WCF → ILM → Web Services → SQL Server

Currently my employer has most of their database access through C# SqlDataAdapters and SqlCommands on the server or web services components in applications. These are mostly Windows Forms applications that run on the intranet and the Internet depending on their functionality.

I am learning WCF quite a bit and I feel it will be good for us. Also my manager has a copy of ILM (Identity Lifecycle Management Server) that he would like to use to provide SSO support for authentication and authorization for all of our applications.

Our apps request data from the database and basically return it in DataTables. I know collections are better, it's just common practice. So I am trying to find a solution that is secure, authenticates through ILM and returns data to the client in a DataSet (first; transfer to collections later) from the web services server.

My question is will this work or is it too slow?

  • Client calls WCF data processing routine
  • WCF Server checks with ILM to make sure it's ok.
  • WCF calls webServices server to get data
  • The dataset or collection is passed to the client.

If feasible, how can I connect to ILM for authentication? Is there a way to do this in the Web.config file, or will I have to do it at the message level myself?

Thanks in advance.


2 answers


I am familiar with ILM. This is not an authentication service. ILM stands for Identity Lifecycle Manager and that's a pretty good description of what it can do. It can provision new users, secure old users, and allow copying identity data between identity stores. It also provides a password sync service. You are still using Active Directory or AD LDS (ex-ADAM) or some other directory for AuthN and AuthZ.

While ILM stores the entire load of data about your users, you are strongly discouraged from accessing this data directly.

[EDIT]

ILM does not provide LDAP services. Think of it as a manager: it doesn't do any work, it just shuffles things around periodically. Where your manager moves data in the form of emails, it moves data in the form of account data.



ILM is a directory and database identity management tool. It doesn't make sense to think of ILM in the context of one store, SQL, AD, or any other; its job is to sort data between stores. There would be nothing to do if there was only one store.

Here's a typical scenario: you create a SQL table called People containing columns for firstName, lastName, jobTitle, department, uniqueID, startDate, and endDate. ILM is connected to this table. It does daily imports and a new row appears. ILM uses the data in this row to create a user ID in AD, another in Domino, and another in a different SQL database. It uses the jobTitle and department fields to assign AD group membership, Domino distribution lists, and SQL permissions.

The user starts and works for a few weeks and then retires. You set endDate on the table and ILM notices this change on the next import. It updates the AD account before that date and keeps a pending action to delete it after 90 days. After 90 days, it deletes the account. Likewise with the other accounts.

You can use your HR system instead of a SQL table, but (a) it is usually not in the correct format or maintained in a timely manner, and (b) they are often touchy about giving you access to their data.


I am not very familiar with ILM, but I assume it is quite verbose for specific data queries. With WCF, you can hook up your own identity provider by implementing IAuthorizationPolicy (like this) and providing your own principal. I suspect it would be fairly easy to write a principal that works against ILM, but that would probably be for fairly broad checks: "I have access to ClientAudit" rather than "Can I access CustomerAudit for clients in the north-east".



The good thing about using a principal is that you can also use [PrincipalPermission] on methods, so you don't need to add advanced security checks to your code (the CLR enforces [PrincipalPermission]).

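The IAuthorizationPolicy plus custom-principal approach from the answer above, as an added example (not code from the original post and not an ILM API). It assumes the caller has already been authenticated by WCF (for example Windows authentication against the AD that ILM provisions), and that role membership can be looked up from the directory; the DirectoryRoleLookup helper and its user names are hypothetical stand-ins for that lookup, with constructed sample data. The Web.config fragment in the leading comment is the standard WCF serviceAuthorization configuration, which answers the question of whether the wiring can live in config rather than at the message level.

```csharp
// Web.config wiring (assumed service name "ClientAuditService"):
//
// <behaviors>
//   <serviceBehaviors>
//     <behavior name="directoryRoles">
//       <serviceAuthorization principalPermissionMode="Custom">
//         <authorizationPolicies>
//           <add policyType="Demo.DirectoryRolePolicy, Demo" />
//         </authorizationPolicies>
//       </serviceAuthorization>
//     </behavior>
//   </serviceBehaviors>
// </behaviors>

using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

namespace Demo
{
    // Hypothetical helper: stands in for a query against the directory (e.g. AD groups)
    // that ILM keeps populated. Sample users and roles are constructed for this example.
    public static class DirectoryRoleLookup
    {
        private static readonly Dictionary<string, string[]> Roles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "CONTOSO\\alice", new[] { "ClientAuditReaders" } },
            { "CONTOSO\\bob",   new[] { "Sales" } },
        };

        public static string[] RolesFor(string userName)
        {
            string[] roles;
            return Roles.TryGetValue(userName, out roles) ? roles : new string[0];
        }
    }

    // Custom authorization policy. WCF calls Evaluate after the transport or message
    // security has authenticated the caller, so the identity here is already verified;
    // the policy only attaches the roles as a principal for [PrincipalPermission] to use.
    public class DirectoryRolePolicy : IAuthorizationPolicy
    {
        private readonly string id = Guid.NewGuid().ToString();

        public string Id { get { return id; } }

        public ClaimSet Issuer { get { return ClaimSet.System; } }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            object identitiesObj;
            if (!evaluationContext.Properties.TryGetValue("Identities", out identitiesObj))
                return false; // no authenticated identity: leave no principal, demands will fail

            var identities = identitiesObj as IList<IIdentity>;
            if (identities == null || identities.Count == 0)
                return false;

            IIdentity identity = identities[0];
            var principal = new GenericPrincipal(identity, DirectoryRoleLookup.RolesFor(identity.Name));

            // With principalPermissionMode="Custom", WCF sets Thread.CurrentPrincipal from this entry.
            evaluationContext.Properties["Principal"] = principal;
            return true; // policy fully evaluated; no need to call again for this message
        }
    }

    [ServiceContract]
    public interface IClientAuditService
    {
        [OperationContract]
        string GetClientAudit(string clientId);
    }

    public class ClientAuditService : IClientAuditService
    {
        // The CLR demands the role before the body runs; a caller without it gets a
        // SecurityException (surfaced to the client as an access-denied fault).
        [PrincipalPermission(SecurityAction.Demand, Role = "ClientAuditReaders")]
        public string GetClientAudit(string clientId)
        {
            return "audit for " + clientId;
        }
    }
}
```

With this wiring, alice's calls to GetClientAudit succeed and bob's are rejected before any data access happens. As the answer notes, the granularity is the role name, so a finer rule such as "audits for clients in the north-east only" still needs a check in the method itself, where the same Thread.CurrentPrincipal is available.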

