Claims-based security with Windows Identity Foundation.


1 Claims-based security with Windows Identity Foundation

2 Goals
- Introduce you to claims-based security.
- Show that it isn't that hard anymore, thanks to WIF.
- And it's fun!

3 Some terminology

4 Two types of federation
WS-Federation: Active Requestor Profile
- Based on WS-Trust
- For active clients, such as WPF and WinForms applications
WS-Federation: Passive Requestor Profile
- Based on WS-Federation
- For web clients (browsers)
- "Emulates" WS-Trust on top of GET, POST, browser redirects and cookies

5 Claim
Way too abstract: a statement that is made by one entity about another entity.
Let's make it a bit more concrete: a piece of information about a user in a system, issued by a security token service (STS) that a claims-aware application trusts. Examples:
- Identifying claims: name, e-mail, phone number
- Blind claims (do not identify the user on their own): nationality, age, hair color
- Role, permission

6 What's inside a claim?
ClaimType
- Built-in: name, email, phone number
- Custom: organization number, cost center, member status, or anything else that makes sense in your system
- Usually in URI format, such as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
ClaimValue
- e.g. "john.doe@somewhere.com"
Issuer (STS)
- e.g. "CN=the.sts.at.somewhere.com", the name of the STS that issued the claim
And a couple more properties: ClaimValueType, OriginalIssuer, ...

7 So from a security point of view we can say that a user's identity is made up of a set of claims
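Slides 5 to 7 in code, as an added example that is not part of the deck or of WIF's own samples: it walks the claim set WIF attaches to the current principal and looks a claim up by type and issuer. It assumes WIF 1.0 (Microsoft.IdentityModel.dll) on .NET 3.5/4.0 and that the claims-aware pipeline has already validated the incoming token and set Thread.CurrentPrincipal; the issuer name is the deck's example and the cost-center claim type URI is hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// Added example, not from the deck. Requires WIF 1.0 (Microsoft.IdentityModel.dll).
// Assumes the claims-aware pipeline (WCF or ASP.NET) has already validated the
// security token and placed an IClaimsPrincipal on the thread.
public static class ClaimsView
{
    // Issuer name taken from the deck's example; hypothetical for this snippet.
    private const string TrustedIssuer = "CN=the.sts.at.somewhere.com";

    // Custom claim type: a URI that is meaningful inside our system (hypothetical).
    public const string CostCenterClaimType = "http://schemas.somewhere.com/claims/costcenter";

    public static IClaimsIdentity CurrentIdentity()
    {
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || principal.Identities.Count == 0)
            throw new InvalidOperationException(
                "No claims principal on the thread: the WIF pipeline is not configured for this request.");
        return principal.Identities[0];
    }

    // The user's identity is the set of claims; each carries type, value, value type and issuer.
    public static void Dump()
    {
        foreach (Claim c in CurrentIdentity().Claims)
        {
            Console.WriteLine("{0}\n  value = {1}\n  valueType = {2}\n  issuer = {3} (original issuer: {4})",
                c.ClaimType, c.Value, c.ValueType, c.Issuer, c.OriginalIssuer);
        }
    }

    // Return a claim value only if it was asserted by the STS we trust. WIF's
    // IssuerNameRegistry already rejects tokens from unknown issuers before any
    // claim is created, so this is defence in depth for the case where several
    // issuers are accepted but only one is authoritative for this claim type.
    public static string GetTrustedClaim(string claimType)
    {
        return CurrentIdentity().Claims
            .Where(c => c.ClaimType == claimType
                     && string.Equals(c.Issuer, TrustedIssuer, StringComparison.OrdinalIgnoreCase))
            .Select(c => c.Value)
            .FirstOrDefault();
    }

    public static void Example()
    {
        string email = GetTrustedClaim(ClaimTypes.Email);          // built-in claim type
        string costCenter = GetTrustedClaim(CostCenterClaimType);  // custom claim type
        if (email == null)
            throw new UnauthorizedAccessException("No e-mail claim from the trusted STS.");
        Console.WriteLine("{0} belongs to cost center {1}", email, costCenter ?? "(none)");
    }
}
```

The Issuer property is not something the client put in the token: WIF fills it in from the name the IssuerNameRegistry returned for the certificate that signed the token, which is why it can be relied on for the check above.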

8 Security token
Claims on the wire, i.e. a serialized set of claims that is:
- digitally signed by the STS
- encrypted (optional but recommended)
Security token formats:
- SAML: an XML-based standard from OASIS, the most common format, interoperable
- Kerberos
- X.509 certificate

9 Basic rules of claims-based authorization
- Stop authenticating users yourself. Let the STS handle it instead.
- Establish a trust relationship with the STS.
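What "establish a trust relationship with the STS" means on the relying-party side, as an added example (not from the deck or from WIF): the RP accepts only tokens signed by the STS's signing certificate. WIF asks an IssuerNameRegistry to map the signing token to an issuer name; throwing (or returning null) rejects the token before any claim is created. Assumes WIF 1.0 (Microsoft.IdentityModel.dll); the thumbprint and issuer name are hypothetical.

```csharp
using System;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens;

// Added example, not from the deck. WIF 1.0 (Microsoft.IdentityModel.dll).
// Registered in web.config/app.config under
// <microsoft.identityModel><service><issuerNameRegistry type="PinnedStsIssuerNameRegistry, MyAssembly"/>
public class PinnedStsIssuerNameRegistry : IssuerNameRegistry
{
    // Thumbprint of the IP-STS signing certificate (hypothetical value).
    // Pin the thumbprint, not the subject name: a subject name can be obtained
    // from any CA the machine happens to trust, a thumbprint cannot.
    private const string StsThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";
    private const string StsIssuerName = "CN=the.sts.at.somewhere.com";

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            throw new SecurityTokenException("Token was not signed with an X.509 certificate.");

        string thumbprint = x509Token.Certificate.Thumbprint;
        if (string.Equals(thumbprint, StsThumbprint, StringComparison.OrdinalIgnoreCase))
            return StsIssuerName;   // becomes Claim.Issuer on every claim in the token

        throw new SecurityTokenException(
            "Untrusted issuer: signing certificate thumbprint " + thumbprint);
    }
}
```

WIF ships the same behaviour as ConfigurationBasedIssuerNameRegistry, configured with a trustedIssuers list of thumbprint/name pairs, so a custom class is only needed when trust has to be looked up elsewhere (a database, a federation metadata feed). The second half of the trust relationship is the audience check: the audienceUris element under the same service element must list the RP's own address, otherwise a token issued for another RP (a different AppliesTo) would be accepted.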

10 The driving forces
- Enables identity federation
- Enables SSO
- Lower user administration costs for organizations
- Always fresh user information
- Seamless step-up authentication
- Separation of concerns
- Better security

11 What about role-based access control? Don’t worry... It’s backward compatible!
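How the backward compatibility works, as an added example (not from the deck or from WIF): role claims arrive as ordinary claims of type ClaimTypes.Role, and WIF surfaces them through the familiar IPrincipal.IsInRole, so existing role checks keep running unchanged. Decisions that a role cannot express go into a ClaimsAuthorizationManager, which sees the resource, the action and the whole claim set. Assumes WIF 1.0 (Microsoft.IdentityModel.dll); the cost-center claim type, role name and resource naming are hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// Added example, not from the deck. WIF 1.0 (Microsoft.IdentityModel.dll).
// Registered under <microsoft.identityModel><service>
//   <claimsAuthorizationManager type="ExpenseAuthorizationManager, MyAssembly"/>
public class ExpenseAuthorizationManager : ClaimsAuthorizationManager
{
    // Custom claim type issued by our STS (hypothetical URI).
    private const string CostCenterClaimType = "http://schemas.somewhere.com/claims/costcenter";

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and action are themselves claim collections,
        // here e.g. resource "costcenter:4711" and action "Approve".
        string resource = context.Resource.First().Value;
        string action = context.Action.First().Value;
        IClaimsPrincipal principal = context.Principal;
        IClaimsIdentity identity = principal.Identities[0];

        switch (action)
        {
            case "Read":
                // Any user authenticated by the trusted STS may read.
                return identity.IsAuthenticated;

            case "Approve":
                // The old-style role check still works: IsInRole looks for a
                // claim of type ClaimTypes.Role with the given value.
                bool isManager = principal.IsInRole("Manager");
                // Combined with something a role cannot say: a manager may only
                // approve expenses of their own cost center.
                bool ownCostCenter = identity.Claims.Any(c =>
                    c.ClaimType == CostCenterClaimType && "costcenter:" + c.Value == resource);
                return isManager && ownCostCenter;

            default:
                return false; // deny by default
        }
    }
}

public static class ExpenseService
{
    public static void Approve(string costCenter)
    {
        // Imperative check: routes through the configured ClaimsAuthorizationManager
        // and throws SecurityException when CheckAccess returns false.
        ClaimsPrincipalPermission.CheckAccess("costcenter:" + costCenter, "Approve");
        // ... approve the expense ...
    }

    public static bool LegacyRoleCheck()
    {
        // Code written against role-based security is left exactly as it was.
        return Thread.CurrentPrincipal.IsInRole("Manager");
    }
}
```

The same check can be made declaratively with the ClaimsPrincipalPermission attribute (SecurityAction.Demand, Resource and Operation properties) on the service method. Keep the default branch denying: an authorization manager that returns true for unknown actions turns every new operation into an open one.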

12 Claims based security – one domain (active client)
Actors:
- IP = Identity Provider, with its IP-STS (a.k.a. the STS), e.g. ADFS 2.0, backed by AD
- RP = Relying Party, a.k.a. claims-aware application or service provider, e.g. a WCF service
- Active client, e.g. a WPF or WinForms application
- A trust relationship exists between the RPs and the IP-STS
Flow:
1. The client delivers its credentials to the IP-STS in an RST (username/password, Windows credentials or a certificate), together with AppliesTo, the RP the token is for.
2. The IP-STS authenticates the user, validates AppliesTo and gathers the claims.
3. The IP-STS returns an RSTR containing the security token and a proof key.
4. The client sends its message plus the token to the RP.
5. The RP's WCF pipeline processes the token and hands the claims to the application, which returns the response.
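The active-client exchange of slide 12 written out with the WIF 1.0 WS-Trust client classes, as an added example (not from the deck or from WIF's samples): the RST carries the caller's Windows credentials and AppliesTo, the RSTR comes back as a SecurityToken that includes the proof key, and that token is then attached to the call to the RP. The STS and service addresses, the IService1 contract and the choice of Windows credentials over TLS are assumptions for the example.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

// Added example, not from the deck. WIF 1.0 (Microsoft.IdentityModel.dll) on .NET 3.5/4.0.
// Endpoint addresses and the IService1 contract are hypothetical.
[ServiceContract]
public interface IService1
{
    [OperationContract]
    string Hello();
}

public static class ActiveClient
{
    private const string StsAddress = "https://sts.domaina.example/Trust/13/Windows";
    private const string ServiceAddress = "https://service.domaina.example/service1";

    public static SecurityToken RequestToken()
    {
        // "Deliver credentials": Windows credentials over a TLS-protected channel.
        var binding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsAddress));
        factory.TrustVersion = TrustVersion.WSTrust13;

        // RST: an Issue request scoped to the RP via AppliesTo. The STS uses
        // AppliesTo to check that the RP is known and to pick the RP's
        // certificate for encrypting the token.
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(ServiceAddress),
            KeyType = KeyTypes.Symmetric   // ask for a proof key the client can sign messages with
        };

        // RSTR: the issued token and the proof key, surfaced as one SecurityToken.
        return factory.CreateChannel().Issue(rst);
    }

    public static string CallService(SecurityToken token)
    {
        var binding = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);
        var factory = new ChannelFactory<IService1>(binding, new EndpointAddress(ServiceAddress));
        factory.ConfigureChannelFactory();   // WIF extension: plug the WIF token handlers into the factory

        // Attach the issued token. The proof key signs the message, so the RP can
        // tell that the sender is the party the STS issued the token to, not
        // someone who merely captured the token.
        IService1 proxy = factory.CreateChannelWithIssuedToken(token);
        return proxy.Hello();
    }

    public static void Main()
    {
        SecurityToken token = RequestToken();
        Console.WriteLine(CallService(token));
    }
}
```

Issued tokens have a lifetime; cache the SecurityToken and reuse it until it expires rather than hitting the STS on every call, and request a fresh one when the RP answers with a security fault.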

13 Federated identity (two security domains)
Actors:
- Security Domain A: WPF client and IP-STS
- Security Domain B: RP-STS and the WCF service at http://domain/service1
- Trusts: the WCF service trusts the RP-STS; the RP-STS trusts the IP-STS
Flow:
1. The client authenticates to its own IP-STS, which issues a token.
2. The client sends that token to the RP-STS in domain B.
3. The RP-STS applies its transformation rules and issues a new token for the service.
4. The client sends the message plus the new token to the WCF service.
5. The service sends the response.

14 Active client certificates (Security Domain A)
IP-STS (certificate, store location: purpose):
- IP-STS private key, Local Computer/Personal: sign the token
- RP-STS public key, Local Computer/Personal: encrypt the token
- SSL certificate, Local Computer/Personal: secure the channel
- Root authority certificate, Trusted Root Certification Authorities: used to create the SSL certificate
Active client (certificate, store location: purpose):
- RP public key, Base64 encoded in app.config: encrypt the message and authenticate the RP
- IP-STS SSL public key, Local Computer/Trusted People: secure the channel
- Proof key from the RP-STS (received in the RSTR, not stored): sign the message to the RP

15 RP-STS and RP certificates (Security Domain B)
RP-STS (certificate, store location: purpose):
- IP-STS public key, Local Computer/Trusted People: validate the IP-STS signature
- RP-STS private key, Local Computer/Personal: decrypt the incoming token and sign the issued token
- RP public key, Local Computer/Trusted People: encrypt the token
RP (certificate, store location: purpose):
- RP private key, Local Computer/Personal: decrypt the token
- RP-STS public key, Local Computer/Trusted People: validate the RP-STS signature

16 Certificates
- Certificate Authority, e.g. VeriSign
- Self-signed test certificates during development: makecert.exe

17 WIF
A framework for building claims-based applications as well as STSs; an abstraction layer over WS-Trust and WS-Federation. It contains:
- a set of .NET classes inside Microsoft.IdentityModel
- Visual Studio project templates for ASP.NET and WCF applications and for STS services
- ASP.NET controls, e.g. FederatedPassiveSignInControl
- FedUtil, a tool that makes it easy to establish trust between the application and the STS

18 You need this to get started:
- Visual Studio 2008/2010
- WIF (runtime)
- WIF SDK, which includes guidelines, samples, etc.

19 Demo
