SAML Integration - Doug Bayer, Director, Windows Security, Microsoft Corporation


SAML, August 27, 2001

Slide 2: Agenda
- Overview of Microsoft authentication & authorization plans
- Problem space
- Our understanding of the scenarios
- Our current approach
- How could we use SAML?
- Migration?
- Integration?

Slide 3: Windows.NET
- Windows.NET Authentication Architecture
- Windows.NET Authorization: Extending the Windows Model
- Resource-Based Authorization: ACLs & Groups
- Application-Based Authorization: RBAC
- Making It All Secure

Slides 4-8: .NET Process Scenario (diagram, built up one step per slide)
Components: MyHS.NET, MyNotifications.NET, Roles, myCalendar.NET (two instances), Directory, KDC, AA (AA = Authentication Authority).
Steps shown: 1. RequestMeeting; 2. Query&Request; 3. SOAP Message; 4. Accept; 5. Signed Message; Accepted.

Slides 9-11: Windows.NET Application Security Framework (diagram)
Labels: Enterprise, DMZ, Internet; Employee, Customer, Partner/Supplier; Store = Directory or Database; AA = Authentication Authority; MMS; Kerberos.
Slide 9 overlay: Direct Trust (XCerts, XKMS); Signed Messages (XMLDSIG, S/MIME, CAPICOM).
Slide 10 overlay: Trust Federation (Passport, Identrus); client protocols: Passport, Kerberos, Basic SSL, Digest, …
Slide 11 overlay: RBAC Policy at each tier; Threats from Inside & DMZ; Threats from Internet.

Slide 12: Windows.NET Authentication
- Multiple credential types
  - Passwords, tokens, smartcards
  - Multifactor: key + biometric
- Multiple client-to-server protocols
  - Today: Basic, NTLM, Passport, Digest, SSL, Kerberos, …
  - Converge on Kerberos & Kerberos/TLS in the future
- Message signing and signature verification
- Single server-to-server protocol: Kerberos with constrained delegation
  - IETF standard, interoperable, scalable
  - Secure: mutual authentication
- Extensible credential support
  - Passwords, X.509 certificates, tokens, …
- Directory-independent authentication

Slide 13: Windows.NET Authentication (diagram)
Labels: Front End Application, Back End Application, KDC, Users; Verify Policy: Allowed-To-Delegate-To; Ticket (front end and back end); Trust.
Client protocols into the front end: Passport, Basic, Digest, SSL, Cert, Kerberos; Signed Messages (S/MIME/SMTP, XMLDSIG/HTTP).

Slide 14: Application Classification for Authorization
- Resource Managers
  - Resources are well-defined with persistence
  - Access is controlled to operations on such objects
  - E.g. file system, database, Active Directory, …
- Gatekeepers: special form of resource managers
  - Resources are other applications
  - Controls access to other applications
  - E.g. the OS itself, web server, VPNs, firewalls, …
- Business Processes
  - Resources aren't well defined; operations, processes & workflows are
  - Access is controlled to operations, processes, workflows
  - E.g. LOB applications, transaction processing, …

Slide 15: Authorization: Role-Based Model
- Roles-based
  - LOB, B2B, B2C and workflow applications
- Characteristics
  - No real objects, but operations & tasks are well-defined
  - Authorizations aren't simply yes/no on an operation
  - Operation data & business rules matter
  - Typically have a state machine
  - Where do you 'hang' the ACL?
- Applications enforce access
  - Users authenticate to the Authentication Authority
  - Application performs authorization
  - Application has full access to underlying objects

Slides 16-17: Roles-Based Authorization Manager (diagram)
Slide 16: Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …), Resource Manager Applications (Document Store, Mail Store, …) and Business Process Applications (E-Commerce, LOB Applications, …) all call the Windows Authorization API; the Authorization Administration Manager provides a Common Roles Management UI; Policy Store: Active Directory or XML (Files, SQL).
Slide 17: URL-Based Authorization for Gatekeeper Applications (IIS and web-based applications call the Windows Authorization API). Scopes: VDirs, URL, Prefix. Tasks: Basic: GET/POST; Dynamic by associating VBScript business rules. Groups: Static, Computed, LDAP query. Roles: defined by administrators and applications.

Slides 18-20: SAML/Kerberos Protocol Overview (diagram)
Participants: browser, Web Servers (Netscape on Mac, WebSphere on AIX, Windows.NET), KDC, WebAuthServer(s).
Slide 18: Browser does a GET to a web server.
Slide 19: (1) Redirect to WebAuth; over SSL the user supplies User Name and Password; (2) AS-Req/TGS-Req to the KDC; Sess-Cookie holds the TGT; (3) AP-Req to the web server.
Slide 20: Subsequent requests: browser sends the AP-REQ in a cookie (Sess-Cookie, AP-Req); the web server checks it against the saved (cached) AP-REQ and, if OK, returns the requested URL and data.

Slide 21: Protocol Overview: Initial Request to Second Web Server
- Browser does GET to WebSphere
- WebSphere redirects to WebAuth
- Redirect contains TGT in cookie
- WebAuth does TGS-REQ, then proceeds as before
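The WebAuth flow of slides 19-21, modelled as an added example that is not Microsoft's code and not real Kerberos: tickets are HMAC-sealed JSON, and the KDC key, service keys, service names and the user "alice" are assumptions. It shows the redirect when no AP-REQ cookie is present, the check of a cookie against the saved AP-REQ on later requests, and the TGS-REQ-only path when the TGT already in the cookie is used for a second web server.

```python
import hashlib, hmac, json, time

# Constructed toy of the WebAuth/Kerberos flow on slides 19-21, not Microsoft's code:
# "tickets" are HMAC-sealed JSON; keys, service names and user "alice" are assumed.

def _seal(key, body):
    raw = json.dumps(body, sort_keys=True).encode()
    return raw + b"|" + hmac.new(key, raw, hashlib.sha256).hexdigest().encode()

def _open(key, blob):
    raw, _, mac = blob.rpartition(b"|")
    want = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, want):
        raise PermissionError("ticket MAC check failed")
    return json.loads(raw)

class KDC:
    def __init__(self, users, service_keys):
        self.users, self.service_keys, self.tgs_key = users, service_keys, b"tgs-key"
    def as_req(self, user, password):          # slide 19 step 2: password -> TGT
        if self.users.get(user) != password:
            raise PermissionError("AS-REQ: bad credentials")
        return _seal(self.tgs_key, {"user": user, "exp": time.time() + 600})
    def tgs_req(self, tgt, service):           # TGT -> ticket for one web server
        t = _open(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise PermissionError("TGS-REQ: TGT expired")
        return _seal(self.service_keys[service], {"user": t["user"]})

class WebAuth:                                 # the WebAuthServer on the slides
    def __init__(self, kdc):
        self.kdc = kdc
    def login(self, jar, user, password):      # over SSL; Sess-Cookie carries the TGT
        jar["TGT"] = self.kdc.as_req(user, password)
    def ticket_for(self, jar, service):        # slide 21: TGT from cookie -> TGS-REQ
        jar["AP-REQ@" + service] = self.kdc.tgs_req(jar["TGT"], service)

class WebServer:
    def __init__(self, name, key):
        self.name, self.key, self.saved = name, key, {}
    def get(self, url, jar):                   # slide 20: cookie vs saved AP-REQ
        blob = jar.get("AP-REQ@" + self.name)
        if blob is None:
            return "302 -> WebAuth"             # slide 19 step 1: redirect to WebAuth
        if blob not in self.saved:              # first use: verify with service key
            try:
                self.saved[blob] = _open(self.key, blob)["user"]
            except PermissionError as e:
                return f"403 {e}"
        return f"200 {url} as {self.saved[blob]}"
```

Because the TGT itself travels in the session cookie, the model makes visible why cookie confidentiality (SSL on every hop) carries the whole design: a ticket sealed for one server is refused by another, but a copied cookie is indistinguishable from the browser that obtained it.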

Slides 22-24: SAML/Kerberos Protocol Overview with an Affiliate Site (diagram)
Participants: Web Servers, KDC and Directory on the home side; Affiliate Site with its own Directory, MIT-KDC, Apache and WebAuthServer(s).
Slide 22: Browser does a GET; Sess-Cookie holds the TGT.
Slide 23: (1) Redirect over SSL; Sess-Cookie with TGT; (2) AS-Req, with a further AS-Req on the Affiliate Site side; (3) AP-Req.
Slide 24: GET with Sess-Cookie/AP-Req; AP-Req is checked and the data returned.

Slide 25: Questions?