1 / 19

Claims-based security

Claims-based security. with Windows Identity Foundation. Goals. Introduce you to claims-based security. Show that it isn’t that hard anymore, thanks to WIF. And it’s fun!. Some terminology. Two types of federation. WS-Federation: Active Requestor Profile - Based on WS-Trust

abiola
Download Presentation

Claims-based security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Claims-based security with Windows Identity Foundation

  2. Goals Introduce you to claims-based security. Show that it isn’t that hard anymore, thanks to WIF. And it’s fun!

  3. Some terminology

  4. Two types of federation WS-Federation: Active Requestor Profile - Based on WS-Trust - For active clients, such as WPF and WinForm applications WS-Federation: Passive Requestor Profile - Based on WS-Federation - For web clients - "emulating" WS-Trust on top of GET, POST, browser redirects and cookies

  5. Claim Way too abstract: A statement that is made by one entity about another entity. Let’s make it a bit more concrete: A piece of information about a user in a system, issued by a security token service (STS) that a claims-aware application trusts: Name Email Identifying claims Phone Number Nationality Age Blind claims Hair color Role, permission

  6. What’s inside a claim? ClaimType Built-in: name, email, phonenumber Custom: organization number, cost center, member status …or anything else that makes sense in your system Usually they have a URI-format, such as:"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname” ClaimValue e.g.: “john.doe@somewhere.com” Issuer (STS) “CN=the.sts.at.somewhere.com”, the name of the STS that has issued the claim And a couple of more properties: ClaimValueType, OriginalIssuer, ...

  7. So from a security point of view we can say that auser’s identity is made up by a set of claims

  8. Security token Claims on the wire I.e., a serialized set of claims - digitally signed by the STS -encrypted (optional but recommended) Security token formats: SAML - an XML-based standard from OASIS - is the most common format - Interoperable Kerberos X.509 certificate

  9. Basic rules of Claims-based authorization Let go of authentication the users yourself. Let the STS handle it instead. Establish a trust relationship with the STS

  10. The driving forces It enables identity federation It enables SSO Lower user administration costs for organizations Always fresh user information Seamless step-up authentication Separation of concerns Better security

  11. What about role-based access control? Don’t worry... It’s backward compatible!

  12. Claims based security – One domain Authenticate IP = Identity Provider IP-STS AD Validate AppliesTo RPs Trust relationship A.K.A.: - STS E.g.: ADFS 2.0 Gather claims Claims WCF pipeline RSTR - Security token - Proof key RST - Credentials - AppliesTo Application = RP Access Control Token Validation Msg + token Active client Delivers credentials E.g.: - Username / Pwd - Windows credentials - Certificate RP = Relying Party A.K.A.: - Claims-aware application - Service provider Example: WCF Service Response E.g.: WPF, WinForm

  13. Federated identity Security Domain A Security Domain B RP-STS IP-STS trusts Transformation rules Send Token Issue token Authenticate trusts Issue new token WCF Service http://domain/service1 Send message + token WPF Client Send response

  14. Certificates Security Domain A IP-STS Active Client

  15. Certificates Security Domain B RP-STS RP

  16. Certificates Certificate Authority VeriSign Self-signed test certificates – during development makecert.exe

  17. WIF A framework for building claims-based applications as well as STS:s An abstraction layer over the WS-Trust and WS-Federation It contains - a set of .NET classes inside Microsoft.IdentityModel - Visual Studio project templates for ASP.NET, WCF applications and STS services - ASP.NET controls, e.g. FederatedPassiveSignInControl - FedUtil, a tool that makes it easy to establish trust between the application and the STS

  18. You need this get started: Visual Studio 2008 /2010 WIF WIF SDK, includes guidelines, samples etc.

  19. Demo

More Related