Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alex Thissen | Achmea Designing and implementing a claims-based architecture Alex Thissen | Achmea Claim typeValue

Published byEmory Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "Alex Thissen | Achmea Designing and implementing a claims-based architecture Alex Thissen | Achmea Claim typeValue"— Presentation transcript:

1 Alex Thissen | Achmea Designing and implementing a claims-based architecture Alex Thissen | Achmea Claim typeValue http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Alex Thissen http://schemas.microsoft.com/ws/2008/06/identity/claims/email alex.thissen@achmea.nl http://schemas.microsoft.com/ws/2008/06/identity/claims/role Architect Microsoft CC

2 www.devreach.com About me: Alex Thissen –Architect with a focus on Microsoft technologies and products Security Competencies and learning –Works at insurance company Achmea –Trainer/coach in software development –Most Valuable Professional for Visual C# –Regional Director for The Netherlands

3 www.devreach.com About The Netherlands

4 www.devreach.com The real Netherlands

5 www.devreach.com Agenda Overview of claims-based security Design and architecture Claims-based security at Achmea Lessons learned Questions and answers

6 OVERVIEW OF CLAIMS-BASED SECURITY Getting into the basics

7 www.devreach.com Corporate domain The need for claims based security Partner domain Internet Security from OS or platform Managed users Unmanaged users Potentially other platform

8 www.devreach.com Leverage existing identities Users already have identities Reputation of provider Capabilities Web identities Corporate identities Issued identities Application identities Identity Provider Security Token Service 3 3 Identities

9 www.devreach.com Claims, issuers, subjects and tokens Claim is attribute of identity Security token holds claimsets Cryptographically signed –Optionally encrypted Token Claimset Claims Issuer Subject

10 www.devreach.com Tokens and claims Gordon wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk= Token Signature Example Claims NameGroupOlder than 18 Claim 1 Claim 2... Claim n Claim 3 Indicates who created this token and guards against changes

11 www.devreach.com Standards to make it all work Communication WS-Trust WS-Security WS-Secure Conversation WS-SecurePolicy Federation WS-Federation Passive requestor profile Active requestor profile Claims SAML XACML

12 www.devreach.com Elements of claims-based architecture Identity Provider –Identity store –Security Token Service Relying Party (RP) –Application using claims Subject –User –Entity with identity Security token Trust Domain Identity Provider STS 3 3 1 1 2 2 5 5 Identities 4 4 RP 3 3 Account or attribute store

13 www.devreach.com Federation and trust Federation as an alternative when identity centralization is not an option Trust Domain 1Trust Domain 2 STS 3 3 User 4 4 1 1 2 2 5 5

14 www.devreach.com Benefits of identity federation Allows claims-based security Reduce IT pain and risk related to provisioning and de-provisioning users Extend trust to users across domain, corporate and Internet boundaries Support Single Sign-On (SSO) Applications can ask for exactly claims they need

15 DESIGN AND ARCHITECTURE A shift in architecture

16 www.devreach.com Design of a claims model Context-based profile Main profile Credentials Identifier Application attributes E.g. roles in application, identity bound information relevant to application Common attributes E.g. Email address, user name, company name Username/password X509 certificate Kerberos ticket Other security token Unique identifier of identity Per domain uniqueness E.g. samAccountName, SSN, certificate ID Source: Microsoft Architecture Journal #16

17 www.devreach.com Separation of concerns Provisioning of identities and claims issuance by authoritative source Different issuers –Main profile and identifier: IP-STS –Context based profile: Resource-STS (aka Federation-STS)

18 www.devreach.com Federation pattern primitives Transformation Augmentation Can be combined

19 www.devreach.com Usage Customizations STS Provisioning ILM Development Single authentication model in apps Leverage services and support from platform Operation Partly redundant infrastructure Environment separation Security Security standards No custom security implementation Using security products *ilities

20 www.devreach.com Migrating to claims Security model Claims-based access control Less emphasis on traditional role-based security Authentication Brokered authentication Generate claims and token Authorization Use claims instead of other data No longer dependent on authentication mechanism

21 www.devreach.com Shift in architecture Decoupling –Security model from authentication type –Authentication implementation from application code Centralization of identities Federation with other parties (trust) Authentication logic Separate identity and attribute stores

22 www.devreach.com Authentication logic Shift in architecture Decoupling –Security model from mode of authentication –Security implementation from application code Centralization of identities Federation with other parties (trust) Centralized identity store Authentication logic User Multiple web applications

23 www.devreach.com Identity and access management Unified Access Gateway Identity Manager 2010 (ILM) Window Identity Foundation Windows Communication Foundation ASP.NET 3.5 WIF integration Microsoft platform, products and frameworks Infrastructure Software Domain Services Lightweight Directory Services Federation Server 2.0 Certificate Services

