My organisation has several web facing ASP.NET Web Forms Apps. They currently use Windows Authentication with impersonation enabled. The web apps are hosted internally but are exposed publicly via different domains e.g. www.abc.com & www.xyz.org.
A new requirement, is that a single log on page will be provided for all users of these apps to log in via.
Some of the solutions proposed are:
Implement an OpenId Provider backed by Active Directory (DotNetOpenAuth), modify existing apps to become relying parties of this OP.
Implement SSO through MS Forefront Threat Management Gateway.
I don't have experience with either of these. Are the proposed solutions feasible? What are the pros and cons of each? Are there other solutions that might be more appropriate?
OpenId Provider is a fairly good idea. It will be an easier route and there are some good details around the web.
You may also want to look into Active Directory Federation Services.
http://msdn.microsoft.com/en-us/library/bb897402.aspx
It is not uncommon for businesses moving to hosted solutions look to implement federated services and this is something Microsoft anticipated when setting up and creating Azure - to be corporate friendly.
They have put together a comprehensive guide here, which while not directly related to your question, does have extensive details about the technology behind federated services.
http://msdn.microsoft.com/en-us/library/windowsazure/hh127796.aspx
For more thoughts and information on, specifically the pros and cons, take a look at these articles which answer it in more depth:
http://technet.microsoft.com/en-us/magazine/ff721824.aspx
http://windowsitpro.com/active-directory/ease-cloud-security-concerns-federated-identity
http://www.csoonline.com/article/221034/the-truth-about-federated-identity-management
Some DotNetOpenAuth thoughts:
http://www.codeproject.com/Articles/325228/Choosing-technologies-for-NET-project
http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/7a1c4e0c-346c-4008-9e5c-87ba1273b2aa/
Finally, we have personally gone with OpenAuth for one of my teams solutions. The implementation was fairly painless once we took time to really understand the RFCs (which was no easy feet, but worth taking the time to do). There are also a ton of resources on the web to get a hang of the implementation.
Through a lot of sticking my head in the sand, reinventing the wheel and general stubbornness, I've managed to go all this time (years) avoiding learning the built-in ASP.Net support for web application authentication, users and roles. Part of the reason is that rolling my own originally seemed like less work than getting my head around all the different layers of optional abstraction provided by the ASP.Net security framework and as such I came up with a nice library that worked fine for me.
I'm now trying to go back to using as much of the built in functionality of ASP.Net (MVC2/3, not WebForms) as possible, as I've found that the more non-standard functionality you build into an application, the harder it is for other developers to pick up your code and work with it.
The web is thick with half-tutorials, badly explained articles and information that excludes important beneath-the-hood information about the ASP.Net security framework.
Are there any good tutorials that rip the lid off ASP.Net security and show you how to use it and how it all works without trying to push you through wizards and specific provider models without understanding all of the options and their pros and cons?
This is a 18 part series articles from Scott Mitchell.
It's a very deep explanation of all the features that regards Authentication, Authorization and Membership providers in asp.net. I did never found a better source on this from the same author.
MSDN is the best for ripping the lid off: http://msdn.microsoft.com/en-us/library/ff647070.aspx
I need an opinion and advise from experienced ASP.NET people, what way to go.
Assuming that a developer has some practical background with HTML/JavaScript/PHP on one side and some .NET/C#/WPF experience on the other side. No previous hands on experience with ASP.NET - only theory and some read books on the topic.
The task is to build ASP.NET web site with User Managment functionality (user authentication, user account, user buying history, user points and so on) and E-commerce functionality with shopping cart, checkout and all needed for this.
Is it worth, i.e. will it be faster, more reliable and secure in the result to use a ASP.NET CMS system (for example Sitefinity from Telerik as declared developer friendly) to build such first site? In what case the learning curve will be more steep and it will take more time to achieve similar results?
Notes to take into consideration: 1) Price of the CMS matters not very much 2) E-commerce module should be written from scratch in any case (and integrated in case of using CMS) due to very specific requirements
It will be much faster to get an existing system. If you're going to have a shopping cart, then I would suggest you not even consider writing it yourself if this is your first foray into ASP.NET. The security and PCI Requirements alone will take you forever.
