{"id":443,"date":"2009-06-16T14:36:00","date_gmt":"2009-06-16T23:36:00","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/2009\/06\/16\/announcing-fabrikamshipping-in-depth-semi-realistic-sample-for-geneva-framework\/"},"modified":"2009-06-16T14:36:00","modified_gmt":"2009-06-16T23:36:00","slug":"announcing-fabrikamshipping-in-depth-semi-realistic-sample-for-geneva-framework","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2009\/06\/16\/announcing-fabrikamshipping-in-depth-semi-realistic-sample-for-geneva-framework\/","title":{"rendered":"Announcing FabrikamShipping, in-depth semi-realistic sample for Geneva Framework"},"content":{"rendered":"
digg_url = “http:\/\/blogs.msdn.com\/vbertocci\/archive\/2009\/06\/16\/announcing-fabrikamshipping-in-depth-semi-realistic-sample-for-geneva-framework.aspx”;digg_title = “Announcing FabrikamShipping, in-depth semi-realistic sample for Geneva Framework”;digg_bgcolor = “#FFFFFF”;digg_skin = “normal”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;<\/div>\n

Do you remember the PDC session<\/a> in which Kim announced all the new wave of identity products, including Geneva?<\/p>\n

During that session I showed a pretty comprehensive demo, where  all the products & services worked together for enabling a fairly realistic end-to-end scenario. You have seen demos based on the same scenario at TechEd EU, TechDays and in many presentations from my colleagues in the various subsidiaries; finally, if you came at the Geneva booth at RSA chances are that you got an detailed walkthrough of it. Since people liked it so much, we thought it would have been nice to extract just the main web application from that scenario, and make it available to everyone in form of an in-depth example. You can find the code in a handy self-installing file on code gallery, at http:\/\/code.msdn.microsoft.com\/FabrikamShipping<\/a> (direct link here<\/a>).<\/p>\n

The idea is that we bridge the gap between pure technical learning content (the training kit<\/a>) and high level presentation (take your pick), by providing you with a demo that on one side you can use for explaining to non-technical people what\u2019s the point of claims-based identity, on the other side you can take the code apart and see what makes the application tick. You will see that we do little more than applying the solutions described in the identity developer training kit to the challenges that a real application requires: we comment the code here and there so you\u2019ll always know what is going on, if you want to go deeper we recommend you look up the specific solution you are focusing on in the SDK<\/a> documentation and in the training kit<\/a>.<\/p>\n

Below I am pasting the \u201creadme\u201d you will find in the package. We really appreciate your feedback! let us know what you like and what you don\u2019t like, what topics you\u2019d like covered in more depth, etc etc and as usual we\u2019ll do our best to make you happy.<\/p>\n

Overview<\/h1>\n

FabrikamShipping is a semi-realistic sample web application that demonstrates how to use the Geneva Framework for authentication, authorization and identity driven customization for a web frontend and a services backend. Its main goal is to show how to implement common tasks and features in web applications, combining the techniques presented separately in other technology learning material such as the Geneva Framework SDK and the Identity Developer Training Kit. <\/p>\n

Note that while all efforts have been made for following best practices whenever possible, FabrikamShipping is NOT a reference implementation since it is designed for readability and for making as clear as possible for the reader to understand what is happening, as opposed to efficiency and maintainability. You should NOT use FabrikamShipping code in production.<\/p>\n

The FabrikamShipping Scenario<\/h1>\n

\"d4c2ae9e-ac50-43c0-a574-fe5250968485\"<\/a> <\/p>\n

Figure 1<\/b>
FabrikamShipping\u2019s main actors<\/i><\/p>\n

The FabrikamShipping scenario has been originally designed as part of an end-to-end demo for PDC 2008 (video recording available at http:\/\/channel9.msdn.com\/pdc2008\/BB11\/<\/a>, from 31\u201d on). While the general narrative remains largely unchanged, this example has been adapted to be a standalone web solution that you can install and examine on your machine without the need for virtual machines, services subscription or even internet connectivity.<\/p>\n

Fabrikam is an ISV that sells S+S solutions to business customers. FabrikamShipping is one of such solutions: it is a web application that allows users to ship packages. Shipments are created by entering details about sender and intended recipient. Once a shipment has been created, it will go through a workflow which represents the various shipment phases (pickup, package, transit, delivery); every phase will allow the user to perform specific actions, such as cancelling the shipment or rerouting to a different address.<\/p>\n

Adatum Corporation is a customer of Fabrikam, and subscribed to the FabrikamShipping application. John and Mary work for Adatum, and routinely use FabrikamShipping. John handles logistic in Manufacturing, while Mary is a manager: their different positions in the company translate in different privileges when using the application.<\/p>\n

A Brief Walkthrough<\/h4>\n

Let\u2019s take a quick look at how to use the application, without worrying about how it works for now: we will take care of the implementation details in the next section.<\/p>\n

Pretend that you are John, and that you have a package to send. Open a browser and navigate to FabrikamShippings\u2019 URI: https:\/\/www.fabrikamshipping.com:8082\/FabrikamShipping\/<\/a>. <\/p>\n

Since you are not authenticated yet, FabrikamShipping redirects you to the Adatum STS:<\/p>\n

\"ee9c6176-05ae-4eec-adc4-8302e2dd4afa\"<\/a> <\/p>\n

Figure 2<\/b>
Adatum\u2019s STS UI<\/i><\/p>\n

Use the suggested credentials for John and hit Submit. You\u2019ll land on FabrikamShipping\u2019s main page:<\/p>\n

