Single SignOn with Federation using Claims

Post on 14-Jan-2015


This is a presentation that talks about SSO, claims-based authentication and the SAML2 protocol.


Federation, SSO, Claims

Volkan Uzun

About Me

Software Dev Staff Engineer @ Dell R&D

Working on Identity Management Applications

Blog: http://volkanuzun.com/blog

Twitter: @volkanuzun

Email: volkan.uzun@gmail.com

Authentication/Authorization

Why Identity Federation?

• Decouple authentication mechanism from applications and services
• Go claims-based
• Reduce IT pain and risk related to provisioning and de-provisioning users
• Extend trust to users across domain, corporate and Internet boundaries
• Support Single Sign-On (SSO)

Decouple Authentication

• Windows/Kerberos
• Forms authentication
• HTTP basic authentication
• SSL Certificates
• WS-Fed
• WS-Trust
• SAML
• OAuth (authorization; people use it wrong!)
• OpenID (authentication)

Claims

Any information about a subject from a provider.

Identity providers typically issue claims based on the user's identity.

[Figure: the user authenticates with credentials and receives claims]

Credentials:
UserName=volkanuzun
Password=*******

Authenticate ->

Claims:
Name=volkan uzun
Email=volkan.uzun@gmail.com
IsOver21=true
Role=Admin
Role=User

Claims

Applications may transform identity claims into application-specific claims.

[Figure: identity-provider claims are transformed into application-specific claims]

Identity Provider claims:
Name=Volkan Uzun
Email=volkan.uzun@gmail.com
IsOver21=true
Role=Admin
Role=User

Transform ->

Application Specific Claims:
LicenseKey=ABC12345
Permission=Create
Permission=Read
Permission=Update
Permission=Delete

Token

• Contains the claims
• The signature
• Information about the issuer
• May be encrypted
• In XML format
• Has an expiration date
• SAML 1.1/2.0, Simple Web Token, JSON Web Token

Token Types

• SAML: XML based, encryption and signature with asymmetric or symmetric keys, needs processing power
• Simple Web Token (SWT): URL/Form encoded, symmetric signature only
• JSON Web Token (JWT): the new cool guy, symmetric or asymmetric, JSON encoded

Claims-based Identity Pros

Before Claims-based:
• App authenticated the user or relied on a 3rd party to authenticate, such as AD
• App gets simple information from the user, such as user name

After Claims-based:
• Authentication is outsourced to the STS
• App gets any information it needs

STS

• Security Token Service
• Claims are issued by a provider (STS)
• A security token service (STS) is the service component that builds, signs, and issues security tokens
• Client applications trust the STS
• The basic flow is: client requests token, issuer issues token, resource consumes the token

Passive Federation

[Figure: Passive Federation flow between the User (subject), the Browser (requestor), the Web Site (RP) in the RP Domain and the Quest STS (IdP) in the IdP Domain. Labelled steps: SignIn (2), Login Page and POST Credentials (3, 4), Authenticate / Issue Token (5), POST SignIn Response (6), Authorize Access (7).]

Active Federation

[Figure: Active Federation flow between a Rich Client, the Identity Provider (IdP) in the IdP Domain and the Application (Relying Party, RP) in the RP Domain. The client sends Credentials to the IdP, which authenticates and issues a Security Token / Claims (2); the client presents the token to the RP, which authorizes (5).]

Certificate

• Token is signed with a certificate
• Same cert may be used for encrypting the message
• Same cert may be used for cookie encryption
• Cert Type

.NET help me please

RBAC

(Since 2002)

IIdentity

IPrincipal

IIdentity: IsAuthenticated; AuthenticationType; Name

IPrincipal: IIdentity; IsInRole(string roleName);

Thread.CurrentPrincipal

DEMO: Old style

First Attempt: WIF (Windows Identity Foundation)

• Hooks into the ASP.NET pipeline
• Not a new solution: Claims
• Embedded into .NET 4.5

ClaimsIdentity, ClaimsPrincipal

ClaimsIdentity : IIdentity { IEnumerable<Claim> Claims }

ClaimsPrincipal : IPrincipal { ReadOnlyCollection<ClaimsIdentity> Identities }
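An added C# example (not code from the slides) that puts the ClaimsIdentity/ClaimsPrincipal API together with the claims transformation shown on the Claims slide: a ClaimsAuthenticationManager turns the STS-issued identity claims into application-specific Permission claims, and the application then checks them instead of calling the STS again. The AppClaimTypes URIs, the AppClaimsTransformer class and the sample claim values are assumptions.

```csharp
using System;
using System.Security.Claims;

// Hypothetical application-specific claim types (assumed, not from the slides).
static class AppClaimTypes
{
    public const string Permission = "http://example.com/claims/permission";
    public const string LicenseKey = "http://example.com/claims/licensekey";
}

// WIF runs this once per request when it is registered in web.config under
// <system.identityModel><identityConfiguration><claimsAuthenticationManager type="..."/>.
public class AppClaimsTransformer : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var incoming = incomingPrincipal.Identity as ClaimsIdentity;
        // No application claims for an unauthenticated identity.
        if (incoming == null || !incoming.IsAuthenticated)
            return incomingPrincipal;

        // Keep the identity claims issued by the STS (the token signature was validated
        // upstream in the pipeline) and add application claims derived from them.
        var appIdentity = new ClaimsIdentity(incoming.Claims, incoming.AuthenticationType);
        appIdentity.AddClaim(new Claim(AppClaimTypes.LicenseKey, "ABC12345")); // constructed sample value
        if (incoming.HasClaim(ClaimTypes.Role, "User"))
            appIdentity.AddClaim(new Claim(AppClaimTypes.Permission, "Read"));
        if (incoming.HasClaim(ClaimTypes.Role, "Admin"))
            foreach (var p in new[] { "Create", "Update", "Delete" })
                appIdentity.AddClaim(new Claim(AppClaimTypes.Permission, p));
        return new ClaimsPrincipal(appIdentity);
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample of the identity claims an STS would put in the token.
        var stsIdentity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "Volkan Uzun"),
            new Claim(ClaimTypes.Email, "volkan.uzun@gmail.com"),
            new Claim(ClaimTypes.Role, "Admin"),
            new Claim(ClaimTypes.Role, "User"),
        }, "Federation");

        var principal = new AppClaimsTransformer().Authenticate("/", new ClaimsPrincipal(stsIdentity));
        // IsInRole still works (it reads ClaimTypes.Role); authorization uses the app claims.
        Console.WriteLine("IsInRole(Admin): " + principal.IsInRole("Admin"));
        Console.WriteLine("Can delete: " + principal.HasClaim(AppClaimTypes.Permission, "Delete"));
    }
}
```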

DEMO: Visual Studio 2010 Demo with WIF

DEMO: Visual Studio 2012 Demo with .NET 4.5

SSO

• Client applications are responsible for authorization (cookie)
• STS is responsible for user authentication (cookie)
• STS can generate the session token from the cookie
• STS can reissue the session token from the cookie

Log Out

• More difficult than login
• STS has to delete its own cookie
• Each client application must be notified of a logout

Partner Federation

• Your STS acts as a client application for another STS
• When your STS doesn't have the user identity
• Client application still trusts only your STS
• Your STS does claims transformation

Home Realm Redirection

[Figure: Home Realm Redirection flow between the Browser, the Web Site in the Application Domain, the Quest STS and the IdP STS in the IdP Domain. Labelled steps: Sign-In Request to the Web Site and to the Quest STS, Login Page and POST Credentials at the IdP, Authenticate / Issue Token (6), Set Cookie (7), IdP SAML / Gather Attributes / Issue Assertion (9), Keystone Assertion w/ Session Token (8, 11), Authorize Access (10).]

Warnings

• Caching SessionSecurityToken
• Cookie size may be an issue (even with chunking)
• Infinite loops (cookie issue)
• Load balancer issue (cookie issue)
• Use SSL
• QueryString length may be an issue