.NET Services: Access Control Service Drilldown
Justin Smith, Sr. Program Manager
Microsoft Corporation
Session BB28
[Platform overview slide: Azure™ Services Platform, Microsoft SharePoint Services, Microsoft Dynamics CRM Services]
Agenda
Motivation
.NET Access Control Service Guided Tour
Requesting and Processing Tokens
Architecture
Futures
Pop Quiz
What are the first two questions an application has to answer?
Note: this is a bit of a trick question, and it has to do with security…
The two questions are hard to answer, and virtually everyone has to answer them.
What Were You Thinking?
Common ISV question: “How do I integrate with existing business assets?”
Customers need to work in a federated world with Live Identity Services, Active Directory, Tivoli, OpenID, certificates, …
In A Nutshell – Diagram
[Diagram: your customers (Live ID users, XYZ domain users, <any ID provider>) reach your app (web, messaging, workflow, data) through the .NET Access Control Service, which answers the two questions: Who is the caller? What can they do?]
In A Nutshell – Words
Automates federation for a wide range of identity providers and technologies
Factors the access control logic out of the application into a manageable collection of rules
Is an easy-to-use framework that ensures correct token processing
Works for web services and web applications
Where Is It Currently Used?
SQL Server Data Services: accepts username & password and tokens produced by the Access Control Service
.NET Service Bus
.NET Workflow Service
The Portals
More to come
NOTE: the Service Bus and the Workflow Service share code for token processing
Basic Anatomy
Portal: a UI for creating and managing collections of access control rules
Client API: provides a programmatic way to manage collections of access control rules
Service (STS): a hosted service that issues tokens; developers interact with the service via the “Geneva” Framework
Access Control Service Interactions
Parties: your Access Control Service account (managed STS), the relying party (your app), and the requestor (your customer)
0. Cert/secret exchange; periodically refreshed
1. Define access control rules for a customer
2. Requestor sends claims to the Access Control Service
3. Access Control Service maps input claims to output claims based on the access control rules
4. Access Control Service sends a token (carrying the output claims) to the requestor
5. Requestor sends a message with the token to the relying party
6. Claims are checked in the relying party
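Steps 1, 3 and 6 of this flow, as an added illustrative model that is not the Access Control Service's own code or API: rules are defined per scope (a relying party's realm), the service maps a requestor's input claims to output claims using only the rules for the requested scope, and the relying party decides from the output claims in the token. The scope URLs, group names and action names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass(frozen=True)
class Rule:
    # One access control rule: within a scope (the relying party's realm),
    # a matching input claim yields an output claim.
    scope: str
    input_claim: Claim
    output_claim: Claim


# Constructed sample rules, as defined in step 1 for a hypothetical customer.
ORDERS = "https://orders.contoso.example/"
RULES = [
    Rule(ORDERS, Claim("group", "XYZ\\Purchasers"), Claim("action", "CreateOrder")),
    Rule(ORDERS, Claim("group", "XYZ\\Purchasers"), Claim("action", "ReadOrder")),
    Rule(ORDERS, Claim("group", "XYZ\\Auditors"), Claim("action", "ReadOrder")),
    Rule("https://billing.contoso.example/", Claim("group", "XYZ\\Auditors"),
         Claim("action", "ReadInvoice")),
]


def map_claims(rules, scope, input_claims):
    """Step 3: map input claims to output claims using only this scope's rules.
    Input claims with no matching rule are dropped, so a requestor cannot
    smuggle an 'action' claim through by asserting it directly."""
    inputs = set(input_claims)
    outputs = []
    for rule in rules:
        if rule.scope == scope and rule.input_claim in inputs and rule.output_claim not in outputs:
            outputs.append(rule.output_claim)
    return outputs


def relying_party_allows(token_claims, action):
    """Step 6: the relying party decides from the output claims in the token,
    never from what the requestor originally asserted about itself."""
    return Claim("action", action) in token_claims


if __name__ == "__main__":
    requestor = [Claim("name", "alice"), Claim("group", "XYZ\\Purchasers")]
    token = map_claims(RULES, ORDERS, requestor)
    print(relying_party_allows(token, "CreateOrder"))  # True
    print(map_claims(RULES, ORDERS, [Claim("action", "CreateOrder")]))  # []
```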
Demo: Access Control Service Guided Tour (Justin Smith)
About the Solution Name And Password
Assigned when you sign up
Access Control Service currently has a credential store: Solution Name/Solution Password, X509 certificates, CardSpace v1 self-issued cards
Access Control Service has no plans to become an Identity Provider
The Access Control Service plan of record is to use Live Identity Services as the credential store in future releases
Developer Surface Area
Requesting and Processing Tokens: the “Geneva” Framework is the simplest way; WCF in .NET 3.5; any WS-Trust 1.3 stack (Sun Metro, etc.); the Service Bus and Workflow Service also have types in the SDK that request tokens
Managing Rules: a simple API for managing rules; use the Client API or the REST endpoints; you can also use the Access Control Service Portal
Examples in the .NET Services SDK
Passive Federation And Access Control Service
Intended for any HTTP-redirect-aware client, e.g. browsers
For the web application: redirect to the Access Control Service, process the returned token, then issue a session cookie; the .NET Services Portals do this today
Access Control Service can federate with Live Identity Service and “Geneva” Server today; more 3rd-party WS-Federation support to come; 100% commitment from our team
Passive Federation Endpoints
Host address + Solution Name + Fed Target; also requires query string parameters
Live ID federation endpoint: https://accesscontrol.windows.net/passivests/{solutionName}/LiveFederation.aspx
General federation endpoint: https://accesscontrol.windows.net/passivests/{solutionName}/Federation.aspx
The two will converge in future versions
Passive Federation Query String
Describes the scope, the reply-to address, and the address of the identity provider
Example: wa=wsignin1.0&wtrealm={scope}&wreply={replyTo}&whr={identityProvider}
Automatically handled by the “Geneva” Framework
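Building the passive sign-in redirect from the endpoint shape and query string above, as an added example that is not the deck's or the “Geneva” Framework's code. The solution name, scope, reply address and identity provider address are constructed sample values, and the check that wreply sits under the registered scope is an added defensive practice the slides do not describe.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint shape from the slides: host + solution name + federation target.
PASSIVE_STS = "https://accesscontrol.windows.net/passivests/{solutionName}/Federation.aspx"


def reply_to_is_within_scope(scope, reply_to):
    """Added check (not in the deck): accept only a wreply under the registered
    scope, so the sign-in round trip cannot be bounced to another site."""
    s, r = urlsplit(scope), urlsplit(reply_to)
    return (r.scheme == s.scheme
            and r.netloc.lower() == s.netloc.lower()
            and r.path.startswith(s.path or "/"))


def build_signin_url(solution_name, scope, reply_to, identity_provider):
    """Build the redirect URL the web application sends the browser to."""
    if not reply_to_is_within_scope(scope, reply_to):
        raise ValueError("wreply must be under wtrealm: %s" % reply_to)
    query = urlencode({
        "wa": "wsignin1.0",        # WS-Federation sign-in action
        "wtrealm": scope,          # the relying party's scope (realm)
        "wreply": reply_to,        # where the token is posted back
        "whr": identity_provider,  # home realm: which identity provider to use
    })
    return PASSIVE_STS.format(solutionName=solution_name) + "?" + query


def parse_signin_url(url):
    """Return the single-valued query parameters of a sign-in URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Hypothetical solution name, scope, reply address and identity provider.
    url = build_signin_url("contoso", "https://app.contoso.example/",
                           "https://app.contoso.example/orders/callback",
                           "https://idp.example/")
    print(url)
    print(parse_signin_url(url))
```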
Active Mode And Access Control Service
Intended for smart clients and web services, e.g. WPF and WCF apps
For the requesting application: send claims to the Access Control Service in an RST, then send the RSTR to the relying party; examples in the .NET Services SDK
Interaction is WS-Trust 1.3, supported by WCF in .NET 3.5 and several Java stacks
Active Mode Endpoints
Endpoints for each credential type; also one for tokens from other IPs
Host Name + Solution Name + Cred Type
Username / Password: http://accesscontrol.windows.net/sts/{solutionName}/username_for_certificate
X509 Certificate: http://accesscontrol.windows.net/sts/{solutionName}/certificate
Windows CardSpace: http://accesscontrol.windows.net/sts/{solutionName}/issued_for_certificate
The “Geneva” Framework And The Access Control Service
The target developer experience for the Access Control Service
Defines types that simplify requesting and processing tokens, including Access Control Service tokens, for both active and passive scenarios
Available as part of the “Geneva” Framework SDK; Microsoft.IdentityModel.dll defines most of the types you will want to use for Access Control Service interactions
NOTE: the Access Control Service was built using this assembly
WCF In .NET 3.5 And Access Control Service
WS2007FederationHttpBinding implements WS-Trust 1.3 for the WCF stack
Active case: send an RST to the Access Control Service, then send the token + payload to the relying party (your app)
When using the credential store in the Access Control Service, the RST can contain your solution credentials
Examples in the .NET Services SDK for Solution Name / Password and CardSpace
VS Add Service Reference & svcutil work for CardSpace
Demo: Requesting And Processing Access Control Service Tokens (Justin Smith)
Access Control Service Architecture
Consists of 4 services: an STS for token issuance, a Rule Management Service, a Rule Processing Engine, and the Portal
The STS and the Rule Management Service have a public API
[Architecture diagram: Storage and the Data Model underneath Rule Processing, the STS, the Portal and Rule Mgmt]
A View Into the STS
[Diagram: SOAP and HTTP clients reach the STS over the Internet via WS-Trust and WS-Federation (passive); the STS is layered on a WCF front-end, the “Geneva” Framework (IDFX), and custom handlers, authenticators, policies …]
Access Control Service And Storage
[Diagram: the Foo account container holds rule containers 1…N; each rule container holds one scope (scope 1…N) and its rules (rule 1, rule 2, …); a scopes table holds pointers to scope 1…N; all of it is stored as Access-Control-Service-controlled authorities in SQL Server Data Services]
The Crystal Spheroid
REST RST / RSTR support: we are working out the details, but this is a common request to increase reach
Support for the Federation Gateway
Live ID as the credential store
Hosting in Windows Strata
Custom policy support
Resources
.NET Services Sessions, Other Identity Sessions, Other Sessions
.NET Services SDK, Marketing Portal, Dev Center Portal, Forums
Evals & Recordings
Please fill out your evaluation for this session at:
This session will be available as a recording at: www.microsoftpdc.com
Q&A
Please use the microphones provided
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.