Introduction to Windows Identity Foundation Jax ArcSig 3/22/2011 Keith Tingle
Feb 22, 2016
About Me
Keith Tingle
http://keith-tingle.com/
[email protected]
Lender Processing Services, http://www.lpsvcs.com
What is WIF?
Simplifies the programming model of:
- WS-Trust (smart clients, a.k.a. active clients)
- WS-Federation (browsers, a.k.a. passive clients)
- SAML
Makes it relatively easy to implement:
- Federated Authentication
- Delegation
- Single Sign On
What is WIF? (cont'd)
- Extends the .NET model of identity to claims
- Tooling in Visual Studio:
  - Project templates for claims-aware apps & STS
  - 'Add STS Reference' (FedUtil.exe)
- ASP.NET controls:
  - Login Status control
  - Handles Single Sign Out
Federated Authentication
What does it mean?
- Offload responsibility for authentication to the STS. Delete your login.aspx!
- Reduces the amount of security code; the app is agnostic to the authentication method
- Based on the concept of Relying Party & Trust
- Public Key Infrastructure is the glue that holds everything together!
- The Relying Party installs the STS certificate and 'trusts' it
- Metadata is standardized (FederatedMetaData.xml)
Active Directory is Analogous, BUT
- Only works within the boundaries of a domain; machines must be joined to a domain.
  What about machines in the DMZ? What about the Cloud?
- Clients must be on the domain; machines typically run Windows.
  What about OS X, Linux? What about iOS, Android?
What is an STS?
Identity STS ('IdP'):
- Authenticates users
- Supports any number of authentication methods: Windows Authentication, User Name / Password, X509 client certificates
- Issues SAML tokens that contain claims; the tokens are signed & possibly encrypted
Options: roll your own, or ADFS 2.0
[Diagram: Federated Authentication. Elements: Security Token Service, Relying Party, SAML Token, with numbered steps 1, 2, 3 and a Trust relationship between the STS and the Relying Party.]
Review of Claims Jargon
- 'Passive' client versus 'Active' client: passive clients are browsers; active clients are stand-alone applications with access to a SOAP stack, e.g. a .NET console application.
- 'Relying Party' or 'RP': an application that trusts the tokens issued by an STS.
- A 'Trust': a key exchange between an RP and an STS.
- 'Identity Provider' or 'IdP': an STS that authenticates a user's identity. ADFS 2.0 can serve as an IdP for AD user stores.
Identity in .NET
Representation of identity:

    public interface IIdentity
    {
        string AuthenticationType { get; }
        bool IsAuthenticated { get; }
        string Name { get; }
    }

Implementations and the Name value each produces:
- FormsIdentity : IIdentity      'ktingle'
- WindowsIdentity : IIdentity    'NTLM\ktingle'
- x509Identity : IIdentity       'CN=KeithTingle, 54ED5443D…'
Identity in .NET w/ Claims
Extended to claims:

    public interface IClaimsIdentity : IIdentity
    {
        ClaimCollection Claims { get; }
    }

    public class Claim
    {
        // Properties
        public virtual string ClaimType { get; }
        public virtual string Issuer { get; }
        public virtual IClaimsIdentity Subject { get; }
        public virtual string Value { get; }
    }
Federated Authentication Demo w/ WIF
WIF Packaging
Two packages:
WIF Runtime
- Minimum of .NET FX 3.5
- Install the runtime on your servers
- Clients do not need the WIF Runtime unless you develop a smart client that utilizes the WIF extensions for client apps. Vanilla WCF 3.5 supports most scenarios; passive clients will have these features used in delegation scenarios.
- Separate .NET 3.5 & .NET 4.0 downloads
WIF SDK
- Visual Studio 2010 project templates
- FedUtil.exe utility
- User controls: SignIn Status. Do *not* underestimate the value of these controls!
Active Directory Federation Services 2.0
- Requires Windows Server 2008
- Supports HA configurations: federation farms & proxy
- ADFS 1.0 (not 2.0) comes on the Windows Server 2008 installation media
- ADFS 2.0 is a complete rewrite of ADFS 1.0, built on WIF, and available as a download only (http://bit.ly/ePLV4s)
- ADFS 1.0 will serve as an IdP for Active Directory Lightweight Directory Services (a.k.a. ADAM)
- ADFS 2.0 will only serve as an IdP for Active Directory
SharePoint 2010
- Rewritten security model on top of WIF
- All intra-farm security is claims based
- Supports Federated Authentication via a Trusted Identity Provider; must use PowerShell to create a provider
- IClaimsIdentity available to custom
Quick SharePoint 2010 Demo
When to consider Claims?
When do we consider using claims?
- Single Sign On scenarios
- Heterogeneous user stores: corporate AD, AD Lightweight Directory Services, external systems (SQL, XML)
- Heterogeneous authentication methods: username / password, Kerberos / NTLM, X509 certificates
- Delegation
Claims-based Identity Gotchas
- Distinguish between application claims and enterprise claims:
  enterprise claims describe the person (Name, E-Mail, Age);
  application claims describe what the person may do in this app (Uploader, Editor).
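One way to keep that distinction in code, as an added example in C# against the WIF 1.0 API (Microsoft.IdentityModel) and not code from the deck: a ClaimsAuthenticationManager that accepts enterprise claims only from the trusted STS and derives application claims locally, issued under the RP's own name. The issuer URI, the claim type URI and the e-mail-domain rule are assumptions.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Added example, not from the deck. Runs after WIF has validated the SAML token
// and before the request reaches the page, so every page sees both claim kinds.
public class AppClaimsManager : ClaimsAuthenticationManager
{
    // Hypothetical issuer name of the trusted STS, as registered in web.config.
    private const string TrustedIssuer = "http://sts.example.com/adfs/services/trust";
    // Issuer recorded on claims this RP creates itself (constant is ours, not WIF's).
    private const string LocalIssuer = "LOCAL AUTHORITY";
    // Hypothetical application claim type; namespaced so it cannot be confused
    // with the standard enterprise types (ClaimTypes.Name, ClaimTypes.Email, ...).
    public const string AppRoleClaimType = "http://schemas.example.com/2011/claims/approle";

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = (IClaimsIdentity)incomingPrincipal.Identity;

        // Enterprise claim: honour E-Mail only when the trusted STS issued it.
        string email = identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.Email && c.Issuer == TrustedIssuer)
            .Select(c => c.Value)
            .FirstOrDefault();

        // Application claims: decided here, so the issuer is the RP, not the STS.
        // Constructed rule: anyone authenticated may upload, corporate staff may edit.
        identity.Claims.Add(new Claim(AppRoleClaimType, "Uploader", ClaimValueTypes.String, LocalIssuer));
        if (email != null && email.EndsWith("@example.com", StringComparison.OrdinalIgnoreCase))
            identity.Claims.Add(new Claim(AppRoleClaimType, "Editor", ClaimValueTypes.String, LocalIssuer));

        return incomingPrincipal;
    }

    // Authorization check for page code: only locally issued application claims count,
    // so an STS cannot grant itself "Editor" by emitting a claim of the same type.
    public static bool HasAppRole(IClaimsPrincipal principal, string role)
    {
        var identity = principal.Identity as IClaimsIdentity;
        if (identity == null) return false;
        return identity.Claims.Any(c => c.ClaimType == AppRoleClaimType
                                     && c.Issuer == LocalIssuer
                                     && c.Value == role);
    }
}
```

The class is wired in with a `<claimsAuthenticationManager type="AppClaimsManager, YourAssembly" />` element under `<microsoft.identityModel><service>` in web.config (assembly name is a placeholder).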
Getting Started
- StarterSTS & Starter RP: http://startersts.codeplex.com
  Deployed as an ASP.NET web site; uses 'standard' ASP.NET membership & role providers
- WIF templates for a custom STS are very basic
- Creating an STS from scratch is a major undertaking; consider out-of-the-box alternatives
Additional Resources
- A Guide to Claims-based Identity and Access Control: http://tinyurl.com/claimsguide
- Exploring Claims-based Identity: http://msdn.microsoft.com/en-us/magazine/cc163366.aspx
The End
[Diagram: WS-Trust active-client flow. Elements: User Store; Security Token Service (STS); RST (Request for Security Token); RSTR (Request for Security Token Response); SAML Token; Relying Party Endpoint; WS-Trust Enabled Web Service Client; Trust relationship between the STS and the Relying Party.]
The Public Key Infrastructure
- The PKI is the foundation for trust and establishing identity on the Internet
- Built on top of asymmetric encryption algorithms
- Symmetric encryption algorithms: both the sender and the recipient of the message share a secret key.
- Asymmetric encryption algorithms: the sender and the receiver each create an asymmetric key pair and exchange the public keys with one another.
- A key pair: the two keys are related mathematically, but it is essentially impossible to derive the private key from the public key.
- Public key: distributed anywhere
- Private key: a compromised private key should result in a 'revocation' of the corresponding certificate. Revocation is a formal concept; there are protocols for it (CRLs, OCSP).
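Added example in C# (not code from the deck) tying this slide to the earlier point that the Relying Party installs the STS certificate and trusts it: the RP first pins the signing certificate to the one it installed, then lets the PKI answer whether that certificate is still good, failing closed when revocation status cannot be determined. The thumbprint value and class name are assumptions; the X509Chain API is the .NET one.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the deck. Two independent questions about the
// certificate that signed a SAML token: is it the one we trust, and does
// the PKI still vouch for it (chains to a trusted root, not revoked)?
public static class StsCertificateCheck
{
    // Placeholder: thumbprint of the STS certificate installed on the RP.
    public const string PinnedThumbprint = "PLACEHOLDER-STS-THUMBPRINT";

    public static bool IsAcceptableIssuer(X509Certificate2 signingCert, out string reason)
    {
        // Step 1: the Trust. Only the certificate we installed may sign our tokens.
        if (!string.Equals(signingCert.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            reason = "certificate is not the installed STS certificate";
            return false;
        }

        // Step 2: the PKI. Build the chain and consult CRL/OCSP for every link.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (chain.Build(signingCert))
        {
            reason = "ok";
            return true;
        }

        // A revoked key is exactly the compromised-private-key case: fail closed.
        // "Unknown" is treated the same way; otherwise an unreachable CRL/OCSP
        // endpoint would silently switch revocation checking off.
        var statuses = chain.ChainStatus.Select(s => s.Status).ToArray();
        if (statuses.Contains(X509ChainStatusFlags.Revoked))
            reason = "STS certificate has been revoked";
        else if (statuses.Contains(X509ChainStatusFlags.RevocationStatusUnknown)
              || statuses.Contains(X509ChainStatusFlags.OfflineRevocation))
            reason = "revocation status could not be determined";
        else
            reason = "chain did not build: " + string.Join("; ",
                chain.ChainStatus.Select(s => s.StatusInformation.Trim()).ToArray());
        return false;
    }
}
```

In a WIF RP the thumbprint pin is normally expressed declaratively instead, through the trustedIssuers list of ConfigurationBasedIssuerNameRegistry in web.config; the chain and revocation step above is the part that configuration alone does not give you.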