Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation

Similar presentations


Presentation on theme: "SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation"— Presentation transcript:

1 SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation dbayer@microsoft.com

2 SAML August 27, 2001 S2 Agenda  Overview of Microsoft authentication & authorization plans  Problem space  Our understanding of the scenarios  Our current approach  How could we use SAML?  Migration?  Integration?

3 SAML August 27, 2001 S3 Windows.NET Windows.NET Authentication Architecture  Windows.NET Authorization: Extending the Windows Model  Resource-Based Authorization: ACLs & Groups  Application-Based Authorization: RBAC  Making It All Secure

4 SAML August 27, 2001 S4.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 11 11 11 11 RequestMeetingRequestMeeting

5 SAML August 27, 2001 S5.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 22 22 Query&RequestQuery&Request

6 SAML August 27, 2001 S6.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 33 SOAPMessageSOAPMessage

7 SAML August 27, 2001 S7.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 44 AcceptAccept 44

8 SAML August 27, 2001 S8.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority Signed Message; Accepted 55

9 SAML August 27, 2001 S9 Windows.NET Application Security Framework DMZ Partner/Supplier Store = Directory or Database AA =Authentication Authority Customer Employee Enterprise Internet AA StoreStoreDirectTrustDirectTrust MMSMMS KerberosKerberos Direct Trust (XCerts, XKMS) Direct Trust (XCerts, XKMS) Signed Messages (XMLDSIG, S/MIME, CAPICOM) Signed Messages (XMLDSIG, S/MIME, CAPICOM)

10 SAML August 27, 2001 S10 Windows.NET Application Security Framework DMZ Partner/Supplier Store = Directory or Database AA =Authentication Authority Customer Employee Enterprise Internet AA StoreStoreDirectTrustDirectTrust MMSMMS KerberosKerberos Trust Federation (Passport, Identrus) Trust Federation (Passport, Identrus) Passport, Kerberos, Basic SSL, Digest, …

11 SAML August 27, 2001 S11 Windows.NET Application Security Framework DMZ Partner/Supplier Store = Directory or Database AA =Authentication Authority Customer Employee Enterprise Internet AA StoreStore RBACPolicy RBACPolicyRBACPolicy Threats from Inside & DMZ Threats from Internet

12 SAML August 27, 2001 S12 Windows.NET Authentication  Multiple credential types  Passwords, tokens, smartcards  Multifactor: Key + biometric  Multiple Client to Server protocols:  Today: Basic, NTLM, Passport, Digest, SSL, Kerberos, …  Converge on Kerberos & Kerberos/TLS in the future  Message Signing and Signature verification  Single Server to Server protocol: Kerberos w/constrained delegation  IETF standard, interoperable, scalable  Secure: mutual authentication  Extensible credentials support  Passwords, X.509 certificates, tokens,…  Directory independent authentication

13 SAML August 27, 2001 S13 Front End Application Windows.NET Authentication Verify Policy: Allowed-To-Delegate-To Users KDC Back End Application TicketTicket TicketTicket TrustTrust Passport Basic Digest SSL Signed Messages, S/MIME/SMTP XMLDSIG/HTTP Cert Kerberos

14 SAML August 27, 2001 S14 Application Classification For Authorization  Resource Managers  Resources are well-defined with persistence  Access is controlled to operations on such objects  E.g. File system, database, Active Directory, …  Gatekeepers: Special form of resource managers  Resources are other applications  Controls access to other applications  E.g. OS itself, Web Server, VPNs, Firewalls, …  Business Processes  Resources aren’t well defined; operations, processes & workflows are  Access is controlled to operations, processes, workflows  E.g. LOB applications, Transaction processing,...

15 SAML August 27, 2001 S15 Authorization: Role Based Model  Roles-based  LOB, B2B, B2C and workflow applications  Characteristics  No real objects but operations & tasks are well-defined  Authorizations aren’t simply yes/no on operation  Operation data & business rules matter  Typically have a state machine  Where do you ‘hang’ the ACL?  Applications enforce access  Users authenticate to Authentication Authority  Application performs authorization  Application has full access to underlying objects

16 SAML August 27, 2001 S16 Roles-Based Authorization Manager Windows Authorization API Gatekeeper Applications (Web Server/URL, VPNs, Firewalls,…) Resource Manager Applications (Document Store, Mail Store,…) Business Process Applications (E-Commerce, LOB Applications,…) Windows Authorization API Authorization Administration Manager Common Roles Management UI PolicyStorePolicyStore Active Directory Or XML (Files, SQL)

17 SAML August 27, 2001 S17 Roles-Based Authorization Manager Windows Authorization API Gatekeeper Applications (Web Server/URL, VPNs, Firewalls,…) Common Roles Management UI URL-Based Authorization Scopes VDirs, URL, PrefixVDirs, URL, PrefixTasks Basic: GET/POSTBasic: GET/POST Dynamic by associating VBscript business rulesDynamic by associating VBscript business rulesGroups StaticStatic ComputedComputed LDAP queryLDAP queryRoles Defined by administrators and applicationsDefined by administrators and applications URL Windows Authorization API Web-Based Application Windows Authorization API IIS

18 SAML August 27, 2001 S18 SAML/Kerberos – Protocol Overview Web Servers KDC WebAuthServer(s) GetGet (NetscapeMAC) (Web Sphere) AIX (Windows.NET)

19 SAML August 27, 2001 S19 SAML/Kerberos Protocol Overview Web Servers KDC WebAuthServer(s) Redirect(1)Redirect(1) SSL User Name Password AS-ReqTGS-Reg(2)AS-ReqTGS-Reg(2) Sess-CookieTGT AP-Req(3)AP-Req(3)

20 SAML August 27, 2001 S20 Web Servers SAML/Kerberos Protocol Overview KDC WebAuthServer(s) GetGet Sess-CookieTGT AP-ReqAP-Req Sess-CookieAP-Req Dat a AP-Req(cached) Subsequent requests: Browser sends AP-REQ in cookie Web Server checks against saved AP-REQ, if OK, returns requested URL

21 SAML August 27, 2001 S21 Protocol Overview – Initial Request to Second Web Server  Browser does GET to WebSphere  WebSphere redirects to WebAuth  Redirect contains TGT in cookie  WebAuth does TGS-REQ, then proceeds as before

22 SAML August 27, 2001 S22 SAML/Kerberos – Protocol Overview Web Servers KDC DirectoryDirectory MIT-KDC Apache WebAuthServer(s) GetGet Sess-CookieTGT Affiliate Site

23 SAML August 27, 2001 S23 SAML/Kerberos Protocol Overview Web Servers KDC DirectoryDirectory KDC WebAuthServer(s) Redirect(1)Redirect(1) SSL Sess-CookieTGT AS-Req(2)AS-Req(2) AP-Req(3)AP-Req(3) Sess-CookieTGT AS-ReqAS-Req Affiliate Site

24 SAML August 27, 2001 S24 SAML/Kerberos – Protocol Overview Web Servers KDC DirectoryDirectory KDC WebAuthServer(s) GetGet Sess-CookieTGT Affiliate Site AP-ReqAP-Req Sess-CookieAP-Req Dat a

25 SAML August 27, 2001 S25 Questions?


Download ppt "SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation"

Similar presentations


Ads by Google