Foreword

I still remember sitting down with my brand new copy of Writing Secure Code by Michael Howard and David LeBlanc. Having moved beyond writing relatively simple intranet web reports, (before the term "BI" came to embody what at the time we thought was an incredibly innovative way to display call center metrics for managing credit card operations) I found myself in a development lead position responsible for building a web portal for managing the collections process for JP Morgan Chase's auto and home business. The portal interfaced with a number of internal assets, such as SQL Server, Oracle, and IBM Mainframes via Terminal 3270 emulation, as well as external partners, such as Experian and Equifax.

In addition to the learning curve of moving from Classic Active Server pages to production-worthy .NET Framework 1.1 and ASP.NET Web Services, we were just beginning to dramatically disrupt the enterprise as a way to minimize the friction between systems while increasing the reusability of these integration investments. As a fledgling new lead, building the portal to stop world hunger and to cure cancer (as all the intranet portals promised to do in those days), I was keenly aware that the solution had to be secure, because after all, "All Input Is Evil", and working in the financial services industry, no security breach or personal information leak goes unpunished, no matter how trivial.

For weeks I skimmed through the 600 page volume, incrementally building confidence that I was doing my due diligence in implementing a trusted subsystem, identifying and authenticating my users, applying least privilege, and preventing SQL injection attacks.

Things were significantly simpler in 2003. All of my users were in Active Directory, and as long as I didn't need them to do multiple hops, NTLM was just fine, thank you very much. I put a lot of thought into the roles and proudly remember showing my manager how the new users would automatically have access to the portal as soon as their account was created (provided IT assigned them to the right group!).

Well, it turns out this "Web Services" thing was real, and what they did for the enterprise a decade ago pales in comparison to how service orientation has transformed the way users expect to be able to interact with software today. The proliferation of modern web applications and mobility demand a completely new perspective when designing modern applications. Whether you are building Web, desktop, or mobile solutions that reside on-premise, on the cloud, or are a hybrid thereof, identity and access control have never been more important.

Whether in the enterprise or consumer space, today's users demand access to your application from anywhere and at any time. And, for your applications to compete in the market and provide real value, they must compose a variety of assets, both public and private, each of which carries its own requirements for authentication and authorization. In short, modern applications must be claims-aware.

While the options for federating identity and access control across public and corporate assets are both varied and daunting, they also present tremendous opportunities for unlocking the potential of your applications by taking advantage of existing investments at a global scale. To enable this new breed of applications, Microsoft provides the Windows Identity Framework (WIF), which aims to simplify working with claims-based security by providing standardized APIs, templates, and tools that make the process of accessing, interpreting, and mapping claims tenable.

Initially provided as a standalone framework (previously known as Geneva), WIF is now included as a part of .NET 4.5, which is in beta at the time of writing this book. The inclusion of WIF in .NET is not merely a packaging decision, but a clear reflection of the commitment that Microsoft has made to this powerful security framework.

As such, Sandeep's book couldn't come at a better time.

Careful to begin with easy-to-grasp fundamentals of claims-based security, Sandeep progresses through the common WIF programming tasks using examples in ASP.NET and WCF familiar to most .NET developers, while covering bleeding-edge scenarios including new features exposed in Windows 8 and securing Windows Metro applications.

This book offers a combination of simple, intermediate, and advanced scenarios, covering AD FS 2.0 and incorporating web identity providers such as Windows Live ID, Google, Yahoo!, and Facebook with Azure Service Bus Access Control Service. Also covered are the real-world scenarios that you are likely to encounter for securing Microsoft SharePoint, SalesForce.com, and Microsoft Dynamics CRM.

In addition to providing a hands-on pragmatic reference that will be immediately valuable to your next project, this book is a reflection of Sandeep's real-world experience, successfully applying these concepts and techniques in the field, the value of which is worth the price of this book alone.

If you are serious about building claims/identity-aware services and applications on the .NET Framework, and want to get started today, this book belongs in your library.

Rick G. Garibay

General Manager, CSD Practice, Neudesic

Microsoft MVP, Connected Systems Developer
