Whiteboard discussion of WS-Fed and WS-Trust
WS-* Metasystem Protocol (participants: Client Application, Identity Selector, Relying Party, Identity Provider)
1. Client Application -> Relying Party: WS-MEX GetMetadata Request (asks for the RP's policy)
2. Relying Party -> Client Application: WS-MEX GetMetadata Response (WS-SecurityPolicy)
3. Client Application -> Identity Selector: GetToken(RP Policy)
4. Identity Selector: Select Identity
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request (the selected identity needs credentials from this IP)
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Client Application: Return security token
10. Client Application -> Relying Party: Access resource with the security token (WS-Security)

Browser Metasystem Protocol (participants: Client Browser, Identity Selector, Relying Party, Identity Provider)
1a. Browser -> Relying Party: HTTP GET to protected page
1b. Relying Party -> Browser: HTTP redirect to login page
2a. Browser -> Relying Party: HTTPS GET to login page
2b. Relying Party: Policy (embedded in the page)
2c. Relying Party -> Browser: HTTPS login page containing the HTML information card tag
3. Browser -> Identity Selector: Click; GetBrowserToken(RP Policy)
4. Identity Selector: Select Identity
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request (the selected identity needs credentials)
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Browser: Return security token
10. Browser -> Relying Party: HTTPS POST with security token
11. Relying Party -> Browser: HTTP redirect with session cookie
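The two flows above end in the same WS-Trust exchange (steps 7 and 8): the identity selector sends a RequestSecurityToken carrying the RP's policy requirements and receives a RequestSecurityTokenResponse carrying the issued token and, for a symmetric key, the proof key. The following Python is an added example, not code from the original slides or from CardSpace/ADFS; it builds the RST from the RP policy and extracts the token and proof key from an RSTR. The namespace URIs are the published WS-Trust 1.3, WS-Policy and WS-Addressing ones; the RSTR it parses is constructed sample data, not a captured message.

```python
# Added example (not from the original slides): building a WS-Trust 1.3
# RequestSecurityToken from the RP's policy and extracting the issued token and
# proof key from the RequestSecurityTokenResponse. The RSTR below is constructed
# sample data, not a captured ADFS/CardSpace message.
import base64
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML11_TOKEN_TYPE = "urn:oasis:names:tc:SAML:1.0:assertion"

ET.register_namespace("wst", WST)
ET.register_namespace("wsp", WSP)
ET.register_namespace("wsa", WSA)


def build_rst(applies_to, token_type=SAML11_TOKEN_TYPE, key_type="SymmetricKey", key_size=128):
    """Serialise an RST carrying the RP's token requirements (tokenType, keyType,
    keySize) plus the RP's identity in wsp:AppliesTo, which is what
    ic:RequireAppliesTo asks the identity selector to include."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = f"{WST}/{key_type}"
    ET.SubElement(rst, f"{{{WST}}}KeySize").text = str(key_size)
    return ET.tostring(rst, encoding="unicode")


def parse_rstr(rstr_xml):
    """Pull the issued token (as XML text) and the symmetric proof key out of an
    RSTR. The proof key is carried in wst:RequestedProofToken/wst:BinarySecret;
    the RP's copy of the same key sits inside the (normally RP-encrypted) token."""
    root = ET.fromstring(rstr_xml.strip())
    token = root.find(f"{{{WST}}}RequestedSecurityToken")
    if token is None or len(token) == 0:
        raise ValueError("RSTR carries no RequestedSecurityToken")
    secret = root.find(f"{{{WST}}}RequestedProofToken/{{{WST}}}BinarySecret")
    proof_key = base64.b64decode(secret.text) if secret is not None else None
    return {
        "token_xml": ET.tostring(token[0], encoding="unicode"),
        "proof_key": proof_key,
    }


# Constructed sample RSTR (hypothetical issuer and assertion id).
SAMPLE_RSTR = f"""
<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:TokenType>{SAML11_TOKEN_TYPE}</wst:TokenType>
  <wst:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    AssertionID="_example" Issuer="https://idp.example.test/"/>
  </wst:RequestedSecurityToken>
  <wst:RequestedProofToken>
    <wst:BinarySecret>{base64.b64encode(bytes(range(16))).decode()}</wst:BinarySecret>
  </wst:RequestedProofToken>
</wst:RequestSecurityTokenResponse>
"""

if __name__ == "__main__":
    print(build_rst("https://rp.example.test/"))
    print(parse_rstr(SAMPLE_RSTR))
```

Whatever transport carries the RST (SOAP from the identity selector, or an STS-to-STS call), the RP policy is what decides KeyType and KeySize, so the identity selector should not let a page override them with weaker values than the policy it fetched via WS-MEX.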
Token Encrypted to RP (Identity Provider, Relying Party, CardSpace)
- The IP and the RP may have established a relationship out of band, so the RP's key is known to the IP.
- CardSpace expresses the desire to convey the RP's identity to the IP; the RP asks for this in app.config:
    <tokenParameters>
      <xmlElement>
        <wsp:Policy>
          <ic:RequireAppliesTo />
        </wsp:Policy>
      </xmlElement>
      …
    </tokenParameters>
- CardSpace generates the request message and includes the RP's identity in it.
- The IP decrypts the request, generates the response security token, and encrypts the token with the RP's key.
- The IP generates the response message and encrypts it to the client.

Token not Encrypted to RP (Identity Provider, Relying Party, CardSpace)
- The RP's key is not known to the IP.
- CardSpace generates the request message with the token requirements and requests the security token.
- The IP decrypts the request and generates the response security token; since it cannot encrypt the token with the RP's key, the token is not encrypted.
- The IP generates the response message and encrypts it to the client (so the token is still protected in transit to the client, but not to the RP).

Proof Token: Symmetric Key (Identity Provider, Relying Party, CardSpace)
Token requirements: keyType = Symmetric, keySize = 128, tokenType = SAML 1.1
- CardSpace generates the request message and requests the security token.
- The IP decrypts the request and generates a key.
- The IP generates a token and includes the key in the token; it also includes the key as the proof token in the response message.
- The IP generates the response message and encrypts it to the client.
- CardSpace signs the message to the RP with the proof key and sends it.
- The RP verifies the signature (using the key it recovers from the token).

Proof Token: Asymmetric Key (Identity Provider, Relying Party, CardSpace)
Token requirements: keyType = Asymmetric, keySize = 2048, tokenType = SAML 1.1
- CardSpace generates a key pair and includes the (public) key in the request; it generates the request message and requests the security token.
- The IP decrypts the request, generates a SAML token and includes the key in the token.
- The IP generates the response message with the security token and encrypts it to the client.
- CardSpace signs the message to the RP with the other (private) key and sends it.
- The RP verifies the signature.
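The point of the proof token in both slides is proof of possession: the token alone is useless to whoever steals it, because the RP also demands a signature under the key the IP bound into the token. The following Python is an added example of the symmetric-key variant, not code from the original slides or from CardSpace. It uses only the standard library, so the IP's signature on the token is an HMAC under a constructed IP/RP shared secret standing in for the real XML signature, and the token is not encrypted to the RP here. The asymmetric variant differs only in that the client supplies a public key for the IP to bind into the token and signs with the matching private key. All names, secrets and URLs are constructed.

```python
# Added example (not from the original slides): proof of possession with a
# symmetric proof key. The IP generates a 128-bit key, binds it into the token
# and hands the same key to the client as the proof token; the client signs its
# request with it; the RP recovers the key from the token and verifies. The
# IP's signature over the token is modelled as an HMAC under a constructed
# IP/RP shared secret (standing in for XML-DSig); the token is not encrypted.
import base64
import hashlib
import hmac
import json
import secrets

# Constructed: secret shared by IP and RP out of band (stands in for the
# IP's signing key and the RP's trust in that key).
IP_RP_SHARED_SECRET = b"constructed-ip-rp-signing-secret"


def ip_issue(subject, applies_to, key_size=128):
    """Identity provider: generate a key, put it in the token, sign the token,
    and return (token, proof_key). In the real RSTR the proof key is returned
    to the client inside the response, encrypted to the client."""
    proof_key = secrets.token_bytes(key_size // 8)
    body = json.dumps({"subject": subject, "audience": applies_to,
                       "proof_key": base64.b64encode(proof_key).decode()},
                      sort_keys=True).encode()
    sig = hmac.new(IP_RP_SHARED_SECRET, body, hashlib.sha256).digest()
    token = base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()
    return token, proof_key


def client_sign(token, proof_key, message):
    """Client (CardSpace): sign the message to the RP with the proof key and
    attach the token."""
    mac = hmac.new(proof_key, message, hashlib.sha256).digest()
    return {"token": token, "message": message,
            "signature": base64.b64encode(mac).decode()}


def rp_verify(request, expected_audience):
    """Relying party: check the IP's signature on the token, check the token was
    issued for this RP, then check the message signature with the key taken
    from the token."""
    b64body, b64sig = request["token"].split(".")
    body = base64.b64decode(b64body)
    expected = hmac.new(IP_RP_SHARED_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(b64sig)):
        return False  # token forged or altered
    claims = json.loads(body)
    if claims["audience"] != expected_audience:
        return False  # token issued for a different RP
    proof_key = base64.b64decode(claims["proof_key"])
    mac = hmac.new(proof_key, request["message"], hashlib.sha256).digest()
    return hmac.compare_digest(mac, base64.b64decode(request["signature"]))


def demo():
    """Returns (genuine request ok, stolen token without key rejected,
    genuine request presented to another RP rejected)."""
    rp = "https://rp.example.test/"
    token, key = ip_issue("alice@example.test", rp)
    good = client_sign(token, key, b"GET /resource")
    # Token stolen: without the proof key the thief cannot sign a message.
    stolen = client_sign(token, b"\x00" * 16, b"GET /resource")
    return (rp_verify(good, rp),
            rp_verify(stolen, rp),
            rp_verify(good, "https://other.example.test/"))


if __name__ == "__main__":
    print(demo())
```

The audience check matters as much as the signature check: with RequireAppliesTo the IP knows which RP the token is for, and an RP that skips the check will accept a token (and proof key) issued for someone else.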
ADFS WS-Fed (participants: Browser Client, FS-A STS (account side), Web Server, FS-R STS (resource side))
1. Browser -> Web Server: GET appURL
2. Web Server -> Browser: 302 fs-rURL?wa=…&wreply=AppURL&wctx=appURL
3. FS-R STS: detect the user's home realm
4. FS-R STS -> Browser: 302 fs-aURL?wa=...&wtrealm=fs-rURI&wctx=AppURL/appURL
5. FS-A STS: authenticate the user
6. FS-A STS -> Browser: 200 <FORM ACTION=fs-rURL METHOD=POST> <INPUT … NAME=wresult VALUE=[fs-a token]> … (auto-posted to FS-R)
7. FS-R STS -> Browser: 200 <FORM ACTION=AppURL METHOD=POST> <INPUT … NAME=wresult VALUE=[fs-r token]> … (auto-posted to the web server)
8. Web Server -> Browser: 302 appURL, with Set-Cookie in the response header (session established)

CardSpace with ADFS (participants: Requestor Client, Identity Provider STS, Target Service, Relying Party STS)
1. Client -> Target Service: HTTPS GET
2. Target Service -> Client: HTTPS 302, redirect to the RP STS
3. Client -> RP STS: HTTPS GET home realm discovery page
4. RP STS -> Client: HTTPS 200 (page with the CardSpace icon)
5. Client: CardSpace selection
6. Client -> IP STS: WS-Trust RST
7. IP STS -> Client: WS-Trust RSTR
8. Client -> RP STS: HTTPS POST security token (WS-Fed)
9. RP STS: authenticate the token, extract the claims, create, encrypt and sign a new token
10. RP STS -> Client: HTTP 200 (JavaScript that posts the new token to the Target Service)
11. Client -> Target Service: HTTPS POST security token
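Both ADFS flows above move the token through the browser with WS-Federation passive redirects (wa, wtrealm, wreply, wctx on a 302) and auto-posted wresult forms. The following Python is an added example for both, not code from the original slides or from ADFS: it builds the sign-in redirect, checks an incoming sign-in request on the STS side against a registry of relying parties before trusting wreply, and renders the wresult form. wa=wsignin1.0 is the WS-Federation sign-in action; the realm URIs, URLs and registry contents are constructed placeholders.

```python
# Added example (not from the original slides): WS-Federation passive sign-in
# redirect and wresult form, with the STS-side check that wreply belongs to the
# realm that asked for the token. Realms, URLs and the registry are constructed.
import html
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

WSIGNIN = "wsignin1.0"  # WS-Federation sign-in action

# Constructed RP registry: realm URI -> reply URL prefixes allowed for it.
REGISTERED_RPS = {
    "urn:federation:fs-r": ["https://fs-r.example.test/adfs/ls/"],
    "https://app.example.test/": ["https://app.example.test/"],
}


def build_signin_redirect(sts_url, wtrealm, wreply, wctx=None):
    """Build the 302 Location the web server (or FS-R) sends the browser to."""
    params = {"wa": WSIGNIN, "wtrealm": wtrealm, "wreply": wreply}
    if wctx is not None:
        params["wctx"] = wctx
    parts = urlsplit(sts_url)
    return urlunsplit(parts._replace(query=urlencode(params)))


def validate_signin_request(location, registry=REGISTERED_RPS):
    """STS side: parse the redirect and refuse to post a token to a wreply that
    is not registered for the claimed realm; otherwise wreply would deliver the
    wresult token to whatever site the attacker named in the link."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
    if q.get("wa") != WSIGNIN:
        raise ValueError("not a sign-in request")
    realm = q.get("wtrealm")
    if realm not in registry:
        raise ValueError(f"unknown realm {realm!r}")
    reply = q.get("wreply", registry[realm][0])
    if not any(reply.startswith(prefix) for prefix in registry[realm]):
        raise ValueError(f"wreply {reply!r} not registered for {realm!r}")
    return {"realm": realm, "reply": reply, "wctx": q.get("wctx")}


def signin_is_trusted(location, registry=REGISTERED_RPS):
    """Boolean wrapper around validate_signin_request."""
    try:
        validate_signin_request(location, registry)
        return True
    except ValueError:
        return False


def wresult_form(reply_url, wresult, wctx=None):
    """The 200 response carrying the token back through the browser (steps 6
    and 7 of the ADFS slide). Values are HTML-escaped so a token containing
    markup cannot break out of the hidden input."""
    fields = {"wa": WSIGNIN, "wresult": wresult}
    if wctx is not None:
        fields["wctx"] = wctx
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return f'<form method="POST" action="{html.escape(reply_url)}">{inputs}</form>'


if __name__ == "__main__":
    loc = build_signin_redirect("https://fs-a.example.test/adfs/ls/",
                                "urn:federation:fs-r",
                                "https://fs-r.example.test/adfs/ls/",
                                wctx="https://app.example.test/")
    print(loc)
    print(validate_signin_request(loc))
    print(wresult_form("https://app.example.test/", "<saml:Assertion/>"))
```

wctx is opaque state echoed back to the requester; it is not a destination, so a web server that turns wctx into a redirect target after step 8 needs the same registry check as wreply.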