session 3c the sf saas framework

Post on 13-May-2015


SaaS Security Using Federated Identity Management
Azure AppFabric Access Control Service (ACS)
Windows Identity Foundation (WIF)

What Were The Requirements?

• Favor proven security frameworks and industry standards over custom security code
• Single sign-on (SSO) between tenants
• Preferably not own or manage sensitive data
• Avoid account management in the app (lost password, etc.)

Our Solution: Federated Identity Management

• Leverage popular web identity providers such as Google and Yahoo
• Leverage Azure ACS as an aggregator of these providers
• Leverage WIF for integration with ACS and claims management

Concept Diagram

(Diagram.) Identity Providers (Google, Yahoo) issue claims to the Federation Provider (ACS, acting as STS) over OpenID / SAML; ACS issues its own claims to the Relying Party (RP), an IIS-hosted application using WIF.

Demo: Setup Azure AppFabric Access Control Service (ACS)

Demo – Preview Portal

Demo – Portal

Demo – Create Namespace

Demo – Manage Access Control

Demo – Identity Provider

Demo – Relying Party Application Settings

Demo – RP – Authentication Settings

Demo – Edit Rule Group

Demo – Generate Rules To Create Claims

Demo – WS-Federation Metadata

Demo: Setup Windows Identity Foundation (WIF)

Demo – Add STS Reference

Demo – Application URI

Demo – STS Location

Demo – Add Project Reference

ASP.NET Request Validation

Error Message:

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

Workaround For Testing:

Solution For Production:
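The slide's detail for the two headings above was not captured in this transcript. As an added illustration (not the presenter's code), the following is the approach a practitioner would use for production: ASP.NET request validation rejects the WS-Federation sign-in response because the POSTed `wresult` field contains XML. The usual test-only workaround is to switch validation off application-wide (`<pages validateRequest="false" />`, plus `<httpRuntime requestValidationMode="2.0" />` on .NET 4), which also strips the XSS protection from every other form field. The production fix is a `RequestValidator` that exempts only a `wresult` form field that actually parses as a WS-Federation sign-in response. The namespace `SaasDemo.Security` and the WIF 3.5 (`Microsoft.IdentityModel`) target are assumptions; on .NET 4.5 the same types live in `System.IdentityModel.Services`.

```csharp
// Added example, not from the original deck: exempt only the WS-Federation
// sign-in response (form field "wresult") from ASP.NET request validation.
// Register it in web.config (namespace SaasDemo.Security is an assumption):
//   <httpRuntime requestValidationType="SaasDemo.Security.WSFederationRequestValidator" />
// Target: .NET 4 with WIF 3.5 (Microsoft.IdentityModel); on .NET 4.5 replace the
// last using with System.IdentityModel.Services.
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

namespace SaasDemo.Security
{
    public class WSFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Exempt exactly one thing: a POSTed form field named "wresult"
            // (WSFederationConstants.Parameters.Result) that parses as a
            // SignInResponseMessage. Query string, cookies and all other form
            // fields never reach this branch.
            if (requestValidationSource == RequestValidationSource.Form
                && string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                var message = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
                if (message != null)
                {
                    // Shape check only. Signature, trusted issuer and audience URI are
                    // enforced afterwards by WIF's WSFederationAuthenticationModule.
                    return true;
                }
            }

            // Everything else keeps the default ASP.NET validation rules.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

The check on `collectionKey` and the cast to `SignInResponseMessage` are what keep this narrow: a `wresult` that is not a well-formed sign-in response, or XML arriving in any other field, still raises `HttpRequestValidationException`.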

Authentication Flow Diagram

Participants: Browser, MVC Website (with WIF), Access Control Service (ACS, the STS), Identity Providers (IP: Google, Yahoo)

1. Browser requests login from the MVC website; WIF returns a 302 redirect to ACS.
2. Browser requests the IP selection form from ACS.
3. Browser requests the login form from the chosen IP.
4. Browser posts credentials to the IP; the IP returns a token with a 302 redirect back to ACS.
5. ACS validates the IP token and transforms it into SAML claims according to the rule group.
6. Browser posts the SAML token to the MVC website callback; WIF validates it and sets the session cookie.

Demo: Claims Authentication And Authorization

Demo - Claims
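The claims demo itself was not captured in the transcript. As an added example (not the presenter's code), this MVC controller shows the two things a relying party does with the ACS token once WIF has validated it and set the cookie: read individual claims, and authorize on a role claim. It assumes WIF 3.5 (`Microsoft.IdentityModel`), that the RP is this MVC application, and that the ACS rule group emits a role claim with the value "Admin" for privileged users; the controller and namespace names are made up for the example. The identity-provider claim type is the one ACS adds to every token it issues.

```csharp
// Added example, not from the original deck: consuming ACS-issued claims in an
// ASP.NET MVC relying party under WIF 3.5 (Microsoft.IdentityModel).
// Assumed: the ACS rule group passes through nameidentifier and email and adds
// a role claim ("Admin") for privileged users. Names below are illustrative.
using System;
using System.Linq;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;

namespace SaasDemo.Controllers
{
    public class ClaimsDemoController : Controller
    {
        // Claim type ACS adds to every token, naming the identity provider
        // (e.g. Google or Yahoo!) that actually authenticated the user.
        private const string IdentityProviderClaimType =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // GET /ClaimsDemo : list the claims WIF extracted from the token.
        public ActionResult Index()
        {
            var identity = User.Identity as IClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
            {
                // WSFederationAuthenticationModule turns this 401 into the
                // 302 redirect to ACS (step 1 of the authentication flow).
                return new HttpUnauthorizedResult();
            }

            ViewData["UserKey"] = StableUserKey(identity);
            ViewData["Email"] = identity.Claims
                .Where(c => c.ClaimType == ClaimTypes.Email)
                .Select(c => c.Value)
                .FirstOrDefault();

            return View(identity.Claims);
        }

        // Only reachable with the role claim mapped by ACS. WIF maps claims of
        // type ClaimTypes.Role onto IPrincipal.IsInRole, which is what
        // [Authorize(Roles = ...)] consults.
        [Authorize(Roles = "Admin")]
        public ActionResult Admin()
        {
            return View();
        }

        // Name identifiers are unique only within the issuing identity provider,
        // so a tenant's user record must be keyed on (identityprovider, nameidentifier),
        // never on nameidentifier alone and never on a mutable value such as email.
        internal static string StableUserKey(IClaimsIdentity identity)
        {
            string provider = RequiredClaim(identity, IdentityProviderClaimType);
            string nameId = RequiredClaim(identity, ClaimTypes.NameIdentifier);
            return provider + "|" + nameId;
        }

        private static string RequiredClaim(IClaimsIdentity identity, string claimType)
        {
            Claim claim = identity.Claims.FirstOrDefault(c => c.ClaimType == claimType);
            if (claim == null)
            {
                // Fail closed: a token lacking a claim the rule group should
                // always emit indicates a misconfigured ACS namespace.
                throw new InvalidOperationException("Missing required claim: " + claimType);
            }
            return claim.Value;
        }
    }
}
```

`StableUserKey` is the piece that addresses the first disadvantage listed later in the deck: the key is still scoped to the ACS namespace, because both values are whatever ACS emitted for that namespace, so it should be stored alongside the namespace name if a later migration is anticipated.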

Disadvantages

• Your user identities are tied to your ACS namespace, which is challenging if you ever want to migrate away from that namespace
• Additional cost: you pay for each token issued
• Reliance on an external service for authentication
• WIF is not well integrated into the .NET Framework (but that improves in 4.5); WIF is also not very DI friendly

Summary

• Low barrier to entry for using existing social identities in your app
• ACS and WIF encapsulate the complexity
• Users don't need to remember another username and password
• Developers save time implementing and maintaining account management features
