WCF Claims to "Zermatt" Claims Migration Story

Hey – that’s a short post – there is none. thanks. bye…

OK hold on – some background info.

Microsoft introduced their new claims API with .NET 3.0 as part of the System.IdentityModel assembly (with super tight integration into WCF). Needless to say that I really like the claims approach – and I have written quite a lot about it here.

Also since that day we were all waiting for that super secret identity framework that was supposed to extend the claims API and which will finally give us easier support for security token services and Information Card related technologies. Now it is in beta and is called “Zermatt”. Cool. Life is good.

After some experiments and proof of concepts – it turns out life is not so good.

To enable the “Zermatt” model in WCF you basically have to call the ConfigureServiceHost method on the ExtensibleServiceCredentials class (at least that’s how it works with the current bits). As soon as you enable Zermatt the usual places where security happens in WCF don’t work anymore – namely ServiceSecurityContext and AuthorizationContext. Interested readers of my blog know that these classes are the entry point into the claims based world in WCF. Also if you have made any investments already into the claims model, your code relies on these classes. If they are “gone”, your code is broken.

All the claims functionality found in WCF is now replaced by the Zermatt model and there is no connection whatsoever between them. You’ll also find that Zermatt has its own version of a Claim class (and other structural classes too). This basically means that if you have already invested in the WCF claims model but wanna move on to Zermatt, you have to throw away all your code and start from scratch. There is no migration or co-existence story between WCF claims and Zermatt claims.

OK – the next thing I tried is how existing WCF authorization policies work together with Zermatt. The results are quite mixed. First of all external policies only work with certain credential types – and Right.Idenity claims are not supported at all.

Fortunately, there is a forum for Zermatt so I can ask some MSFT people about their take on that. Here’s what I got back (I’d love to provide links to the forum posts – but unfortunately this forum is sooo cool and ajaxy that one of the most important features of the web – called URLs – don’t work):

“Hi Dominick,
Deeper investigation on my part into what I suspected was a bug turned
out to be by design. The scenario you are attempting (upgrading a
legacy app that depends on the WCF claims model) is not supported in

Once you opt into Zermatt’s claims model, the WCF claims API does not
work anymore. The reason for this behavior is the new claims model in
Zermatt is not backwards compatible with the WCF claims API and it is
not feasible to support both the old and new models at the same time
for WCF applications.

As you have called out earlier in a separate discussion, you have to
choose between staying with the WCF API and not use Zermatt, or move
your application to Zermatt. If you do choose to migrate, any code
that depends on the WCF claims API will need to be rewritten.”

Have you also spotted the word “legacy” wrt to WCF??? They must be kidding me!

Here’s my answer:

“I don’t understand the problem – why can’t you take existing authZ
policies and transform them into a ClaimsIdentity – this would be an
easy solution for the migration problem.

Frankly – this sucks.

What do I tell my customers? Sorry for leading you into the
System.IdentityModel direction? Your code will not move forward?

You have a brand new communication framework with a brand new claims
based authZ model – now you are releasing a brand new identity
framework that just disables the technologies used before???? This is
not right.

I don’t ask for a full compatibility story between S.IM and Zermat –
but i don’t want to throw away all my code (or my customers code).”

Am I asking for too much? Is this a non-issue? I filed a bug for that here. If this is also important for you – feel free to vote.


Disclaimer: Don’t get me wrong. I don’t want to bash Microsoft or the Zermatt team, nor the people on the forum which are really helpful. I just think this is a wrong design decision. And I read somewhere that Microsoft is looking for feedback. So here it is.

This entry was posted in IdentityModel. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s