views:

245

answers:

2

My employer currently has most of its access to the database through C# sqlDataAdapters and sqlCommands on a WebServices server or components in applications. These are mostly Windows Forms apps that are ran on intranet and internet depending on their functionality.

I have been researching WCF quite a bit and I feel it would be a good fit for our us. Also my manager has a copy of ILM(MS Identity Lifecycle Management Server) that he would like to use to to provide SSO support for authentication and authorization for all of our applications.

Our applications request data from the database and it is returned in dataTables primarily. I know collections are better, it is just the established practice used. So I am trying to find a solution that will be secure, authenticate through ILM and return data to the client in a dataset(at first, migrate to collections later) from webServices server.

My question is will this work or will it be too slow?

  1. Client calls routine on WCF requesting data
  2. WCF server checks with ILM to see if its ok to do so
  3. WCF calls webServices server to get the data
  4. Dataset or collection is passed back to the client.

If this is feasible how would I go about connecting to ILM for authentication. Is there a slick way to do it in the Web.Config file or would I have to do it on the message level on my own?

Thanks in advance.

A: 

I'm not hugely familiar with ILM, but I'm guessing that it is pretty granular to specific data queries. With WCF you can hook your own identity-provider by implementing IAuthorizationPolicy (like so) and providing your own "principal". I suspect it would be pretty easy to write a principal that works against ILM, but this would presumably be for pretty broad checks - "do I have CustomerAudit access", rather than "can I access CustomerAudit for customers in the north-east".

A nice thing about using a principal is that you can also use [PrincipalPermission] checks on methods, so you don't need to add broad security checks to your code (the CLR enforces [PrincipalPermission] directly).

Marc Gravell
+2  A: 

I am familiar with ILM. It's not an authentication service. ILM means Identity Lifecule Manager and it's a pretty good description of what it can do. It can provision new users, deprovision old users and allows you to copy identity data between identity stores. It also provides a password synchronisation service. You still use Active Directory or AD LDS (ex-ADAM) or some other directory for AuthN and AuthZ.

Whilst ILM stores a whole load of data about your users, you are strongly discouraged from accessing that data directly.

[EDIT]

ILM does not provide LDAP services. Think of it as a manager: it doesn't do any work itself, it just rearranages things periodically. As your manager moves round data in the form of emails, it moves round data in the form of account details.

ILM is a tool for managing identities across directories and databases. It doesn't make sense to consider ILM in the context of a single store, SQL, AD or any other - its job is to marshall data between stores. It wouldn't have anything to do if there was only a single store.

Here's a typical scenario: you create a SQL table called People containing columns for firstName, lastName, jobTitle, department, a uniqueID, startDate and endDate. ILM is hooked into this table. It does a daily import and there is a new row. ILM uses the data in this row to create a userID in AD, another in Domino and another in a different SQL Database. It uses the jobTitle and department fields to assign group membership in AD, mailing lists in Domino and permissions in SQL.

The user starts and works for a few weeks and then resigns. You set the endDate in the table and ILM notices this change on its next import. It updates the AD account to expire on that date and stores a delayed action to delete it after 90 days. 90 days later, it deletes the account. Likewise with the other accounts.

You can use your personnel system instead of the SQL table but (a) it's not usually in the right format or maintained timely enough and (b) they're often itchy about letting you have access to their data.

serialhobbyist
So if our users are currently managed though a custom users table in SQL Server, ILM can manage that or should we create AD or ASP.net users for these and have ILM manage them that way? We also discussed using LDAP in ILM. Does that provide any authentication? Thanks!
JasonBlackwoodStone
I've fleshed out my response in light of your comments.
serialhobbyist
Thank you for your responses, they are very helpful. So if I understand you correctly if we were to move to WCF and currently all of our user data was stored in a SQL server table, ASP.NET, and AD we could utilize ILM to synchronize of all those user accounts between each other as well as use it to synchronize to AD LDS(ADAM) user store that I can use to authenticate against? In the end I would really like to take all of our User passwords, user groups and access rights out of SQL Server tables and put them in AD LDS if possible. Thanks.
JasonBlackwoodStone
Yes, you can use it to do the synchronization. Good luck!
serialhobbyist