1
Federating Identity and Authorization Across Organizations and Platforms
Matthew Hur, Lead Program Manager, Microsoft
[email protected]
Session Code: ARC241
2
[Diagram: .NET Framework namespace map. Application models: Client (Avalon, Windows Forms), Web & Service (ASP.NET / Indigo), Data Systems (WinFS, Yukon), Mobile PC & Devices (Compact Framework, Mobile PC Optimized), plus Tools, Command Line and NT Service. Layers: Presentation (System.Windows, System.Windows.Forms, System.Web.UI, System.Console, System.ServiceProcess); Data (System.Data, System.Storage, System.Xml, System.Search, System.Web); Communication (System.MessageBus, System.Web.Services, System.Messaging, System.Discovery, System.DirectoryServices, System.Remoting, System.Net, System.Collaboration); Base & Application Services: Fundamentals, Security (System.Security with Permissions, Policy, Principal, Token and Authorization; System.Web.Security; System.MessageBus.Security; System.Windows.TrustManagement; AccessControl, Credentials, Cryptography), Configuration, Deployment/Management.]
3
Agenda
• What problems are we addressing?
• Federated security requirements
• Web services and federation
• TrustBridge and where we’re heading
4
Managing Identities is Hard
• Each organization is an island
  – Must manage internal identities
  – Must manage external identities
• Can we create identities that “island-hop”?
  – Fewer identities to manage
  – More meaningful identities
5
Federated Security
• Enable each organizational “island”
  – To act as an authority
  – To make secure statements
• And build bridges of trust between them
  – Each one picks who they trust
  – Each one controls how much they trust
  – Each one controls their principals and assertions
  – Each one uses its own internal protocols
Specifications and technology to enable widely-available, interoperable identification, authentication, and authorization
6
Federated Security Requires
• Authorities – issue assertions
  – They authenticate principals
  – They make assertions
  – They support assertion look-up and discovery
• Principals – the target of assertions
  – The “entities” authorities assert about (e.g., users, services, devices)
  – Some offer services to other principals
  – Some consume assertions to make authorization decisions
• Trust Relationships – limit assertions
  – Implicit trust between principals and their authority
  – Explicit trust between authorities
  – Policy controls who trusts whom, and for what they are trusted
• Trust Brokers (optional) – scale trusts
  – Ease establishing trust between authorities (not transitive trust)
  – They are optional but enable scaling
7
Build Federation on Web Services
• Federated Security requires
  – Organizations to contact one another
  – Organizations to share with one another
  – In real-time, across the Internet
• Web Services enable interoperation
  – Cross platform support and development model
  – Broad, multi-vendor support
  – Based on standards
8
Web Services Need Security
• Types of requirements
  – Enable message-level security
  – Establish and use trust
  – Express security policy
• WS security standards provide the security
  – First specification already at OASIS
  – More coming
9
Web Service Specifications
[Diagram: the web service specification stack – Internet Transports; SOAP and XML; Messaging; Security; Discovery; Transactions; Policy; Management; Web Services.]
10
Security Tokens & Claims
Messages have security tokens that assert claims.
Claim – A statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc.).
[Diagram: token types – Signed: X.509, Kerberos, XrML, SAML, …; Unsigned: Username, Password, …; Secret Key; Proof of Possession.]
11
Policies
Web services have policies that describe required claims.
• Does the request have the correct security tokens?
• Policies can also describe where to get claims
12
Security Token Service
[Diagram: a Web Service with its Policy, and a Security Token Service with its own Policy.]
A security token service issues security tokens.
• It is just a web service
• A solution may require multiple token services
13
Federated Identity: Getting There
Key Architectural Principles
• Multiple “authorities” in a “trust network”
  – Each owns their customers and employees
  – Each owns their infrastructure
  – Each issues their own credentials
  – Each can decide whether to accept credentials from other authorities
14
TrustBridge
TrustBridge is a project with two primary goals:
• Provide core security infrastructure within the .NET Framework in Longhorn (supporting Indigo): the System.Security.Authorization namespace
• Enable federated trust scenarios: web services and web-based applications
15
System.Security.Authorization
• Provide core security components in the .NET Framework, in Longhorn
• Somewhat analogous to CAPI and SSPI
[Diagram: Indigo and the Application layered above the System.Security.Authorization namespace.]
16
System.Security.Authorization
[Diagram: Application Logic sits on the Sys.Sec.Authz namespace, which handles SOAP messages carrying security tokens: Authenticate (security tokens in), Create Tokens (security tokens out), Authorize, and Policy Lookup against the Trust Policy and Authz Policy stores.]
Functions: Token Processing, Authorization, Token Issuance, Policy Storage, Extensibility
17
System.Security.Authorization: Token Processing
• Authentication, claim filtering and extraction
• Creates a SecurityContext
• Supports multiple security token types (XrML, SAML, X.509v3, Kerberos, Custom)
Authorization
• Provides framework for authorization processing
• Roles-based access control interfaces and administration
• Makes authorization decisions using the claims in the SecurityContext and an AuthorizationContext (the stored policy, and other disparate pieces of policy such as XrML)
18
System.Security.Authorization: Token Issuance
• Claim transformation
• Generates the following token types: XrML, SAML
Policy Storage
• Mechanism for storing trust partner policy, claim filtering policy, transformation policy, and RBAC authorization policy
• Provides an administration object model for all of the above policies
Extensibility points
• Custom token types
• Custom authorization engines
• Custom claim types
19
TrustBridge Federation Goals/Scenarios
• Web-based applications
• Web services
• Interop with Passport
• Interop with other WS-* compliant vendors
20
How to Manage Trust
[Diagram: a mesh of organizations inside a federation border.]
Manage at the edge through trust gateways.
21
The Federation Model
[Diagram: Org #1 (private namespace) and Org #2 (private namespace) connected by a Business Level Agreement.]
The Business Level Agreement defines a common namespace:
• Terms, keys, limits
• Auditing requirements
• Etc.
22
The Federation Model
[Diagram: Org #1 and Org #2, each with a private namespace and a Federation Server, sharing a Federation Namespace.]
Federation Servers broker trust between organizations.
23
Web Services Single Sign-On
[Diagram: a user with an Active Directory account/credentials holds a security token (e.g. a Kerberos ticket) for intranet applications (Exchange, Collaboration, a Web Service); a Federation STS issues tokens for the WS-Security applications at Supplier A (wants XrML) and Supplier B (wants SAML).]
Supplier A:
1. User requests access to Supplier A
2. STS creates XrML token
3. Signs it with company’s private key
4. Sends token back to user
5. Access Supplier A with XrML token
Supplier B:
1. User requests access to Supplier B
2. STS creates SAML token
3. Signs it with company’s private key
4. Sends token back to user
5. Accesses Supplier B with SAML token
24
Web-based Single Sign-On
1. User accesses A. Datum portal to Trey Research order processing application
2. User authenticates to A.Datum STS using Active Directory integrated authentication – passes SIDs as input claims
3. User obtains federation SAML token from A.Datum STS – federation claims per business level agreement between A.Datum and Trey Research
4. User obtains security token from Trey Research STS – claims specific to Trey Research
5. User accesses Trey Research order processing application
[Diagram: A.Datum Corp. (Active Directory → SIDs → Federation STS → Federation Claims) and Trey Research Inc. (Federation STS → Application Claims → Order Entry Application, reached through the Order Entry Portal).]
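The five-step flow above, as an added example that is not part of the deck or of TrustBridge: two simulated security token services chained by a trust policy, with constructed SIDs, claim mappings and keys, and an HMAC standing in for the private-key signature the slide describes (the Active Directory authentication of step 2 is assumed to have already produced the SID list).

```python
import hashlib
import hmac
import json

# Constructed signing keys. The slide signs tokens with each company's private
# key; an HMAC secret per issuer stands in so this runs on the standard library.
KEYS = {"ADatum": b"adatum-demo-key", "TreyResearch": b"trey-demo-key"}

# Trust policy: each relying party picks which issuers it accepts (slide 5).
TRUSTED_ISSUERS = {
    "TreyResearch-STS": {"ADatum"},      # per the A.Datum / Trey Research agreement
    "OrderEntryApp": {"TreyResearch"},   # the application trusts only its own STS
}

# Steps 2-3: A.Datum STS maps AD group SIDs (constructed values) to the
# federation claims agreed in the business level agreement.
SID_TO_FEDERATION_CLAIM = {
    "S-1-5-21-1000-2000-3000-1107": ("role", "Buyer"),
    "S-1-5-21-1000-2000-3000-1108": ("role", "Manager"),
}

# Step 4: Trey Research STS maps federation claims to its own application claims.
FEDERATION_TO_APP_CLAIM = {
    ("role", "Buyer"): ("permission", "SubmitOrder"),
    ("role", "Manager"): ("permission", "ApproveOrder"),
}

def issue_token(issuer, subject, claims):
    """Serialize the claims and sign them with the issuer's key."""
    body = {"issuer": issuer, "subject": subject, "claims": sorted(claims)}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_token(token, relying_party):
    """Reject tokens from issuers the relying party does not trust, then check the signature."""
    body = json.loads(token["payload"])
    issuer = body["issuer"]
    if issuer not in TRUSTED_ISSUERS[relying_party]:
        raise PermissionError(f"{relying_party} does not trust issuer {issuer!r}")
    expected = hmac.new(KEYS[issuer], token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise PermissionError("signature check failed")
    return body

def adatum_sts(subject, sids):
    """Step 3: federation token from A.Datum STS; unmapped SIDs are filtered out."""
    claims = [SID_TO_FEDERATION_CLAIM[s] for s in sids if s in SID_TO_FEDERATION_CLAIM]
    return issue_token("ADatum", subject, claims)

def trey_sts(fed_token):
    """Step 4: verify the federation token, then issue Trey-specific claims."""
    body = verify_token(fed_token, "TreyResearch-STS")
    app_claims = [FEDERATION_TO_APP_CLAIM[tuple(c)] for c in body["claims"]
                  if tuple(c) in FEDERATION_TO_APP_CLAIM]
    return issue_token("TreyResearch", body["subject"], app_claims)

def order_entry_app(app_token):
    """Step 5: the application acts only on claims asserted by its own STS."""
    body = verify_token(app_token, "OrderEntryApp")
    return {tuple(c) for c in body["claims"]}

def web_sso(subject, sids):
    """Whole flow: SIDs -> federation claims -> application claims."""
    return order_entry_app(trey_sts(adatum_sts(subject, sids)))
```

A federation token presented straight to the application, or one altered after signing, is rejected at the trust check or the signature check respectively.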
25
WS-Federation Passive Requestor Profile
26
TrustBridge and Distributed Authorization
[Diagram: Account Domain (Active Directory → SIDs → Federation STS) → Federation Domain (Federation Claims) → Resource Domain (Federation STS → Application Claims → Application, authorized with AzMan).]
27
RBAC Management
Deployment / Design
• Policy Store – storage in AD, XML, SQL
• Role – permissions needed to do a job
• Task – work units that make sense to administrators
• Operation – application action that a developer writes dedicated code for
[Diagram: roles (Auditor, Acct Rep, Buyer, Change Approver) map to tasks (Approve/Deny Payment, Approve/Reject Report, Submit Report, Cancel Report, Check Status), which map to operations (Database Operation, Web Operation, Directory Operation, Payment System Operation); the policy store is backed by XML or SQL.]
28
Role Definitions – Web Ordering Application: Buyer, Auditor, Acct Rep
Role Assignments:
• Buyer: email = *@ADatum.com
• Acct Rep: Group = Dept01Manager
• Auditor: (Group = TreyAuditor) && (Status = Active)
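The role assignments above, as an added example that is not part of the deck or of Authorization Manager: the three rules evaluated against a principal's claims and resolved through the role/task/operation model of the RBAC Management slide (the role-to-task and task-to-operation grants are constructed for the example).

```python
import fnmatch

# Role assignment rules from the slide. Every (claim type, pattern) condition
# listed for a role must hold; the Auditor rule is the slide's "&&" of two.
# Patterns are shell-style, so "*@ADatum.com" is the slide's email wildcard.
ROLE_ASSIGNMENTS = {
    "Buyer": [("email", "*@ADatum.com")],
    "Acct Rep": [("Group", "Dept01Manager")],
    "Auditor": [("Group", "TreyAuditor"), ("Status", "Active")],
}

# Role -> tasks -> operations. The task and operation names come from the
# RBAC Management slide; which role is granted which task is constructed here.
ROLE_TASKS = {
    "Buyer": {"SubmitReport", "CancelReport", "CheckStatus"},
    "Acct Rep": {"ApproveDenyPayment", "CheckStatus"},
    "Auditor": {"ApproveRejectReport", "CheckStatus"},
}
TASK_OPERATIONS = {
    "SubmitReport": {"WebOperation", "DatabaseOperation"},
    "CancelReport": {"WebOperation", "DatabaseOperation"},
    "CheckStatus": {"DatabaseOperation"},
    "ApproveDenyPayment": {"PaymentSystemOperation", "DatabaseOperation"},
    "ApproveRejectReport": {"DatabaseOperation", "DirectoryOperation"},
}

def claim_matches(claims, claim_type, pattern):
    """True if any value of claim_type matches the pattern. Comparison is
    case-insensitive because e-mail domains and AD group names are."""
    values = claims.get(claim_type, [])
    if isinstance(values, str):      # a principal may carry several groups
        values = [values]
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)

def assigned_roles(claims):
    """Roles whose every assignment condition is satisfied by the claims."""
    return {role for role, conds in ROLE_ASSIGNMENTS.items()
            if all(claim_matches(claims, t, p) for t, p in conds)}

def permitted_tasks(claims):
    return set().union(*(ROLE_TASKS[r] for r in assigned_roles(claims)))

def permitted_operations(claims):
    return set().union(*(TASK_OPERATIONS[t] for t in permitted_tasks(claims)))

def access_check(claims, operation):
    """What the application asks before running an operation it wrote code for."""
    return operation in permitted_operations(claims)
```

A principal with no matching claims gets no roles, and therefore no tasks and no operations.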
29
Integrated RBAC Model
• Natural fit with System.Security.Authorization and Federation
• Managed Code
  – Integrated into the .NET Framework
  – Write custom business rules in managed code
• Administrative Flexibility
  – Nested scopes model authorization in hierarchy
  – Define membership based on claim values
  – Use principals stored in SQL / ADAM / etc.
  – Store RBAC policy in AD, SQL, XML
30
Summary
• System.Security.Authorization: core security infrastructure in .NET Framework and Longhorn
• Distributed authorization: AzMan in Windows Server 2003 evolves and provides RBAC
• Federation for web services and web applications
31
TrustBridge Federation Summary
• Non-proprietary cross-platform support
• Support multiple security tokens (Kerberos, PKI, SAML, XrML)
• Integrate with AD, Authorization Manager, any LDAP server, Passport
• Web Single Sign-on
• Windows extends naturally into federated scenarios
32
Community Resources: Get Your Questions Answered!
• Client Lounge: middle of the Exhibit Hall – connect with Microsoft client product teams and PDC 2003 speakers
• Ask The Experts: Tuesday 7 pm – 9 pm in Hall G,H
• Web Sites:
  http://pdcbloggers.net
  http://msdn.microsoft.com/pdc/
  http://msdn.microsoft.com/webservices
  http://www.oasis-open.org
  http://www.ws-i.org
33
Community Resources: Get Your Questions Answered!
• Come to the booth at the PDC Pavilion
• Other Talks:
  WSV304 “Indigo: Building Secure Distributed Applications with Web Services”
  WSV404 “"Indigo": The Web Services Protocols and Architecture”
  ARC343 “Introducing the Longhorn Identity System”
34
© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.