Two-Tier | ASP.NET | External Zone Flow of Identity

In a two-tier, ASP.NET commerce deployment in the external zone (shopper zone), there are three scenarios for the flow of identity:

  • A Registered Shopper Using a Silverlight Rich Internet Application (RIA)

  • An Anonymous Shopper Using a Silverlight RIA

  • An Anonymous or Registered Shopper Using a Web Browser

For more information about the states of identity (Anonymous, Recognized, and Authenticated), see Understanding User Recognition.

The following diagram shows the flow of these identities and the conceptual configuration of a two-tier, ASP.NET commerce deployment in the external zone. Note the following conceptual details:

  • The Web application authenticates the shopper with forms authentication; the resulting forms-based identity accompanies each request to the Web application or to the routing service.

  • When the Web application or routing service calls the operation service, the Principal Creator ensures that the operation service runs only under a ClaimsIdentity.

  • You must configure your routing service, operation service, and shopper identities as illustrated in the following ASP.NET flow of identity diagram.

[Diagram: flow of identity in a two-tier, ASP.NET commerce deployment in the external zone]

A Registered Shopper Using a Silverlight Rich Internet Application (RIA)

Flow one depicts the flow of identity for a registered shopper who shops using a Silverlight rich Internet application (RIA).

In this scenario, the shopper has successfully logged in using forms authentication. The shopper therefore has a FormsIdentity and a cookie containing the anonymous user ID, the registered user ID, and the shopper's name.

The registered shopper browses the site, and the Silverlight RIA calls the routing service using a Windows Communication Foundation (WCF) request. The CommerceUserRecognitionModule uses the information contained in the cookie to populate CommerceUserContext.Current. Since CommerceUserContext.Current is populated, the routing service puts WCF headers containing the anonymous user ID, registered user ID, and user name into the request forwarded to the operation service.

Since the routing service uses a delegated security model, the security context of the shopper is used to determine the operations performed by the operation service. Because the incoming identity is not a ClaimsIdentity, the Principal Creator reads the WCF header of the request and converts the registered identity of the shopper to a ClaimsIdentity containing claims for the anonymous user ID, the registered user ID, and the shopper's name. Now, the registered shopper is authorized to access their basket and user profile. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.

An Anonymous Shopper Using a Silverlight RIA

Flow two depicts the flow of identity for an anonymous shopper using a Silverlight RIA to browse for product information.

Because the anonymous shopper has not logged on to the site using forms authentication, the shopper has a FormsIdentity whose cookie contains only an anonymous user ID.

The anonymous shopper browses the site, and the Silverlight RIA calls the routing service using a Windows Communication Foundation (WCF) request. The CommerceUserRecognitionModule uses the information contained in the cookie to populate CommerceUserContext.Current. Since CommerceUserContext.Current is populated, the routing service puts a WCF header containing the anonymous user ID into the request forwarded to the operation service.

Since the routing service uses a delegated security model, the security context of the shopper is used to determine the operations performed by the operation service. Because the incoming identity is not a ClaimsIdentity, the Principal Creator reads the WCF header of the request and converts the anonymous identity of the shopper to a ClaimsIdentity containing a single claim, for the anonymous user ID. This establishes the shopper identity as the security context for the operations performed by the operation service. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.

An Anonymous or Registered Shopper Using a Web Browser

Flow three depicts the flow of identity for a registered or anonymous shopper who browses an ASP.NET Web site.

A registered shopper has successfully logged on to the site using forms authentication and has a FormsIdentity with a cookie containing the anonymous user ID, the registered user ID, and the shopper's name.

An anonymous shopper has not logged on to the site and has a FormsIdentity with a cookie containing only an anonymous user ID.

Because the ASP.NET Web application is a trusted subsystem, it acts on behalf of the shopper and calls the operation service under its own Windows identity (App\CsDataUser). The operation service requires a ClaimsIdentity, so the Principal Creator converts this Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is the security context for the authorization checks performed while processing the request.

Using the Windows identity Data\CsDataUser, the operation service processes the request and returns the appropriate information from SQL Server based on the request being processed. The Data\CsDataUser identity has permission in SQL Server to access all data required by the ASP.NET site.
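The following C# sample is an added illustration of the Principal Creator behaviour described in all three flows; it is not Commerce Server's own Principal Creator or its configuration. The WCF header names, the claim type URIs, the WebSiteApplication role, the TransportIdentity class, the basket check, and the in-memory dictionary that stands in for the AzMan policy store are all assumptions, and the IDictionary of headers stands in for OperationContext.Current.IncomingMessageHeaders so that the sample runs offline. The input values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Added example, not Commerce Server's own Principal Creator. Header names,
// claim types and the role store are assumptions; the headers dictionary
// stands in for OperationContext.Current.IncomingMessageHeaders.
public static class PrincipalCreatorSample
{
    // Hypothetical WCF header names written by the routing service.
    public const string AnonymousUserIdHeader  = "AnonymousUserId";
    public const string RegisteredUserIdHeader = "RegisteredUserId";
    public const string UserNameHeader         = "UserName";
    // Hypothetical claim types and role name used by the operation service.
    public const string AnonymousUserIdClaim  = "urn:example:commerce:anonymous-user-id";
    public const string RegisteredUserIdClaim = "urn:example:commerce:registered-user-id";
    public const string SiteRole              = "WebSiteApplication";

    // Stand-in for the AzMan policy store of flow three: Windows account -> roles.
    static readonly Dictionary<string, string[]> AzManRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            [@"App\CsDataUser"] = new[] { SiteRole },
        };

    // The non-claims identity WCF presents for the caller before conversion.
    public sealed class TransportIdentity : IIdentity
    {
        public TransportIdentity(string name, string authType) { Name = name; AuthenticationType = authType; }
        public string Name { get; }
        public string AuthenticationType { get; }
        public bool IsAuthenticated => !string.IsNullOrEmpty(AuthenticationType);
    }

    // Produces the ClaimsIdentity that becomes the operation service's security context.
    public static ClaimsIdentity Create(IIdentity incoming, IDictionary<string, string> headers)
    {
        if (incoming is ClaimsIdentity already)
            return already;                       // nothing to convert

        // Flows one and two: shopper context forwarded by the routing service.
        if (headers.TryGetValue(AnonymousUserIdHeader, out var anonymousId))
        {
            var claims = new List<Claim> { new Claim(AnonymousUserIdClaim, anonymousId) };
            string authType = null;               // anonymous: IsAuthenticated is false
            if (headers.TryGetValue(RegisteredUserIdHeader, out var registeredId))
            {
                claims.Add(new Claim(RegisteredUserIdClaim, registeredId));
                if (headers.TryGetValue(UserNameHeader, out var userName))
                    claims.Add(new Claim(ClaimTypes.Name, userName));
                authType = "Forms";               // registered: IsAuthenticated is true
            }
            return new ClaimsIdentity(claims, authType);
        }

        // Flow three: a trusted subsystem calls under its own Windows account and
        // sends no shopper headers, so its claims are loaded from the role store.
        if (!AzManRoles.TryGetValue(incoming.Name, out var roles))
            throw new UnauthorizedAccessException("Unknown caller: " + incoming.Name);
        var identity = new ClaimsIdentity(incoming.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, incoming.Name));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return identity;
    }

    // A shopper may reach only the basket keyed by an ID in their own claims;
    // the trusted site role may reach any basket on a shopper's behalf.
    public static bool CanAccessBasket(ClaimsIdentity identity, string basketOwnerId)
    {
        return identity.HasClaim(ClaimTypes.Role, SiteRole)
            || identity.HasClaim(RegisteredUserIdClaim, basketOwnerId)
            || identity.HasClaim(AnonymousUserIdClaim, basketOwnerId);
    }

    public static void Main()
    {
        var hop = new TransportIdentity("", null);   // transport identity of the routing-service hop

        // Flow one: registered shopper, all three headers (constructed values).
        var registered = Create(hop, new Dictionary<string, string>
        {
            [AnonymousUserIdHeader]  = "anon-1111",
            [RegisteredUserIdHeader] = "user-2222",
            [UserNameHeader]         = "jane",
        });
        Console.WriteLine("flow one:   authenticated={0} ownBasket={1} otherBasket={2}",
            registered.IsAuthenticated, CanAccessBasket(registered, "user-2222"), CanAccessBasket(registered, "user-9999"));

        // Flow two: anonymous shopper, a single header yields a single claim.
        var anonymous = Create(hop, new Dictionary<string, string> { [AnonymousUserIdHeader] = "anon-3333" });
        Console.WriteLine("flow two:   authenticated={0} claims={1} otherBasket={2}",
            anonymous.IsAuthenticated, anonymous.Claims.Count(), CanAccessBasket(anonymous, "user-2222"));

        // Flow three: the ASP.NET site as trusted subsystem, no shopper headers.
        var site = Create(new TransportIdentity(@"App\CsDataUser", "Negotiate"), new Dictionary<string, string>());
        Console.WriteLine("flow three: role={0} anyBasket={1}",
            site.HasClaim(ClaimTypes.Role, SiteRole), CanAccessBasket(site, "user-2222"));
    }
}
```

The sample honours the shopper headers unconditionally. In a deployment, the operation service should accept those headers only on the binding where the routing service itself is authenticated, since the header-derived ClaimsIdentity is what the basket and profile authorization checks run against; configuring the routing service, operation service, and shopper identities as the diagram shows is what establishes that trust, and the trusted-subsystem path in flow three is kept separate so that the Windows account of the ASP.NET site never has its claims taken from request headers.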

See Also

Other Resources

Understanding Claims-Based Identity

Managing Authentication

Managing Authorization

Understanding User Recognition

About the Commerce Server Claims Provider

Understanding the Flow of Identity