Federating Identity and Authorization Across Organizations and Platforms. Matthew Hur, Lead Program Manager, Microsoft Corporation.

Presentation transcript:

1 Federating Identity and Authorization Across Organizations and Platforms
Matthew Hur, Lead Program Manager, Microsoft Corporation
Session Code: ARC241

2 (Diagram: map of the Longhorn .NET Framework namespaces, from the presentation, data, communication and storage application models down to base and application services. The security-relevant portion is the System.Security area: Permissions, Policy, Principal, Token, Authorization, AccessControl, Credentials and Cryptography, alongside System.Web.Security, System.MessageBus.Security and System.Windows.TrustManagement.)

3 Agenda
- What problems are we addressing?
- Federated security requirements
- Web services and federation
- TrustBridge and where we're heading

4 Managing Identities is Hard
- Each organization is an island
  - Must manage internal identities
  - Must manage external identities
- Can we create identities that "island-hop"?
  - Fewer identities to manage
  - More meaningful identities

5 Federated Security
- Enable each organizational "island" to act as an authority and to make secure statements
- And build bridges of trust between them
  - Each one picks who they trust
  - Each one controls how much they trust
  - Each one controls their principals and assertions
  - Each one uses its own internal protocols
- Specifications and technology to enable widely available, interoperable identification, authentication, and authorization

6 Federated Security Requires
- Authorities: issue assertions
  - They authenticate principals
  - They make assertions
  - They support assertion look-up and discovery
- Principals: the target of assertions
  - The "entities" authorities assert about (e.g., users, services, devices)
  - Some offer services to other principals
  - Some consume assertions to make authorization decisions
- Trust relationships: limit assertions
  - Implicit trust between principals and their authority
  - Explicit trust between authorities
  - Policy controls who trusts whom and for what they are trusted
- Trust brokers (optional): scale trusts
  - Ease establishing trust between authorities (not transitive trust)
  - They are optional but enable scaling

7 Build Federation on Web Services
- Federated security requires
  - Organizations to contact one another
  - Organizations to share with one another
  - In real time, across the Internet
- Web services enable interoperation
  - Cross-platform support and development model
  - Broad, multi-vendor support
  - Based on standards

8 Web Services Need Security
- Types of requirements
  - Enable message-level security
  - Establish and use trust
  - Express security policy
- The WS-* security specifications provide the security
  - First specification (WS-Security) already at OASIS
  - More coming

9 Web Service Specifications (diagram: a layered stack with Internet transports at the bottom, SOAP and XML messaging above them, and Discovery, Security, Transactions, Policy and Management as the web services specification layers on top)

10 Security Tokens & Claims
- Messages have security tokens that assert claims
- Claim: a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc.)
- Token types shown:
  - Signed: X.509, Kerberos, XrML, SAML
  - Unsigned: Username
  - Proof of possession: secret key, password

11 Policies
- Web services have policies that describe required claims
- Does the request have the correct security tokens?
- Policies can also describe where to get claims

12 Security Token Service
- A security token service issues security tokens
- It is just a web service, with a policy of its own like the web service it issues tokens for
- A solution may require multiple token services

13 Federated Identity: Getting There
- Key architectural principles
  - Multiple "authorities" in a "trust network"
  - Each owns their customers and employees
  - Each owns their infrastructure
  - Each issues their own credentials
  - Each can decide whether to accept credentials from other authorities

14 TrustBridge
- TrustBridge is a project with two primary goals
  - Provide core security infrastructure within the .NET Framework in Longhorn (supporting Indigo): the System.Security.Authorization namespace
  - Enable federated trust scenarios: web services and web-based applications

15 System.Security.Authorization
- Provide core security components in the .NET Framework, in Longhorn
- Somewhat analogous to CAPI and SSPI
- (Diagram: Indigo and the application sit on top of the System.Security.Authorization namespace)

16 System.Security.Authorization (diagram)
- Components: Token Processing, Authorization, Token Issuance, Policy Storage, Extensibility
- Application logic calls into System.Security.Authorization, which holds the TrustPolicy and AuthzPolicy
- Flow: SOAP security tokens arrive; Authenticate; Authorize; Create Tokens (security tokens go out); Policy Lookup against the stored policy

17 System.Security.Authorization
- Token processing
  - Authentication, claim filtering and extraction
  - Creates a SecurityContext
  - Supports multiple security token types (XrML, SAML, X.509v3, Kerberos, custom)
- Authorization
  - Provides a framework for authorization processing
  - Role-based access control interfaces and administration
  - Makes authorization decisions using the claims in the SecurityContext and an AuthorizationContext (the stored policy, and other disparate pieces of policy such as XrML)

18 System.Security.Authorization
- Token issuance
  - Claim transformation
  - Generates the following token types: XrML, SAML
- Policy storage
  - Mechanism for storing trust partner policy, claim filtering policy, transformation policy, and RBAC authorization policy
  - Provides an administration object model for all of the above policies
- Extensibility points
  - Custom token types
  - Custom authorization engines
  - Custom claim types

19 TrustBridge Federation Goals/Scenarios
- Web-based applications
- Web services
- Interop with Passport
- Interop with other WS-* compliant vendors

20 How to Manage Trust (diagram: a mesh of organizations, each behind its own federation border; trust is managed at the edge through trust gateways)

21 The Federation Model (diagram: Org #1 and Org #2 each keep a private namespace; a business-level agreement between them defines a common namespace and sets terms, keys, limits, auditing requirements, etc.)

22 The Federation Model (diagram: each organization's private namespace connects through a federation server to a shared federation namespace; federation servers broker trust between organizations)

23 Web Services Single Sign-On (diagram: inside the company, Active Directory holds the user account/credentials and issues a security token such as a Kerberos ticket to Exchange, web service, collaboration and intranet applications; a federation STS issues tokens for external suppliers, carried in messages with WS-Security)
- Supplier A wants XrML:
  1. User requests access to Supplier A
  2. STS creates XrML token
  3. Signs it with company's private key
  4. Sends token back to user
  5. User accesses Supplier A with XrML token
- Supplier B wants SAML:
  1. User requests access to Supplier B
  2. STS creates SAML token
  3. Signs it with company's private key
  4. Sends token back to user
  5. User accesses Supplier B with SAML token

24 Web-based Single Sign-On (diagram: A.Datum Corp. has Active Directory and a federation STS; Trey Research Inc. has a federation STS and the order entry application behind an order entry portal; SIDs flow into the A.Datum STS, federation claims cross to Trey Research, and application claims reach the application)
1. User accesses A.Datum portal to Trey Research order processing application
2. User authenticates to A.Datum STS using Active Directory integrated authentication; passes SIDs as input claims
3. User obtains federation SAML token from A.Datum STS; federation claims per business-level agreement between A.Datum and Trey Research
4. User obtains security token from Trey Research STS; claims specific to Trey Research
5. User accesses Trey Research order processing application
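The pieces of slides 10 to 12 (tokens carrying claims, policy stating required claims, an STS issuing tokens), 17 and 18 (token processing, claim filtering and transformation, trust partner policy) and the web SSO flow above, as an added example that is not part of the presentation or of TrustBridge. Python stands in for the managed .NET code the talk describes, and an HMAC keyed per issuer stands in for the X.509 private-key signature on the slides so that it runs with the standard library alone; every issuer name, key, SID and claim name below is an assumption made for illustration.

```python
"""Federated web single sign-on across two security token services (slide 24 flow).
Added example, not code from the presentation or TrustBridge: AD yields SIDs as
input claims; the A.Datum STS maps them to agreed federation claims; the Trey
Research STS maps those to application claims; the application authorizes.
Standard library only, so a per-issuer HMAC stands in for the X.509 signature
on the slides. All issuer names, keys, SIDs and claim names are constructed."""
import hashlib
import hmac
import json
import time

class TokenInvalid(Exception):
    pass

def issue_token(issuer, key, audience, claims, now, lifetime=300):
    """Serialize a token and sign it with the issuer's key (HMAC stands in for RSA)."""
    body = json.dumps({"iss": issuer, "aud": audience, "exp": now + lifetime,
                       "claims": claims}, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "sig": sig})

def validate_token(token, trust_policy, audience, now):
    """trust_policy maps issuer name -> verification key: a consumer accepts only issuers
    it explicitly trusts, only tokens addressed to it, and only unexpired ones."""
    envelope = json.loads(token)
    payload = json.loads(envelope["body"])
    key = trust_policy.get(payload["iss"])
    if key is None:
        raise TokenInvalid("issuer %r not in trust policy" % payload["iss"])
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        raise TokenInvalid("signature does not verify")
    if payload["aud"] != audience:
        raise TokenInvalid("token is for %r, not %r" % (payload["aud"], audience))
    if now >= payload["exp"]:
        raise TokenInvalid("token expired")
    return [tuple(claim) for claim in payload["claims"]]

class FederationSTS:
    """Authenticate an incoming token, filter and transform its claims, issue a new token."""
    def __init__(self, name, key, trust_policy, transformation_policy):
        self.name, self.key = name, key
        self.trust_policy = trust_policy                    # issuers this STS trusts
        self.transformation_policy = transformation_policy  # (type, value) -> (type, value)

    def issue(self, input_token, audience, now):
        input_claims = validate_token(input_token, self.trust_policy, self.name, now)
        output_claims = []
        for claim in input_claims:
            mapped = self.transformation_policy.get(claim)
            if mapped is not None and mapped not in output_claims:
                output_claims.append(mapped)  # claims with no mapping are filtered out
        return issue_token(self.name, self.key, audience, output_claims, now)

# Constructed keys (private keys held by each authority in a real deployment) and SIDs.
AD_KEY, ADATUM_STS_KEY, TREY_STS_KEY = b"ad-key", b"adatum-sts-key", b"trey-sts-key"
SID_PURCHASING = "S-1-5-21-1111-2222-3333-1105"    # the user's purchasing group
SID_DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"   # Domain Users; not federated

adatum_sts = FederationSTS(
    "sts.adatum.example", ADATUM_STS_KEY, {"ad.adatum.example": AD_KEY},
    # The business-level agreement: which internal groups become which federation claims.
    {("sid", SID_PURCHASING): ("federation:role", "Purchaser")})
trey_sts = FederationSTS(
    "sts.treyresearch.example", TREY_STS_KEY, {"sts.adatum.example": ADATUM_STS_KEY},
    {("federation:role", "Purchaser"): ("app:role", "OrderEntry")})

APP_AUDIENCE = "orders.treyresearch.example"
APP_TRUST_POLICY = {"sts.treyresearch.example": TREY_STS_KEY}   # only Trey's own STS
APP_REQUIRED_CLAIM = ("app:role", "OrderEntry")

def app_authorize(token, now):
    """The application's policy check: does the request carry the required claim?"""
    return APP_REQUIRED_CLAIM in validate_token(token, APP_TRUST_POLICY, APP_AUDIENCE, now)

def run_web_sso(now=None):
    """Steps 2 to 5 of slide 24; returns what each hop produced."""
    now = time.time() if now is None else now
    # Step 2: AD integrated authentication yields SIDs as input claims (ticket stand-in).
    ad_token = issue_token("ad.adatum.example", AD_KEY, "sts.adatum.example",
                           [("sid", SID_PURCHASING), ("sid", SID_DOMAIN_USERS)], now)
    # Step 3: A.Datum STS issues the federation token addressed to Trey Research's STS.
    fed_token = adatum_sts.issue(ad_token, "sts.treyresearch.example", now)
    # Step 4: Trey Research STS issues Trey-specific application claims.
    app_token = trey_sts.issue(fed_token, APP_AUDIENCE, now)
    # Step 5: the application checks the token against its own trust policy.
    return {"federation_claims": validate_token(fed_token, trey_sts.trust_policy, trey_sts.name, now),
            "app_claims": validate_token(app_token, APP_TRUST_POLICY, APP_AUDIENCE, now),
            "authorized": app_authorize(app_token, now)}

def partner_cannot_mint_app_claims(now=None):
    """A partner asserting Trey's application claim directly is refused: the application
    trusts only Trey's own STS, so the partner's signature is never even consulted."""
    now = time.time() if now is None else now
    forged = issue_token("sts.adatum.example", ADATUM_STS_KEY, APP_AUDIENCE,
                         [APP_REQUIRED_CLAIM], now)
    try:
        app_authorize(forged, now)
    except TokenInvalid:
        return True
    return False
```

Calling run_web_sso() yields the federation claim [('federation:role', 'Purchaser')], because the Domain Users SID has no mapping and is filtered at the A.Datum border, and the application claim [('app:role', 'OrderEntry')]. The point to take from it is that each consumer's trust policy names only the authority directly behind it: the issuer check rejects anything signed by another party (partner_cannot_mint_app_claims() shows A.Datum cannot assert Trey Research's application claims itself), and the audience check stops a token issued for one STS from being accepted by another.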

25 WS-Federation Passive Requestor Profile

26 TrustBridge and Distributed Authorization (diagram: Active Directory in the account domain supplies SIDs to a federation STS in the federation domain, which issues federation claims; a federation STS in the resource domain turns them into application claims for the application, whose authorization is handled by AzMan)

27 Deployment Design: RBAC Management
- Policy store: storage in AD, XML, SQL
- Role: permissions needed to do a job
- Task: work units that make sense to administrators
- Operation: application action that a developer writes dedicated code for
- (Diagram: roles Auditor, Acct Rep, Buyer and Change Approver map to tasks Approve/Deny Payment, Approve/Reject Report, Submit Report, Cancel Report and Check Status, which in turn map to database, web, directory and payment system operations; the policy store is XML or SQL)

28 Role Assignment (diagram: role definitions for the web ordering application, with role assignments decided by claim values)
- Buyer: =
- Acct Rep: Group = Dept01Manager
- Auditor: (Group = TreyAuditor) && (Status = Active)

29 Integrated RBAC Model
- Natural fit with System.Security.Authorization and federation
- Managed code
  - Integrated into the .NET Framework
  - Write custom business rules in managed code
- Administrative flexibility
  - Nested scopes model authorization in a hierarchy
  - Define membership based on claim values
  - Use principals stored in SQL / ADAM / etc.
  - Store RBAC policy in AD, SQL, XML
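The Role, Task and Operation model of slide 27, the claim-based role assignments of slide 28 and the nested scopes and custom business rules of slide 29, as an added example that is neither the presentation's code nor Authorization Manager itself. It is written in Python rather than the managed .NET code the talk describes; the operation names, the groups, the payment limit, the Dept01 scope and the Buyer rule (which is cut off on slide 28) are all assumptions made for illustration.

```python
"""Role-based authorization in the Authorization Manager (AzMan) style of slides 27 to 29.
Added example, not code from the presentation or from AzMan itself. Policy is built
from Operations (what the developer checks in code) grouped into Tasks (units an
administrator reasons about) grouped into Roles (permissions for a job); role
membership is decided from claim values, with nested scopes and a custom business
rule. Operation names, groups, amounts and the Buyer rule (cut off on slide 28)
are constructed for illustration."""

# Operations: application actions the developer writes dedicated code for.
OPERATIONS = {"ReportSubmit", "ReportCancel", "ReportCheckStatus",
              "PaymentApprove", "PaymentReject"}

# Tasks: work units that make sense to administrators, each a set of operations.
TASKS = {
    "Submit Report": {"ReportSubmit", "ReportCheckStatus"},
    "Cancel Report": {"ReportCancel", "ReportCheckStatus"},
    "Check Status": {"ReportCheckStatus"},
    "Approve/Deny Payment": {"PaymentApprove", "PaymentReject"},
}

# Roles: the tasks needed to do a job.
ROLES = {
    "Buyer": {"Submit Report", "Cancel Report", "Check Status"},
    "Acct Rep": {"Approve/Deny Payment", "Check Status"},
    "Auditor": {"Check Status"},
}

# Custom business rules attached to tasks (the "managed code" rules of slide 29).
# Constructed: payments above 10,000 are outside this role's authority and are denied.
BUSINESS_RULES = {
    "Approve/Deny Payment": lambda context: context.get("amount", 0) <= 10_000,
}

def has_claim(claims, claim_type, value):
    return (claim_type, value) in claims

class Scope:
    """An authorization scope: role assignments expressed as rules over claims,
    with an optional parent scope (nested scopes model a hierarchy)."""
    def __init__(self, name, role_assignments, parent=None):
        self.name, self.role_assignments, self.parent = name, role_assignments, parent

    def roles_for(self, claims):
        """Roles granted in this scope or any enclosing scope."""
        roles = {role for role, rule in self.role_assignments.items() if rule(claims)}
        return roles | (self.parent.roles_for(claims) if self.parent else set())

# Slide 28 role assignments for the web ordering application. The Buyer rule is
# cut off on the slide; here it is assumed to be Group = Purchasing.
application = Scope("Web Ordering Application", {
    "Buyer": lambda c: has_claim(c, "Group", "Purchasing"),
    "Acct Rep": lambda c: has_claim(c, "Group", "Dept01Manager"),
    "Auditor": lambda c: has_claim(c, "Group", "TreyAuditor") and has_claim(c, "Status", "Active"),
})
# Constructed nested scope: within Dept01, team leads may also act as Acct Rep.
dept01 = Scope("Dept01", {
    "Acct Rep": lambda c: has_claim(c, "Group", "Dept01Lead"),
}, parent=application)

def access_check(claims, operation, scope=application, context=None):
    """Is the caller (known only by its claims) allowed to run `operation` in `scope`?
    Walks role -> task -> operation and applies any business rule on the task."""
    if operation not in OPERATIONS:
        raise ValueError("unknown operation %r" % operation)
    context = context or {}
    for role in scope.roles_for(claims):
        for task in ROLES[role]:
            if operation in TASKS[task] and BUSINESS_RULES.get(task, lambda _: True)(context):
                return True
    return False

def demo():
    """Returns a dict of checks; the claims are constructed (type, value) pairs."""
    buyer = [("Group", "Purchasing"), ("Status", "Active")]
    manager = [("Group", "Dept01Manager")]
    lead = [("Group", "Dept01Lead")]
    auditor_inactive = [("Group", "TreyAuditor"), ("Status", "Disabled")]
    return {
        "buyer_submits_report": access_check(buyer, "ReportSubmit"),
        "buyer_approves_payment": access_check(buyer, "PaymentApprove"),
        "manager_approves_small_payment": access_check(manager, "PaymentApprove", context={"amount": 500}),
        "manager_approves_large_payment": access_check(manager, "PaymentApprove", context={"amount": 50_000}),
        "lead_approves_in_app_scope": access_check(lead, "PaymentApprove", context={"amount": 500}),
        "lead_approves_in_dept01_scope": access_check(lead, "PaymentApprove", dept01, {"amount": 500}),
        "inactive_auditor_checks_status": access_check(auditor_inactive, "ReportCheckStatus"),
    }
```

The developer's code only ever asks about an operation; which tasks and roles grant it, and which claim values place a caller in a role, stay in the policy store for the administrator to change. demo() shows the three consequences worth checking in any such deployment: a disabled auditor gets nothing because the Status claim is part of the membership rule, a manager's approval is still bounded by the business rule on the task, and a Dept01 lead holds Acct Rep only inside the nested Dept01 scope, not at the application root.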

30 Summary
- System.Security.Authorization: core security infrastructure in the .NET Framework and Longhorn
- Distributed authorization: AzMan in Windows Server 2003 evolves and provides RBAC
- Federation for web services and web applications

31 TrustBridge Federation Summary
- Non-proprietary, cross-platform support
- Support multiple security tokens (Kerberos, PKI, SAML, XrML)
- Integrate with AD, Authorization Manager, any LDAP server, Passport
- Web single sign-on
- Windows extends naturally into federated scenarios

32 Community Resources: Get Your Questions Answered!
- Client Lounge: middle of the Exhibit Hall; connect with Microsoft client product teams and PDC 2003 speakers
- Ask The Experts: Tuesday 7 pm – 9 pm in Hall G,H
- Web Sites:

33 Community Resources: Get Your Questions Answered!
- Come to the booth at the PDC Pavilion
- Other talks:
  - WSV304 "Indigo: Building Secure Distributed Applications with Web Services"
  - WSV404 "Indigo: The Web Services Protocols and Architecture"
  - ARC343 "Introducing the Longhorn Identity System"

34 © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.