We recently got a new shopping cart for our web site and decided to purchase, and we're an experienced team. Our company used the AspDotNetStorefront, and we're pretty happy with it. You can use it for content management as well, and the price is good, but there are plenty of good alternatives out there.
I am working in a company with huge DotNet team. We currently have MOSS 2007 license which I assume is a costly one and just one administrator working/maintaining all Sharepoint stuff.
I felt that Sharepoint is not being utilized to its potential. Being interested in Sharepoint Development for past 1 year (I am a .NET Developer with 6 years of exp) I offered my help to our Director, his first question was
"Why do I need a Sharepoint Developer?"
Now I need help in selling a "Sharepoint Developer" to my director.
I would be glad to provide any more information you need about the company or current utilization.
EDIT: Just want to elaborate more on my company's scenario. We have sharepoint being used mostly for Internal use like Raising Service Tickets, Maintaining Networking Stuff ( Servers, Sites, clients details), Document Sharing with Clients.
If you want the official “value proposition” of SharePoint, it goes something like this; the product already has a lot of common application behaviours built into it (doc management, access control, search, etc) therefore it streamlines development by being able to build directly on top of these features rather than building them from scratch. It’s a .NET based environment so your current developers can leverage existing skills.
However, it’s not all that simple. There’s a very solid learning curve, you need to develop directly on a Windows Server and the lifecycle and deployment of apps if very different to ASP.NET. Have a read of What are your biggest complaints about Sharepoint? and also The hidden costs of building on enterprise software platforms.
Ask him how much time your team spends coding/planning/worrying with:
Authentication
Security
Document Management
Versioning / Change History
Records Management (on a very light sense)
Backup / Restore support
Load balance
Multi domain support
Separated Content Databases
Content Collaboration and user-created structures
Theme support
Syndication
Outlook integration
??
And how much time you ACTUALLY worry/code/plan implementing your BUSINESS RULES
SharePoint is far from perfect, but in a .NET world it is a hell of a good start to get things done without reinventing the wheel.
Why do you think you need a sharepoint developer? What can more/better sharepoint development offer from a business perspective? Does it do thinks either faster, cheaper or better than you currently do them? You need to be able to verbalize this for management to buy-in.
Does the existing administrator have a technical background? Perhaps as a developer? If not, then yes, there is value in having a "Sharepoint Developer" handy as soon as you want to do anything even remotely outside the box in SharePoint.
Want to extend the functionality of your lists/libraries? You'll need to know how to create a CustomAction in .NET, or know how to combine JavaScript/JQuery with ASP.NET webservices to do so.
Want to create some custom rollups for reporting? Do you folks track tasks/project information in SharePoint? You'll need to understand ASP.NET server control fundamentals, and possibly XSL so that you can whip something together using SharePoint designer.
Maybe you want to standardize your content (calendars, tasks, etc.) through custom content types. You'll need a development background to understand how to provision this using SharePoint's solution/feature mechanisms.
Or perhaps your director would be interested in reporting? If you pick up a third-party reporting tool such as Dundas Charts, good luck making anything remotely complex without having a development background.
These are just some things off the top of my head..
Point out the business benefits that your company would IMMEDIATELY derive by doing / going Sharepoint. In your spare time at the office, create a proof of concept perhaps that you could parody with your director in able to get his/her nod.
As someone who once was a sharepoint developer, it is hard to add value to that product. It will mostly be cosmetic changes or something you find to be really cool, but at the end of the day SP already provides the functionality. Also if you do something amazing with it M$ will eat your lunch.
I worked on MS CMS (which preceded MOSS) and the people who stuck with MOSS are earning good money - but proving business benefits to the skeptical is very difficult.
To sell yourself to your director you need to demonstrate that MOSS will either save the company money or help generate extra cash. From your brief company description I would reckon that cost focus is the way forward.
So ask your boss what are the three biggest cost savings that your company wants to make in the next year (there is always a focus) and (if you think it is worth asking) the three areas where the company is looking to expand.
Then go away and work out how MOSS (or any enterprise level CMS for that matter) can support and possibly improve the chance of meeting these objectives. If you can do that and present the director with some focused, manageable projects then you may be on the way.
