1 / 23

Introduction to Windows Identity Foundation

Introduction to Windows Identity Foundation. Jax ArcSig 3 /22/2011 Keith Tingle. About Me. Keith Tingle http://keith-tingle.com/blog kktingle@gmail.com Lender Processing Services http://www.lpsvcs.com. What is WIF?. Simplifies the programming model of: WS-Trust

vine
Download Presentation

Introduction to Windows Identity Foundation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Windows Identity Foundation JaxArcSig 3/22/2011 Keith Tingle

  2. About Me • Keith Tingle • http://keith-tingle.com/blog • kktingle@gmail.com • Lender Processing Services • http://www.lpsvcs.com

  3. What is WIF? • Simplifies the programming model of: • WS-Trust • Smart Clients a.k.aActive Clients • WS-Federation • Browsers a.k.a. Passive Clients • SAML • Makes it relatively easy to implement • Federated Authentication • Delegation • Single Sign On

  4. What is WIF? (cont’d) • Extends the .NET model of identity to claims • Tooling in Visual Studio • Project templates for claims-aware apps & STS • ‘Add STS Reference’ • FedUtil.exe • ASP.NET controls • Login Status Control • Handles Single Sign Out

  5. Federated Authentication • What does it mean? • Offload responsibility for authentication to the STS • Delete your login.aspx! • Reduces the amount of security code • App is agnostic to authentication method • Based on the concept of Relying Party & Trust • Public Key Infrastructure is the glue that holds everything together! • Relying Party installs the STS certificate and ‘trusts’ it • Metadata is standardized (FederatedMetaData.xml)

  6. Active Directory is Analogous • BUT • Only works in the boundaries of a Domain • Machines must be joined to a domain • What about machines in the DMZ? • What about the Cloud? • Clients must be on the domain • Machines typically run Windows • What about OS X, Linux? • What about iOS, Android?

  7. What is an STS? • Identity STS (‘IdP’) • Authenticates users • Supports * authentication methods • Windows Authentication • User / Name Password • X509 Client Certificates • Issues SAML tokens that contain claims • Signed & possibly encrypted • Options • Roll your own • ADFS 2.0

  8. Federated Authentication Security Token Service Trust 1 SAML Token 2 Relying Party 3

  9. Review of Claims Jargon • ‘Passive’ client versus ‘Active’ client • Passive clients are browsers. • Active clients = Stand alone applications w/ access to a SOAP stack, e.g. a .NET console application. • ‘Relying Party’ or ‘RP’ • An application that trusts the tokens issued by an STS • A ‘Trust’ • A key exchange between an RP and an STS • ‘Identity Provider’ or ‘IdP’ • STS that authenticates a users identity • ADFS 2.0 can serve as an IdP for AD User Stores

  10. Identity in .NET • Representation of identity public interface IIdentity { string AuthenticationType { get; } boolIsAuthenticated { get; } string Name { get; } } FormsIdentity : IIdentity ‘ktingle’ WindowsIdentity : IIdentity ‘NTLM\ktingle’ x509Identity : IIdentity ‘CN=KeithTingle, 54ED5443D…’

  11. Identity in .NET w/ Claims • Extended to claims public interface IClaimsIdentity : IIdentity { ClaimCollection Claims {get;} } public class Claim { // Properties public virtual string ClaimType { get; } public virtual string Issuer { get; } public virtual IClaimsIdentity Subject { get; } public virtual string Value { get; } }

  12. Federated Authentication Demo w/ WIF

  13. WIF Packaging • Two packages • WIF Runtime • Minimum of .NET FX 3.5 • Install the runtime on your servers • Clients do not need WIF Runtime unless you develop a smart client that utilizes the WIF extensions for client apps. • Passive clients • Vanilla WCF 3.5 supports • Most scenarios will have these features used in delegation scenarios • Separate .NET 3.5 & .NET 4.0 downloads • WIF SDK • Visual Studio 2010 Project Templates • FedUtil.exe utility • User Controls • SignIn Status • Do *not* underestimate the value of these controls!

  14. Active Directory Federation Services 2.0 • Requires Windows Server 2008 • Supports HA configurations • Federation farms & proxy • ADFS 1.0 (not 2.0) comes on the Windows Server 2008 installation media. • ADFS 2.0 is complete rewrite of ADFS 1.0 • Built on WIF • Available as a download only (http://bit.ly/ePLV4s) • ADFS 1.0 will serve as IdP for Active Directory Lightweight Directory Services (a.k.a. ADAM) • ADFS 2.0 will only serve as an IdP for Active Directory

  15. SharePoint 2010 • Rewritten security model on top of WIF • All intra-farm security is claims based • Supports • Federated Authentication • Trusted Identity Provider • Must use Powershell to create a provider • IClaimsIdentity available to custom

  16. Quick SharePoint 2010 Demo

  17. When to consider Claims? • When do we consider using claims? • Single Sign On Scenarios • Heterogeneous user stores • Corporate AD • AD Lightweight Directory Services • External Systems • SQL, XML • Heterogeneous authentication methods • Username / Password • Kerberos / NTLM • X509 Certificates • Delegation

  18. Claims-based Identity Gotchas • Distinguish between application claims and enterprise claims • Name, E-Mail, Age • Uploader, Editor

  19. Getting Started StarterSTS & Starter RP • http://startersts.codeplex.com • Deployed as an ASP.NET web site • Uses ‘standard’ ASP.NET membership & role providers • WIF templates for a custom STS are very basic • Creating an STS from scratch is a major undertaking, consider out the box alternatives

  20. Additional Resources • A Guide to Claims-based Identity and Access Control • http://tinyurl.com/claimsguide • Exploring Claims-based Identity • http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

  21. The End

  22. STS User Store RST Request for Security Token Security Token Service RSTR Request for Security Token Response Trust WS-Trust Enabled Web Service Client SAML Token Relying Party Endpoint

  23. The Public Key Infrastructure • The PKI is the foundation for trust and establishing identity on the Internet • Built on top of asymmetrical encryption algorithms • Symmetric Encryption Algorithms – Both the sender and recipient of the message share a secret key. • Asymmetric Encryption Algorithms – The sender and the receiver create asymmetrical key pairs, and exchange the public keys with one another. • A key pair – the two keys are related mathematically but it essentially impossible to derive one key from the other. • Public Key – Distributed anywhere • Private Key – A compromised private key should result in a ‘revocation’ of the corresponding certificate. • Revocation is formal concept • There are protocols (CRLs, OCSP)

More Related