Implementing authentication and authorization mechanisms for applications is something we do over and over. However designing the identity architecture to be adopted across an enterprise is a more challenging task. Based on my experience, reusability ends up happening at the application level as opposed to the enterprise level. So, designing this architecture requires think about: different trust boundaries, complex access checks and centralized management.
The solution that I’ve been using lately with good results is Security Token Service. Today, standards like WS-Trust and SAML among others are mature enough and technology stacks like WCF or Sun Metro fully support them, making it easier to have an interoperable and strategic infrastructure in place. The Security Token Service provided me with a generic and customizable architecture component that became part of my architecture toolbox.
However, the concepts behind Security Token Services are not trivial to understand, and the value they provide is sometimes hidden under its complexity. The good news is that Microsoft has started to invest on a high-level identity framework that will work on top of CardSpace, WCF and ASP.NET. The new kid on the block is codenamed “Zermatt” and will help approaching the separation of concerns on authentication and authorization; the federated security scenario; tackling real claim-based authorization on both presentation and service layer; and potentially integrate with “cloud” infrastructure like the Internet Service Bus.
Extrapolating the scenario I wrote about in March 2007 we might be able to create something like the following diagram with much less code: