Three-Tier | ASP.NET | External Zone Flow of Identity

In a three-tier, ASP.NET commerce deployment in the external zone (shopper zone), there are three scenarios for the flow of identity:

  • An Anonymous or Registered Shopper Using a Web Browser

  • A Registered Shopper Using a Silverlight Rich Internet Application (RIA)

  • An Anonymous Shopper Using a Silverlight RIA

For more information about the states of identity (Anonymous, Recognized, and Authenticated), see Understanding User Recognition.

The following diagram shows the flow of these identities and the conceptual configuration of a three-tier, ASP.NET commerce deployment in the external zone.

Note the following conceptual details:

  • The shopper authenticates to the Web application or routing service with a forms-based identity (a FormsIdentity carried in the forms authentication cookie).

  • When the Web application or routing service calls the operation service, the Principal Creator ensures that the operation service only ever works with a ClaimsIdentity.

  • The call between the routing service and the operation service is always authenticated with a Windows identity, not a ClaimsIdentity; the conversion to a ClaimsIdentity happens inside the operation service.

  • Any information about a forms-authenticated user is sent in Windows Communication Foundation (WCF) message headers from the routing service to the operation service. The operation service trusts those headers only because the call itself arrives authenticated with the routing service's Windows identity.

  • You must configure your application pool, routing service, operation service, and shopper identities as illustrated in the following ASP.NET flow of identity diagram.

[Diagram: ASP.NET flow of identity in a three-tier deployment in the external zone]

An Anonymous or Registered Shopper Using a Web Browser

Flow one depicts the flow of identity for a registered or anonymous shopper who browses an ASP.NET Web site.

In this scenario, the registered shopper has successfully logged on to the site using forms authentication. The registered shopper has a FormsIdentity with a cookie containing the anonymous user ID, the registered user ID, and the shopper's name.

In the case of the anonymous shopper, the anonymous shopper has not logged on to the site. The anonymous shopper has a FormsIdentity with a cookie containing only an anonymous user ID.

Since the ASP.NET Web application is a trusted subsystem, the ASP.NET Web application, using a Windows identity (App\CsAppUser), acts on behalf of the shopper and sends a request to the operation service. The operation service requires a ClaimsIdentity, so the Principal Creator converts this Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Note that in this flow the security context is the application's identity, not the individual shopper's; the shopper's own identity stays within the Web application.

Using the Windows identity Data\CsDataUser, the operation service processes the request and returns the appropriate information from the SQL Server based on the request being processed. The Data\CsDataUser identity has permission in SQL Server to access all data required by the ASP.NET site.

A Registered Shopper Using a Silverlight Rich Internet Application

Flow two depicts the flow of identity for a registered shopper who shops using a Silverlight rich Internet application (RIA).

When a shopper successfully logs in using forms authentication, the shopper is a registered shopper with a FormsIdentity and a cookie containing the anonymous user ID, the registered user ID, and the shopper's name.

The CommerceUserRecognitionModule uses the information contained in the cookie to populate CommerceUserContext.Current. Since CommerceUserContext.Current is populated, the Routing Service adds a WCF header to the request containing the user ID of the registered shopper and forwards the request to the operation service using the Windows identity (App\csRouterUser).

Since the Routing Service has a Windows identity and the operation service requires a ClaimsIdentity, the Principal Creator reads the WCF header of the request and converts the registered identity of the shopper to a ClaimsIdentity containing claims for the anonymous user ID, the registered user ID, and the shopper's name. This establishes the shopper identity as the security context for the operations performed by the operation service, so the registered shopper is authorized to access their own basket and profile. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.

An Anonymous Shopper Using a Silverlight RIA

Flow three depicts the flow of identity for an anonymous shopper using a Silverlight RIA to browse for product information.

Since the anonymous shopper has not logged on to the site using forms authentication, the anonymous shopper has a FormsIdentity with a cookie containing only an anonymous user ID.

The CommerceUserRecognitionModule uses the information contained in the cookie to populate CommerceUserContext.Current. Since CommerceUserContext.Current is populated, the Routing Service adds a WCF header to the request containing the user ID of the anonymous shopper and forwards the request to the operation service using the Windows identity (App\csRouterUser).

Since the Routing Service has a Windows identity and the operation service requires a claims identity, the Principal Creator reads the WCF header of the request and converts the anonymous identity of the shopper to a ClaimsIdentity containing one claim for the anonymous user ID. This establishes the shopper identity as the security context for the operations performed by the operation service. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.
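The following C# program is an added illustration of flows one, two, and three above; it is not Commerce Server's own Principal Creator or routing service code. It models the routing side building the WCF header from the recognized shopper, and the operation-service side turning the caller's Windows account plus that header into the ClaimsIdentity that becomes the security context. The header name and namespace, the claim type URIs, and the in-memory table that stands in for the AzMan role lookup are assumptions; the account names are the ones in the diagram. The check that a shopper header is honoured only when the caller is App\csRouterUser is the safeguard a practitioner would want given the trusted-subsystem design, not a documented Commerce Server behaviour. It assumes .NET Framework 4.5 or later (System.Security.Claims) with references to System.ServiceModel and System.Runtime.Serialization.

```csharp
// Added example, not Commerce Server code. Assumes .NET 4.5+, System.ServiceModel,
// System.Runtime.Serialization. Header name/namespace, claim types and the AzMan
// stand-in are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.Security;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Channels;

// The fields CommerceUserRecognitionModule placed in CommerceUserContext.Current.
// RegisteredUserId and ShopperName are null for an anonymous shopper (flow three).
[DataContract(Namespace = ShopperHeader.Ns)]
public class ShopperContextData
{
    [DataMember] public string AnonymousUserId { get; set; }
    [DataMember] public string RegisteredUserId { get; set; }
    [DataMember] public string ShopperName { get; set; }
}

public static class ShopperHeader
{
    public const string Name = "ShopperContext";              // assumed header name
    public const string Ns = "urn:example:commerce:identity"; // assumed header namespace

    // Routing service side (flows two and three): one WCF header carrying the recognized shopper.
    // Inside the router this is added within an OperationContextScope on the WCF proxy:
    //   OperationContext.Current.OutgoingMessageHeaders.Add(ShopperHeader.Create(shopper));
    // and the call itself goes out as App\csRouterUser under Windows authentication.
    public static MessageHeader Create(ShopperContextData shopper)
    {
        return MessageHeader.CreateHeader(Name, Ns, shopper);
    }
}

// Operation-service side. In a hosted service the caller account comes from
// ServiceSecurityContext.Current.WindowsIdentity.Name and the headers from
// OperationContext.Current.IncomingMessageHeaders; here both are passed in so it runs offline.
public static class PrincipalCreator
{
    const string RouterAccount = @"App\csRouterUser"; // only caller allowed to assert a shopper
    const string WebAppAccount = @"App\CsAppUser";    // flow one: claims come from AzMan instead

    public const string AnonymousUserIdClaim = "urn:example:commerce:anonymoususerid";   // assumed
    public const string RegisteredUserIdClaim = "urn:example:commerce:registereduserid"; // assumed

    // Stand-in for the AzMan role lookup performed for the Web application account.
    static readonly Dictionary<string, string[]> AzManRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { WebAppAccount, new[] { "SiteOperations" } } // illustrative role name
        };

    public static ClaimsIdentity Create(string callerWindowsAccount, MessageHeaders headers)
    {
        int index = headers.FindHeader(ShopperHeader.Name, ShopperHeader.Ns);
        if (index < 0)
        {
            // Flow one: no shopper header, so the caller's own application identity is the context.
            string[] roles;
            if (!AzManRoles.TryGetValue(callerWindowsAccount, out roles))
                throw new SecurityException("No AzMan roles for " + callerWindowsAccount);
            var appClaims = new List<Claim> { new Claim(ClaimTypes.Name, callerWindowsAccount) };
            foreach (var role in roles) appClaims.Add(new Claim(ClaimTypes.Role, role));
            return new ClaimsIdentity(appClaims, "Windows");
        }

        // Flows two and three: honour the header only from the routing service; any other
        // caller could otherwise impersonate an arbitrary shopper just by adding the header.
        if (!string.Equals(callerWindowsAccount, RouterAccount, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("Shopper header from untrusted caller " + callerWindowsAccount);

        var shopper = headers.GetHeader<ShopperContextData>(index);
        if (string.IsNullOrEmpty(shopper.AnonymousUserId))
            throw new SecurityException("Shopper header without an anonymous user ID");

        var claims = new List<Claim> { new Claim(AnonymousUserIdClaim, shopper.AnonymousUserId) };
        if (string.IsNullOrEmpty(shopper.RegisteredUserId))
            return new ClaimsIdentity(claims); // flow three: recognized only, IsAuthenticated == false

        claims.Add(new Claim(RegisteredUserIdClaim, shopper.RegisteredUserId));
        claims.Add(new Claim(ClaimTypes.Name, shopper.ShopperName ?? string.Empty));
        return new ClaimsIdentity(claims, "Forms"); // flow two: authenticated shopper
    }
}

public static class Demo
{
    // Constructed in-memory request; a real one arrives over the WCF channel.
    static MessageHeaders HeadersWith(ShopperContextData shopper)
    {
        var message = Message.CreateMessage(MessageVersion.Soap12WSAddressing10, "urn:example:GetBasket");
        if (shopper != null) message.Headers.Add(ShopperHeader.Create(shopper));
        return message.Headers;
    }

    static void Print(ClaimsIdentity id)
    {
        Console.WriteLine("{0} authenticated={1}", id.AuthenticationType ?? "(none)", id.IsAuthenticated);
        foreach (var c in id.Claims) Console.WriteLine("  {0} = {1}", c.Type, c.Value);
    }

    public static void Main()
    {
        var registered = new ShopperContextData { AnonymousUserId = "a1", RegisteredUserId = "u42", ShopperName = "Alice" };
        Print(PrincipalCreator.Create(@"App\csRouterUser", HeadersWith(registered)));                                  // flow two
        Print(PrincipalCreator.Create(@"App\csRouterUser", HeadersWith(new ShopperContextData { AnonymousUserId = "a2" }))); // flow three
        Print(PrincipalCreator.Create(@"App\CsAppUser", HeadersWith(null)));                                          // flow one
        try { PrincipalCreator.Create(@"App\CsAppUser", HeadersWith(registered)); }                                   // rejected
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The anonymous shopper deliberately gets a ClaimsIdentity with no authentication type, so IsAuthenticated is false while the anonymous user ID claim still identifies the basket; the registered shopper gets "Forms" as the authentication type. If the Principal Creator is wired in as a WCF message inspector or authorization policy, ServiceAuthorizationBehavior.PrincipalPermissionMode must be set so that WCF does not overwrite the principal it produces.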

See Also

Other Resources

Understanding Claims-Based Identity

Managing Authentication

Managing Authorization

Understanding User Recognition

Understanding the Flow of Identity