Federating Identity and Authorization Across Organizations and Platforms
Matthew Hur, Lead Program Manager, Microsoft Corporation (matthur@microsoft.com)
Session Code: ARC241

Post on 20-Jan-2016


TRANSCRIPT

Page 1: Federating Identity and Authorization Across Organizations and Platforms

Matthew Hur
Lead Program Manager
Microsoft Corporation
matthur@microsoft.com

Session Code: ARC241

Page 2

[Figure: map of managed namespaces grouped by application model. Panel titles: Tools; Client Application Model (Avalon, Windows Forms); Web & Service Application Model (ASP.NET / Indigo); Data Systems Application Model (WinFS, Yukon); Mobile PC & Devices Application Model (Compact Framework, Mobile PC Optimized); Command Line; NT Service; Presentation; Data; Communication; Fundamentals (Base & Application Services, Security, Configuration, Deployment/Management). The Security panel lists System.Security (Authorization, AccessControl, Credentials, Cryptography, Permissions, Policy, Principal, Token), System.Web.Security, System.MessageBus.Security and System.Windows.TrustManagement.]

Page 3: Agenda

• What problems are we addressing?
• Federated security requirements
• Web services and federation
• TrustBridge and where we’re heading

Page 4: Managing Identities is Hard

• Each organization is an island
  • Must manage internal identities
  • Must manage external identities
• Can we create identities that “island-hop”?
  • Fewer identities to manage
  • More meaningful identities

Page 5: Federated Security

• Enable each organizational “island”
  • To act as an authority
  • To make secure statements
• And build bridges of trust between them
  • Each one picks who they trust
  • Each one controls how much they trust
  • Each one controls their principals and assertions
  • Each one uses its own internal protocols

Specifications and technology to enable widely-available, interoperable identification, authentication, and authorization

Page 6: Federated Security Requires

• Authorities – Issue assertions
  • They authenticate principals
  • They make assertions
  • They support assertion look-up and discovery
• Principals – The target of assertions
  • The “entities” authorities assert about (e.g., Users, Services, Devices)
  • Some offer services to other principals
  • Some consume assertions to make authorization decisions
• Trust Relationships – Limit assertions
  • Implicit trust between principals and their authority
  • Explicit trust between authorities
  • Policy controls who trusts who and for what they are trusted
• Trust Brokers (optional) – Scale Trusts
  • Ease establishing trust between authorities (not transitive trust)
  • They are optional but enable scaling

Page 7: Build Federation on Web Services

• Federated Security requires
  • Organizations to contact one another
  • Organizations to share with one another
  • In real-time, across the Internet
• Web Services enable interoperation
  • Cross platform support and development model
  • Broad, multi-vendor support
  • Based on standards

Page 8: Web Services Need Security

• Types of Requirements
  • Enable message-level security
  • Establish and use trust
  • Express security policy
• WS security standards provide the security
  • First specification already at OASIS
  • More coming

Page 9: Web Service Specifications

[Figure: web services specification stack. Labels: Internet Transports; SOAP and XML; Messaging; Discovery; Security; Transactions; Policy; Management; Web Services.]

Page 10: Security Tokens & Claims

Messages have security tokens that assert claims

Claim – A statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc.).

[Figure labels: Signed (X.509, Kerberos, XrML, SAML, …); Unsigned (Username, …); Proof of Possession (Secret Key, Password).]

Page 11: Policies

Web services have policies that describe required claims

• Does the request have the correct security tokens?
• Policies can also describe where to get claims

[Figure label: Policy.]

Page 12: Security Token Service

A security token service issues security tokens

• It is just a web service
• A solution may require multiple token services

[Figure labels: Web Service with its Policy; Security Token Service with its Policy.]

Page 13: Federated Identity: Getting There

Key Architectural Principles

• Multiple “authorities” in a “trust network”
  • Each owns their customers and employees
  • Each owns their infrastructure
  • Each issues their own credentials
  • Each can decide whether to accept credentials from other authorities

Page 14: TrustBridge

TrustBridge is a project with two primary goals

• Provide core security infrastructure within .Net Framework in Longhorn (supporting Indigo)
  • the System.Security.Authorization namespace
• Enable federated trust scenarios
  • Web services
  • Web-based applications

Page 15: System.Security.Authorization

• Provide core security components
  • In the .NET Framework
  • In Longhorn
• Somewhat analogous to CAPI and SSPI

[Figure labels: Application; Indigo; Sys.Sec.Authorization namespace.]

Page 16: System.Security.Authorization

• Token Processing
• Authorization
• Token Issuance
• Policy Storage
• Extensibility

[Figure labels: Application Logic; Sys.Sec.Authz; Trust Policy; Authz Policy; SOAP; Security Tokens; Authenticate; Create Tokens; Authorize; Policy Lookup.]

Page 17: System.Security.Authorization

• Token Processing
  • Authentication, claim filtering and extraction
  • Creates a SecurityContext.
  • Supports multiple security token types (XrML, SAML, X.509v3, Kerberos, Custom)
• Authorization
  • Provides framework for authorization processing
  • Roles-based access control interfaces and administration
  • Makes authorization decisions using the claims in the SecurityContext and an AuthorizationContext (the stored policy, and other disparate pieces of policy such as XrML)

Page 18: System.Security.Authorization

• Token Issuance
  • Claim Transformation
  • Generate the following token types
    • XrML
    • SAML
• Policy Storage
  • Mechanism for storing trust partner policy, claim filtering policy, transformation policy, and RBAC authorization policy
  • Provides an administration object model for all of the above policies.
• Extensibility points
  • Custom token types
  • Custom authorization engines
  • Custom claim types

Page 19: TrustBridge Federation Goals/Scenarios

• Web-based applications
• Web services
• Interop with Passport
• Interop with other WS-* compliant vendors

Page 20: How to Manage Trust

Manage at the edge through trust gateways

[Figure labels: Federation Border; Federation Border; MESH.]

Page 21: The Federation Model

Business Level Agreement

Defines a Common Namespace
• Terms, Keys, Limits
• Auditing requirements
• Etc.

[Figure labels: Org #1 Private Namespace; Org #2 Private Namespace.]

Page 22: The Federation Model

Federation Servers broker trust between organizations

[Figure labels: Org #1 Private Namespace; Federation Server; Federation Namespace; Federation Server; Org #2 Private Namespace.]

Page 23: Web Services Single Sign-On

Supplier A (WS Security Application, wants XrML):
1. User requests access to Supplier A
2. STS creates XrML token
3. Signs it with company’s private key
4. Sends token back to user
5. Accesses Supplier A with XrML token

Supplier B (WS Security Application, wants SAML):
1. User requests access to Supplier B
2. STS creates SAML token
3. Signs it with company’s private key
4. Sends token back to user
5. Accesses Supplier B with SAML token

[Figure labels: Exchange; Web Service; Collaboration; Intranet Applications; Active Directory; User Account/Credentials; Security Token (e.g. Kerberos Ticket); Security Token; Federation STS; Supplier A; Supplier B.]

Page 24: Web-based Single Sign-On

1. User accesses A.Datum portal to Trey Research order processing application
2. User authenticates to A.Datum STS using Active Directory integrated authentication – passes SIDs as input claims
3. User obtains federation SAML token from A.Datum STS – Federation claims per business level agreement between A.Datum and Trey Research
4. User obtains security token from Trey Research STS – Claims specific to Trey Research
5. User accesses Trey Research order processing application

[Figure labels: A.Datum Corp. (Active Directory, SIDs, Federation STS, Order Entry Portal); Federation Claims; Trey Research Inc. (Federation STS, Application Claims, Order Entry Application).]

Page 25: WS-Federation Passive Requestor Profile

Page 26: TrustBridge and Distributed Authorization

[Figure labels: Account Domain (Active Directory, SIDs, Federation STS); Federation Domain (Federation Claims); Resource Domain (Federation STS, Application Claims, Application, AzMan).]

Page 27: RBAC Management

• Policy Store: Storage in AD, XML, SQL
• Role: Permissions needed to do a job
• Task: Work units that make sense to administrators
• Operation: Application action that developer writes dedicated code for.

[Figure labels: Design; Deployment; Database Operation; Web Operation; Directory Operation; Payment System Operation; Auditor; Acct Rep; Buyer; Change Approver; Approve/Deny Payment; Approve/Reject Report; Submit Report; Cancel Report; Check Status; Policy Store (XML, SQL).]

Page 28: Role Assignments

• Role Assignment: Buyer: email = *@ADatum.com
• Role Assignment: Acct Rep: Group = Dept01Manager
• Role Assignment: Auditor: (Group = TreyAuditor) && (Status = Active)

[Figure labels: Role Definitions; Web Ordering Application; Buyer; Acct Rep; Auditor.]
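
The three role assignments above, evaluated over claims that have first passed a per-issuer trust policy at the resource-side federation STS. This is an added example, not code from the presentation and not the System.Security.Authorization API; the issuer names, the policy layout and the sample tokens are constructed, and token signatures are assumed to have been verified already.

```python
from fnmatch import fnmatchcase

# Trust policy at the resource-side federation STS (layout is an assumption):
# per trusted issuer, the claim types it may assert and the values accepted.
TRUST_POLICY = {
    "sts.adatum.example": {"email": "*@adatum.com", "group": "dept*"},
    "sts.treyresearch.example": {"group": "trey*", "status": "*"},
}

# Role assignments from the slide; every condition of a role must be met.
ROLE_ASSIGNMENTS = {
    "Buyer": [("email", "*@adatum.com")],
    "Acct Rep": [("group", "dept01manager")],
    "Auditor": [("group", "treyauditor"), ("status", "active")],
}


def filter_claims(issuer, claims):
    """Keep only the claims this issuer is trusted to assert.

    Claim types and values are compared case-insensitively, so both are
    lowercased before matching. An unknown issuer contributes no claims.
    """
    allowed = TRUST_POLICY.get(issuer)
    if allowed is None:
        return []
    kept = []
    for claim_type, value in claims:
        claim_type, value = claim_type.lower(), value.lower()
        pattern = allowed.get(claim_type)
        # fnmatchcase matches the whole value, so "*@adatum.com" cannot be
        # satisfied by a longer look-alike domain.
        if pattern is not None and fnmatchcase(value, pattern):
            kept.append((claim_type, value))
    return kept


def assign_roles(claims):
    """Return the roles whose conditions are all satisfied by the claims."""
    roles = []
    for role, conditions in ROLE_ASSIGNMENTS.items():
        if all(
            any(t == want_type and fnmatchcase(v, want) for t, v in claims)
            for want_type, want in conditions
        ):
            roles.append(role)
    return sorted(roles)


def roles_for_token(issuer, claims):
    """Filter by trust policy first, then evaluate role assignments."""
    return assign_roles(filter_claims(issuer, claims))


# Constructed sample tokens, as (claim type, value) pairs.
ADATUM_TOKEN = [
    ("email", "buyer1@ADatum.com"),
    ("Group", "Dept01Manager"),
    ("Group", "TreyAuditor"),   # not A.Datum's to assert; filtered out
    ("Status", "Active"),       # likewise outside A.Datum's trust scope
]
TREY_TOKEN = [("Group", "TreyAuditor"), ("Status", "Active")]
SUSPENDED_TOKEN = [("Group", "TreyAuditor"), ("Status", "Suspended")]
LOOKALIKE_TOKEN = [("email", "user@adatum.com.partner.example")]

if __name__ == "__main__":
    print(roles_for_token("sts.adatum.example", ADATUM_TOKEN))
    print(roles_for_token("sts.treyresearch.example", TREY_TOKEN))
    print(roles_for_token("sts.treyresearch.example", SUSPENDED_TOKEN))
    print(roles_for_token("sts.adatum.example", LOOKALIKE_TOKEN))
```

Filtering before role evaluation is what keeps a partner's token from earning the Auditor role by carrying a Group = TreyAuditor claim of its own.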

Page 29: Integrated RBAC Model

• Natural fit with System.Security.Authorization and Federation
• Managed Code
  • Integrated into the .Net Framework
  • Write custom business rules in managed code.
• Administrative Flexibility
  • Nested scopes model authorization in hierarchy
  • Define membership based on claim values
  • Use Principals stored in SQL / ADAM / Etc.
  • Store RBAC policy in AD, SQL, XML

Page 30: Summary

• System.Security.Authorization
  • Core security infrastructure in .Net Framework and Longhorn
• Distributed authorization
  • AzMan in Windows Server 2003 evolves and provides RBAC
• Federation for web services and web applications

Page 31: TrustBridge Federation Summary

• Non-proprietary cross-platform support
• Support multiple security tokens (Kerberos, PKI, SAML, XrML)
• Integrate with AD, Authorization Manager, any LDAP server, Passport
• Web Single Signon
• Windows extends naturally into federated scenarios

Page 32: Community Resources: Get Your Questions Answered!

• Client Lounge: middle of the Exhibit Hall
  • connect with Microsoft client product teams, and PDC 2003 Speakers
• Ask The Experts: Tuesday 7 pm – 9 pm in Hall G,H
• Web Sites:
  • http://pdcbloggers.net
  • http://msdn.microsoft.com/pdc/
  • http://msdn.microsoft.com/webservices
  • http://www.oasis-open.org
  • http://www.ws-i.org

Page 33: Community Resources: Get Your Questions Answered!

• Come to the booth at the PDC Pavilion
• Other Talks:
  • WSV304 “Indigo: Building Secure Distributed Applications with Web Services”
  • WSV404 “"Indigo": The Web Services Protocols and Architecture”
  • ARC343 “Introducing the Longhorn Identity System”

Page 34

© 2003-2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
