Create a uniform login experience with a centralized cloud authentication system, Roy Cornelissen

Posted on 05-Dec-2014

Welcome!

How to create a uniform login experience using Federated Identity

Roy Cornelissen, IT Architect, Info Support (@roycornelissen)

Marcel de Vries, Technology Manager (@marcelv)

Xamarin Evolve 2013

Problem / Solutions / Your app / Demos

Problem statement

You want to secure your back end

Your app needs to authenticate before it can access services in your backend

How are you going to identify the user at the backend? Roll your own username/password?

That’s so 1996….

You already have cloud identities on Facebook, Google, Microsoft, Yahoo! Why not leverage those?

So what are our options to integrate with these identity providers?

Identity Providers (IdP)

Enterprise IdP's: Microsoft Active Directory & Active Directory Federation Services (ADFS)

Social IdP's

What does an IdP do?

Authenticate against something you know or have, e.g. a password, a smart card, biometric information

It hands out tokens. Tokens contain claims, e.g. your name, email address, age or role

We can "chain" IdP's. Each IdP can augment the claim set and with that provide additional claims to the party that uses the token

What does your app need to do? It needs to do something with the claims provided by the IdP

E.g. do a lookup on the "nameidentifier" claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) and selectively provide access to application resources

So an IdP provides an authenticated identity and some claims about that identity

Your app needs to do smart things to authorize the user based on those claims

Possible solutions

Integrate your app with all the different providers out there. Requires a trust relationship with each (cloud) identity provider

Requires you to implement the integration with each provider, using their selected protocol

E.g. OAuth, WS Federation, SAML/P, OpenID, etc.

Every time you want to support a new provider, you need to add that integration to your app

Use Windows Azure Active Directory: use the Access Control Service (ACS)

You can add any WS-Federation or OpenID compliant IdP, such as a corporate ADFS

Access Control Service (ACS)

You integrate with ACS

ACS handles integration with the others: Facebook, Yahoo, Windows ID, Google ID, …

ACS Terminology

STS (Security Token Service): any party that can issue an authentication token

Identity Provider (IdP): the party that maintains the user identity, e.g. Windows Live, Google, Yahoo, etc.

Relying Party: the party relying on some IdP to hand over a set of claims about who that identity is, i.e. your app

The identifier you get back differs per IdP: Windows Live -> unique id, Google -> email address

SAML & Cookie based authentication versus Simple Web Tokens and HTTP header based authentication

SAML or SWT?

You can use SAML or SWT

What are the tradeoffs?

It depends on your services

Call a service with SWT. When using a REST service, you can simply add a custom header to your request (HttpClient, WebClient)

When using WCF & SOAP, you need to add a custom HTTP header to the request through the operation context

string headerValue = string.Format("WRAP access_token=\"{0}\"", token);
client.Headers.Add("Authorization", headerValue);

using (var ctx = new OperationContextScope(proxy.InnerChannel))
{
    // Attach the SWT as an HTTP Authorization header on the outgoing SOAP request
    HttpRequestMessageProperty httpRequestProperty = new HttpRequestMessageProperty();
    httpRequestProperty.Headers[HttpRequestHeader.Authorization] =
        String.Format("WRAP access_token=\"{0}\"", token);
    OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] =
        httpRequestProperty;
    // The service operation must be invoked here, inside the scope, for the header to apply
}
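The slides show how the client sends the SWT, but the security-relevant half is what the relying party does when that header arrives. The following is an added example (not code from the talk or from the published toolkit fork): it checks the token's HMAC, issuer, audience and expiry, and then performs the "lookup on the nameidentifier claim" the earlier slide describes. The ACS namespace, realm, signing key and the user table are constructed placeholders; the SWT layout (form-encoded pairs, HMAC-SHA256 over everything before the final `&HMACSHA256=` parameter, base64 then URL-encoded) is the ACS/SWT format rather than something the slides spell out.

```csharp
// Added example: relying-party validation of an ACS Simple Web Token, then authorization
// on the nameidentifier claim. Namespace, realm, key and users are placeholders.
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class SwtRelyingParty
{
    public const string NameIdentifier =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

    // Placeholders: in practice these come from the ACS portal and your service config.
    // The real key is the base64 symmetric key shown in ACS; decode it with Convert.FromBase64String.
    const string AcsIssuer = "https://YOUR-NAMESPACE.accesscontrol.windows.net/";
    const string Realm = "https://example.invalid/eventsservice/";
    static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("REPLACE-WITH-YOUR-ACS-SIGNING-KEY");

    // Constructed local authorization data: nameidentifier value -> application role.
    static readonly Dictionary<string, string> KnownUsers = new Dictionary<string, string>
    {
        { "constructed-live-id-0001", "Organizer" }
    };

    // Parses and validates the token from the Authorization header; returns its claims or throws.
    public static Dictionary<string, string> ValidateSwt(string authorizationHeader)
    {
        const string prefix = "WRAP access_token=\"";
        if (authorizationHeader == null
            || !authorizationHeader.StartsWith(prefix, StringComparison.Ordinal)
            || !authorizationHeader.EndsWith("\"", StringComparison.Ordinal))
            throw new UnauthorizedAccessException("missing or malformed WRAP header");
        string token = authorizationHeader.Substring(prefix.Length,
            authorizationHeader.Length - prefix.Length - 1);

        // The HMAC is the last parameter and covers everything that precedes it.
        const string sigParam = "&HMACSHA256=";
        int sigIndex = token.LastIndexOf(sigParam, StringComparison.Ordinal);
        if (sigIndex < 0) throw new UnauthorizedAccessException("token is not signed");
        string signedPart = token.Substring(0, sigIndex);
        byte[] presented = Convert.FromBase64String(
            WebUtility.UrlDecode(token.Substring(sigIndex + sigParam.Length)));

        byte[] expected;
        using (var hmac = new HMACSHA256(SigningKey))
            expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPart));
        if (!FixedTimeEquals(expected, presented))
            throw new UnauthorizedAccessException("signature mismatch");

        var claims = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in signedPart.Split('&'))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            claims[WebUtility.UrlDecode(kv[0])] = kv.Length > 1 ? WebUtility.UrlDecode(kv[1]) : "";
        }

        // A good signature only proves ACS minted it; it must also be for us and still valid.
        if (Get(claims, "Issuer") != AcsIssuer)
            throw new UnauthorizedAccessException("unexpected issuer");
        if (Get(claims, "Audience") != Realm)
            throw new UnauthorizedAccessException("token issued for another realm");
        long expiresOn;
        if (!long.TryParse(Get(claims, "ExpiresOn"), out expiresOn)
            || expiresOn <= DateTimeOffset.UtcNow.ToUnixTimeSeconds())
            throw new UnauthorizedAccessException("token expired");
        return claims;
    }

    // The "do a lookup on the nameidentifier claim" step: authentication is not authorization.
    public static string AuthorizeRole(Dictionary<string, string> claims)
    {
        string role;
        string id = Get(claims, NameIdentifier);
        if (id == null || !KnownUsers.TryGetValue(id, out role))
            throw new UnauthorizedAccessException("authenticated, but not a known user");
        return role;
    }

    static string Get(Dictionary<string, string> d, string key)
    {
        string v;
        return d.TryGetValue(key, out v) ? v : null;
    }

    // Compare MACs without leaking where they first differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The order matters: the signature is checked before any field is trusted, and the audience check is what stops a token ACS issued for a different relying party in the same namespace from being replayed against this service.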

Call a service with a SAML token (cookie based)

When using a REST service, you need to add the cookie to the cookie collection in the header of the request

For SOAP using the WCF stack, simply use CookieContainer

CookieCollection coll = App.AuthenticationCookieContainer;
WebClient webrequest = new WebClient();
String cookiestring = "";
int count = 0;
// Build a single "name=value; name=value" Cookie header from the authentication cookies
foreach (Cookie cookie in coll)
{
    if (count++ > 0) { cookiestring += "; "; }
    cookiestring += cookie.Name + "=" + cookie.Value;
}
webrequest.Headers[HttpRequestHeader.Cookie] = cookiestring;

EventsServices.EventsDomainServicesoapClient proxy = new EventsServices.EventsDomainServicesoapClient();
proxy.CookieContainer = App.AuthenticationCookieContainer;
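The slides attach the token with WebClient and a WCF proxy; the same two variants written against HttpClient (which the SWT slide mentions) are shown below as an added example, not code from the talk. It assumes the SWT string and the CookieContainer filled during the WebView sign-in are already in hand, and it refuses to send either over plain HTTP, since a bearer token or an auth cookie is sufficient on its own to impersonate the user.

```csharp
// Added example: attaching the ACS credential with HttpClient for both ACS configurations.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;

public static class AcsClientFactory
{
    // SWT configuration: the token travels in the Authorization header of every request.
    public static HttpClient CreateSwtClient(Uri serviceBase, string swtToken)
    {
        RequireHttps(serviceBase);
        var client = new HttpClient { BaseAddress = serviceBase };
        // Produces the same "WRAP access_token=\"...\"" header as the WebClient line on the slide.
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("WRAP", "access_token=\"" + swtToken + "\"");
        return client;
    }

    // SAML/cookie configuration: let the handler's CookieContainer carry the sign-in cookies
    // instead of hand-building a Cookie header string.
    public static HttpClient CreateCookieClient(Uri serviceBase, CookieContainer authCookies)
    {
        RequireHttps(serviceBase);
        var handler = new HttpClientHandler { CookieContainer = authCookies, UseCookies = true };
        return new HttpClient(handler) { BaseAddress = serviceBase };
    }

    static void RequireHttps(Uri uri)
    {
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("refusing to send credentials over " + uri.Scheme);
    }
}
```

Because the cookie variant scopes cookies by domain and path inside the CookieContainer, the sign-in cookies are only presented to the host they were issued for, which the manual string-building approach does not guarantee.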

[Diagram: Conceptual model. Components: Mobile App (ISKE Events App), ACS (STS), Identity Provider(s), Your (web) Service (RP, using WIF, <soap/> or { json }). Flow: GetIdentityProviders() / Get IdP list; redirect to the IdP login page (.aspx); Login / Authenticate; IdP token; Map claims on the realm page; ACS token; Cookie (containing ACS token); Request (with cookie) to access the service.]

Depending on ACS config for SWT or SAML you get a header or a cookie

Authentication flow

[Diagram: class diagram of the sign-in components in three platform variants, each talking to the Identity Provider through a web view. iOS: SignInWebViewDelegate, SignInViewController, SignInController. Windows Phone: LoginView, WebView, WebBrowser, AccessControlServiceSignIn control. Android: SignInActivity, SignInWebView, IdentityProviderListActivity (navigate). Shared: ACSJSON, IdentityProviderDiscoveryClient, Relying Party (ACS namespace, Realm, HttpCookieContainer).]

I want that! NOW!

We'll publish the code on CodePlex

And depending on demand: NuGet package and Xamarin Store

Wait, what about the Windows Azure Toolkit?

It's deprecated

The replacement does not provide the same experience

Our code is a fork of the original AND works on multiple platforms!

Thank you!

@roycornelissen, roycornelissen.wordpress.com

@marcelv, blogs.infosupport.com/marcelv

Come see us again, tomorrow at 1.30 PM
