1 / 27

Get a WIF of this!

Get a WIF of this!. An introduction to Identity with WIF & AD FS 2.0. About Todd Anderson. Email me: Todd@CAthreads.NET. About Zoiner Tejada. Email me: ZoinerTejada@TejadaNET.com. Windows Identity Foundation. This presentation will focus on how WIF :

niloufer
Download Presentation

Get a WIF of this!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Get a WIF of this! An introduction to Identity with WIF & AD FS 2.0

  2. About Todd Anderson • Email me: Todd@CAthreads.NET

  3. About Zoiner Tejada Email me: ZoinerTejada@TejadaNET.com

  4. Windows Identity Foundation • This presentation will focus on how WIF: • Can be used with websites as well as web services. • Makes life much easier for the developer. • Opens up possibilities that normally have been prohibitively complex. • Now to introduce the participants of this presentation:

  5. The Ultimate Surfboard...The WIFboard • WIF(Windows Identity Foundation)– • It’s not just about Federation, it’s about outsourcing security decisions • Designed to integrate with ASP.NET and WCF applications.

  6. The Surf SpotRelying Party (RP) • Replying parties are your applications: • Web Sites • WIF is used with a passive client, the browser. • Web Services • WIF is used in an Active manner.

  7. The KahunaSTS / Identity Provider • Kahuna is the Hawaiian term for Authority • The same goes for a Security Token Service. • A Security Token Service is an authority on providing identity for the relying party. • An STS is generally a web service. • The Surf Spot expects to know how to talk with the Kahuna. • Various standards at play to achieve this.

  8. The ShakaSecurity Tokens • Security Tokens contain claims. • These claims are information the RP needs to know about the user. For permission to surf at the spot, the surfer must go to that spot’s Kahuna and ask for a shaka, then present this shaka to the surf spot.

  9. The Surfer(user) • In order to have authorization to surf at a surf spot (RP), the surfer must get shakas from the Kahuna (STS) and present them. • Some surf spots require a closer look at the shakas (security token claims) from the Kahuna. This surfer’s claim indicates he’s ridden ten foot barrels! He can surf here.

  10. The Surf Mobile FedUtil.exe • FedUtil.exe is a configuration wizard that’s run against your application (RP) • It tells the surf spot to trust the Kahuna • To use FedUtil.exe in Visual Studio • Right-click your website or web service • select "Add STS Reference...“ • Provide information about • The location of your RP • What STS to use • Certificate settings

  11. Demo • Create a claims enabled web site that utilizes a simple STS • Create a claims enabled web service that utilizes a simple STS

  12. All you need to go surf • A standards compliant Kahuna (STS) • A surf spot (RP) • The Surf Mobile (FedUtil.exe) • A trusty WIFboard

  13. Passive Federation • WSFAM - WSFederationAuthenticationModule • Enables passive authentication • SAM - SessionAuthenticationModule • Handles sessions. • CAM - ClaimsAuthorizationModule (CAM) • You configure your claims-based authorization here.

  14. DEMO • Converting a membership/role provider based website to a claims based one

  15. Federating identity • How would a surf spot trust the authority of Kahunas from other islands? • When your RP wants to authorize users from multiple IP-STSs, you use an FP-STS as an intermediary between the IP-STSs and your RP.

  16. Federation Provider • A Federation Provider is also an STS, but it passes thru or transforms claims • The FP-STS accepts the tokens from the IP-STSs and if necessary, can transform the claims in these tokens before providing them to the RP.

  17. Where is my KahunaHome Realm Discovery (HRD) • When there is more than one Kahuna for a user to authenticate at.. • Upon arriving at the RP, you need to be redirected to the correct IP-STS for authentication. • Two approaches • Indicate which Kahuna via URL • Have user pick from list

  18. Delegation • Without WIF, it is similar to needing a different surfboard for each condition you may encounter. • Trusted Subsystem is a security risk • When Johnny Utah logs into the web application, he is actually using Brodiliah’s admin account to be able to access the backend data. • With some clever tricks, Johnny could be able to gain access to information he’s not supposed to be able to reach. • The solution? Keep passing the original users credentials with delegation, tacking on other claims as needed downstream.

  19. Federating Non-Claims Aware Apps • Claims to Windows Token Service (C2WTS) • C2WTS enables use of legacy or 3rd party systems that rely on Windows Integrated Authorization and cannot be migrated to using claims. • Claims presented are converted to an impersonated Windows identity on the local box and the target application works as before. • e.g., SQL Server

  20. A Real-Life Big Kahuna let’s look at AD FS 2.0...

  21. What is AD FS 2.0? Other Claims Providers AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web CA IBM AD FS 2.0 Major Components SUN Federation Server Federation Server Proxy Attribute Stores WIF Claims Engine Active Directory Website Management Snap-in Web Service Other STS LDAP Windows Server 2003, 2008 SP2, 2008 R2Windows 7, Vista SP2 MS SQL WIF Windows Internal DB Relying Parties Browser Apps .NET 3.5 SP1 IIS 6/7 Smart Clients Web Services

  22. ADFS 2.0 Benefits • Benefits of SSO • reduce administrative overhead • reduce security vulnerabilities as a result of lost or stolen passwords • improve user productivity • Intra-Enterprise: • provide SSO for all your web sites and applications • Pan-Enterprise: • provide SSO experiences for your users to access apps in other organizations • provide SSO experience for users from external organizations to access your apps • Easily externalize authentication & authorization • Rich claims rules processing engine • Management & Configuration Tools

  23. Why even consider AD FS 2.0? • Building a production-ready STS is hard. • The Visual Studio STS templates are just starters for trivial dev scenarios. • Lot's of config to manage, UI's to present in real world STS!

  24. Moving to ADFS

  25. DEMO • Migrating from a development STS to AD FS 2.0

  26. Other Scenarios

  27. Useful Links • Blog: http://TheWorkflowElement.com • WIF Dev Center - http://msdn.microsoft.com/en-us/security/aa570351.aspx • For WIF SDK LABS link to Online STS (AD FS 2) • https://ip-sts-01.federatedidentity.net/federationmetadata/2007-06/federationmetadata.xml • There's a few links floating around that are wrong...this is the correct one. • C2WTS - http://msdn.microsoft.com/en-us/library/ee517278.aspx • ADFS How to Guides - http://technet.microsoft.com/en-us/library/dd727938(WS.10).aspx (  ) • Self-STS - http://code.msdn.microsoft.com/SelfSTS

More Related