
3cf116a4081408f0126081cbab8f526f.ppt
- Number of slides: 19
Claims-based security with Windows Identity Foundation
Goals
- Introduce you to claims-based security.
- Show that it isn't that hard anymore, thanks to WIF.
- And it's fun!
Some terminology
Two types of federation
WS-Federation: Active Requestor Profile
- Based on WS-Trust
- For active clients, such as WPF and WinForms applications
WS-Federation: Passive Requestor Profile
- Based on WS-Federation
- For web clients
- "Emulates" WS-Trust on top of GET, POST, browser redirects and cookies
Claim
Way too abstract: a statement that is made by one entity about another entity.
Let's make it a bit more concrete: a piece of information about a user in a system, issued by a security token service (STS) that a claims-aware application trusts.
- Identifying claims: Name, Email, Phone number
- Blind claims: Nationality, Age, Hair color
- Role, permission
What's inside a claim?
ClaimType
- Built-in: name, email, phonenumber
- Custom: organization number, cost center, member status ...or anything else that makes sense in your system
- Usually they have a URI format, such as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
ClaimValue
- e.g. "john.doe@somewhere.com"
Issuer (STS)
- "CN=the.sts.at.somewhere.com", the name of the STS that has issued the claim
And a couple more properties: ClaimValueType, OriginalIssuer, ...
So from a security point of view we can say that a user's identity is made up of a set of claims.
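An added example, not part of the slide deck, that puts the pieces of the two preceding slides into code: each claim carries a type (a URI), a value, a value type and the issuer, and the identity the application works with is nothing more than the set of those claims. It is written against System.Security.Claims, the namespace into which WIF's Microsoft.IdentityModel.Claims types were folded in .NET 4.5; on WIF 3.5 the same class names live in Microsoft.IdentityModel.Claims. The custom claim URI, the issuer name and every claim value are constructed for illustration.

```csharp
// Added example (not from the deck): an identity is a set of claims.
// Namespace: System.Security.Claims (.NET 4.5); WIF 3.5 equivalent is
// Microsoft.IdentityModel.Claims. All names/values below are constructed.
using System;
using System.Collections.Generic;
using System.Security.Claims;

static class ClaimsDemo
{
    // Custom claim types are URIs your own system chooses (assumed name).
    const string CostCenterClaim = "http://schemas.example.org/claims/costcenter";
    // Name of the STS this application trusts (constructed value).
    const string TrustedIssuer = "CN=the.sts.at.somewhere.com";

    // Build the identity the way the STS would hand it over: a bag of claims,
    // each stamped with the issuer so the application knows where it came from.
    public static ClaimsPrincipal BuildPrincipal()
    {
        var claims = new List<Claim>
        {
            // identifying claims
            new Claim(ClaimTypes.Name,        "john.doe",               ClaimValueTypes.String,  TrustedIssuer),
            new Claim(ClaimTypes.Email,       "john.doe@somewhere.com", ClaimValueTypes.String,  TrustedIssuer),
            // blind claims
            new Claim(ClaimTypes.Country,     "SE",                     ClaimValueTypes.String,  TrustedIssuer),
            new Claim(ClaimTypes.DateOfBirth, "1980-01-01",             ClaimValueTypes.Date,    TrustedIssuer),
            // role / permission claim
            new Claim(ClaimTypes.Role,        "Approver",               ClaimValueTypes.String,  TrustedIssuer),
            // custom claim with a non-string value type
            new Claim(CostCenterClaim,        "4711",                   ClaimValueTypes.Integer, TrustedIssuer),
        };
        // A non-empty authentication type makes Identity.IsAuthenticated true.
        var identity = new ClaimsIdentity(claims, "Federation");
        return new ClaimsPrincipal(identity);
    }

    // Every claim exposes Type, Value, ValueType and Issuer.
    public static void Dump(ClaimsPrincipal principal)
    {
        foreach (Claim c in principal.Claims)
            Console.WriteLine("{0} = {1} ({2}) issued by {3}", c.Type, c.Value, c.ValueType, c.Issuer);
    }

    // Only act on a claim if it was issued by the STS we trust; a claim
    // carrying any other issuer name is ignored.
    public static string TrustedEmail(ClaimsPrincipal principal)
    {
        Claim email = principal.FindFirst(ClaimTypes.Email);
        return email != null && email.Issuer == TrustedIssuer ? email.Value : null;
    }

    static void Main()
    {
        ClaimsPrincipal p = BuildPrincipal();
        Dump(p);
        Console.WriteLine("Authenticated: " + p.Identity.IsAuthenticated);
        Console.WriteLine("Email from trusted STS: " + TrustedEmail(p));
    }
}
```

The point of checking Claim.Issuer in TrustedEmail is that, in a real deployment, the token handler fills that property from the issuer name registry (the trust relationship with the STS), so the application can tell claims from its own STS apart from claims that merely happen to have the right type.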
Security token
Claims on the wire, i.e. a serialized set of claims
- digitally signed by the STS
- encrypted (optional but recommended)
Security token formats:
- SAML: an XML-based standard from OASIS; the most common format; interoperable
- Kerberos
- X.509 certificate
Basic rules of claims-based authorization
- Let go of authenticating the users yourself. Let the STS handle it instead.
- Establish a trust relationship with the STS.
The driving forces
- It enables identity federation
- It enables SSO
- Lower user administration costs for organizations
- Always fresh user information
- Seamless step-up authentication
- Separation of concerns
- Better security
What about role-based access control?
Don't worry... It's backward compatible!
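An added example, not from the slide deck, covering the two preceding slides: the relying party never sees a password (authentication happened at the STS), it only decides access from the claims it received, and role-based checks keep working because a role is simply a claim of type ClaimTypes.Role that IsInRole consults. The code is written against System.Security.Claims (.NET 4.5); under WIF 3.5 the same ClaimsAuthorizationManager and AuthorizationContext types live in Microsoft.IdentityModel.Claims. The custom claim type, the resource/action convention and all user values are constructed.

```csharp
// Added example (not from the deck): claims-based authorization at the RP.
// Namespace: System.Security.Claims (.NET 4.5); WIF 3.5 uses
// Microsoft.IdentityModel.Claims. Claim type, resource/action names and
// values are constructed for illustration.
using System;
using System.Linq;
using System.Security.Claims;

// WIF calls CheckAccess on the configured manager before the operation runs.
class InvoiceAuthorizationManager : ClaimsAuthorizationManager
{
    // assumed custom claim type: the cost center a user belongs to
    const string CostCenterClaim = "http://schemas.example.org/claims/costcenter";

    public override bool CheckAccess(AuthorizationContext context)
    {
        ClaimsPrincipal principal = context.Principal;
        // Deny by default: an unauthenticated caller gets nothing.
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;

        // Convention for this example: resource = the invoice's cost center.
        string resource = context.Resource.First().Value;
        string action   = context.Action.First().Value;

        switch (action)
        {
            case "Read":
                return OwnsCostCenter(principal, resource);
            case "Approve":
                // Classic RBAC still works: IsInRole looks at the role claims.
                return principal.IsInRole("Approver") && OwnsCostCenter(principal, resource);
            default:
                return false;
        }
    }

    static bool OwnsCostCenter(ClaimsPrincipal p, string costCenter)
    {
        return p.HasClaim(CostCenterClaim, costCenter);
    }
}

static class Program
{
    // Stand-in for what the token handler produces from a validated token.
    static ClaimsPrincipal PrincipalFromSts(params Claim[] claims)
    {
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    static void Main()
    {
        var manager = new InvoiceAuthorizationManager();
        const string cc = "http://schemas.example.org/claims/costcenter";

        ClaimsPrincipal approver = PrincipalFromSts(
            new Claim(ClaimTypes.Name, "john.doe"),
            new Claim(ClaimTypes.Role, "Approver"),
            new Claim(cc, "4711"));
        ClaimsPrincipal clerk = PrincipalFromSts(
            new Claim(ClaimTypes.Name, "jane.roe"),
            new Claim(cc, "4711"));
        // no claims and no authentication type: not authenticated
        ClaimsPrincipal anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(approver,  "4711", "Approve")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(clerk,     "4711", "Approve")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(clerk,     "4711", "Read")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(approver,  "0815", "Approve")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(anonymous, "4711", "Read")));
    }
}
```

The manager is wired in through configuration rather than code (the claimsAuthorizationManager element of the WIF service configuration), which is what keeps the service operations themselves free of authorization logic.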
Claims-based security – One domain (diagram)
Parties:
- Active client (e.g. WPF, WinForms): delivers credentials, e.g. username/password, Windows credentials or a certificate
- IP-STS (IP = Identity Provider; a.k.a. STS; e.g. ADFS 2.0), backed by AD: authenticates the user, validates AppliesTo against the known RPs, gathers claims
- Application = RP (RP = Relying Party; a.k.a. claims-aware application, service provider; example: WCF Service): token validation and access control in the WCF pipeline
Trust relationship between IP-STS and RP.
Flow:
- Client -> IP-STS: RST (credentials, AppliesTo)
- IP-STS -> Client: RSTR (security token, proof key)
- Client -> RP: message + token
- RP -> Client: response
Federated identity (diagram)
Security Domain A: IP-STS, WPF Client
Security Domain B: RP-STS (with transformation rules), WCF Service at http://domain/service1
Trust: RP-STS trusts IP-STS; WCF Service trusts RP-STS
Flow:
- WPF Client authenticates to IP-STS, which issues a token
- WPF Client sends that token to RP-STS, which applies its transformation rules and issues a new token
- WPF Client sends message + token to the WCF Service
- WCF Service sends the response
Certificates – Security Domain A
IP-STS
Certificate | Store location | Purpose
IP-STS's private key | Local Computer/Personal | Sign token
RP-STS's public key | Local Computer/Personal | Encrypt token
SSL certificate | Local Computer/Personal | Secure the channel
Root authority certificate | Trusted Root Certificate Auth. | Create SSL certificate
Active client
Certificate | Store location | Purpose
RP's public key | Base64 encoded in app.config | Encrypt message and authenticate RP
IP-STS's SSL public key | Local Computer/Trusted People | Secure the channel
Proof key from RP-STS | | Sign the message to RP
Certificates – Security Domain B
RP-STS
Certificate | Store location | Purpose
IP-STS's public key | Local Computer/Trusted People | Validate signature
RP-STS's private key | Local Computer/Personal | Decrypt incoming token and sign issued token
RP's public key | Local Computer/Trusted People | Encrypt token
RP
Certificate | Store location | Purpose
RP's private key | Local Computer/Personal | Decrypt token
RP-STS's public key | Local Computer/Trusted People | Validate RP-STS's signature
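An added example, not from the slide deck, showing how the "validate signature" rows of the two certificate tables (and the "establish a trust relationship with the STS" rule) are enforced on the relying party. WIF hands the certificate that signed an incoming token to an IssuerNameRegistry: returning null rejects the token, returning a name accepts it and that name becomes Claim.Issuer on every claim from the token. The registry below pins the signing certificate by thumbprint and additionally requires it to be present in the Local Computer/Trusted People store, as the table prescribes. It is written against System.IdentityModel.Tokens (.NET 4.5); under WIF 3.5 the base class is Microsoft.IdentityModel.Tokens.IssuerNameRegistry. The thumbprint and issuer name are placeholders.

```csharp
// Added example (not from the deck): pinning the STS signing certificate.
// Base class: System.IdentityModel.Tokens.IssuerNameRegistry (.NET 4.5);
// WIF 3.5: Microsoft.IdentityModel.Tokens.IssuerNameRegistry.
// Thumbprint and issuer name below are placeholders, not real values.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

class PinnedIssuerNameRegistry : IssuerNameRegistry
{
    // Thumbprint of the STS signing certificate -> logical issuer name.
    static readonly Dictionary<string, string> TrustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "<THUMBPRINT-OF-STS-SIGNING-CERT>", "<ISSUER-NAME-OF-STS>" } // placeholders
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        // Only tokens signed with an X.509 certificate are considered.
        var x509 = securityToken as X509SecurityToken;
        if (x509 == null)
            return null;

        string thumbprint = x509.Certificate.Thumbprint;
        string issuerName;
        if (thumbprint == null || !TrustedIssuers.TryGetValue(thumbprint, out issuerName))
            return null; // unknown signer: null means "reject the token"

        // Second check from the certificate table: the STS public key must
        // be installed in Local Computer / Trusted People on this machine.
        return IsInTrustedPeople(thumbprint) ? issuerName : null;
    }

    static bool IsInTrustedPeople(string thumbprint)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0;
        }
        finally
        {
            store.Close();
        }
    }
}
```

The class is referenced from the RP's configuration (the issuerNameRegistry element of the WIF service configuration, the same element FedUtil fills in with the built-in ConfigurationBasedIssuerNameRegistry), so replacing the built-in registry needs no change to the service code.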
Certificates
- Certificate Authority: VeriSign
- Self-signed test certificates during development: makecert.exe
WIF
A framework for building claims-based applications as well as STSs.
An abstraction layer over WS-Trust and WS-Federation.
It contains
- a set of .NET classes inside Microsoft.IdentityModel
- Visual Studio project templates for ASP.NET, WCF applications and STS services
- ASP.NET controls, e.g. FederatedPassiveSignInControl
- FedUtil, a tool that makes it easy to establish trust between the application and the STS
You need this to get started:
- Visual Studio 2008/2010
- WIF SDK, includes guidelines, samples etc.
Demo