Claims-based security
with Windows Identity Foundation
Goals
Introduce you to claims-based security.
Show that it isn’t that hard anymore, thanks to WIF.
And it’s fun!
Some terminology
Two types of federation
WS-Federation: Active Requestor Profile
- Based on WS-Trust
- For active clients, such as WPF and WinForm applications
WS-Federation: Passive Requestor Profile
- Based on WS-Federation
- For web clients
- "emulating" WS-Trust on top of GET, POST, browser redirects and cookies
Claim
Way too abstract: A statement that is made by one entity about another entity.
Let’s make it a bit more concrete:
A piece of information about a user in a system, issued by a security token service (STS) that a claims-aware application trusts:
- Identifying claims: Name, Email, Phone Number
- Blind claims: Nationality, Age, Hair color
- Role, permission
What’s inside a claim?
ClaimType
- Built-in: name, email, phonenumber
- Custom: organization number, cost center, member status
- …or anything else that makes sense in your system
- Usually they have a URI format, such as: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
ClaimValue, e.g.: "john.doe@somewhere.com"
Issuer (STS), e.g.: "CN=the.sts.at.somewhere.com", the name of the STS that has issued the claim
And a couple more properties: ClaimValueType, OriginalIssuer, ...
So from a security point of view we can say that a user's identity is made up of a set of claims.
Security token
Claims on the wire, i.e., a serialized set of claims
- digitally signed by the STS
- encrypted (optional but recommended)
Security token formats:
- SAML - an XML-based standard from OASIS - is the most common format - interoperable
- Kerberos
- X.509 certificate
Basic rules of Claims-based authorization
Let go of authenticating the users yourself.
Let the STS handle it instead.
Establish a trust relationship with the STS
The driving forces
- It enables identity federation
- It enables SSO
- Lower user administration costs for organizations
- Always fresh user information
- Seamless step-up authentication
- Separation of concerns
- Better security
What about role-based access control?
Don’t worry...
It’s backward compatible!
Claims-based security – One domain
(diagram; the parties and message flow it showed:)
Parties:
- Active client (e.g. WPF, WinForm): delivers credentials, e.g. username/password, Windows credentials, certificate
- IP = Identity Provider, a.k.a. IP-STS (e.g. ADFS 2.0), with AD behind it
- Application = RP (Relying Party), a.k.a. claims-aware application, service provider (example: WCF service at http://domain/service1)
- Trust relationship between the RP and the IP-STS
Flow:
1. The client sends an RST (credentials, AppliesTo) to the IP-STS.
2. The IP-STS authenticates the user (against AD), validates AppliesTo and gathers the claims.
3. The IP-STS returns an RSTR containing the security token and a proof key.
4. The client sends message + token to the RP; the WCF pipeline turns the token into claims for the application.
5. The RP sends the response.

Federated identity – Security Domain A and Security Domain B
(diagram; the parties and message flow it showed:)
- Security Domain A: active client, IP-STS
- Security Domain B: RP-STS (trusts the IP-STS, applies transformation rules), RPs
Flow:
1. The client obtains a token from its IP-STS and sends it to the RP-STS.
2. The RP-STS issues a new token, applying its transformation rules.
3. The client sends message + token to the RP.
4. The RP sends the response.
Certificates: Security Domain A

IP-STS
Certificate                     Store location                   Purpose
IP-STS's private key            Local Computer/Personal          Sign token
RP-STS's public key             Local Computer/Personal          Encrypt token
SSL certificate                 Local Computer/Personal          Secure the channel
Root authority certificate      Trusted Root Certificate Auth.   Create SSL certificate

Active client
Certificate                     Store location                   Purpose
RP's public key                 Base64 encoded in app.config     Encrypt message and authenticate RP
IP-STS's SSL public key         Local Computer/Trusted People    Secure the channel
Proof key from RP-STS           -                                Sign the message to RP

Certificates: Security Domain B

RP-STS
Certificate                     Store location                   Purpose
IP-STS's public key             Local Computer/Trusted People    Validate signature
RP-STS's private key            Local Computer/Personal          Decrypt incoming token and sign issued token
RP's public key                 Local Computer/Trusted People    Encrypt token

RP
Certificate                     Store location                   Purpose
RP's private key                Local Computer/Personal          Decrypt token
RP-STS's public key             Local Computer/Trusted People    Validate RP-STS's signature
Certificates
- Certificate authority, e.g. VeriSign
- Self-signed test certificates during development, e.g. with makecert.exe
WIF
A framework for building claims-based applications as well as STSs
An abstraction layer over WS-Trust and WS-Federation
It contains:
- a set of .NET classes inside Microsoft.IdentityModel
- Visual Studio project templates for ASP.NET, WCF applications and STS services
- ASP.NET controls, e.g. FederatedPassiveSignInControl
- FedUtil, a tool that makes it easy to establish trust between the application and the STS
You need this to get started:
- Visual Studio 2008 / 2010
- WIF
- WIF SDK, which includes guidelines, samples etc.
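As an added example, not from the slides or the WIF SDK, a custom ClaimsAuthorizationManager for the RP that applies the basic rules above (the RP does not authenticate; it relies on claims from the STS it trusts) and shows the RBAC compatibility. The issuer name, the cost-center claim type and the claim values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;
// Hypothetical RP-side authorization manager (not from the slides or the WIF SDK).
// The RP never authenticates users; it relies only on claims issued by the trusted STS.
public class StsTrustingAuthorizationManager : ClaimsAuthorizationManager
{
    // Assumed issuer name; WIF fills Claim.Issuer from the STS certificate it validated.
    public const string TrustedIssuer = "CN=the.sts.at.somewhere.com";
    // Assumed custom claim type, in the URI format the slides describe.
    public const string CostCenterType = "http://schemas.somewhere.com/claims/costcenter";

    public override bool CheckAccess(AuthorizationContext context)
    {
        string action = context.Action.First().Value;   // constructed: "Read" or "Write"
        // Only claims from the trusted STS count. Filtering on ClaimType alone would
        // accept the same claim out of a token signed by any other issuer.
        IEnumerable<Claim> trusted = context.Principal.Identities
            .SelectMany(id => id.Claims).Where(c => c.Issuer == TrustedIssuer);
        bool inCostCenter = trusted.Any(c => c.ClaimType == CostCenterType && c.Value == "4711");
        // The question principal.IsInRole("Manager") answers from role claims (which is why
        // existing RBAC code keeps working), asked here after the issuer filter.
        bool isManager = trusted.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "Manager");
        return action == "Read" ? inCostCenter : inCostCenter && isManager;
    }
}
public static class Program
{
    // Constructed claims standing in for the contents of a validated SAML token.
    static IClaimsPrincipal BuildPrincipal(string issuer)
    {
        var claims = new List<Claim> {
            new Claim(ClaimTypes.Email, "john.doe@somewhere.com", ClaimValueTypes.String, issuer),
            new Claim(StsTrustingAuthorizationManager.CostCenterType, "4711", ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Role, "Manager", ClaimValueTypes.String, issuer) };
        return new ClaimsPrincipal(new ClaimsIdentity(claims));
    }
    public static void Main()
    {
        var manager = new StsTrustingAuthorizationManager();
        // Same claims, two issuers: only the token from the trusted STS gets "Write" access.
        foreach (string issuer in new[] { StsTrustingAuthorizationManager.TrustedIssuer, "CN=rogue.sts" })
        {
            var ctx = new AuthorizationContext(BuildPrincipal(issuer), "http://domain/service1", "Write");
            Console.WriteLine("{0}: {1}", issuer, manager.CheckAccess(ctx));
        }
    }
}
```

In a real RP the manager is registered in app.config under <microsoft.identityModel><service><claimsAuthorizationManager type="..." /> so that WIF calls CheckAccess for each request.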
Demo
Recommended