Microsoft Security

I just got a subscription to MSDN magazine from Microsoft. This is a good magazine to read if you program using Microsoft technologies. The latest issue had a lot of Microsoft-specific security articles. Today I want to tell you about what I read. The topics were SAML, CAS, and STS. How is that for a list of acronyms?

SAML stands for Security Assertion Markup Language. It is based on XML. You can tell from the name. SAML is used for authentication between domains. For practical purposes, it helps implement single sign-on. You type in your user name and password once. Then you can go everywhere and be automatically authenticated. You do not have to retype your credentials.

CAS stands for Code Access Security. It is part of the .NET framework. CAS prevents untrusted code from executing privileged instructions. An administrator sets up the security policy for your machine. The .NET common language runtime (CLR) then maps programs to code groups. Each code group has a permission set. The CLR then either allows or disallows the instructions to execute.

STS is the Security Token Service. A client wants to access a web service. The client first gets a token from an STS server. Then the client passes the token to the web service. The web service validates the token against the STS. Finally, the web service honors the client request if the token checks out with the STS.
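Here is the STS exchange above modelled in Python as an added illustration (not code from the article or from Microsoft). A constructed shared HMAC key stands in for the STS signing key, the token is a simplified signed claim set rather than a real WS-Trust or SAML token, and the service name `orders-service` is made up for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the STS and the web service. Assumption: in a
# real deployment the STS signs with its own key (e.g. an X.509 certificate)
# and the web service only needs the matching verification key.
STS_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(subject, audience, now, ttl=300, key=STS_KEY):
    """STS step: after authenticating the caller (assumed done), issue a
    signed token naming who the caller is, which service it is for, and
    when it expires."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def service_validate_token(token, expected_audience, now, key=STS_KEY):
    """Web service step: check the signature, audience and expiry before
    honoring the request. Returns the claims on success, None on failure."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:
        return None  # token was issued for a different service
    if now >= claims.get("exp", 0):
        return None  # expired token
    return claims


def client_call_service(token, now):
    """Client step: present the token; the service only answers if it checks out."""
    claims = service_validate_token(token, "orders-service", now)
    if claims is None:
        return {"status": 401, "body": "token rejected"}
    return {"status": 200, "body": "hello " + claims["sub"]}
```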