Date posted: 13-May-2015
Category: Technology
SaaS Security Using Federated Identity Management
Azure AppFabric Access Control Service (ACS)
Windows Identity Foundation (WIF)
What Were The Requirements?
• Favor proven security frameworks and industry standards over custom security code
• Single sign on (SSO) between tenants
• Preferably not own or manage sensitive data
• Avoid account management in the app such as lost password, etc.
Our Solution: Federated Identity Management
• Leverage popular web identity providers such as Google, Yahoo.
• Leverage Azure ACS as an aggregator of these providers
• Leverage WIF for integration with ACS and claims management
Concept Diagram
[Diagram: Identity Providers (Yahoo shown) connect over SAML or OpenID to the Federation Provider (ACS, acting as an STS), which issues claims to the Relying Party (RP): an IIS-hosted application using WIF.]
Demo – Setup Azure AppFabric Access Control Service (ACS)
Demo – Preview Portal
Demo – Portal
Demo – Create Namespace
Demo – Manage Access Control
Demo – Identity Provider
Demo – Relying Party Application Settings
Demo – RP – Authentication Settings
Demo – Edit Rule Group
Demo – Generate Rules To Create Claims
Demo – WS-Federation Metadata
Demo – Setup Windows Identity Foundation (WIF)
Demo – Add STS Reference
Demo – Application URI
Demo – STS Location
Demo – Add Project Reference
ASP.NET Request Validation
Error Message:
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
Workaround For Testing:
Solution For Production:
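The exception above is ASP.NET request validation rejecting the XML token that ACS posts back in the wresult form field. The usual testing workaround of switching validation off for the whole application (validateRequest="false" together with requestValidationMode="2.0") also removes that protection from every other form field. The following is an added example, not the presenter's code, of the narrower production-style fix: a custom RequestValidator that exempts only the wresult field, and only when WIF can parse the post as a WS-Federation sign-in response. It assumes WIF 3.5 (Microsoft.IdentityModel) on ASP.NET 4.0; the namespace SaasDemo.Security and the assembly name SaasDemo are placeholders.

```csharp
// Added example (not the presenter's code): scope ASP.NET request validation so
// that only the WS-Federation "wresult" form field may carry XML, and only when it
// parses as a SignInResponseMessage. Every other field keeps default validation.
// Assumes WIF 3.5 (Microsoft.IdentityModel) and ASP.NET 4.0; SaasDemo.Security is
// a placeholder namespace.
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

namespace SaasDemo.Security
{
    public class WsFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only the POSTed form field named "wresult" is considered for exemption.
            if (requestValidationSource == RequestValidationSource.Form
                && string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // Accept the value only if WIF parses the whole form post as a
                // WS-Federation sign-in response; arbitrary markup is still rejected.
                var message = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
                if (message != null)
                {
                    return true;
                }
            }

            // Fall back to the stock validator for everything else (query string,
            // cookies, headers, and all other form fields).
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

The validator is registered in web.config with `<httpRuntime requestValidationType="SaasDemo.Security.WsFederationRequestValidator, SaasDemo" />`, leaving validateRequest at its default of true. The token's signature and issuer are still checked afterwards by the WIF pipeline; this class only decides whether the raw field is allowed to reach it.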
Authentication Flow Diagram
[Diagram: Browser, MVC Website (WIF), Access Control Service (ACS, STS), Identity Providers (IP: Google, Yahoo)]
1. Request login returns 302 redirect to ACS
2. Request IP selection form from ACS
3. Request login form from IP
4. Post credentials, returns token with 302 redirect to ACS
5. Validate and transform token to SAML claims.
6. Post SAML to MVC website callback. WIF processes and sets cookie.
Demo – Claims Authentication And Authorization
Demo - Claims
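In step 6 of the flow, WIF validates the SAML token from ACS before writing the session cookie. Between those two points WIF offers the ClaimsAuthenticationManager extension point, where the application can map the ACS-issued identity to its own user record and add its own role claims. The following is an added example, not the presenter's demo code, of that step. It keys the local account on the pair of identityprovider and nameidentifier claims that ACS issues (the coupling to the ACS namespace noted under Disadvantages), refuses tokens missing either claim, and attaches application roles with a distinct issuer so authorization can tell them apart from ACS claims. It assumes WIF 3.5 (Microsoft.IdentityModel); the user store is a constructed in-memory dictionary with made-up subject identifiers, and SaasDemo.Security is a placeholder namespace.

```csharp
// Added example (not the presenter's code): a WIF ClaimsAuthenticationManager that
// runs after WIF has validated the ACS token and before the session cookie is set.
// It maps (identityprovider, nameidentifier) to a local account and adds role claims.
// Assumes WIF 3.5 (Microsoft.IdentityModel); the user store and its subject values
// are constructed sample data, and SaasDemo.Security is a placeholder namespace.
using System;
using System.Collections.Generic;
using System.Security.Authentication;
using Microsoft.IdentityModel.Claims;

namespace SaasDemo.Security
{
    public class AcsClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // ACS claim type that names the upstream identity provider (Google, Yahoo, ...).
        private const string IdentityProviderClaimType =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Issuer label for claims minted by this application rather than by ACS.
        private const string LocalIssuer = "LOCAL AUTHORITY";

        // Constructed sample user store: "provider|nameidentifier" -> application roles.
        private static readonly Dictionary<string, string[]> UserRoles =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                { "Google|108576534218213312345",   new[] { "TenantAdmin" } },
                { "Yahoo|urn:example:yahoo:abc123", new[] { "User" } },
            };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal; // anonymous request: nothing to transform
            }

            var identity = (IClaimsIdentity)incomingPrincipal.Identity;
            string provider = FindClaimValue(identity, IdentityProviderClaimType);
            string subject = FindClaimValue(identity, ClaimTypes.NameIdentifier);

            // Without a stable subject the token cannot be tied to a local account.
            if (string.IsNullOrEmpty(provider) || string.IsNullOrEmpty(subject))
            {
                throw new AuthenticationException("Token lacks identityprovider or nameidentifier claim.");
            }

            // Unknown federated identities stay authenticated but receive no roles,
            // so role-based authorization denies them by default.
            string[] roles;
            if (UserRoles.TryGetValue(provider + "|" + subject, out roles))
            {
                foreach (string role in roles)
                {
                    identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
                }
            }

            return incomingPrincipal;
        }

        // Returns the first value of the given claim type, or null if absent.
        private static string FindClaimValue(IClaimsIdentity identity, string claimType)
        {
            foreach (Claim claim in identity.Claims)
            {
                if (string.Equals(claim.ClaimType, claimType, StringComparison.Ordinal))
                {
                    return claim.Value;
                }
            }
            return null;
        }
    }
}
```

The manager is wired in under `<microsoft.identityModel><service>` in web.config with `<claimsAuthenticationManager type="SaasDemo.Security.AcsClaimsAuthenticationManager, SaasDemo" />`. Keying accounts on provider plus nameidentifier, rather than on a display name or e-mail claim, matters because those attributes are neither unique across providers nor guaranteed stable.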
Disadvantages
• Your user identities are tied to your ACS namespace – challenging if you ever wanted to migrate away from your ACS namespace
• Additional cost – you pay for each token issued
• Reliance on external service for authentication
• WIF is not well integrated into the .NET framework (but that improves in 4.5) – WIF is also not very DI friendly
Summary
• Low barrier to entry for using existing social identities in your app
• ACS and WIF encapsulate the complexity
• Users don't need to remember another username and password
• Developers get to save time implementing and maintaining account management features