and a Microsoft backed security system. Google the words “interop java Microsoft” and you hit what at first glance looks to be an embarrassment of riches. Narrow the search terms to “interop java Microsoft security” and it appears as if this problem has been solved many times over.
No problem…
Little did I know that this would turn out to be one of the most difficult projects of my career.
The first order of business was to bone-up on claims based authentication. I also needed to figure out what in blazes I do with a mex. Luckily, there is no shortage of documentation on the subject. Some of the resources I found helpful included the ws-federation documents hosted by Oasis (https://www.oasis-open.org/), and numerous guides hosted at Microsoft (A Guide to Claims-Based Indentity, Claims-Based Identity for Windows, and the Windows Identity Foundation White Paper for Developers).
These docs provide a great overview of claims based authentication. The concept is not difficult to grasp and it solves several authentication and authorization challenges quite elegantly. Wikipedia provides a nice overview. Simply put,
…Claims-based identity is a common way for applications to acquire the identity information they need about users inside their organization, in other organizations, and on the Internet. It also provides a consistent approach for applications running on-premises or in the cloud…
At this point I was feeling pretty good. The concept seemed sound and the documents were very clear and easy to follow. There was one problem. Despite referring numerous times to how easy this architecture lends itself to interoperability between platforms, the documentation contained no details on how to actually do it. Furthermore, I was doing this research right after Oracle purchased Sun. That event proved to be the bane of my existence due to nearly every Sun link redirecting to a generic Oracle page. I lost count of the number of times Google returned search results with teaser text suggesting I’d found the perfect interoperability how-to, only to click it and watch the browser redirect to Oracle’s site with a “page not found”.
Perhaps this will be a problem…
After days of struggling, we made a small breakthrough when I found a Sun link that actually worked with documentation on something called WSIT (Web Services Interoperability Technologies). Using the information in that document, we were able to generate client code from the mex URL. But that is the story of another post.
This is the introduction to a multi-part article that will describe the challenges, pitfalls, roadblocks and – ultimately – the solution for integrating two different open-source applications with a claims based authentication/authorization service written in .NET. It will be a journey of knowledge expressed via my adventure in pain. My hope is that I’ll spare you the pain and provide just knowledge. 😉