We need to develop quite a powerful web application for an investment bank. The bank IT would like us to build it on top of the SharePoint platform, but we would prefer to do pure ASP.NET programming.
The web-app should have the following characteristics.
1) It will be a site for bank's clients that will allow them to view their stock portfolios, get miscellaneous reports with graphs and charts, etc.
2) The web-app will also allow clients to send orders to the bank to buy stocks and perform other financial operations.
3) The number of users will be approximately 3 000 000 (total) and 20 000 at any one time.
We have never made any SharePoint programming, but as far as I know, SharePoint is primarily designed to create intranet sites for colleagues to communicate with each other and work more efficiently, to maintain a document library, etc.
However, the bank IT told us that SharePoint has in fact lots of other features that will help us make the project more efficiently - for example, it seems that SharePoint has some built-in scalability and high availability technologies.
I heard saying that SharePoint development is very tedious, that the platform cannot be very easily customized, etc.
The question is: is it better to create our web-app on pure ASP.NET and deal with scalability and other issues ourselves, or base it on SharePoint - taking into account that the web-app we need to create is non-standard and complex?
Thank you,
Mikhail.
UPDATE
In the answers, someone suggested using ASP.NET MVC. My another question is: should we use "classic" ASP.NET or ASP.NET MVC for such project (if we leave out the SharePoint option)?
Do you need document management? Do you need version management? Do you need to create "sites"? Do you need audience filtering? Do you need ECM (fancy word for CMS), Do you need collaboration stuff on your site? If your answer is no then SharePoint is not for you.
You said "We have never made any SharePoint programming" and for that reason alone I think you should not use SharePoint. You also say that your app is going to be "non-standard" and complex, another reason not to use SharePoint.
Sounds like you know ASP.NET so I would advice to stick with ASP.NET or ASP.NET MVC.
Hope this helps
The answer is simple, you should go with what you know. If you prefer to do it in ASP.NET then, that is what you should go with. Trying to learn a new technology on that size of a project will almost certainty cause you severe problems when trying to develop it. Can sharepoint scale to that number of users, probably, but you don't know how to make it do that. That is the real key.
They are correct SharePoint does have a lot of functionality out of the box, but that doesn't mean that it will make you more efficient, because you don't know all of the APIs etc. to access.
Actually, if you want to know the way to cheat. If they force you into using it, you can run ASP.NET applications under SharePoint (well kind of). You can tell SharePoint to essentially ignore a path in the site and use regular ASP.NET as a web application just like any other site does. Really, this isn't using SharePoint, but it can get you out of a bind, in the "Needs to use SharePoint to make them happy scenario".
Mayo suggested contacting MS. I have a feeling they already have a relationship with the bank and have provided some insight about the project. I would contact: http://www.mindsharp.com/ and see if they can help you out. They are a training company, but I bet that the owners would be willing to help consult, and I haven't found anyone with more knowledge on SharePoint than Todd Bleeker.
I'll not go into the merits of sharepoint, but suffice it to say that I have been developing in sharepoint since it was known as "digital dashboard" - it was just a javascript-encrusted today page for outlook. With respect to its .NET incarnations, it has taken me about 3 years to become what some might call "expert" on SharePoint 2007/MOSS.
First up, let me give you some warnings concerning the politics of these kind of jobs. As a contractor, ALL of my jobs over the last 6 years - covering shaerpoint 2003 and 2007 - WITHOUT fail, have been getting about me on site with a client who has demanded sharepoint, and a development shop with decent ASP.NET developers who have become hopelessly lost and more than likely have blown 95% of the budget on the last 5% of the project because they have embarked on writing custom extensions to the platform without fully understanding the product.
If clients, and the shops who service them, spent more time understand the product and studied it to see how they could change/streamline their business processes & requirements slightly to suit sharepoint instead of being rigid in their specs (that were ALWAYS written with next to zero real experience of the platform) and deciding to get custom development done, then more sharepoint projects would be delivered on time and on budget. Sadly, this is not the case.
So, number one: SharePoint 2007 is an excellent product, but please, for the love of jeebus, find yourselves some top gun sharepoint developers who really understands the product before you embark on this journey. If you don't, you will all go down in flames.
