ARC303 Pedro Félix CCISEL pedrofelix@cc.isel.ipl.pt Essential aspects of developing applications with Windows Identity Foundation
try { • Motivation • The claims based model • Windows Identity Foundation • Identity and claims representation • Consumption pipeline • ASP.NET and WCF Integration • Issuance pipeline
Motivation
• CloudTrack, an issue tracker: users view/manage issues and create/view issues

Identity and Authorization
• Alice presents creds
• Identity: Contoso::Alice, Contoso::LeadDev
• Authorization: webapp::IssueMgr, webapp::IssueView

Centralized Solution
• webapp (IssueTracker) receives the creds and owns everything: a Membership Provider (Contoso::Alice) and a Role Provider (Contoso::LeadDev mapped to webapp::IssueMgr, webapp::IssueView)
• Authorization decided via IPrincipal.IsInRole(...)

Decentralized Authority
• The Contoso Authority receives the creds and is the source of Contoso::Alice and Contoso::LeadDev
• webapp (IssueTracker) keeps only its own authorization data: webapp::IssueMgr, webapp::IssueView

The Claims Model
• Alice presents creds to Contoso, the Identity Provider (Issuer)
• Contoso issues a Security Token carrying claims: Contoso::Alice, Contoso::LeadDev
• The webapp, the Identity Consumer (Relying Party), accepts the token and maps its claims to webapp::IssueMgr, webapp::IssueView

The Claims Model
• A Provider issues identity, i.e. {Claims} about a Subject, packaged in Security Tokens
• A Consumer uses those tokens
• A Consumer/Provider uses incoming tokens and issues new ones
Demo
• Demo.MIP, Identity Provider: ASP.NET, WIF, Membership Provider, Role Provider, Identity Transformer; authenticates with username+password
• ADFS, Identity Provider
• Demo.RP, Identity Consumer: ASP.NET, WIF
Not only for Federation
• AD as the single authority: webapp 1 authenticates with smart card or username+password, webapp 2 with windows authn

Not only for Federation
• Same AD, now also serving an external app/service and, through an IdP, a Partner, alongside webapp 1 (smart card or username+password) and webapp 2 (windows authn)

Protocols
• Web applications: passive protocol – WS-Federation. The Browser requests the webapp, is redirected to the IdP, obtains a token (tk) and posts it to the webapp; WIF runs on both the IdP and the webapp
• Services: active protocol – WS-Trust. The Active Client requests a token (tk) from the IdP and then sends it with the call to the service; WIF runs on the IdP, the client and the service
SAML Tokens
• Security Assertion Markup Language
• Signed by the provider (issuer)
• (Optionally) encrypted to the consumer
• Subject confirmation: Bearer (passive protocols) or Holder-of-Key (active protocols)
• Audience restrictions (a token issued for one consumer cannot be replayed at another)
• Statements (claims): Authentication, Authorization and Attributes
Federation Metadata • Purpose: automatic configuration • Published by both consumers and providers • Signed XML documents containing • Endpoint addresses • Claims and token types required and offered • Certificates • …
Windows Identity Foundation Unified model for both ASP.NET and WCF • Contents • .NET Class Library (Microsoft.IdentityModel.dll) • Visual Studio AddIns • Purpose • Identity Consumers • Identity Providers • Client helpers – client channels for WCF
WIF Essentials • Class model for identity representation • Claims consumption pipeline • Token validation • Identity transformation • Authorization decisions • Claims issuance pipeline
WIF Consumer Pipeline
• Host (e.g. ASP.NET, WCF) hands the Serialized Token to WIF through the Host Adaptation Layer
• Token Resolver: resolves a Token ref into the Token it refers to
• Token Handler: deserializes and validates the Serialized Token and produces the Claims Identities; handlers are selected per token type and configured in

<microsoft.identityModel>
  <service>
    <securityTokenHandlers>
      <remove type="…" />
      <add type="…" />
    </securityTokenHandlers>
  </service>
</microsoft.identityModel>

• Issuer Name Registry: maps the Token Issuer (its signing certificate) to an Issuer Name; a token whose issuer is not registered is rejected

<issuerNameRegistry type="…ConfigurationBasedIssuerNameRegistry…">
  <trustedIssuers>
    <add name="gaviao" thumbprint="a1…74" />
    <add name="gaviao.adfs" thumbprint="72…8e" />
  </trustedIssuers>
</issuerNameRegistry>
WIF Consumer Pipeline
• Claims Authentication Manager: receives the Claims Principal built from the Claims Identities and returns the Claims Principal the application will see, e.g. mapping a role issued by the demo IdP to a local role:

public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incomingPrincipal)
{
    // The demo IdP qualifies the role value with the issuing page
    if (incomingPrincipal.Identities[0].Claims.Any(c =>
            c.ClaimType.Equals(ClaimTypes.Role) &&
            c.Value.Equals("LeadDeveloper@http://gaviao/demo.mip/issue.aspx")))
    {
        incomingPrincipal.Identities[0].Claims.Add(new Claim(ClaimTypes.Role, "IssueMgr"));
    }
    return incomingPrincipal;
}
WIF Consumer Pipeline
• Claims Authorization Manager: receives an Authorization Context (Claims Principal, resource, action) and returns a boolean; it is called by the pipeline and by explicit permission demands:

public override bool CheckAccess(AuthorizationContext context)
{
    var resource = new Uri(context.Resource.First().Value);
    if (resource.AbsolutePath.Equals("/demo.rp/issues.aspx"))
    {
        return context.Principal.Identities[0].Claims.Any(c =>
            c.ClaimType.Equals(ClaimTypes.Role) && c.Value.Equals("IssueMgr"));
    }
    return true;   // demo only: every other resource is allowed, i.e. the manager fails open
}

[ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Get", Resource = "ViewIssues")]
private void ViewIssues() { … }
WIF Consumer Pipeline (complete)
• Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Serialized Token
• Token Resolver (Token ref → Token) and Issuer Name Registry (Token Issuer → Issuer Name) feed the Token Handler
• Token Handler → Claims Identities → Claims Principal
• Claims Authentication Manager: Claims Principal → (transformed) Claims Principal
• Claims Authorization Manager: Claims Principal + Authorization Context → boolean, returned to the host through the Host Adaptation Layer
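Putting the Claims Authentication Manager and the Claims Authorization Manager together, as an added example that is not the deck's demo code: the authentication manager maps the issuer's LeadDeveloper role to a local IssueMgr capability only when the claim actually came from the registered issuer (Claim.Issuer carries the name assigned by the issuerNameRegistry), and derives an Over-18 claim from a date-of-birth claim; the authorization manager uses a default-deny policy table that serves both the ClaimsAuthorizationModule (Action = HTTP method, Resource = raw URL) and explicit ClaimsPrincipalPermission demands. The class names, the assembly name Demo.RP, the capability and over-18 claim type URIs, the policy entries and the use of "gaviao.adfs" as the ADFS issuer name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace Demo.RP.Security
{
    // Registered in web.config under <microsoft.identityModel><service> as
    //   <claimsAuthenticationManager type="Demo.RP.Security.IssueTrackerAuthenticationManager, Demo.RP" />
    // (class and assembly names are assumptions for this example).
    public class IssueTrackerAuthenticationManager : ClaimsAuthenticationManager
    {
        // Application-local claim types (assumed URIs).
        public const string CapabilityClaimType = "http://demo.rp/claims/capability";
        public const string Over18ClaimType = "http://demo.rp/claims/over18";
        // Name the <issuerNameRegistry> assigns to the ADFS signing certificate; WIF copies it
        // into Claim.Issuer of every claim taken from a token signed by that certificate.
        private const string TrustedIssuer = "gaviao.adfs";
        private const string LocalIssuer = "Demo.RP";

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal; // anonymous request: nothing to transform

            IClaimsIdentity identity = incomingPrincipal.Identities[0];

            // Membership -> capability. The issuer is part of the test: a "LeadDeveloper" role
            // claim signed by any other trusted issuer must not turn into IssueMgr here.
            bool isLeadDeveloper = identity.Claims.Any(c =>
                c.ClaimType == ClaimTypes.Role &&
                c.Value == "LeadDeveloper" &&
                c.Issuer == TrustedIssuer);
            if (isLeadDeveloper)
                identity.Claims.Add(new Claim(CapabilityClaimType, "IssueMgr", ClaimValueTypes.String, LocalIssuer));

            // Static -> derived: Over-18 computed from the date-of-birth claim (ISO yyyy-MM-dd assumed).
            Claim dob = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.DateOfBirth);
            DateTime birthDate;
            if (dob != null &&
                DateTime.TryParseExact(dob.Value, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out birthDate) &&
                birthDate.AddYears(18) <= DateTime.UtcNow)
            {
                identity.Claims.Add(new Claim(Over18ClaimType, "true", ClaimValueTypes.Boolean, LocalIssuer));
            }

            return incomingPrincipal;
        }
    }

    // Registered as <claimsAuthorizationManager type="Demo.RP.Security.IssueTrackerAuthorizationManager, Demo.RP" />.
    public class IssueTrackerAuthorizationManager : ClaimsAuthorizationManager
    {
        // Policy table (assumed): "<action> <resource>" -> required capability, null meaning
        // "any authenticated user". Anything not listed is denied.
        private static readonly Dictionary<string, string> Policy =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "GET /demo.rp/default.aspx", null },
                { "GET /demo.rp/issues.aspx",  null },
                { "POST /demo.rp/issues.aspx", "IssueMgr" },
                // Reached through [ClaimsPrincipalPermission(..., Operation = "Get", Resource = "ViewIssues")]
                { "Get ViewIssues", null },
                { "Create Issue",   "IssueMgr" },
            };

        public override bool CheckAccess(AuthorizationContext context)
        {
            // The ClaimsAuthorizationModule passes Action = HTTP method and Resource = raw URL;
            // a permission demand passes whatever strings the code used. Reduce URLs to their path.
            string action = context.Action.First().Value;
            string resource = context.Resource.First().Value;
            Uri url;
            if (Uri.TryCreate(resource, UriKind.Absolute, out url))
                resource = url.AbsolutePath;

            string required;
            if (!Policy.TryGetValue(action + " " + resource, out required))
                return false; // default deny: unknown (action, resource) pair

            if (!context.Principal.Identity.IsAuthenticated)
                return false;

            // Only capabilities minted locally by the authentication manager count.
            return required == null || context.Principal.Identities[0].Claims.Any(c =>
                c.ClaimType == IssueTrackerAuthenticationManager.CapabilityClaimType &&
                c.Value == required &&
                c.Issuer == "Demo.RP");
        }
    }
}
```

Because the authorization module answers a denial with 401 and the federation module turns a 401 into a redirect to the IdP, an authenticated user who lacks a capability is sent back to the IdP and returns with the same claims; handle that case (e.g. with the OnAuthorizationFailed event) before deploying a default-deny table.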
WIF Consumer Pipeline (ASP.NET)
• The Host Adaptation Layer is a set of HTTP modules: WSFederationAuthenticationModule (passive), SessionAuthenticationModule, ClaimsPrincipalHttpModule and ClaimsAuthorizationModule, in front of the generic pipeline (Token Resolver, Issuer Name Registry, Token Handler, Claims Authentication Manager, Claims Authorization Manager)
• Configuration:

<federatedAuthentication>
  <cookieHandler requireSsl="true" />
  <wsFederation issuer="https://gaviao/adfs/ls/"
                realm="http://gaviao/Demo.RP/default.aspx"
                requireHttps="true" />
</federatedAuthentication>

ASP.NET Integration
• Using a legacy authentication mechanism, e.g. Forms authentication:
  AuthenticateRequest – any authentication module
  PostAuthenticateRequest – ClaimsPrincipalHttpModule
  AuthorizeRequest – ClaimsAuthorizationModule
  EndRequest – any authentication module
• The SessionAuthenticationModule can still keep the resulting claims principal in a session cookie

ASP.NET Integration
• Using federated authentication (WS-Federation):
  AuthenticateRequest – WSFederationAuthenticationModule, SessionAuthenticationModule
  PostAuthenticateRequest – WSFederationAuthenticationModule
  AuthorizeRequest – ClaimsAuthorizationModule
  EndRequest – WSFederationAuthenticationModule, SessionAuthenticationModule

WS-Federation Authn Module (FAM)
1. The browser sends an HTTP request to the RP; the request is not authenticated, so the Authorize step fails
2. At EndRequest the FAM replies with an HTTP redirect carrying a federation sign-in request message
3. The browser sends the HTTP request with the federation request message to the IdP, which authenticates the user and issues a Security Token
4. The IdP replies with an HTTP redirect carrying the federation response message (the Security Token inside)
5. The browser sends the HTTP request with the federation response message to the RP; the FAM Authenticate step validates the token, the Authorize step now succeeds and the Handler runs
Module Pipeline Events • WSFederationAuthenticationModule • OnAuthorizationFailed • RedirectingToIdentityProvider • SecurityTokenReceived • SecurityTokenValidated • … • SessionAuthenticationModule • SessionSecurityTokenCreated • SessionSecurityTokenReceived • …
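A Global.asax.cs that uses these hooks, added here as an example and not taken from the deck: ServiceConfigurationCreated pins what the token handlers enforce when SecurityTokenReceived fires (audience restriction, issuer identified by certificate thumbprint, certificate chain validation) and protects the session cookie with the RP's own certificate instead of per-machine DPAPI, so every node of a web farm can read it; SessionSecurityTokenReceived implements sliding expiration by re-issuing the cookie once half of its lifetime has elapsed. The thumbprint placeholder, the realm URI, the issuer name "gaviao.adfs" and the assumption that the modules are registered in <httpModules> under the names WSFederationAuthenticationModule and SessionAuthenticationModule (which is what lets ASP.NET auto-wire the SessionAuthenticationModule_SessionSecurityTokenReceived method) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // AudienceUriMode
using System.ServiceModel.Security;      // X509CertificateValidationMode
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

namespace Demo.RP
{
    public class Global : HttpApplication
    {
        // SHA-1 thumbprint of the gaviao.adfs token-signing certificate. The deck only shows
        // "72…8e"; this placeholder (assumption) must be replaced with the real value.
        private const string AdfsSigningThumbprint = "REPLACE-WITH-REAL-THUMBPRINT";
        private static readonly Uri Realm = new Uri("http://gaviao/Demo.RP/default.aspx");

        protected void Application_Start(object sender, EventArgs e)
        {
            FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
        }

        // Runs once, when WIF builds its ServiceConfiguration from <microsoft.identityModel>.
        // Everything set here is what the SAML token handler enforces on incoming tokens.
        private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
        {
            ServiceConfiguration cfg = e.ServiceConfiguration;

            // Audience restriction: a token issued to another relying party is rejected even
            // though it carries a valid signature from a trusted issuer.
            cfg.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
            cfg.AudienceRestriction.AllowedAudienceUris.Clear();
            cfg.AudienceRestriction.AllowedAudienceUris.Add(Realm);

            // Issuer trust is a certificate thumbprint, not a subject name anyone can mint.
            var issuers = new ConfigurationBasedIssuerNameRegistry();
            issuers.AddTrustedIssuer(AdfsSigningThumbprint, "gaviao.adfs");
            cfg.IssuerNameRegistry = issuers;

            // Development setups often switch this to None; production should validate the chain.
            cfg.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;

            // Session cookie: compress, then encrypt and sign with the RP's service certificate,
            // so cookies written by one farm node can be read by every other node.
            var transforms = new List<CookieTransform>
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(cfg.ServiceCertificate),
                new RsaSignatureCookieTransform(cfg.ServiceCertificate)
            };
            cfg.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(transforms.AsReadOnly()));
        }

        // Auto-wired by ASP.NET from the module name "SessionAuthenticationModule" in <httpModules>.
        // Sliding expiration: re-issue the cookie once half of its lifetime has been used up.
        protected void SessionAuthenticationModule_SessionSecurityTokenReceived(
            object sender, SessionSecurityTokenReceivedEventArgs e)
        {
            var sam = (SessionAuthenticationModule)sender;
            SessionSecurityToken token = e.SessionToken;
            DateTime now = DateTime.UtcNow;
            TimeSpan lifetime = token.ValidTo - token.ValidFrom;

            // An already expired token never reaches this point: the handler rejects it first.
            if (now < token.ValidTo && now > token.ValidFrom + TimeSpan.FromTicks(lifetime.Ticks / 2))
            {
                e.SessionToken = sam.CreateSessionSecurityToken(
                    token.ClaimsPrincipal, token.Context, now, now + lifetime, token.IsPersistent);
                e.ReissueCookie = true;
            }
        }
    }
}
```

Sliding expiration keeps an active browser signed in indefinitely; if the application needs an absolute session bound as well, record the original sign-in time (for example in the session token context) and stop re-issuing once it is exceeded.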
Controls FederatedPassiveSignIn FederatedPassiveSignInStatus
WCF Integration • WCF already supported federation and claims • System.IdentityModel.dll • e.g. WS2007FederationHttpBinding binding, Claims class • WIF • Builds upon this previous support • Changes the token processing model • WCF and ASP.NET uniform model • Adds client-side features (e.g. explicit token requests)
WCF Integration
• FederatedServiceCredentials
• Derives from ServiceCredentials
• Static method ConfigureServiceHost(ServiceHostBase) "installs" WIF (the Host Adaptation Layer)
• Overrides WCF behavior, namely configuration (e.g. username validation), authorization policies and the authentication manager
• The same installation through configuration:

<extensions>
  <behaviorExtensions>
    <add name="federatedServiceHostConfiguration"
         type="…ConfigureServiceHostBehaviorExtensionElement, …" />
  </behaviorExtensions>
</extensions>
<behavior name="Demo.RP.statusBehavior">
  <federatedServiceHostConfiguration />
</behavior>

WIF Consumer Pipeline (WCF)
• The Host Adaptation Layer plugs into WCF as a SecurityTokenAuthenticator (token validation: Token Resolver, Issuer Name Registry, Token Handler, Claims Identities, Claims Authentication Manager, Claims Principal) and a ServiceAuthorizationManager (Claims Authorization Manager, returning the boolean to the WCF dispatcher)

Producer Model – issue pipeline
• GetScope
• Creates the Scope: signing and encrypting credentials, reply-to address
• GetOutputClaimsIdentity
• Creates the issued claims identity, i.e. defines the issued claims
• Other non-mandatory extensibility points: ValidateRequest, …

Producer Model – ASP.NET

protected void Page_Load(object sender, EventArgs e)
{
    FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
        Page.Request,
        Page.User,
        new SimpleSecurityTokenService(new SimpleSecurityTokenServiceConfiguration()),
        Page.Response);
}

Producer Model – WCF

<binding name="MessageIssueBinding">
  <security>
    <message clientCredentialType="UserName" … />
  </security>
</binding>
<services>
  <service behaviorConfiguration="…" name="Microsoft.IdentityModel….WSTrustServiceContract">
    <endpoint address="" …
              bindingConfiguration="MessageIssueBinding"
              contract="Microsoft.IdentityModel….IWSTrust13SyncContract" />
    …
  </service>
</services>

<%@ ServiceHost Language="C#" Debug="true"
    Factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory,…"
    Service="Demo.MIP.SimpleSecurityTokenServiceConfiguration" %>
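A security token service that implements the two mandatory extensibility points, added here as an example and not the deck's SimpleSecurityTokenService: GetScope refuses any AppliesTo that is not a known relying party and takes the reply address from its own table rather than from the request (an attacker-supplied reply address would make the STS post a freshly signed token to a URL of the attacker's choosing), and GetOutputClaimsIdentity copies only the name and role claims of the authenticated caller instead of everything the IdP knows. The class name, the relying-party table and the claim selection are assumptions; the configuration type is the base SecurityTokenServiceConfiguration, so a subclass such as the deck's SimpleSecurityTokenServiceConfiguration can be passed in.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

namespace Demo.MIP
{
    public class IssueTrackerSecurityTokenService : SecurityTokenService
    {
        // Relying parties this STS issues tokens for, mapped to the reply address each one gets.
        // Assumed content: the realm of Demo.RP from the deck, replying to the same address.
        private static readonly Dictionary<string, string> KnownRelyingParties =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "http://gaviao/Demo.RP/default.aspx", "http://gaviao/Demo.RP/default.aspx" },
            };

        public IssueTrackerSecurityTokenService(SecurityTokenServiceConfiguration configuration)
            : base(configuration)
        {
        }

        // Decides whether a token is issued at all, and with which credentials and reply address.
        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            if (request.AppliesTo == null || request.AppliesTo.Uri == null)
                throw new InvalidRequestException("The request must specify AppliesTo.");

            string appliesTo = request.AppliesTo.Uri.OriginalString;
            string replyTo;
            if (!KnownRelyingParties.TryGetValue(appliesTo, out replyTo))
                throw new InvalidRequestException("Unknown relying party: " + appliesTo);

            var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);

            // Never honour request.ReplyTo (wreply in the passive case): the reply address comes
            // from the table keyed by the validated AppliesTo.
            scope.ReplyToAddress = replyTo;

            // Bearer token over HTTPS without encryption in this example; when the RP's
            // certificate is known, set scope.EncryptingCredentials instead of turning this off.
            scope.TokenEncryptionRequired = false;
            return scope;
        }

        // Defines the claims placed in the issued token: a deliberate subset of the caller's claims.
        protected override IClaimsIdentity GetOutputClaimsIdentity(
            IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            if (principal == null || !principal.Identity.IsAuthenticated)
                throw new InvalidRequestException("The caller is not authenticated.");

            IClaimsIdentity caller = principal.Identities[0];
            var output = new ClaimsIdentity();
            output.Claims.Add(new Claim(ClaimTypes.Name, caller.Name));

            // Forward only role membership; attributes the RP has no need for stay at the IdP.
            foreach (Claim role in caller.Claims.Where(c => c.ClaimType == ClaimTypes.Role))
                output.Claims.Add(new Claim(ClaimTypes.Role, role.Value));

            return output;
        }
    }
}
```

With this class the ASP.NET page from the deck becomes ProcessRequest(Page.Request, Page.User, new IssueTrackerSecurityTokenService(new SimpleSecurityTokenServiceConfiguration()), Page.Response); the WCF host is unchanged, since WSTrustServiceHostFactory instantiates the STS through the configuration's CreateSecurityTokenService method.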
} finally { • Identity and Access Control Management • Claims Model Relevance • WIF • Class library for both identity providers and consumers • Multiple hosts: ASP.NET and WCF
ASP.NET integration
• ClaimsPrincipalHttpModule
• Hooks on the PostAuthenticateRequest event
• Translates, into the claims model, the authentication performed by another module
• ClaimsAuthorizationModule
• Hooks on the AuthorizeRequest event
• If the current user is authenticated, calls the authorization manager with Action = HTTP method and Resource = raw URL
• If authorization is denied, completes the request with a 401 status code

ASP.NET integration
• WSFederationAuthenticationModule
• Hooks on the AuthenticateRequest event
• If the request is a sign-in federation message, processes it (token validation, claims principal creation)
• Hooks on the PostAuthenticateRequest event
• Behavior similar to the ClaimsPrincipalHttpModule: a principal set by another module is wrapped as a claims principal
• Hooks on the EndRequest event
• If the response status code is 401 and the request is not authenticated, redirects to the identity provider with a sign-in request message
ASP.NET integration • SessionAuthenticationModule • Hooks on the AuthenticateRequest event • Try to read and validate session token from a cookie • If successful, then sets the current principal with the session token info • Uses a CookieHandler to read and write from cookies
Authorization Model - Enforcement
• Called automatically in the pipeline
• ASP.NET – in an HTTP module (ClaimsAuthorizationModule)
• WCF – in the service dispatcher
• Called explicitly via permission demand
• Similar to PrincipalPermission and PrincipalPermissionAttribute
• ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute
A taxonomy of claims • Primordial vs. Substantive claims • Primordial – proof (e.g. shared secret) presentable by only one subject • Substantive – produced by claims providers • Claim types • Static – properties of the subject • National Identifier Number; Date-of-Birth • Derived – derived from other claims • Portuguese Citizen; Over-18 • Membership – role or group membership, relation with other subject • Administrator; Lead Developer; Purchase Officer • Capability – authorization to something • Can-emit-purchase-order; Can-admin-CI-server • Contextual – information about the context • Authentication method, location and time