I just hit my first big milestone in the security curriculum for Pluralsight. All three base identity & access control courses are done and online now. They cover what used to be called WIF and is now part of .NET 4.5:
- Introduction to Identity & Access Control in .NET 4.5
- Identity & Access Control in ASP.NET 4.5
- Identity & Access Control in WCF 4.5
I think I need a little break now from recording and finalize IdentityServer (amongst some other things that ‘need to be done’).
Next year I’ll be back with an in-depth course covering the security of (ASP.NET) Web API based architectures, so stay tuned!
leastprivilege.com 
Thanks a lot for your great work! So excited to know that there will be a IdentityServer Session which i am quite. interested in, looking forward to that. Have a nice holiday!
Well don’t expect too much ;)
I use IdentityServer for the demos – but the focus is more on ASP.NET and WCF.
Your help/insights on something would be greatly appreciated.
– I am trying to have a central identity site/repository for authentication/authorization & user information to use for multiple sites. As outlined in the PluralSight lessons, IdentityServer helps provide the separation from the app and business logic, which is great.
– The identify verification part of things is very nice and I understand that.
– Where things get fuzzy then is the actual “identity (user) management” meaning the actual information about the user. When someone gets authenticated and the claims get transformed – how can the information be stored in IdentityServer for a user so that can the claims transformation can use the stored user information? I’d like to do all user information management from IdentityServer. The \Configuration\profile.config file contains info on WebPage and TwitterName but it is not used anywhere; in fact I don’t see a way of editing any user information at all in IdentityServer.
What would your recommendation be for the following setup:
* I want to be able to use IdentityServer as a true Identity Management repository – not just a auth processor. It would then entail
1) Use IdentityServer as a repository for identity clearinghouse
2) Use IdentityServer to store “all” of the user information
3) Store the user-application and user-role relationship (which provides user-application-role since role is application specific)
What is missing in IdentityServer to make this happen? Would the claims transformer have to populate “all” of the information from the IdentityServer user store (apps for that user, roles for that user) and then filter that to do authorization? Or is it possible from the app to pass IdentityServer its own application id and filter the lookup in IdentityServer with that id.
There just seems to be a big hole to fill still in the actual management of that identity. Also looking to store the FacebookID, GoogleID, YahooID, etc. associated with that user so no matter which method they use, they are associated with the same user info.
It seems that if this can work out, then all the relying app needs to have is a userid or username to work against in their own app.
Does what I said make sense? What do I need to clarify?
Thanks – just trying to make my apps simple and offload any and all user management issues.
Could you please ask the same question here:
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues?state=open
so other can benefit from the answer.
Interesting, just saw you post: https://leastprivilege.com/2012/06/28/managing-asp-net-membership-and-roles-without-visual-studio/
where you state “I made a conscious decision to not include any user management features in IdentityServer.”
That is a bummer because the token service auth part is great but for true separate you still need to user management stuff also separated.
Any way you can direct me? If I can’t separate out the user mgt also then IdentityServer just isn’t all that useful.
Please use the gitgub issue tracker for identity server topics.
But have you actually had a look at v2? Basic user/role management is included. This is also covered in this video:
This is all you can expect for v2 – but if you want to build something more fancy and want to contribute back – let us know.