claims-based security
Claims-based security
with Windows Identity Foundation
Goals
Introduce you to claims-based security.
Show that it isn’t that hard anymore, thanks to WIF.
And it’s fun!
Some terminology
Two types of federation
WS-Federation: Active Requestor Profile
- Based on WS-Trust
- For active clients, such as WPF and WinForm applications
WS-Federation: Passive Requestor Profile
- Based on WS-Federation
- For web clients
- "emulating" WS-Trust on top of GET, POST, browser redirects and cookies
Claim
Way too abstract: A statement that is made by one entity about another entity.
Let’s make it a bit more concrete:
A piece of information about a user in a system, issued by a security token service (STS) that a claims-aware application trusts:
- Identifying claims: Name, Email, Phone Number
- Blind claims: Nationality, Age, Hair color
- Role, permission
What’s inside a claim?
ClaimType
- Built-in: name, email, phonenumber
- Custom: organization number, cost center, member status
- …or anything else that makes sense in your system
- Usually they have a URI format, such as: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
ClaimValue
- e.g.: “[email protected]”
Issuer (STS)
- “CN=the.sts.at.somewhere.com”, the name of the STS that has issued the claim
And a couple more properties: ClaimValueType, OriginalIssuer, ...
So from a security point of view we can say that a user’s identity is made up of a set of claims
Security token
Claims on the wire, i.e. a serialized set of claims
- digitally signed by the STS
- encrypted (optional but recommended)
Security token formats:
- SAML - an XML-based standard from OASIS - the most common format - interoperable
- Kerberos
- X.509 certificate
Basic rules of Claims-based authorization
Let go of authenticating the users yourself.
Let the STS handle it instead.
Establish a trust relationship with the STS
The driving forces
- It enables identity federation
- It enables SSO
- Lower user administration costs for organizations
- Always fresh user information
- Seamless step-up authentication
- Separation of concerns
- Better security
What about role-based access control?
Don’t worry...
It’s backward compatible!
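The two rules above, "establish a trust relationship with the STS" and "RBAC is backward compatible", as an added C# example written for this page (not code from the slides): a WIF ClaimsAuthenticationManager that the RP plugs into its pipeline. The trusted issuer name, the custom claim type and the role name are assumed values.

```csharp
using System;
using System.Linq;
using System.Security;
using Microsoft.IdentityModel.Claims;

// Added example (not from the slides). The RP registers this class as its
// claimsAuthenticationManager in <microsoft.identityModel>; WIF calls Authenticate
// once per request, after the token signature has been checked, with the incoming claims.
public class TrustedStsClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Assumed: the name WIF's issuer name registry gives the trusted STS certificate.
    // The value is the one used on the slides; replace it with your own STS.
    private const string TrustedIssuer = "CN=the.sts.at.somewhere.com";

    // Hypothetical custom claim type; the slides list "member status" as a custom claim.
    private const string MemberStatusClaimType = "http://schemas.example.org/claims/memberstatus";

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        IClaimsIdentity identity = incomingPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal;              // anonymous request: nothing to filter

        // Rule 1: honour only claims issued by the STS we have a trust relationship with.
        // The issuer name registry already rejects tokens from unknown signers; dropping
        // claims with any other Issuer is defence in depth, so nothing downstream ever
        // acts on a claim that did not come from our STS.
        var untrusted = identity.Claims
            .Where(c => !string.Equals(c.Issuer, TrustedIssuer, StringComparison.OrdinalIgnoreCase))
            .ToList();
        foreach (Claim c in untrusted)
            identity.Claims.Remove(c);

        if (identity.Claims.Count == 0)
            throw new SecurityException("Token carried no claims from the trusted STS.");

        // Rule 2: keep role-based access control working. Derive a role claim from the
        // custom claim, so Thread.CurrentPrincipal.IsInRole("GoldMember") and
        // [PrincipalPermission(SecurityAction.Demand, Role = "GoldMember")] still apply.
        bool isGold = identity.Claims.Any(c =>
            c.ClaimType == MemberStatusClaimType &&
            string.Equals(c.Value, "gold", StringComparison.OrdinalIgnoreCase));
        if (isGold)
            identity.Claims.Add(new Claim(ClaimTypes.Role, "GoldMember")); // Issuer defaults to "LOCAL AUTHORITY"

        return incomingPrincipal;
    }
}
```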
Claims-based security – one domain (diagram)
Parties:
- Active client, e.g. WPF, WinForm
- IP-STS (IP = Identity Provider), a.k.a. STS, e.g. ADFS 2.0; backed by AD and a list of known RPs
- Application = RP (RP = Relying Party), a.k.a. claims-aware application, service provider; example: WCF Service
- Trust relationship between the RP and the IP-STS
Message flow:
- The client delivers credentials to the IP-STS in an RST (Credentials, AppliesTo); e.g. username / password, Windows credentials, certificate
- The IP-STS authenticates the user, validates AppliesTo against its RPs, gathers the claims and returns an RSTR (Security token, Proof key)
- The client sends Msg + token to the RP; the WCF pipeline validates the token and hands the claims to the application
- The RP returns the Response
Federated identity (diagram)
Security Domain A:
- WPF Client
- IP-STS
Security Domain B:
- RP-STS, with transformation rules; trusts the IP-STS
- WCF Service (http://domain/service1); trusts the RP-STS
Message flow:
- The client sends the token issued by the IP-STS to the RP-STS
- The RP-STS applies its transformation rules and issues a new token
- The client sends message + token to the WCF Service
- The WCF Service sends the response
Certificates – Security Domain A
IP-STS
| Certificate | Store location | Purpose |
| --- | --- | --- |
| IP-STS's private key | Local Computer/Personal | Sign token |
| RP-STS's public key | Local Computer/Personal | Encrypt token |
| SSL certificate | Local Computer/Personal | Secure the channel |
| Root authority certificate | Trusted Root Certificate Auth. | Create SSL certificate |
Active Client
| Certificate | Store location | Purpose |
| --- | --- | --- |
| RP's public key | Base64 encoded in app.config | Encrypt message and authenticate RP |
| IP-STS's SSL public key | Local Computer/Trusted People | Secure the channel |
| Proof key from RP-STS | | Sign the message to RP |
Certificates – Security Domain B
RP-STS
| Certificate | Store location | Purpose |
| --- | --- | --- |
| IP-STS's public key | Local Computer/Trusted People | Validate signature |
| RP-STS's private key | Local Computer/Personal | Decrypt incoming token and sign issued token |
| RP's public key | Local Computer/Trusted People | Encrypt token |
RP
| Certificate | Store location | Purpose |
| --- | --- | --- |
| RP's private key | Local Computer/Personal | Decrypt token |
| RP-STS's public key | Local Computer/Trusted People | Validate RP-STS's signature |
Certificates
- Certificate Authority: VeriSign
- Self-signed test certificates – during development: makecert.exe
WIF
A framework for building claims-based applications as well as STSs
An abstraction layer over WS-Trust and WS-Federation
It contains
- a set of .NET classes inside Microsoft.IdentityModel
- Visual Studio project templates for ASP.NET, WCF applications and STS services
- ASP.NET controls, e.g. FederatedPassiveSignInControl
- FedUtil, a tool that makes it easy to establish trust between the application and the STS
You need this to get started:
- Visual Studio 2008 / 2010
- WIF
- WIF SDK, includes guidelines, samples etc.
Demo