230 likes | 459 Views
Introduction to Windows Identity Foundation. Jax ArcSig 3 /22/2011 Keith Tingle. About Me. Keith Tingle http://keith-tingle.com/blog kktingle@gmail.com Lender Processing Services http://www.lpsvcs.com. What is WIF?. Simplifies the programming model of: WS-Trust
E N D
Introduction to Windows Identity Foundation JaxArcSig 3/22/2011 Keith Tingle
About Me • Keith Tingle • http://keith-tingle.com/blog • kktingle@gmail.com • Lender Processing Services • http://www.lpsvcs.com
What is WIF? • Simplifies the programming model of: • WS-Trust • Smart Clients a.k.aActive Clients • WS-Federation • Browsers a.k.a. Passive Clients • SAML • Makes it relatively easy to implement • Federated Authentication • Delegation • Single Sign On
What is WIF? (cont’d) • Extends the .NET model of identity to claims • Tooling in Visual Studio • Project templates for claims-aware apps & STS • ‘Add STS Reference’ • FedUtil.exe • ASP.NET controls • Login Status Control • Handles Single Sign Out
Federated Authentication • What does it mean? • Offload responsibility for authentication to the STS • Delete your login.aspx! • Reduces the amount of security code • App is agnostic to authentication method • Based on the concept of Relying Party & Trust • Public Key Infrastructure is the glue that holds everything together! • Relying Party installs the STS certificate and ‘trusts’ it • Metadata is standardized (FederatedMetaData.xml)
Active Directory is Analogous • BUT • Only works in the boundaries of a Domain • Machines must be joined to a domain • What about machines in the DMZ? • What about the Cloud? • Clients must be on the domain • Machines typically run Windows • What about OS X, Linux? • What about iOS, Android?
What is an STS? • Identity STS (‘IdP’) • Authenticates users • Supports * authentication methods • Windows Authentication • User / Name Password • X509 Client Certificates • Issues SAML tokens that contain claims • Signed & possibly encrypted • Options • Roll your own • ADFS 2.0
Federated Authentication Security Token Service Trust 1 SAML Token 2 Relying Party 3
Review of Claims Jargon • ‘Passive’ client versus ‘Active’ client • Passive clients are browsers. • Active clients = Stand alone applications w/ access to a SOAP stack, e.g. a .NET console application. • ‘Relying Party’ or ‘RP’ • An application that trusts the tokens issued by an STS • A ‘Trust’ • A key exchange between an RP and an STS • ‘Identity Provider’ or ‘IdP’ • STS that authenticates a users identity • ADFS 2.0 can serve as an IdP for AD User Stores
Identity in .NET • Representation of identity public interface IIdentity { string AuthenticationType { get; } boolIsAuthenticated { get; } string Name { get; } } FormsIdentity : IIdentity ‘ktingle’ WindowsIdentity : IIdentity ‘NTLM\ktingle’ x509Identity : IIdentity ‘CN=KeithTingle, 54ED5443D…’
Identity in .NET w/ Claims • Extended to claims public interface IClaimsIdentity : IIdentity { ClaimCollection Claims {get;} } public class Claim { // Properties public virtual string ClaimType { get; } public virtual string Issuer { get; } public virtual IClaimsIdentity Subject { get; } public virtual string Value { get; } }
WIF Packaging • Two packages • WIF Runtime • Minimum of .NET FX 3.5 • Install the runtime on your servers • Clients do not need WIF Runtime unless you develop a smart client that utilizes the WIF extensions for client apps. • Passive clients • Vanilla WCF 3.5 supports • Most scenarios will have these features used in delegation scenarios • Separate .NET 3.5 & .NET 4.0 downloads • WIF SDK • Visual Studio 2010 Project Templates • FedUtil.exe utility • User Controls • SignIn Status • Do *not* underestimate the value of these controls!
Active Directory Federation Services 2.0 • Requires Windows Server 2008 • Supports HA configurations • Federation farms & proxy • ADFS 1.0 (not 2.0) comes on the Windows Server 2008 installation media. • ADFS 2.0 is complete rewrite of ADFS 1.0 • Built on WIF • Available as a download only (http://bit.ly/ePLV4s) • ADFS 1.0 will serve as IdP for Active Directory Lightweight Directory Services (a.k.a. ADAM) • ADFS 2.0 will only serve as an IdP for Active Directory
SharePoint 2010 • Rewritten security model on top of WIF • All intra-farm security is claims based • Supports • Federated Authentication • Trusted Identity Provider • Must use Powershell to create a provider • IClaimsIdentity available to custom
When to consider Claims? • When do we consider using claims? • Single Sign On Scenarios • Heterogeneous user stores • Corporate AD • AD Lightweight Directory Services • External Systems • SQL, XML • Heterogeneous authentication methods • Username / Password • Kerberos / NTLM • X509 Certificates • Delegation
Claims-based Identity Gotchas • Distinguish between application claims and enterprise claims • Name, E-Mail, Age • Uploader, Editor
Getting Started StarterSTS & Starter RP • http://startersts.codeplex.com • Deployed as an ASP.NET web site • Uses ‘standard’ ASP.NET membership & role providers • WIF templates for a custom STS are very basic • Creating an STS from scratch is a major undertaking, consider out the box alternatives
Additional Resources • A Guide to Claims-based Identity and Access Control • http://tinyurl.com/claimsguide • Exploring Claims-based Identity • http://msdn.microsoft.com/en-us/magazine/cc163366.aspx
STS User Store RST Request for Security Token Security Token Service RSTR Request for Security Token Response Trust WS-Trust Enabled Web Service Client SAML Token Relying Party Endpoint
The Public Key Infrastructure • The PKI is the foundation for trust and establishing identity on the Internet • Built on top of asymmetrical encryption algorithms • Symmetric Encryption Algorithms – Both the sender and recipient of the message share a secret key. • Asymmetric Encryption Algorithms – The sender and the receiver create asymmetrical key pairs, and exchange the public keys with one another. • A key pair – the two keys are related mathematically but it essentially impossible to derive one key from the other. • Public Key – Distributed anywhere • Private Key – A compromised private key should result in a ‘revocation’ of the corresponding certificate. • Revocation is formal concept • There are protocols (CRLs, OCSP)