-Oisin
What a load of CRAP that sharepoint isn't cut out for what the op wants to use it for. Especially the "Do not get yourself wrapped up in SharePoint" comment from ChaosPandion. Maybe he thought it to difficult and gave up...
Sure SharePoint development takes some getting used to, but it is able to what is wanted by the op most definately. SharePoint is built using ASP.NET so anything you do in ASP.NET can be used / ported to SharePoint. It is not a standalone product, but a DEVELOPMENT PLATFORM. It will scale to serve that many users, using multiple WFE's (Web Front Ends) and a SQL Cluster as backend.
The question here is: is sharepoint the most suited platform for building this site? Then I would have to answer, probably not, seeing as the wanted functionality is almost all custom development. If you plan on doing web content management as well, then yes, SharePoint is definately worth looking into. Also, SharePoint takes away all (or at least most :-D) authorisation and authentication wories. It is Department of Defense certified. And if the offered out of the box security is not enough, just write an authentication provider (seeing as SharePoint uses ASP.NET's provider model).
To answer your questions:
The bank IT told us that SharePoint has in fact lots of other features that will help us make the project more efficiently - for example, it seems that SharePoint has some built-in scalability and high availability technologies.
SharePoint is farm based, to which you can add machines, having each machine perform a different task, which means either app server, index server, WFE, document conversion services., WFE's can be behind a load balancer to distribute requests. Also I want to mention the web content management again.
I heard saying that SharePoint development is very tedious, that the platform cannot be very easily customized, etc.
Like I said, SharePoint is based on ASP.NET, so it is as much customizable as ASP.NET is. You could even create an ASP.NET web site, put all UI in Controls and then use those is SharePoint, maybe even have the controls use it's own database. As for it being tedious, not really. It's just DIFFERENT and deployment / testing is not like normal deployment / testing. SharePoint uses so called solution files (.wsp files), to package up functionality and deploy it to the server. This IMHO makes it possible to deploy functionality in a very modular way. Furthermore, there are loads of cool open source projects out there that make sharepoint development much easier and also provide cool extensions to "pimp" your site and make it more fun and easy to use for end-users.
Nuff said....
SharePoint development can be tedious but I'd hardly say the platform cannot be easily customized. I recently began developing with it full time and so far, I impressed at it's flexibility and suitability for my application but my needs are quite different from what you've described.
I understand 2007 is a vast improvement over 2003 so perhaps your information is only outdated. I hear 2010 is going to again be a significant improvement.
It's your job to deliver the functionality that the customer desires. If they desire a SharePoint solution, unless there's some particular reason why SharePoint really is a weaker model, that's what you should be able to deliver. In the event that SharePoint isn't a good fit, you need to be able to explain why to the bank's satisfaction. I'm not convinced "We don't know SharePoint" is an acceptable response in this situation: the bank's inclination should, at that point, be to find someone who knows both technologies well enough to deliver a product in SharePoint or better explain why SharePoint isn't actually what they want.
UPDATE: After looking at this more I would add that I do not believe that SharePoint is for you. As I mention below SharePoint is for collaboration. If the users that come to the site require an isolated experience then SharePoint is more overhead than you need.
SharePoint is built on top of ASP.NET so you have everything that you want to do with ASP.NET in addition to what SharePoint provides. Anyone who says that it is difficult is trying to make it that way. You can deploy stand alone custom pages with 100% of your own code and it will run under sharepoint, or you can create new application pages that also contain any code you want to write, or you can simply add your own webparts that can be added to any page you choose with 100% of your own code.
Here is just one example.
Creating an Application Page in Windows SharePoint Services 3.0
What SharePoint offers on top of that is a whole different paradigm on collaboration tools. If you wish to leverage it (if not the cost on return is somewhat limited) you can build amazingly complex and integrated solutions that is build around the aggregation of data from across an enterprise.
That being said, do not go into it lightly. If deployed wrong or with a half understanding of where SharePoint excels and where it does not will result in a diaster. Unless you have the time to understand the core concepts of SharePoint I would warn against it but your client is right. If you do build it in SharePoint you get a great deal more flexibility. One right off the bat is the ability to mix authentication modes. I designed a solution that mixed custom forms authentication with an LDAP backend with Windows Authentication. Anyone could visit the same pages but your authenticated account could come from two different locations.
