WIF and Silverlight 4 – Claims Aware, Identity Federation (Passive and Active)
Nuno Godinho – Independent Consultant

About Me
Nuno Filipe Godinho, Independent Consultant
Mail: [email protected]@sapo.pt
MSN: [email protected]
Blogs:
  http://pontonetpt.com/blogs/nunogodinho
  http://xamlpt.com/blogs/nunogodinho
  http://weblogs.asp.net/nunogodinho
  http://msmvps.org/blogs/nunogodinho
Twitter: NunoGodinho
Agenda
• Introduction to Claims-Based Identity
• WIF – Windows Identity Foundation
  – Introduction
  – Building Claims-Aware Silverlight Applications
• Identity Federation in Silverlight
  – Passive Federation
  – Active Federation
• Summary
Introduction to Claims-Based Identity
• Your applications are prisoners of identity silos
  [Diagram: an application (Login.aspx, Page1.aspx) bound to its own credential types / APIs, credential stores and user attribute stores]
  – Every application that keeps its own login page, credential store and attribute store has to be changed whenever the authentication method or the user data changes, and users get one more account to manage.

Introduction to Claims-Based Identity
• Identification in real life works pretty well… how do we do that?
  – Externalizes authentication: a document such as a passport is issued by an authority the verifier already trusts
  – Gets user info from a document: the verifier reads the attributes it needs from the document instead of keeping its own store

Introduction to Claims-Based Identity
• Claims can set your application free
  [Diagram: Identity Provider (STS, for example Active Directory Federation Services 2.0) issues a Security Token containing Claims; the Relying Party consumes the claims]
  – The application (Relying Party) no longer authenticates users itself; it trusts tokens from the Identity Provider's STS and reads the user's attributes as claims inside the token.
WIF – Windows Identity Foundation
• Programming Model
  – Essential claims programming model
    • Claims object model integrated with the .NET identity API
    • Single programming model for ASP.NET & WCF
    • Single programming model for on-premises & cloud
    • Configuration driven
  – Tools for metadata-driven automatic application configuration
    • WS-Federation, WS-Trust
  – Framework for custom STS development
  – And more…

WIF – Windows Identity Foundation
• Object Model
  [Diagram of the WIF claims object model]
  – IClaimsPrincipal extends IPrincipal (IsInRole, Identity) and exposes the principal's IClaimsIdentity objects
  – IClaimsIdentity extends IIdentity (AuthenticationType, IsAuthenticated, Name) and adds
    • Claims: the collection of Claim objects carried by the token
    • Delegate: the identity acting on behalf of this one (renamed Actor in the released WIF 1.0 API)
  – Claim
    • ClaimType: URI naming the kind of claim
    • Value and ValueType: the asserted value and its XML Schema type
    • Issuer: the STS that issued the claim to this application; check it before trusting the value
    • OriginalIssuer: the first STS in the chain that asserted the claim
    • Subject: the IClaimsIdentity the claim belongs to
WIF – Windows Identity Foundation
• Reading a claim from the current principal (WIF 1.0, Microsoft.IdentityModel namespace):

    using System;
    using System.Linq;
    using System.Threading;
    using Microsoft.IdentityModel.Claims;

    void Page_Load(object sender, EventArgs e)
    {
        // Once the WIF modules have run, Thread.CurrentPrincipal is an IClaimsPrincipal
        IClaimsPrincipal icp = (IClaimsPrincipal)Thread.CurrentPrincipal;
        IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

        // Single() throws if the claim is missing or duplicated; both are sign-in errors here
        string ageClaimValue = (from c in claimsIdentity.Claims
                                where c.ClaimType == "http://MyNS/AgeClaim"
                                select c.Value).Single();
    }
WIF – Windows Identity Foundation
• How it works
  – HttpModule(s) in the ASP.NET pipeline of the application
    • They take care of exposing policy, managing protocol redirects, establishing sessions…
  – WSFederationAuthenticationModule
    • Implements the WS-Federation redirect protocol
  – SessionAuthenticationModule
    • Takes care of handling sessions (regardless of the sign-in protocol)
  – ClaimsPrincipalHttpModule
    • Provides a hook for injecting claims into the current principal

WIF – Windows Identity Foundation
• WIF ASP.NET Processing Pipeline
  [Diagram: WSFAM → SecurityTokenHandler → ClaimsAuthenticationManager → SessionAuthenticationModule → ClaimsAuthorizationManager]
  1. WSFAM (WSFederationAuthenticationModule) receives the token posted back by the STS
  2. SecurityTokenHandler validates it (signature, trusted issuer, audience, lifetime) and turns it into an IClaimsPrincipal
  3. ClaimsAuthenticationManager is the hook to filter or enrich those claims
  4. SessionAuthenticationModule writes the session cookie so later requests skip steps 1–3
  5. ClaimsAuthorizationManager decides, per request, whether the principal may perform the action on the resource
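The three extension points the pipeline slide names, implemented as an added example (this is not code from the deck or from the WIF samples). It uses the WIF 1.0 API in the Microsoft.IdentityModel namespaces; the certificate thumbprint, issuer name, claim URI and the "Order"/"Approve" resource and action are assumptions chosen for illustration.

```csharp
// Added example (not from the deck): the three WIF 1.0 extension points named on the
// pipeline slide, in the order WIF calls them. Namespaces are Microsoft.IdentityModel;
// the thumbprint, issuer name, claim URI and resource/action names are assumptions.
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

namespace ClaimsAwareRp
{
    // 1. SecurityTokenHandler asks the IssuerNameRegistry who signed the incoming token.
    //    Returning null makes WIF reject it, so only the pinned IdP certificate is trusted.
    public class PinnedIssuerNameRegistry : IssuerNameRegistry
    {
        // Assumption: SHA-1 thumbprint of the IdP's token-signing certificate (placeholder).
        public const string TrustedIdpThumbprint = "0000000000000000000000000000000000000000";
        public const string TrustedIdpName = "ContosoIdP";

        public override string GetIssuerName(SecurityToken securityToken)
        {
            var x509 = securityToken as X509SecurityToken;
            if (x509 == null)
                return null;   // token not signed with an X.509 key: not our IdP
            bool pinned = string.Equals(x509.Certificate.Thumbprint, TrustedIdpThumbprint,
                                        StringComparison.OrdinalIgnoreCase);
            return pinned ? TrustedIdpName : null;
        }
    }

    // 2. ClaimsAuthenticationManager runs once per sign-in on the validated principal,
    //    before SessionAuthenticationModule persists it in the session cookie.
    public class RpClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;   // anonymous request: nothing to transform

            var incoming = (IClaimsIdentity)incomingPrincipal.Identity;

            // Keep only claims the pinned IdP itself asserted; Copy() detaches them from the old identity.
            var trusted = incoming.Claims
                .Where(c => c.Issuer == PinnedIssuerNameRegistry.TrustedIdpName)
                .Select(c => c.Copy())
                .ToList();
            if (!trusted.Any(c => c.ClaimType == ClaimTypes.Name))
                throw new SecurityTokenException("Trusted issuer asserted no name claim");

            var rpIdentity = new ClaimsIdentity(trusted, incoming.AuthenticationType);
            // An application-local claim, explicitly marked as issued by the RP, not the IdP.
            rpIdentity.Claims.Add(new Claim("http://schemas.example.com/rp/tenant", "default",
                                            ClaimValueTypes.String, "LOCAL AUTHORITY"));
            return new ClaimsPrincipal(rpIdentity);
        }
    }

    // 3. ClaimsAuthorizationManager is consulted on each request (ClaimsPrincipalPermission or
    //    the ClaimsAuthorizationModule) with resource and action claims. Deny by default.
    public class RpClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
            string action   = context.Action.Select(c => c.Value).FirstOrDefault();
            var identity    = (IClaimsIdentity)context.Principal.Identity;

            if (resource == "Order" && action == "Approve")
                return identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role
                                             && c.Value == "Manager"
                                             && c.Issuer == PinnedIssuerNameRegistry.TrustedIdpName);
            return false;
        }
    }
}
```

The classes are registered in web.config under <microsoft.identityModel><service> with the issuerNameRegistry, claimsAuthenticationManager and claimsAuthorizationManager elements (type="ClaimsAwareRp.PinnedIssuerNameRegistry, ClaimsAwareRp" and so on). Keep <audienceUris> set to the RP's own realm as well: the issuer check above says who signed the token, the audience check says it was minted for this application and not for some other relying party of the same IdP.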
WIF – Windows Identity Foundation
• Bindings (WS-Trust client bindings in Microsoft.IdentityModel.Protocols.WSTrust.Bindings)
  – UserNameWSTrustBinding
  – CertificateWSTrustBinding
  – WindowsWSTrustBinding
  – KerberosWSTrustBinding
  – IssuedTokenWSTrustBinding
Identity Federation in Silverlight
• What is Identity Federation?
  "A user's authentication process across multiple IT systems or even organizations" – via Wikipedia
• What is the goal of Identity Federation?
  "The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration" – via Wikipedia, http://en.wikipedia.org/wiki/Federated_identity
Identity Federation in Silverlight
• What is Passive Federation?
  [Diagram: Client (browser), Relying Party and Identity Provider; a Trust Relationship exists between the RP and the IdP]
  1. End-user browses to the RP
  2. RP redirects the user to the IdP
  3. End-user logs in
  4. End-user is authenticated at the IdP
  5. IdP issues a security token
  6. IdP security token is presented to the RP
  The end-user is now authenticated at the RP. "Passive" means the browser is the requestor: it only follows redirects and form posts and needs no WS-Trust client (the WS-Federation passive requestor profile). The trust relationship is what the RP enforces in step 6: it accepts the token only if it was signed by the IdP it trusts and was issued for this RP.

DEMO: Identity Federation in Silverlight (Passive)
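Where the passive flow can be tightened from code, as an added example (not the deck's demo or any WIF sample): event hooks on the WSFederationAuthenticationModule and SessionAuthenticationModule in the Global.asax.cs of the ASP.NET site that hosts the Silverlight XAP. It uses the WIF 1.0 API in Microsoft.IdentityModel.Web; the host URL, the accepted "whr" home-realm values and the two-hour session cap are assumptions.

```csharp
// Added example (not from the deck): event hooks on the two HttpModules that drive the
// passive flow, placed in Global.asax.cs of the ASP.NET site hosting the Silverlight XAP.
// ASP.NET wires methods named <ModuleName>_<EventName> automatically, so the names must
// match the module names registered in web.config. WIF 1.0 API (Microsoft.IdentityModel.Web);
// the URL, the "whr" values and the 2-hour limit are assumptions.
using System;
using System.Web;
using Microsoft.IdentityModel.Web;

namespace ClaimsAwareRp
{
    public class Global : HttpApplication
    {
        // The page that hosts the Silverlight application; the IdP must post the token back here.
        private static readonly Uri SilverlightHostPage = new Uri("https://rp.example.com/Default.aspx");

        // Step 2 of the passive flow: WSFAM is about to redirect the browser to the IdP (wa=wsignin1.0).
        void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {
            // Pin wreply to the HTTPS host page, whatever URL triggered the redirect, so the
            // token is never posted to a reply address influenced by the incoming request.
            e.SignInRequestMessage.Reply = SilverlightHostPage.AbsoluteUri;

            // Home-realm discovery: forward a "whr" hint to the IdP only if it names a realm we know.
            string whr = Request.QueryString["whr"];
            if (whr == "urn:federation:partner-a" || whr == "urn:federation:partner-b")
                e.SignInRequestMessage.HomeRealm = whr;
        }

        // Step 6: the token posted back by the IdP has passed the SecurityTokenHandler
        // (signature, issuer, audience, lifetime). Last chance to refuse before a session exists.
        void WSFederationAuthenticationModule_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
        {
            if (e.ClaimsPrincipal == null || !e.ClaimsPrincipal.Identity.IsAuthenticated)
                throw new InvalidOperationException("Sign-in produced no authenticated identity");
        }

        // SessionAuthenticationModule is about to write the session cookie that stands in
        // for the token on every later request.
        void SessionAuthenticationModule_SessionSecurityTokenCreated(object sender, SessionSecurityTokenCreatedEventArgs e)
        {
            var token = e.SessionToken;
            DateTime maxValidTo = DateTime.UtcNow.AddHours(2);
            // Cap the RP session even if the IdP token was valid for longer.
            if (token.ValidTo > maxValidTo)
                e.SessionToken = new SessionSecurityToken(token.ClaimsPrincipal, token.Context,
                                                          token.ValidFrom, maxValidTo);
            // Non-persistent cookie: closing the browser ends the session.
            e.SessionToken.IsPersistent = false;
        }
    }
}
```

The hooks complement, rather than replace, the configuration: keep requireHttps="true" on the <wsFederation> element and requireSsl="true" on <cookieHandler> so neither the posted token nor the FedAuth session cookie ever travels over plain HTTP, and keep <audienceUris> restricted to the RP realm.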
Identity Federation in Silverlight
• What is Active Federation?
  [Diagram: Requestor, Relying Party and Identity Provider with STS; a Trust Relationship exists between the RP and the IdP]
  1. End-user (the requestor) requests a security token directly from the IdP's STS
  2. End-user is authenticated by the STS
  3. IdP issues a security token
  4. IdP security token is presented to the RP
  The end-user is now authenticated at the RP. "Active" means the client itself speaks WS-Trust to the STS and attaches the token to its own service calls; no browser redirects are involved.

DEMO: Identity Federation in Silverlight (Active)
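The four active-federation steps above, written out as an added example against the WS-Trust client classes listed on the Bindings slide (this is not the deck's demo or Microsoft sample code). Silverlight 4 itself ships no WIF assembly, so a XAP has to compose the same RST/RSTR exchange by hand or delegate it to the RP's server; the exchange is shown here with the full .NET WIF 1.0 classes to keep it readable. The STS and RP endpoints, the IOrderService contract and the credentials are assumptions.

```csharp
// Added example (not from the deck): active federation steps 1-4 with WIF 1.0's WS-Trust
// client (Microsoft.IdentityModel.Protocols.WSTrust). Endpoint URLs, the IOrderService
// contract and the credentials passed in are assumptions.
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

namespace ActiveClient
{
    [ServiceContract]
    public interface IOrderService
    {
        [OperationContract]
        string Approve(string orderId);
    }

    public static class ActiveFederation
    {
        // Assumed endpoints: the STS's username endpoint and the claims-aware WCF service (the RP).
        const string StsEndpoint = "https://idp.example.com/adfs/services/trust/13/usernamemixed";
        const string RpRealm     = "https://rp.example.com/OrderService.svc";

        // Step 1: the requestor sends an RST to the IdP's STS, authenticating with username and
        // password over a UserNameWSTrustBinding (TLS transport plus a message-level credential).
        public static SecurityToken RequestToken(string user, string password)
        {
            var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
            var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint));
            factory.TrustVersion = TrustVersion.WSTrust13;
            factory.Credentials.UserName.UserName = user;
            factory.Credentials.UserName.Password = password;

            var rst = new RequestSecurityToken
            {
                RequestType = WSTrust13Constants.RequestTypes.Issue,
                // AppliesTo scopes the token to this RP; the RP's audience check rejects any other.
                AppliesTo   = new EndpointAddress(RpRealm),
                // A bearer token is acceptable here because TLS protects it in transit end to end.
                KeyType     = WSTrust13Constants.KeyTypes.Bearer,
            };

            // Steps 2-3: the STS authenticates the requestor and returns the RSTR with the token.
            var channel = factory.CreateChannel();
            return channel.Issue(rst);
        }

        // Step 4: present the issued token to the RP as the WCF message credential.
        public static string ApproveOrder(SecurityToken token, string orderId)
        {
            var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
            binding.Security.Message.EstablishSecurityContext = false;
            binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;

            var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(RpRealm));
            // WIF extension methods: swap in federated client credentials, then attach the token.
            factory.ConfigureChannelFactory();
            IOrderService proxy = factory.CreateChannelWithIssuedToken(token);
            return proxy.Approve(orderId);
        }
    }
}
```

A caller runs RequestToken once, caches the returned token until shortly before its ValidTo, and reuses it for ApproveOrder calls; requesting a fresh token per call both hammers the STS and re-sends the password each time. The RP side is the same WIF pipeline as in the passive case, configured on the WCF service instead of the ASP.NET site.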
Summary
• Claims-based identity allows us to free our applications from identity silos
• WIF allows us to easily implement claims-based identity in our applications
• Identity federation allows us to authenticate users across IT systems and organizations
• Two types of identity federation
  – Passive: redirection based
  – Active: the client actively authenticates against the IdP's STS

Free your applications…
Nuno Godinho, Partner @ [email protected]