Setup a Full Federation Scenario with Web Application, Web Service, Windows Client, and ADFS Server Development Environment – Part 1

As developers, we take part in many projects. In each project there is usually some kind of ready-made framework. With a framework in place, developers only need to focus on developing business functionality. It is a good setup and a good environment: each person focuses on what they do best.

I have been working on federated business applications, where the interaction is complicated and secured, and which need a lot of environment setup. Most of the time there is already a ready-made framework; I just use it.

So far so good, except that I do not have enough skill in those areas. What if I had to set up a full environment locally for my own testing and experience? I felt pain just thinking about it.

5-4-3-2-1 GO! I decided to give it a GO.

Scenario

The common scenario is that there are 4 components:

  1. WCF Web Service: the central service that takes care of the business application/logic. This service is secured and not exposed to the outside world.
  2. WPF (Windows)/Console Client: a UI application that lets users do their jobs internally. This client connects to the WCF service. Most of the time, the users of this client have a lot of permissions.
  3. ASP.NET MVC Web Application: a public web application that allows public users to interact with the WCF service. This application supports a limited subset of the functionality.
  4. AD FS Server: login and user management are handled by the AD FS server (backed by the AD DS directory).

The implementation of those applications is out of scope, and not that interesting either. The interesting part is the communication between them in a development environment.

I want to set up something like this:

[Figure: Scenario – general overview of components]

I want to have:

  1. A local AD FS server
  2. HTTPS communication between the services
  3. Windows Identity Foundation (WIF) to manage login

Ask Google

I can explain the whole thing in words, in my mind, in logic. I would have thought that I could google it and get the job done. Reality? Google gives me so much information. All the information I need is out there. The problem comes when you actually start to read it and apply it in your job.

Why? Because Google can give you the pieces, but you have to connect them. Google cannot help you connect the dots.

That said, I will use those pieces and write down the way I connect them. You might have your own way.

AD FS Server

It sounds like a trivial task. It sounds like I can google it and follow the instructions. But, hell NO. The problem? I do not have a system administration background. Therefore, I have had a hard time understanding the relationships between the components. I could not draw a mental representation of them.

Googling around, I learned that I have to set up things called Domain Services (AD DS), Certificate Services (AD CS), and Federation Services (AD FS). Unfortunately, none of them knows me 🙁 I do not know them either 😛

So instead of following the instructions, I decided to make sense of them first. I had to draw a picture of them, AKA a mental representation.

At the minimum, I need 3 things: users, certificates, and login.

Active Directory Domain Services (AD DS)

In less than a second, I can find this useful document from Microsoft Docs:

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

My take:

AD DS allows me to create and manage users. That's it! That is all I need to know.

Active Directory Certificate Services (AD CS)

Now that I have users, I need certificates to set up HTTPS communication. AD CS allows me to issue certificates for use in my lab environment. It does many other things; however, all I need are some valid certificates for development purposes. One caveat: certificates issued by a lab CA are only valid to machines that trust that CA's root certificate. Domain-joined machines pick up an enterprise CA's root automatically; anything outside the domain (a phone, a non-joined laptop) has to have it imported by hand.

Turn it on following the instructions on the Microsoft site.

Active Directory Federation Services (AD FS)

And finally, I need to set up AD FS. There is a perfect set of instructions here. If you are a developer, you should check out the Microsoft Docs. At the highest level of abstraction (at least to my understanding), what it does is give you a nice login form. It authenticates the users who consume your service and issues them security tokens that your applications trust, so the applications themselves never see the user's password.

[Figure: My local AD FS server – 3 services on one computer]

With very little knowledge about administration and servers, I managed to install just enough for my needs. Once I knew what I had to install, it was rather easy to do, because most of the information you need is already there, for free. The most important thing is to figure out what I need, and how to make sense of it.

In my development environment, I decided:

  • Everything is in one single virtual machine (Hyper-V on Windows). Running AD DS, AD CS and AD FS on the same box is a lab shortcut, not a production layout.
  • Computer name: DC01, because I might want to have other servers later on.
  • Domain: tad.local
  • AD FS: adfs.tad.local
  • Windows Server 2016 Datacenter (trial version, 180 days)

The main purpose of this post is to document what I understood about them. I do not write down the details of the installation process or the other problems I had while doing it. I did that for 2 reasons:

  1. Those instructions are already there, well written, on the internet.
  2. After 6 months, when the trial is over, I have to reinstall everything again. That is a good test of my understanding. The more I do it, the more skill I get.


Next

I want to take advantage of the setup by exploring various scenarios:

  1. A website that uses AD FS for login.
  2. A WCF service that serves the requests from the website.
  3. What about a Windows client application that consumes the service? Oh yes, there is one.

Again, one can easily find those topics on the internet. Nothing is new here. I just try to write it in my own way, with my own understanding.

The more I write, the better I am.

WCF – Endpoint Basics

I have just finished reading about WCF service endpoint basics. So what is it?

An endpoint is where a consumer contacts the service. To remember what an endpoint is made of, just remember the ABC of an endpoint: Address, Binding, and Contract.

  1. Address: the URL of the service location, e.g. http://localhost/SomeService/Service/
  2. Binding: defines how to access the service and how to communicate with it (transport, message encoding, and the security mode, which is where the HTTPS and credential settings of the federation scenario end up).
  3. Contract: defines what the service does.

There are 2 ways of creating an endpoint: by configuration and by code. Configuration is the best practice, since you can change it later, after the service is deployed, without recompiling the code.

Creating an endpoint using configuration is quite simple. Just create a WCF service library project and VS takes care of everything for you 🙂

For services exposed to multiple clients, you can specify more than one endpoint so that each client can use the one most suitable for it. You add one more endpoint tag in the configuration and make sure that the address is unique for each. If the address is the same, then the contract should be different.

Take advantage of the baseAddress tag to specify the common part of the address. And again, VS already takes care of that 🙂

The default configuration generated by VS exposes metadata (the WSDL) to the client. To turn it off, set httpGetEnabled to false. Keep in mind that a mex endpoint (IMetadataExchange) still serves the metadata even when httpGetEnabled is false, so remove that endpoint as well. Metadata is handy while developing, but it tells anyone who can reach the endpoint exactly which operations and data types the service exposes, so for a service that is "not exposed to the outside world" it should stay off outside development.
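The same ABC in code, as an added example that is not from the original post: a hypothetical IGreeter contract, a base address, two endpoints that share the contract but differ in binding (and therefore in address), and the metadata switch. Everything here has a one-to-one equivalent in app.config (the service, baseAddresses, endpoint and serviceMetadata elements that VS generates); the service name, namespace and port are assumptions for the example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// C: the contract, i.e. what the service does (hypothetical contract for this example).
[ServiceContract(Name = "Greeter", Namespace = "http://tad.local/2017/greeter")]
public interface IGreeter
{
    [OperationContract]
    string Greet(string name);
}

public class Greeter : IGreeter
{
    public string Greet(string name) => $"Hello, {name}";
}

public static class GreeterHostFactory
{
    // Builds the host in code. The equivalent configuration is a <service> element
    // with a <baseAddresses> block, two <endpoint> elements and a serviceMetadata behavior.
    public static ServiceHost Create(bool exposeMetadata)
    {
        // Base address (assumed): the common part of every endpoint address below.
        var host = new ServiceHost(typeof(Greeter), new Uri("http://localhost:8080/SomeService/"));

        // Endpoint 1: A = base + "basic", B = BasicHttpBinding, C = IGreeter.
        host.AddServiceEndpoint(typeof(IGreeter), new BasicHttpBinding(), "basic");

        // Endpoint 2: same contract, different binding, so it needs a different address.
        host.AddServiceEndpoint(typeof(IGreeter), new WSHttpBinding(), "ws");

        // Metadata: the VS-generated config turns httpGetEnabled on. Here it is off unless
        // asked for; otherwise anyone who can reach the base address can download the WSDL.
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = exposeMetadata });
        if (exposeMetadata)
        {
            // A mex endpoint serves metadata even when httpGetEnabled is false,
            // so it is only added when metadata is actually wanted.
            host.AddServiceEndpoint(typeof(IMetadataExchange),
                MetadataExchangeBindings.CreateMexHttpBinding(), "mex");
        }
        return host;
    }
}

class Program
{
    static void Main()
    {
        using (var host = GreeterHostFactory.Create(exposeMetadata: false))
        {
            host.Open();
            // Print the ABC of every endpoint the host actually listens on.
            foreach (var ep in host.Description.Endpoints)
                Console.WriteLine($"{ep.Address.Uri}  binding={ep.Binding.Name}  contract={ep.Contract.Name}");
            Console.WriteLine("Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Self-hosting on an http:// base address requires either an elevated prompt or a URL reservation for that port (netsh http add urlacl); switching the base address to https:// and the bindings to transport security is the point at which the AD CS certificate from the first half of this post comes into play.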

I just wrote these down as a way of learning; if you do not understand or have any questions, please post a comment.

WCF – Contracts

This is the first time I have spent time reading about WCF, even though it has been around for a long time. And I have just finished chapter 1 🙂 With OOP in mind, since I have been working with OOP for quite long enough, I was surprised by the advice from the book:

DO NOT THINK THE OOP WAY, THINK IN DOCUMENTS INSTEAD.

So what is behind the scenes here? WCF is SOA (Service Oriented Architecture): everything is seen as contracts and messages. Whereas OOP is the way we build our object model to solve the business needs.

Summary of some key words:

  • To define a service: mark the interface with the ServiceContract attribute, and as best practice always give it a Name and Namespace (otherwise the CLR interface name and http://tempuri.org/ end up in the WSDL, and renaming the interface later breaks existing clients).
  • To define an operation: mark the method with the OperationContract attribute. If it may throw a FaultException<T>, a FaultContract(typeof(T)) attribute is required. Never put a FaultContract on a OneWay operation: there is no reply message to carry the fault. Unhandled exceptions are turned into generic faults; leave includeExceptionDetailInFaults off outside development, or stack traces go to the client.
  • To define a class containing data sent through the service: mark the class/enum with the DataContract attribute, and mark each member to be serialized with DataMember or EnumMember. Members without DataMember never go on the wire, which is the easy way to keep internal fields out of the response.

In case you really need inheritance and the return type is the base class, for instance a Task class with an ApprovalTask class that inherits from Task: consider the situation where you want to return a collection of Task, and some of the items are ApprovalTask. THEN the Task class must be decorated with the KnownType(typeof(ApprovalTask)) attribute; otherwise the serializer refuses the derived type at run time, because the contract only tells it about Task.
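All of the above in one place, as an added example rather than code from the book or the post: a hypothetical ITaskService with an explicit Name and Namespace, a request/reply operation with a FaultContract, a OneWay operation without one, Task/ApprovalTask data contracts with the KnownType attribute, and a member without DataMember. The Main runs the service's own return value through DataContractSerializer (the serializer WCF uses) so you can see which fields leave the service and that the ApprovalTask instance survives inside a List<Task>. The contract names, namespace and sample tasks are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.Xml;

// Data contract: only members marked [DataMember] are serialized.
// KnownType lets a Task-typed collection carry ApprovalTask instances.
[DataContract(Namespace = "http://tad.local/2017/tasks")]
[KnownType(typeof(ApprovalTask))]
public class Task
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Title { get; set; }
    public string InternalNote { get; set; }   // no [DataMember]: never leaves the service
}

[DataContract(Namespace = "http://tad.local/2017/tasks")]
public class ApprovalTask : Task
{
    [DataMember] public string Approver { get; set; }
}

[DataContract(Namespace = "http://tad.local/2017/tasks")]
public enum TaskStatus
{
    [EnumMember] Open,
    [EnumMember] Closed
}

// Fault detail: what the client receives instead of a raw exception.
[DataContract(Namespace = "http://tad.local/2017/tasks")]
public class TaskFault
{
    [DataMember] public string Reason { get; set; }
}

// Service contract with explicit Name and Namespace (hypothetical service).
[ServiceContract(Name = "TaskService", Namespace = "http://tad.local/2017/tasks")]
public interface ITaskService
{
    // Request/reply: may declare faults.
    [OperationContract]
    [FaultContract(typeof(TaskFault))]
    IList<Task> GetTasks(TaskStatus status);

    // One-way: no reply message, so no FaultContract is allowed here.
    [OperationContract(IsOneWay = true)]
    void Audit(string message);
}

public class TaskService : ITaskService
{
    public IList<Task> GetTasks(TaskStatus status)
    {
        if (status == TaskStatus.Closed)
            throw new FaultException<TaskFault>(new TaskFault { Reason = "Closed tasks are not served." });

        // Constructed sample data: one base Task and one derived ApprovalTask in the same list.
        return new List<Task>
        {
            new Task { Id = 1, Title = "Write report", InternalNote = "internal only" },
            new ApprovalTask { Id = 2, Title = "Approve budget", Approver = "alice" },
        };
    }

    public void Audit(string message) { /* fire-and-forget logging */ }
}

class Program
{
    static void Main()
    {
        var tasks = new TaskService().GetTasks(TaskStatus.Open);

        // Same serializer WCF uses for data contracts; the declared type is the base collection,
        // so without the KnownType attribute on Task this call throws a SerializationException.
        var serializer = new DataContractSerializer(typeof(List<Task>));
        using (var sw = new StringWriter())
        using (var xw = XmlWriter.Create(sw, new XmlWriterSettings { Indent = true }))
        {
            serializer.WriteObject(xw, tasks);
            xw.Flush();
            Console.WriteLine(sw.ToString());   // Approver is present, InternalNote is absent
        }
    }
}
```

To see the KnownType point for yourself, comment out the KnownType line and run it again: the serializer fails on the second list item. Removing the FaultContract does not stop the FaultException<TaskFault> from being thrown, but over a real channel the client would then receive a generic fault with no TaskFault detail.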

Continue reading ….