This is a matter of what kind of concerns you want to have in the application:
Building it to look and function your way, go with sharepoint.
Building it to have infrastructure for authentication, permissions, http/web security, scalability, backup, database maintenance PLUS getting it to look and function your way (but now way more under your control), go with a more pure .NET approach.
I would pick the one I am best at, as Kevin said above.
Edit
More about Kevins post: you can also have your application under sharepoint but with full access to the API, in my projects we do it as a normal ASP.NET application, with own masterpages and everything, but we still use the authentication, lists and doc libraries for uploads, roleassignments for permissions etc. Its a very viable hybrid.
You said,
I heard saying that SharePoint
development is very tedious, that the
platform cannot be very easily
customized, etc.
You have been misinformed about SharePoint. All SharePoint pages are ASP.NET pages. You can customize any of them, either directly, or by using Microsoft Office SharePoint Designer, which is free.
Get started at http://msdn.microsoft.com/en-us/sharepoint/default.aspx.
SharePoint is a lot of work and with that amount of users I personally (and being a SharePoint developer) wouldn't bother.
I would go down the ASP.MVC route in all honesty and not because it's new and the latest buzz technology. I would use it because it's hands down faster. This site for example is written in ASP.NET MVC and it handles all these requests per day on I think 3 servers. 2 front end and 1 database. Correct my if I'm wrong with that.
The problem with asking whether Sharepoint is easy to customize is that there's a wide range of levels of customization people are experienced with. And for some reason, most people also seem to think that whatever level they customized Sharepoint to is the extent to which anyone else would also try to customize Sharepoint.
It's hard to talk about degrees of customization in concrete terms. What is "customization" to me is wrangling with the core DAL, fighting with bugs in the CAML to SQL query optimizers, overriding the SPListItem hydration pipeline, etc. To others, "customization" might mean building some web part widgets and deploying them in a WSP. If you find that there is some impedance mismatch between your logical model and Sharepoint's working model, you will have a really hard time reconciling the two.
Welcome to the dark land of politics.
It's worth making sure that your team properly evaluate and understand any compromises that SharePoint will have you make. Asking here is a good start. Things I'd look at include:
What's the whole solution going to include? Often the administration of a site can involve as much or more development work as the front end. While the 3M+ user front end is the glamorous part it may not be the bulk of the work.
Are there reference sites for 20K+ simultaneous user SharePoint sites? Honestly? What kind of hardware did that require? Is that available?
Get a small group of experienced contractors in for a few weeks to properly estimate the work, both on ASP.NET MVC and SharePoint. Make sure they've worked on large sites. (There's plenty of contractors around at the moment!)
Also, anticipate failure. Have a fall-back option:
If the MVC technologists win out, expect heat from senior management, and possibly even a skunk-works we'll-do-it-properly-anyway project that duplicates your efforts.
If you do end up with SharePoint, listen very carefully to users throughout the development process and be prepared to create Web parts, MVC pages or whathaveyou to address problem points.
I've been in a similar situation where it turned out that there was heavy vendor influence at a very senior level. The senior team had bought into SharePoint and required it to be used for all internal systems; the OCTO (Office of the Chief Technologist) had mandated open-source technologies. It was fun to watch the fur fly in the middle.
(Our option in the end was to use a service-based architecture based on REST, which effectively booted the current version of SharePoint out of the system altogether.)
I would build this on SharePoint. It is quite suitable for big sites and many sites have already been built on it: topsharepoint.com
SharePoint (like all complex applications) does require sufficient knowledge that you do not seem to have at the moment which is a big risk in my mind. Don't listen to the nay-sayers though.. lack of knowledge is a common problem for devs dealing with SharePoint but it doesn't mean you can't make it do whatever you want.
Regardless, what other options do you have? I think the days of building completely custom CMS's have passed just as building completely custom Intranets are not cost effective anymore. There are many competitors to what they want to do with SharePoint (Umbraco, Sitecore, Sitefinity, etc) and most of them seem better than 100% custom.
So the answer might be neither ASP.NET or Sharepoint..