Two-Tier | ASP.NET | Internal Zone Flow of Identity

In a two-tier, ASP.NET commerce deployment in the internal zone (business user zone), there are two scenarios for the flow of identity:

  • A Business User Using a Silverlight Rich Internet Application (RIA), such as the Commerce Server Business Administration Ribbon

  • A Business User Using a Web Browser

For more information about the states of identity (Anonymous, Recognized, and Authenticated), see Understanding User Recognition.

The following diagram shows the flow of these identities and the conceptual configuration of a two-tier, ASP.NET commerce deployment in the internal zone. Note the following conceptual details:

  • For the Web application authentication, use a Windows-based identity to make a request to the Web application or Routing Service.

  • Once the Web application or Routing Service calls the operation service, the Principal Creator ensures that only a ClaimsIdentity is used with the operation service.

  • You must configure your Routing Service, operation service, and corporate business user identities as illustrated in the following ASP.NET flow of identity diagram.

[Diagram: ASP.NET flow of identity in a two-tier, internal zone deployment]

A Business User using a Silverlight Rich Internet Application (RIA)

Flow one depicts the flow of identity for an authenticated business user using a Silverlight rich Internet application (RIA).

In this scenario, the business user browses the site using his or her Windows identity (Corp\BizUser). The Silverlight RIA calls the Routing Service using a Windows Communication Foundation (WCF) request. The Routing Service is configured to impersonate all callers, so the Routing Service forwards the request of the business user to the operation service using the identity of the business user (Corp\BizUser).

The operation service requires a ClaimsIdentity, so the Principal Creator converts this Windows identity into a ClaimsIdentity and loads its claims from Authorization Manager. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. The business user can only perform operations for which he or she has authorization. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.

A Business User using a Web Browser

Flow two depicts the flow of identity for an authenticated business user who browses the ASP.NET Web application using a browser.

In this scenario, the business user browses the site using his or her Windows identity (Corp\BizUser). Since the ASP.NET Web application is a trusted subsystem, the ASP.NET Web application, using a Windows identity (App\CsDataUser), acts on behalf of the business user and sends a request to the operation service. The operation service requires a ClaimsIdentity, so the Principal Creator converts this Windows identity into a ClaimsIdentity and loads its claims from Authorization Manager (AzMan). This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Using the Windows identity Data\CsDataUser, the operation service processes the request and returns the appropriate information from SQL Server. This identity has permission in SQL Server to access all data required by the ASP.NET site.
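The Principal Creator step that both flows share, as an added illustration rather than Commerce Server's own code: it assumes the .NET 4.5 System.Security.Claims types, an in-memory dictionary as a stand-in for Authorization Manager, and the hypothetical `urn:example:operation` claim type, operation names and `OperationService` class. The comments mark which Windows identity the operation service sees in flow one versus flow two.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using System.ServiceModel;

// Stand-in for the Principal Creator: the operation service only ever works
// with a ClaimsIdentity, never directly with the caller's Windows identity.
public static class PrincipalCreator
{
    // Stand-in for Authorization Manager (AzMan): constructed sample data that
    // maps a Windows account to the operations it may perform.
    private static readonly Dictionary<string, string[]> AuthorizationStore =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"Corp\BizUser",   new[] { "Catalog.Read" } },
            { @"App\CsDataUser", new[] { "Catalog.Read", "Catalog.Update" } },
        };

    // Converts a Windows identity into a ClaimsIdentity carrying the operation
    // claims loaded from the store. An account that is not in the store gets an
    // identity with no operation claims, so every authorization check fails closed.
    public static ClaimsPrincipal Create(WindowsIdentity caller)
    {
        var identity = new ClaimsIdentity(caller.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, caller.Name));
        string[] operations;
        if (AuthorizationStore.TryGetValue(caller.Name, out operations))
            foreach (var op in operations)
                identity.AddClaim(new Claim("urn:example:operation", op));
        return new ClaimsPrincipal(identity);
    }
}

public class OperationService
{
    public void UpdateCatalog()
    {
        // Flow one: the Routing Service impersonates all callers, so this is
        // Corp\BizUser and the claims loaded belong to the business user.
        // Flow two: the Web application calls as a trusted subsystem, so this is
        // App\CsDataUser and the check runs against the application's claims.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        ClaimsPrincipal principal = PrincipalCreator.Create(caller);
        if (!principal.HasClaim("urn:example:operation", "Catalog.Update"))
            throw new UnauthorizedAccessException(caller.Name + " cannot update the catalog");
        // Database access happens here under the service's own restricted SQL
        // identity (trusted subsystem), never under the caller's identity.
    }
}
```

Because the operation service in flow two authorizes App\CsDataUser rather than the browsing user, per-user authorization for browser requests has to happen in the Web application before it calls the operation service.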

See Also

Other Resources

Understanding Claims-Based Identity

Managing Authentication

Managing Authorization

Understanding User Recognition

Understanding the Flow of Identity