\"fe753d28-5b97-44f7-a3a1-dc3610f012e3\"<\/a> <\/p>\n

Figure 3<\/b>
The main page of FabrikamShipping<\/i><\/p>\n

Click on the New Shipment icon.<\/p>\n

\"84d9ef41-3a18-499e-af69-77f08e4d1b09\"<\/a> <\/p>\n

Figure 4<\/b>
The new shipment screen<\/i><\/p>\n

As you can see, the Sender area is already populated with John\u2019s data: this is thanks to the claims received directly from Adatum with the sign in token. For filling the Recipient form, click on \u201cSearch in CRM\u201d; you will get a small dialog, from where you can pick a customer (here I\u2019ll pick Dan Park).<\/p>\n

Click the green Submit button.<\/p>\n

\"029a8878-1e29-4596-a842-ac988fdc7e2b\"<\/a> <\/p>\n

Figure 5<\/b>
The new shipment confirmation screen<\/i><\/p>\n

Everything seems in order: click the Ship It! button.<\/p>\n

\"b6cd586e-6f47-4b6c-bb3c-1d04446c12cc\"<\/a> <\/p>\n

Figure 6<\/b>
The shipping label printing screen<\/i><\/p>\n

Our new shipment has been created! Here there is the label that, once printed, will have to be attached to the package we want to send.<\/p>\n

Let\u2019s take a look at what happens when we want to modify our shipment. Click the Go to Home button.<\/p>\n

\"4e1eb2bd-e9ee-4452-9b1d-b46f5822e88e\"<\/a> <\/p>\n

Figure 7<\/b>
The main screen now shows our new shipment for Dan<\/i><\/p>\n

The list of shipments now includes the new entry we just created. Let\u2019s say that we want to reroute this shipment: click directly on the Dan Park entry.<\/p>\n

\"8e4c164a-5f6a-49a6-abe2-c08fe29afa1e\"<\/a> <\/p>\n

Figure 8<\/b>
The shipping workflow<\/i><\/p>\n

This page shows the shipment workflow: we are currently in the Pickup state.<\/p>\n

Note: FabrikamShipping does not really provide any meaningful backend workflow logic, since the point of this sample is demonstrating identity capabilities rather than how to handle business processes. If for demo purposes you want to advance the state of the shipment, you can do so \u201cmanually\u201d by clicking on a hidden button. If you hover the mouse pointer under the state label of the current stage (in this case the label \u201cRunning\u201d) you\u2019ll see that it changes into a hand: if you click, the workflow will advance one step.<\/p>\n

Click the Reroute Shipment button, change something and click on the Reroute button:<\/p>\n

\"75c40a33-9089-49ae-a78a-aade23944566\"<\/a> <\/p>\n

Figure 9<\/b>
John cannot reroute existing shipments<\/i><\/p>\n

You will get an error: John does not have enough privileges for modifying existing shipments.<\/p>\n

Try to start over, this time using Mary\u2019s credentials. Remember to use a different browser instance, otherwise the Adatum STS will recognize you as John and will issue you a token without even presenting you the credentials gathering UI.<\/p>\n

If you try to reroute a shipment, you will discover that you can do it without issues: this is because Mary belongs to the Managers group, and the system takes that into account when assigning privileges.<\/p>\n

In the next section we will see some details about what happens behind the scenes for making this possible.<\/p>\n

Implementation Details<\/h1>\n

\"f2391689-6cba-44d9-88bd-1255622939ec\"<\/a> <\/p>\n

Figure 10<\/b>
FabrikamShipping\u2019s Architecture<\/i><\/p>\n

FabrikamShipping is a classic web application, which authenticates its users via passive federation. <\/p>\n

The example includes a mock identity provider, www.adatumcorporation.com<\/a>, which is a light customization of the default development STS template project provided with the beta 2 of the Geneva Framework. Since the solution is designed to be able to run from a single machine, we make the STS available via HTTPS on a custom IIS binding (on port 8081) and we provide opportune entry on the local HOST file.<\/p>\n

The main application, https:\/\/www.fabrikamshipping.com:8082\/FabrikamShipping\/<\/a>, is configured in a similar way and it is set to accept tokens directly from Adatum.<\/p>\n

Note:In a more realistic scenario, Fabrikam would have a resource STS that would be used to maintain the relationship with Adatum and all the other federated partners, and where any claims transformation that may be need would take place. Every Fabrikam applications, including FabrikamShipping, would then trust the resource STS instead of having to handle the relationship with the federated partner directly.
In this sample we did not feature a resource STS at this level mainly because we wanted to keep thing simple and maintain smooth demo flow: there is a single application, that may even be running a hoster; there is a single federated partner in the picture; and for this application there is no need for claims transformation at the presentation layer. Unless you fall exactly in this category, there is a very high probability that your scenarios will indeed benefit from trusting your own resource STS rather than the partner directly.<\/p>\n

All FabrikamShipping business logic lives in a set of WCF services. The presentation layer invokes the services using a delegation mechanism: the access privileges are decided for every service call on the basis of the current web application\u2019s user, as opposed to relying on trusted subsystem or full website impersonation approaches. The services are configured to accept tokens from an internal STS with ActAs capabilities: the STS is in turn invoked by the presentation layer\u2019s code-behind with the token of the original user.<\/p>\n

The Visual Studio Solution: What to Look For<\/h2>\n

\"39d8bb90-c131-40ea-9ddf-650cf6effcde\"<\/a> <\/p>\n

Figure 11<\/b>
FabrikamShipping solution structure<\/i><\/p>\n

The Visual Studio solution is pretty simple, and has been organized in a way that surfaces the main entities in the architecture and their component. At a glance, those are the projects and what to look from the identity management point of view:<\/p>\n