Federating Identity and Authorization Across Organizations and Platforms
Matthew Hur, Lead Program Manager, Microsoft Corporation


Slide 1: Federating Identity and Authorization Across Organizations and Platforms
Matthew Hur, Lead Program Manager, Microsoft Corporation, matthur@microsoft.com
Session Code: ARC241

Slide 2: (diagram only: a map of the Longhorn .NET Framework namespaces across Presentation, Data, Communication, Base & Application Services and Fundamentals; the security-related nodes are System.Security with Permissions, Policy, Principal, Token, Authorization, AccessControl, Credentials and Cryptography, plus System.Web.Security, System.MessageBus.Security and System.Windows.TrustManagement)

Slide 3: Agenda
- What problems are we addressing?
- Federated security requirements
- Web services and federation
- TrustBridge and where we're heading

Slide 4: Managing Identities is Hard
- Each organization is an island
  - Must manage internal identities
  - Must manage external identities
- Can we create identities that “island-hop”?
  - Fewer identities to manage
  - More meaningful identities

Slide 5: Federated Security
- Enable each organizational “island”
  - To act as an authority
  - To make secure statements
- And build bridges of trust between them
  - Each one picks who they trust
  - Each one controls how much they trust
  - Each one controls their principals and assertions
  - Each one uses its own internal protocols
- Specifications and technology to enable widely-available, interoperable identification, authentication, and authorization

Slide 6: Federated Security Requires
- Authorities – issue assertions
  - They authenticate principals
  - They make assertions
  - They support assertion look-up and discovery
- Principals – the target of assertions
  - The “entities” authorities assert about (e.g., users, services, devices)
  - Some offer services to other principals
  - Some consume assertions to make authorization decisions
- Trust Relationships – limit assertions
  - Implicit trust between principals and their authority
  - Explicit trust between authorities
  - Policy controls who trusts whom and for what they are trusted
- Trust Brokers (optional) – scale trusts
  - Ease establishing trust between authorities (not transitive trust)
  - They are optional but enable scaling

Slide 7: Build Federation on Web Services
- Federated Security requires
  - Organizations to contact one another
  - Organizations to share with one another
  - In real time, across the Internet
- Web Services enable interoperation
  - Cross-platform support and development model
  - Broad, multi-vendor support
  - Based on standards

Slide 8: Web Services Need Security
- Types of requirements
  - Enable message-level security
  - Establish and use trust
  - Express security policy
- WS security standards provide the security
  - First specification already at OASIS
  - More coming

Slide 9: Web Service Specifications
(diagram only: the Web Services specification stack, showing Internet Transports, SOAP and XML, Messaging, and the Discovery, Security, Transactions, Policy and Management specifications)

Slide 10: Security Tokens & Claims
- Messages have security tokens that assert claims
- Claim – a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc.)
- (diagram groups token types as Signed: X.509, Kerberos, XrML, SAML; and Unsigned: Username; it also labels Secret Key, Password and Proof of Possession)

Slide 11: Policies
- Web services have policies that describe required claims
- Does the request have the correct security tokens?
- Policies can also describe where to get claims

Slide 12: Security Token Service
- A security token service issues security tokens
- It is just a web service
- A solution may require multiple token services
- (diagram: a Web Service and a Security Token Service, each publishing its own Policy)

Slide 13: Federated Identity: Getting There
- Key architectural principles
  - Multiple “authorities” in a “trust network”
  - Each owns their customers and employees
  - Each owns their infrastructure
  - Each issues their own credentials
  - Each can decide whether to accept credentials from other authorities

Slide 14: TrustBridge
- TrustBridge is a project with two primary goals
  - Provide core security infrastructure within the .NET Framework in Longhorn (supporting Indigo): the System.Security.Authorization namespace
  - Enable federated trust scenarios: web services and web-based applications

Slide 15: System.Security.Authorization
- Provide core security components in the .NET Framework in Longhorn
- Somewhat analogous to CAPI and SSPI
- (diagram: Indigo and the Application both build on the Sys.Sec.Authorization namespace)

Slide 16: System.Security.Authorization
(diagram only: the Sys.Sec.Authz component provides Token Processing, Authorization, Token Issuance, Policy Storage and Extensibility; it consumes SOAP Security Tokens together with TrustPolicy and AuthzPolicy, and performs Authenticate, Create Tokens, Authorize and Policy Lookup on behalf of the Application Logic)

Slide 17: System.Security.Authorization
- Token Processing
  - Authentication, claim filtering and extraction
  - Creates a SecurityContext
  - Supports multiple security token types (XrML, SAML, X.509v3, Kerberos, custom)
- Authorization
  - Provides framework for authorization processing
  - Role-based access control interfaces and administration
  - Makes authorization decisions using the claims in the SecurityContext and an AuthorizationContext (the stored policy, and other disparate pieces of policy such as XrML)

Slide 18: System.Security.Authorization
- Token Issuance
  - Claim transformation
  - Generate the following token types: XrML, SAML
- Policy Storage
  - Mechanism for storing trust partner policy, claim filtering policy, transformation policy, and RBAC authorization policy
  - Provides an administration object model for all of the above policies
- Extensibility points
  - Custom token types
  - Custom authorization engines
  - Custom claim types

Slide 19: TrustBridge Federation Goals/Scenarios
- Web-based applications
- Web services
- Interop with Passport
- Interop with other WS-* compliant vendors

Slide 20: How to Manage Trust
- Manage at the edge through trust gateways
- (diagram: two organizations, each behind its own Federation Border, connected through a MESH)

Slide 21: The Federation Model
- Org #1 and Org #2 each have a private namespace
- A Business Level Agreement defines a common namespace
  - Terms, keys, limits
  - Auditing requirements
  - Etc.

Slide 22: The Federation Model
- Federation Servers broker trust between organizations
- (diagram: a Federation Server in each organization's private namespace, joined through the Federation Namespace)

Slide 23: Web Services Single Sign-On
(diagram: the user's account/credentials live in Active Directory, which issues a security token, e.g. a Kerberos ticket, for intranet applications such as Exchange, a Web Service and Collaboration; a Federation STS issues security tokens, carried with WS-Security, to external applications at Supplier A, which wants XrML, and Supplier B, which wants SAML)
- Supplier A
  1. User requests access to Supplier A
  2. STS creates XrML token
  3. Signs it with company's private key
  4. Sends token back to user
  5. Accesses Supplier A with XrML token
- Supplier B
  1. User requests access to Supplier B
  2. STS creates SAML token
  3. Signs it with company's private key
  4. Sends token back to user
  5. Accesses Supplier B with SAML token

Slide 24: Web-based Single Sign-On
1. User accesses A.Datum portal to Trey Research order processing application
2. User authenticates to A.Datum STS using Active Directory integrated authentication – passes SIDs as input claims
3. User obtains federation SAML token from A.Datum STS – federation claims per business level agreement between A.Datum and Trey Research
4. User obtains security token from Trey Research STS – claims specific to Trey Research
5. User accesses Trey Research order processing application
(diagram: A.Datum Corp. holds Active Directory, the SIDs, a Federation STS and the Order Entry Portal; Trey Research Inc. holds a Federation STS, the Application Claims and the Order Entry Application; Federation Claims flow between the two STSs)
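The token chain on slides 23 and 24 (an STS issues a signed token carrying claims, and each relying party checks it against the issuers it trusts, as slides 10 to 12 describe) can be simulated end to end. The following is an added example, not code from the presentation or from TrustBridge: the issuer names, keys, SIDs and claim values are all constructed, and HMAC-SHA256 under a per-organisation key stands in for the private-key signature the slides describe so that the example runs without any library beyond the Python standard library.

```python
# Added example, not from the presentation: a minimal simulation of the web
# single sign-on chain on slides 23-24. Issuer names, keys, SIDs and claim
# values are constructed; HMAC-SHA256 with a per-organisation key is an
# assumption standing in for the private-key signature the slides describe.
import hashlib
import hmac
import json
import time

# Constructed keys. Under the business level agreement each organisation can
# verify its partner's tokens; that is modelled here as knowing the key.
KEYS = {
    "urn:adatum:federation-sts": b"constructed-adatum-key",
    "urn:trey:federation-sts": b"constructed-trey-key",
}

# Constructed account-domain data: the SIDs Active Directory returns for a
# user, and A.Datum's mapping from its private SIDs to federation claims (the
# claim transformation agreed with Trey Research). SIDs with no mapping are
# filtered out and never leave A.Datum.
AD_SIDS = {"alice": ["S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-2001", "S-1-5-21-0-0-0-9999"]}
SID_TO_FEDERATION_CLAIM = {
    "S-1-5-21-0-0-0-1001": ("email", "alice@ADatum.com"),
    "S-1-5-21-0-0-0-2001": ("Group", "Dept01Manager"),
}


def issue_token(issuer, audience, claims, now, ttl=300):
    """The issuer serialises issuer, audience, expiry and claims, then signs
    the serialisation with its own key."""
    body = {"iss": issuer, "aud": audience, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(token, trusted_issuers, expected_audience, now):
    """Relying-party checks: is the issuer one this party trusts, does the
    signature verify under that issuer's key, was the token issued for this
    audience, and is it still valid? Returns the claims or raises ValueError."""
    body = json.loads(token["payload"])
    issuer = body.get("iss")
    if issuer not in trusted_issuers:
        raise ValueError(f"issuer not trusted: {issuer!r}")
    expected = hmac.new(KEYS[issuer], token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature does not verify")
    if body.get("aud") != expected_audience:
        raise ValueError("token was issued for a different audience")
    if now >= body["exp"]:
        raise ValueError("token expired")
    return body["claims"]


def adatum_federation_sts(user, now):
    """Steps 2-3: authenticate against Active Directory (SIDs are the input
    claims) and issue a federation token that carries only the claims the
    business level agreement defines."""
    sids = AD_SIDS.get(user)
    if sids is None:
        raise ValueError("authentication failed")
    fed_claims = dict(SID_TO_FEDERATION_CLAIM[s] for s in sids if s in SID_TO_FEDERATION_CLAIM)
    return issue_token("urn:adatum:federation-sts", "urn:trey:federation-sts", fed_claims, now)


def trey_federation_sts(fed_token, now):
    """Step 4: accept a token from the trusted partner STS only, then issue
    application claims specific to Trey Research."""
    claims = verify_token(fed_token, {"urn:adatum:federation-sts"}, "urn:trey:federation-sts", now)
    app_claims = {"partner": "ADatum", **claims}
    return issue_token("urn:trey:federation-sts", "urn:trey:order-entry", app_claims, now)


def order_entry_app(app_token, now):
    """Step 5: the application trusts only its own organisation's STS, so a
    partner federation token presented directly is rejected."""
    return verify_token(app_token, {"urn:trey:federation-sts"}, "urn:trey:order-entry", now)


def sign_on(user, now=None):
    """Run the whole chain and return the claims the application sees."""
    now = time.time() if now is None else now
    fed_token = adatum_federation_sts(user, now)
    app_token = trey_federation_sts(fed_token, now)
    return order_entry_app(app_token, now)


if __name__ == "__main__":
    print(sign_on("alice"))
```

The point to notice is that trust is decided separately at each hop: Trey Research's STS accepts tokens only from the A.Datum STS named in the agreement, and the order entry application accepts tokens only from its own STS, so a federation token cannot be replayed straight to the application, and a token whose claims have been altered after issuance fails the signature check.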

Slide 25: WS-Federation Passive Requestor Profile (title only; no transcript text)

Slide 26: TrustBridge and Distributed Authorization
(diagram only: in the Account Domain, Active Directory supplies SIDs to a Federation STS; the Federation Domain carries Federation Claims to a second Federation STS; in the Resource Domain, Application Claims reach the Application, which uses AzMan)

Slide 27: Deployment Design: RBAC Management
- Policy Store: storage in AD, XML, SQL
- Role: permissions needed to do a job
- Task: work units that make sense to administrators
- Operation: application action that developer writes dedicated code for
- (diagram example: roles Auditor, Acct Rep, Buyer and Change Approver; tasks Approve Payment, Deny Payment, Approve Report, Reject Report, Submit Report, Cancel Report and Check Status; operations grouped as Database Operation, Web Operation, Directory Operation and Payment System Operation; an XML or SQL Policy Store)

Slide 28: Role Assignment
- Web Ordering Application role definitions: Buyer, Auditor, Acct Rep
- Role assignments
  - Buyer: email = *@ADatum.com
  - Acct Rep: Group = Dept01Manager
  - Auditor: (Group = TreyAuditor) && (Status = Active)
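Slides 27 and 28 together describe a three-level model (role, task, operation) whose roles are assigned from claim values. The following is an added example, not code from the presentation or from Authorization Manager: it implements the three assignment rules on slide 28 literally, while the role-to-task and task-to-operation mapping is constructed to use the names on slide 27's diagram, since the slide does not give that mapping. Claims are assumed to come from an already verified token and to be multi-valued (a name maps to a list of values).

```python
# Added example, not from the presentation: an evaluator for the RBAC model on
# slides 27-28. The role assignment rules are the three on slide 28; the
# role -> task -> operation mapping is constructed. Claims are assumed to come
# from an already verified token, as a dict of claim name -> list of values.
import fnmatch

# Operations: application actions the developer writes dedicated code for.
# Tasks: work units that make sense to administrators (constructed mapping).
TASKS = {
    "Submit Report": {"Web Operation: post report form", "Database Operation: insert report"},
    "Cancel Report": {"Database Operation: mark report cancelled"},
    "Approve Report": {"Database Operation: set report approved", "Directory Operation: look up approver"},
    "Reject Report": {"Database Operation: set report rejected"},
    "Approve Payment": {"Payment System Operation: authorize payment", "Database Operation: record payment"},
    "Deny Payment": {"Payment System Operation: cancel payment"},
    "Check Status": {"Web Operation: render status page", "Database Operation: read report"},
}

# Roles: the permissions needed to do a job, expressed as a set of tasks.
ROLES = {
    "Buyer": {"Submit Report", "Cancel Report", "Check Status"},
    "Acct Rep": {"Approve Report", "Reject Report", "Check Status"},
    "Auditor": {"Check Status"},
    "Change Approver": {"Approve Payment", "Deny Payment"},  # no claim rule on slide 28
}

# Role assignment rules from slide 28: every (claim, pattern) pair in a rule
# must match some value of that claim; '*' is a wildcard as in "*@ADatum.com".
ROLE_ASSIGNMENTS = {
    "Buyer": [("email", "*@ADatum.com")],
    "Acct Rep": [("Group", "Dept01Manager")],
    "Auditor": [("Group", "TreyAuditor"), ("Status", "Active")],
}


def _matches(claims, claim_name, pattern):
    """True if any value of the named claim matches the pattern. Matching is
    case-insensitive so alice@adatum.com and alice@ADatum.com are alike."""
    values = claims.get(claim_name, ())
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def assigned_roles(claims):
    """Roles whose assignment rule is fully satisfied by the claims."""
    return {role for role, rule in ROLE_ASSIGNMENTS.items()
            if all(_matches(claims, name, pat) for name, pat in rule)}


def permitted_operations(claims):
    """Expand roles -> tasks -> operations for this principal."""
    ops = set()
    for role in assigned_roles(claims):
        for task in ROLES.get(role, ()):
            ops |= TASKS[task]
    return ops


def access_check(claims, operation):
    """The check the application makes before running a dedicated operation."""
    return operation in permitted_operations(claims)


if __name__ == "__main__":
    # Constructed claims for a user whose federation token carried an A.Datum
    # email address and a Dept01Manager group.
    alice = {"email": ["alice@ADatum.com"], "Group": ["Dept01Manager", "Domain Users"]}
    print(sorted(assigned_roles(alice)))
    print(access_check(alice, "Payment System Operation: authorize payment"))
```

Two details matter for a deployment of this shape. The wildcard is anchored by the rule itself, so an address such as mallory@ADatum.com.example.net does not satisfy `*@ADatum.com`; and the Auditor rule is a conjunction, so a TreyAuditor group membership without an Active status assigns no role. Neither check means anything unless the claims were taken from a token whose issuer and signature were verified first.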

Slide 29: Integrated RBAC Model
- Natural fit with System.Security.Authorization and Federation
- Managed code
  - Integrated into the .NET Framework
  - Write custom business rules in managed code
- Administrative flexibility
  - Nested scopes model authorization in hierarchy
  - Define membership based on claim values
  - Use principals stored in SQL / ADAM / etc.
  - Store RBAC policy in AD, SQL, XML

Slide 30: Summary
- System.Security.Authorization: core security infrastructure in the .NET Framework and Longhorn
- Distributed authorization: AzMan in Windows Server 2003 evolves and provides RBAC
- Federation for web services and web applications

Slide 31: TrustBridge Federation Summary
- Non-proprietary cross-platform support
- Support multiple security tokens (Kerberos, PKI, SAML, XrML)
- Integrate with AD, Authorization Manager, any LDAP server, Passport
- Web single sign-on
- Windows extends naturally into federated scenarios

Slide 32: Community Resources: Get Your Questions Answered!
- Client Lounge: middle of the Exhibit Hall; connect with Microsoft client product teams and PDC 2003 speakers
- Ask the Experts: Tuesday 7 pm – 9 pm in Hall G,H
- Web sites: http://pdcbloggers.net, http://msdn.microsoft.com/pdc/, http://msdn.microsoft.com/webservices, http://www.oasis-open.org, http://www.ws-i.org

Slide 33: Community Resources: Get Your Questions Answered!
- Come to the booth at the PDC Pavilion
- Other talks:
  - WSV304 “Indigo: Building Secure Distributed Applications with Web Services”
  - WSV404 “Indigo: The Web Services Protocols and Architecture”
  - ARC343 “Introducing the Longhorn Identity System”

Slide 34: © 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