24 www.devreach.com Implementing claims-based security 1.Acquire or build issuer 2.Configure application to trust issuer 3.Configure issuer to know about application 4.Add logic to your application to support claims

25 IDENTITY & ACCESS MANAGEMENT AT ACHMEA A real-world example

26 www.devreach.com Achmea target architecture Based on Achmea IT vision –“Inleven, vernieuwen, waarmaken” Rationalize existing application landscape Leverage products OOB Minimize custom implementations

27 www.devreach.com Divisions and labels Adopt to modern internet usage Reduced effort on creating and provisioning customer accounts Achmea IT Centralizing and providing generic infrastructure Deliver more services at lower cost and higher SLA Business case

28 www.devreach.com Generic Internet-street Achmea Centralizing services for hosting and securing internet portals Reduce costs by standardizing platform SharePoint 2010 for building Web Portals Photo by Paul KellerPaul Keller

29 www.devreach.com Customer Domain Customers Identity and access management SharePoint 2010 Application farm Attributes ADFS 2.0 Resource- STS AD Lightweight Directory Services DigiD IP-STS Identity Attribute Healthcare Division ClaimValue SSN 148281337 ClaimValue Cn 148281337 Identity 148281337 Role Insured Email someone@somewhere.nl ClaimValue SSN 148281337 ClaimValue Cn 148281337 Identity 148281337 Role Insured Email someone@somewhere.nl

30 www.devreach.com Employees Customer Domain Employees Domain Customers Identity and access management ADFS IP-STS ADFS IP-STS AD Domain Services Attributes ADFS 2.0 Resource- STS AD Lightweight Directory Services DigiD IP-STS Identity Attribute Healthcare Claim augmentation and transformation Other Divisions InternalIntermediaries Access Control Service

31 www.devreach.com Windows Azure Access Control Service Relying Party Web Relying Party Web Access Control Access Control Google Yahoo! Windows Live Windows Live FaceBook Browser 1 1 2 2 5 5 3 3 4 4 Enterprise Identity Provider 3 3

32 SOFTER SIDE OF CLAIMS-BASED SECURITY Lessons learned from a changing security architecture

33 www.devreach.com IT Environment Governance on identities and claims –Meta model for claims Availability of technology –E.g. currently government IP-STS DigiD does not have a STS Specialized team for Identity & Access Management is advised

34 www.devreach.com Human dynamics Encourage to move towards target architecture Negotiations − Active vs. passive authentication − “Everything is an attribute”

35 www.devreach.com Interaction challenges Design of attributes for claims Authorization model What makes a good claim? Volatile, main or context profile?

36 www.devreach.com New technologies Relative new technologies –Frameworks –Products Non-trivial standards Distributed teams

37 WRAPPING UP Almost there

38 www.devreach.com Lessons learned Achieving your goals in more than one step Taskforce can be very effective –Right people together with a single mission Multiple parties means multiple strategies, agendas and plannings External contractors may have a different view on target (software) architecture

39 www.devreach.com Summary Claims-based security as a new paradigm Needs a different security architecture Trust and federation are essential Start transitioning from role based to claims based security architecture!

40 www.devreach.com Q&A and discussion Go ahead and ask your questions now! Maybe later? @alexthissen alex.thissen@achmea.nl @

41 www.devreach.com Resources Ebook “A guide to Claims-based Identity and Access Control”Ebook “A guide to Claims-based Identity and Access Control” Microsoft Architecture Journal # 16Microsoft Architecture Journal OASIS Standards Microsoft resources: –WIFWIF –Active Directory ServerActive Directory Server

42 Alex Thissen | Achmea Thank you! @alexthissen blog.alexthissen.nl www.linkedin.com/in/alexthissen alex.thissen@achmea.nl Alex Thissen | Achmea @

Download ppt "Alex Thissen | Achmea Designing and implementing a claims-based architecture Alex Thissen | Achmea Claim typeValue"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Microsoft Identity Solutions

Microsoft Identity Solutions
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Implementing and Administering AD FS

Implementing and Administering AD FS
Eric Raff. Usergroup up

Eric Raff. Usergroup up
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
Understanding Active Directory

Understanding Active Directory
Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.

Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.
Identity & Access Management Conversation Karlien Vanden Eynde Product Marketing Manager.

Identity & Access Management Conversation Karlien Vanden Eynde Product Marketing Manager.
Jax ArcSig 3/22/2011 Keith Tingle. About Me Keith Tingle Lender Processing Services

Jax ArcSig 3/22/2011 Keith Tingle. About Me Keith Tingle Lender Processing Services
Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,
Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.

Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.
A claims-based Identity Metasystem

A claims-based Identity Metasystem
Identity and Access Management

Identity and Access Management
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.

Similar presentations

Ads by Google