Zulfiqar's weblog

Architecture, security & random .Net

Introducing Workflow Security Pack

Posted by zamd on February 23, 2010


Have you already started serious development with WF 4 and found security limitations?

Have you struggled to implement authenticated messaging, claims-based security, role-based security and other security features in workflow solutions?

WF 4 is a highly extensible framework so most of these features can be built using the WF extensibility model, but wouldn’t it be nice to have all of these security features available in an easy to use activity library?

 

Here comes the Workflow Security Pack (WFSP) project… WFSP is a collection of activities and associated plumbing to enable key security scenarios in WF 4.  WFSP activities blend with the rest of the WF to bring end-to-end integrated security into workflow solutions. The following diagram shows the initial set of activities which are part of WFSP.

cid:image001.jpg@01CAB458.185E10A0 

Following are some of the scenarios enabled by WFSP:

1.      Authenticated messaging

a.      Enables the use of various credentials with Send activity

b.      Follows exactly the same model when using a Username token or a Saml token issued by an STS

2.      Role-based security

a.      Enables principal permission based authorization on the Receive activity

b.      Supports standard RoleProvider extensibility model

3.      Claims-based security

a.      Ability to acquire a SAML token using the WS-Trust protocol

b.      Ability to pass this token to a SAML secured service using WS-Security

4.      End-to-end Claim-based delegation

a.      Ability to use any token as an ActAs token

5.      Transparent handling of tokens in a long-running environment

a.      Enlisted tokens are preserved during persist and reload cycles

6.      Impersonation and Delegation support

a.      Ability to impersonate incoming Identity on Receive side

b.      Ability to impersonate a User identity on the Send side

c.      Ability to call a backend service from the Impersonated scope (Kerberos delegation)

7.      WCF OperationContext access in a thread-agnostic way

 

In future posts, I’ll take an in-depth look into each of activities above and various scenarios enabled by these activities. Stay tuned.

 

 

Advertisements

10 Responses to “Introducing Workflow Security Pack”

  1. larsw said

    Hi,

    a) Great work – I’m anxious to try it out.
    b) The InitializX509Token activity seems to have a small typo in it (Initializ -> Initialize).

    –larsw

  2. zamd said

    Thanks, I’m planning to make these available to public in next few weeks.

  3. scott_m said

    Will WFSP have any sample workflows that show how to use the new security activities?

    I am surprised Microsoft has not done anything official like WFSP yet.

    • zamd said

      Hi Scott,

      Most of these security scenarios (including in-workflow integration with WIF) are on the list for next version of .Net Framework. Regarding WFSP, yes there will be samples illustrating all of the security features.

      Thanks, Zulfiqar

  4. […] Introducing Workflow Security Pack […]

  5. […] Introducing Workflow Security Pack […]

  6. scott_m said

    Is the W.F.S.P. code available on Codeplex or Github?

    thanks

  7. […] Introducing Workflow Security Pack « Exposing Service metadata via HTTP Get on the Service Bus […]

  8. Mark Fang said

    Can you try to have a working WSE3 client to this WSE3 service and post here the SOAP that this client sends? (you can use a tool like fiddler or tcpmon to capture it.
    sexy lingerie manufacturer in china

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: