Welcome!
Dec 05, 2014
How to create a uniform login experience using Federated Identity
Roy Cornelissen, IT Architect, Info Support (@roycornelissen)
Marcel de Vries, Technology Manager, Info Support (@marcelv)
Xamarin Evolve 2013
Agenda: Problem, Solutions, Your app, Demos
Problem statement
You want to secure your back end
Your app needs to authenticate before it can access services in your backend
How are you going to identify the user at the backend? Roll your own username/password?
That’s so 1996….
You already have cloud identities on Facebook, Google, Microsoft, Yahoo! Why not leverage those?
So what are our options to integrate with these identity providers?
Identity Providers (IdP)
Enterprise IdPs: Microsoft Active Directory & Active Directory Federation Services (ADFS)
Social IdPs: e.g. Facebook, Google, Microsoft, Yahoo!
What does an IdP do?
It authenticates the user against something you know, have or are, e.g. a password, a smart card, biometric information
It hands out tokens; tokens contain claims
E.g. your name, email address, age or role
We can "chain" IdPs: each IdP can augment the claim set and thereby provide additional claims to the party that uses the token
What does your app need to do? It needs to do something with the claims provided by the IdP
E.g. look up the "nameidentifier" claim and selectively grant access to application resources
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
So an IdP provides an authenticated identity and some claims about that identity
Your app needs to do smart things to authorize the user based on those claims
Before it uses any claim, the receiving side must verify that the token is genuine: valid signature from the expected issuer, intended for this app (audience), and not expired; a claim in an unverified token is just user-supplied input
Possible solutions
Option 1: integrate your app with all the different providers out there. This requires a trust relationship with each (cloud) identity provider
Requires you to implement the integration with each provider, using the protocol that provider selected
E.g. OAuth, WS-Federation, SAML-P, OpenID, etc.
Every time you want to support a new provider, you need to add that integration to your app
Option 2: use Windows Azure Active Directory, specifically the Access Control Service (ACS)
You can add any WS-Federation or OpenID compliant IdP, such as a corporate ADFS
Access Control Service (ACS)
You integrate with ACS
ACS handles the integration with the others: Facebook, Yahoo, Windows ID, Google ID, ...
ACS Terminology
STS (Security Token Service): any party that can issue an authentication token
Identity Provider (IdP): the party that maintains the user identity, e.g. Windows Live, Google, Yahoo, etc.
Relying Party (RP): the party relying on some IdP to hand over a set of claims about who that identity is, i.e. your app
Note that the identifying claim differs per IdP: Windows Live -> unique ID, Google -> email address
SAML & cookie-based authentication versus Simple Web Tokens (SWT) & HTTP-header-based authentication
SAML or SWT?
You can use SAML or SWT
What are the tradeoffs?
It depends on your services
Call a service with SWT
When using a REST service, you can simply add a custom header to your request (HttpClient, WebClient):

    // token is the SWT string obtained from ACS; WRAP is the scheme ACS expects
    string headerValue = string.Format("WRAP access_token=\"{0}\"", token);
    client.Headers.Add("Authorization", headerValue);

When using WCF & SOAP, you need to add the custom header to the request via the OperationContext:

    using (var ctx = new OperationContextScope(proxy.InnerChannel))
    {
        var httpRequestProperty = new HttpRequestMessageProperty();
        httpRequestProperty.Headers[HttpRequestHeader.Authorization] =
            String.Format("WRAP access_token=\"{0}\"", token);
        OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] =
            httpRequestProperty;
        // Call the service operation inside this scope: the header is only
        // attached to messages sent while the OperationContextScope is active.
    }
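The deck's snippets show the client attaching the token; the relying party still has to verify it before it acts on the claims described under "What does your app need to do?". The following is an added example, not code from the deck or from ACS, and written in Python rather than the deck's C# so it runs stand-alone: it builds a Simple Web Token the way ACS does (form-encoded claims, ExpiresOn in epoch seconds, HMAC-SHA256 over everything before `&HMACSHA256=` using the shared 256-bit key), wraps it in the `WRAP access_token="..."` Authorization header, and on the service side checks signature, issuer, audience and expiry before looking up the nameidentifier claim in an allow-list. The signing key, ACS namespace, realm, user ids and role table are all constructed values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote_plus

# ACS hands the relying party a base64 256-bit symmetric key out of band.
# This key is constructed for the example only.
SIGNING_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")

# Hypothetical ACS namespace (issuer) and relying-party realm (audience).
ISSUER = "https://contoso.accesscontrol.windows.net/"
AUDIENCE = "http://localhost/EventsService/"

NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Constructed allow-list: nameidentifier value -> application role.
ROLE_BY_NAMEID = {"user-1234": "organizer", "user-5678": "attendee"}


class SwtError(Exception):
    """Raised when a token must not be trusted."""


def _hmac_b64(key: bytes, data: str) -> str:
    digest = hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def issue_swt(claims, issuer, audience, lifetime_s, key_b64, now=None):
    """Build a signed SWT: URL-encoded name=value pairs joined by '&',
    followed by HMACSHA256 computed over everything before '&HMACSHA256='."""
    now = int(time.time()) if now is None else now
    pairs = list(claims.items()) + [
        ("Issuer", issuer),
        ("Audience", audience),
        ("ExpiresOn", str(now + lifetime_s)),
    ]
    unsigned = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    signature = _hmac_b64(base64.b64decode(key_b64), unsigned)
    return unsigned + "&HMACSHA256=" + quote(signature, safe="")


def wrap_authorization_header(token):
    """Header value the client sends (same shape as the deck's C# snippet)."""
    return 'WRAP access_token="%s"' % token


def parse_wrap_header(value):
    """Extract the raw token from a 'WRAP access_token="..."' header value."""
    prefix = 'WRAP access_token="'
    if not value.startswith(prefix) or not value.endswith('"') or len(value) <= len(prefix):
        raise SwtError("not a WRAP access_token header")
    return value[len(prefix):-1]


def validate_swt(token, expected_issuer, expected_audience, key_b64, now=None):
    """Verify signature, issuer, audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise SwtError("token is not signed")
    unsigned = token[:idx]
    presented = unquote_plus(token[idx + len(marker):])
    expected = _hmac_b64(base64.b64decode(key_b64), unsigned)
    # Constant-time compare, and check the signature before parsing anything else.
    if not hmac.compare_digest(expected, presented):
        raise SwtError("signature mismatch")
    claims = {}
    for pair in unsigned.split("&"):
        name, _, value = pair.partition("=")
        claims[unquote_plus(name)] = unquote_plus(value)
    if claims.get("Issuer") != expected_issuer:
        raise SwtError("unexpected issuer")
    if claims.get("Audience") != expected_audience:
        raise SwtError("token was issued for a different relying party")
    try:
        expires_on = int(claims["ExpiresOn"])
    except (KeyError, ValueError):
        raise SwtError("missing or malformed ExpiresOn")
    if expires_on <= now:
        raise SwtError("token expired")
    return claims


def role_for(claims):
    """The nameidentifier lookup the deck describes: claim value -> app role."""
    return ROLE_BY_NAMEID.get(claims.get(NAMEID_CLAIM))


def can_access(claims, required_role):
    return role_for(claims) == required_role


if __name__ == "__main__":
    tok = issue_swt({NAMEID_CLAIM: "user-1234"}, ISSUER, AUDIENCE, 600, SIGNING_KEY_B64)
    header = wrap_authorization_header(tok)
    verified = validate_swt(parse_wrap_header(header), ISSUER, AUDIENCE, SIGNING_KEY_B64)
    print("nameidentifier:", verified[NAMEID_CLAIM], "role:", role_for(verified))
```

The audience check is what stops a token issued for another relying party in the same ACS namespace from being replayed against this service, and the signature check must come before any claim is read, which is why the validator refuses to parse until the HMAC matches.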
Call a service with a SAML token (cookie based)
When using a REST service, you need to add the cookie to the Cookie header of the request:

    // AuthenticationCookieContainer is a CookieContainer (see the WCF snippet below);
    // GetCookies selects the cookies that apply to the service URL.
    // serviceUri (the Uri of the service being called) is assumed here.
    CookieCollection coll = App.AuthenticationCookieContainer.GetCookies(serviceUri);
    WebClient webrequest = new WebClient();
    String cookiestring = "";
    int count = 0;
    foreach (Cookie cookie in coll)
    {
        if (count++ > 0) { cookiestring += "; "; }
        cookiestring += cookie.Name + "=" + cookie.Value;
    }
    webrequest.Headers[HttpRequestHeader.Cookie] = cookiestring;

For SOAP using the WCF stack, simply hand the proxy the CookieContainer:

    EventsServices.EventsDomainServicesoapClient proxy = new EventsServices.EventsDomainServicesoapClient();
    proxy.CookieContainer = App.AuthenticationCookieContainer;
Conceptual model (diagram; the example app is the ISKE Events App)
Parties: Mobile App, ACS (STS), Identity Providers (IdP), Your (web) services (RP) protected with WIF, serving <soap/> or { json }
Flow:
1. The mobile app asks ACS for the IdP list (GetIdentityProviders()).
2. The app is redirected to the chosen IdP's login page and the user authenticates there.
3. The IdP returns an IdP token to ACS.
4. ACS maps the claims, issues an ACS token and redirects to the realm page (.aspx), which returns the token to the app as an ACS token or as a cookie containing the ACS token.
5. The app accesses the service; the request carries the cookie (or header) with the ACS token, and WIF on the service validates it.
Depending on the ACS configuration for SWT or SAML you get a header or a cookie
Authentication flow (class diagrams per platform)
iOS: SignInViewController, SignInWebViewDelegate, SignInController, ACSJSON, IdentityProviderDiscoveryClient, Relying Party, ACS namespace, Realm, HttpCookieContainer, Identity Provider
Windows Phone: LoginView, WebView, WebBrowser, AccessControlServiceSignIn control, ACSJSON, IdentityProviderDiscoveryClient, Relying Party, ACS namespace, Realm, HttpCookieContainer, Identity Provider
Android: SignInActivity, SignInWebView, IdentityProviderListActivity [navigate], SignInController, ACSJSON, IdentityProviderDiscoveryClient, Relying Party, ACS namespace, Realm, HttpCookieContainer, Identity Provider
I want that! NOW!
We’ll publish the code on CodePlex
And depending on demand:
Nuget package and Xamarin Store
Wait, what about
Windows Azure Toolkit?
It's deprecated
Its replacement does not provide the same experience
Our code is a fork of the original
AND works on multiple platforms!
@roycornelissen, roycornelissen.wordpress.com
Thank you! @marcelv
Come see us again,
tomorrow at 1.30 PM