
Windows Identity Foundation (WIF)

Windows Identity Foundation (WIF): designing and implementing claims-based solutions. Mario Szpuszta, Architect Advisor, marioszp@microsoft.com. Agenda: understanding claims and WIF; building relying parties (browser-based); building relying parties (services-based); building identity providers.


Presentation Transcript


  1. Windows Identity Foundation (WIF) Designing & implementing claims-based solutions Mario Szpuszta Architect Advisor marioszp@microsoft.com

  2. Agenda • Understanding claims and WIF • Building relying parties – browser-based • Building relying parties – services-based • Building identity providers • Summary, key take-aways

  3. Claims-based Security and WIF Understanding claims and the role of WIF

  4. Identities today – typical situation

  5. Tight coupling „application ↔ user identities“ Why do we have this situation? [Diagram: every application carries its own Login.aspx and Page1.aspx, its own credential types / APIs, credential stores and user attribute stores.]

  6. Tight coupling „application ↔ user identities“ Why do we have this situation? [Diagram, continued build: the same Login.aspx / Page1.aspx, credential types / APIs, credential stores and user attribute stores repeated once per application, many times over.]

  7. How does the real world solve this problem?

  8. Identities in the Real World

  9. Identities in the Real World

  10. Identities in the Real World

  11. Mapping the real world to technologies [Diagram: Identity Provider = Security Token Service; Relying Party = Application; Subject = Client. Token formats: SAML, Kerberos, X.509 etc. Policy: WS-Policy, WS-MetadataExchange. Token issuance: WS-Trust. Message security: WS-Security, WS-SecureConversation. Client side: Information cards, OpenID, LID, Yadis…]

  12. Remove the coupling between app and identity What are we doing, actually? [Diagram: Login.aspx, the credential types / APIs, credential stores and user attribute stores move out of the application into an Identity Provider with an STS; the application keeps only Page1.aspx.]

  13. Remove the coupling between app and identity What are we doing, actually? [Diagram: the Identity Provider (ADFS v2 and/or a WIF STS) owns the credential types / APIs, credential stores and user attribute stores; the application keeps Page1.aspx, with WIF doing the pre-processing of incoming tokens.]

  14. Introducing WIF Understanding claims and the role of WIF

  15. Windows Identity Foundation (WIF) • Essential claims programming model • Claims OM integrated with the .NET identity API • Single programming model for ASP.NET & WCF • Config driven • Single programming model for on-premises & cloud • Tools for metadata-driven automatic app configuration • WS-Federation, WS-Trust • Framework for custom STS development • etc.

  16. WIF and Visual Studio Integration • Tools for establishing and maintaining trust • VS templates for claims-aware websites and services • Ready-to-use ASP.NET controls

  17. ASP.NET Relying Parties Building relying parties with „passive protocol“

  18. Browser-based Applications and Claims Also known as „passive“ clients [Diagram: the browser is sent by HTTP redirect from Page1.aspx to the Identity Provider's browser-based login page and STS, and redirected back with a token; WIF pre-processing in the application; the Identity Provider owns the credential types / APIs, credential stores and user attribute stores.]

  19. WIF – HttpModules
      • HTTPModule(s) in the ASP.NET pipeline of the app
        • Exposing policy, managing protocol redirects, establishing sessions…
      • WSFederationAuthenticationModule
        • Implements the WS-Federation redirect protocol
      • SessionAuthenticationModule
        • Handles sessions (regardless of the sign-in protocol)
      • ClaimsPrincipalHttpModule
        • Provides a hook for injecting claims into the current principal

  20. WIF ASP.NET Processing Pipeline WSFAM → SecurityTokenHandler → ClaimsAuthenticationManager → SessionAuthenticationModule → ClaimsAuthorizationManager

  21. Authorization in WIF Claims are so powerful!

  22. How do we authorize in the real world? Authorization in the real world: statements about us (credit card number, photo in passport, color of conference badge). Simple, easy: the relying party requests claims based on policy.

  23. WIF & Authorization – Technical Facts
      • ASP.NET roles will work “as is”
        • IsInRole, <authorization> element
        • Any incoming claim type can be used as role
      • Claims authorization can be much more than RBAC
        • Age thresholds, dates, spending limits…
      • WIF offers a hook for your authZ logic
        • ClaimsAuthorizationManager class
        • Provide your implementation of CheckAccess
        • Add it in the WIF pipeline via config

  24. What can you do with claims?
      • Use claims for authorization, personalization etc.
      • Claims can be anything!
      • Claims can be derived from anything in an STS!
      • Claims can “abstract” information
      • Simple examples:
        • User name, email, age, date of birth, location
        • E.g. use age if you don’t need to share date of birth
        • E.g. derive location from IP address of a client
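As an added example for slides 23 and 24 (not code from the deck or from Microsoft), the following ClaimsAuthorizationManager enforces an age threshold on part of an ASP.NET site instead of a plain role check. It targets the WIF 3.5 Microsoft.IdentityModel namespaces the deck is about (in .NET 4.5 the same types live in System.Security.Claims and use ClaimsPrincipal instead of IClaimsPrincipal). The "age" claim type URI, the restricted path, the threshold and the assembly name in the config comment are assumptions; the age claim lets the STS withhold the date of birth, and the date of birth is only used as a fallback when the STS sends that instead.

```csharp
// Added example (not from the slides): a WIF 3.5 ClaimsAuthorizationManager that
// enforces an age threshold. The age claim type URI, restricted path and
// threshold are assumptions made for the example.
using System;
using System.Globalization;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace ClaimsDemo
{
    public class AgeThresholdAuthorizationManager : ClaimsAuthorizationManager
    {
        // Hypothetical claim type an STS might issue instead of the date of birth.
        public const string AgeClaimType = "http://example.org/claims/age";
        // Hypothetical protected area and the minimum age it requires.
        private const string RestrictedPath = "/Restricted/";
        private const int MinimumAge = 18;

        public override bool CheckAccess(AuthorizationContext context)
        {
            // The ClaimsAuthorizationModule fills Resource with the request URL and
            // Action with the HTTP verb; only the values are needed here.
            string resource = context.Resource.Select(c => c.Value).FirstOrDefault() ?? string.Empty;

            // Outside the restricted area keep the default decision (allow); ASP.NET
            // <authorization> rules still apply on top of this.
            if (resource.IndexOf(RestrictedPath, StringComparison.OrdinalIgnoreCase) < 0)
                return true;

            // Unauthenticated callers never reach the restricted area.
            if (context.Principal == null || !context.Principal.Identity.IsAuthenticated)
                return false;

            var identity = context.Principal.Identity as IClaimsIdentity;
            if (identity == null)
                return false;

            int? age = GetAge(identity);
            return age.HasValue && age.Value >= MinimumAge;
        }

        // Prefer an issued "age" claim (no date of birth disclosed to the RP);
        // otherwise derive the age from ClaimTypes.DateOfBirth if that was sent.
        public static int? GetAge(IClaimsIdentity identity)
        {
            Claim ageClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == AgeClaimType);
            int age;
            if (ageClaim != null &&
                int.TryParse(ageClaim.Value, NumberStyles.Integer, CultureInfo.InvariantCulture, out age))
                return age;

            Claim dobClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.DateOfBirth);
            DateTime dob;
            if (dobClaim != null &&
                DateTime.TryParse(dobClaim.Value, CultureInfo.InvariantCulture,
                                  DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out dob))
            {
                DateTime today = DateTime.UtcNow.Date;
                int years = today.Year - dob.Year;
                if (dob.Date > today.AddYears(-years))
                    years--;   // birthday not yet reached this year
                return years;
            }

            return null;   // no usable claim: treated as "not old enough"
        }
    }
}

// Registration in web.config (WIF 3.5), with the ClaimsAuthorizationModule added
// to <httpModules>; "ClaimsDemo" is the assumed assembly name:
//   <microsoft.identityModel>
//     <service>
//       <claimsAuthorizationManager
//           type="ClaimsDemo.AgeThresholdAuthorizationManager, ClaimsDemo" />
//     </service>
//   </microsoft.identityModel>
```

Failing closed on a missing or unparsable claim is the deliberate choice here: a relying party that cannot establish the attribute it requires should deny, not fall back to the default allow.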

  25. WCF Relying Parties Building relying parties with „active protocol“

  26. Browser-based Applications and Claims • Also known as „passive“ clients [Diagram: the client gets the policy of Service1.svc at design time, retrieves a token from the STS via its web service (the Identity Provider owns the credential types / APIs, credential stores and user attribute stores) and presents it to Service1.svc, where the pre-processing of the token takes place.]

  27. WIF and WCF
      • Same programming model as ASP.NET…
      • …different hosting architecture
      • Self-hosted services:
        • FederatedServiceCredentials.ConfigureServiceHost(host)
      • Web-activated services:
        • Derive a new factory from ServiceHostFactory
        • Override CreateServiceHost
        • Use the above ConfigureServiceHost call in it
        • Use the custom factory in the @ServiceHost directive of the .svc file
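The two hosting paths from slide 27, carried through as an added example (not the deck's or Microsoft's own code) against WIF 3.5: a ServiceHostFactory for web activation, the equivalent self-hosting call, and a small service that shows the "same programming model" point by reading the caller's claims from Thread.CurrentPrincipal. The service contract, the class names and the base address are assumptions; the federated binding and trusted issuer are expected to come from the host's configuration, not from this code.

```csharp
// Added example (not from the slides): wiring WIF 3.5 into a WCF host both ways.
// Contract, class names and the self-host address are assumptions.
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Text;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;

namespace ClaimsDemo
{
    [ServiceContract]
    public interface IWhoAmI
    {
        [OperationContract]
        string WhoAmI();
    }

    // After ConfigureServiceHost, WIF installs its authorization manager and puts an
    // IClaimsPrincipal on the thread for every call, exactly as in the ASP.NET case.
    public class WhoAmIService : IWhoAmI
    {
        public string WhoAmI()
        {
            var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
            if (principal == null || !principal.Identity.IsAuthenticated)
                return "anonymous";

            var identity = (IClaimsIdentity)principal.Identity;
            var sb = new StringBuilder();
            foreach (Claim c in identity.Claims)
                sb.AppendFormat("{0} = {1} (issuer: {2}); ", c.ClaimType, c.Value, c.Issuer);
            return sb.ToString();
        }
    }

    // Web-activated (IIS) hosting. Reference the factory from the .svc file:
    //   <%@ ServiceHost Service="ClaimsDemo.WhoAmIService"
    //                   Factory="ClaimsDemo.WifServiceHostFactory" %>
    public class WifServiceHostFactory : ServiceHostFactory
    {
        protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
        {
            ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);
            // Replaces the default WCF credentials with the federated ones described in
            // the <microsoft.identityModel> configuration section (issuer registry,
            // audience URIs, token handlers, service certificate).
            FederatedServiceCredentials.ConfigureServiceHost(host);
            return host;
        }
    }

    // Self-hosting: the same call, made before Open().
    public static class SelfHost
    {
        public static void Run(Uri baseAddress)
        {
            using (var host = new ServiceHost(typeof(WhoAmIService), baseAddress))
            {
                FederatedServiceCredentials.ConfigureServiceHost(host);
                host.Open();
                Console.WriteLine("Listening on {0}; press Enter to stop.", baseAddress);
                Console.ReadLine();
            }
        }

        public static void Main()
        {
            // Assumed local address for the example.
            Run(new Uri("http://localhost:8000/WhoAmI"));
        }
    }
}
```

Calling ConfigureServiceHost in both paths is what keeps the configuration-driven checks (which issuers are trusted, which audience URIs the token may be scoped to) in one place; a service that skips it silently falls back to plain WCF credentials and would never see claims.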

  28. WIF and WCF – WIF Bindings • UserNameWSTrustBinding • CertificateWSTrustBinding • WindowsWSTrustBinding • KerberosWSTrustBinding • IssuedTokenWSTrustBinding

  29. Building Identity Providers Creating a Security Token Service with WIF

  30. Developing an STS with WIF
      • WIF provides building blocks for custom STS development
        • AD FS 2.0 is built with WIF!
      • Same programming model for all hosting options
        • Active: WCF
        • Passive: ASP.NET
      • Wizards & templates create a skeleton STS in no time
        • Perfect for testing purposes
      • Main activities
        • Decide who to trust
        • Decide which kind of credentials you’ll accept
        • Provide all the cryptographic material for signing & encrypting
        • Hook in the logic for retrieving claim values
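The four "main activities" on slide 30 map onto two overrides of the WIF 3.5 SecurityTokenService base class, shown here as an added example that is not the deck's or Microsoft's code: GetScope is where the STS decides who to trust and which certificates sign and encrypt the token, and GetOutputClaimsIdentity is where claim values are retrieved. Which credentials the STS accepts is decided by the hosting configuration (WCF binding or ASP.NET authentication), so it does not appear in this class. The issuer name, the relying party list, the certificate thumbprints and the attribute lookups are constructed placeholders.

```csharp
// Added example (not from the slides): skeleton of a custom STS on WIF 3.5.
// Issuer name, trusted relying parties, thumbprints and claim lookups are
// placeholders constructed for the example.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

namespace ClaimsDemo
{
    public class DemoStsConfiguration : SecurityTokenServiceConfiguration
    {
        // Issuer name plus signing certificate: the cryptographic material for signing.
        public DemoStsConfiguration(X509Certificate2 signingCert)
            : base("http://sts.example.org/trust", new X509SigningCredentials(signingCert))
        {
            SecurityTokenService = typeof(DemoSts);
        }
    }

    public class DemoSts : SecurityTokenService
    {
        // "Decide who to trust": the only audiences this STS issues tokens for, each with
        // the thumbprint of the certificate used to encrypt the token for that party.
        private static readonly Dictionary<string, string> TrustedRelyingParties =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "https://rp.example.org/", "PLACEHOLDER-RP-CERT-THUMBPRINT" }
            };

        public DemoSts(SecurityTokenServiceConfiguration config) : base(config) { }

        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            if (request.AppliesTo == null)
                throw new InvalidRequestException("AppliesTo is required.");

            string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
            string rpThumbprint;
            if (!TrustedRelyingParties.TryGetValue(appliesTo, out rpThumbprint))
                throw new InvalidRequestException("Relying party is not trusted: " + appliesTo);

            var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
            // Encrypt for the relying party so the token is opaque to the browser in transit.
            scope.EncryptingCredentials = new X509EncryptingCredentials(LoadCertificate(rpThumbprint));
            scope.ReplyToAddress = appliesTo;   // where the passive protocol posts the token
            return scope;
        }

        // "Hook in the logic for retrieving claim values": constructed lookups stand in
        // for the real attribute store. The host has already authenticated the caller.
        protected override IClaimsIdentity GetOutputClaimsIdentity(
            IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            string user = principal.Identity.Name;
            var output = new ClaimsIdentity();
            output.Claims.Add(new Claim(ClaimTypes.Name, user));
            foreach (string role in LookupRoles(user))
                output.Claims.Add(new Claim(ClaimTypes.Role, role));
            // Issue a derived age instead of the date of birth (slide 24); the claim type
            // URI is hypothetical.
            output.Claims.Add(new Claim("http://example.org/claims/age", LookupAge(user).ToString()));
            return output;
        }

        private static IEnumerable<string> LookupRoles(string user)
        {
            // Constructed sample data.
            return user.EndsWith("@example.org", StringComparison.OrdinalIgnoreCase)
                ? new[] { "Employee" } : new string[0];
        }

        private static int LookupAge(string user)
        {
            return 42;   // constructed sample value
        }

        private static X509Certificate2 LoadCertificate(string thumbprint)
        {
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                if (found.Count == 0)
                    throw new InvalidOperationException("Certificate not found: " + thumbprint);
                return found[0];
            }
            finally { store.Close(); }
        }
    }
}
```

Rejecting an unknown AppliesTo in GetScope is the control that matters most: an STS that issues a signed token for any audience a request names turns every one of its users' credentials into a credential for arbitrary relying parties.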

  31. Summary Claims-based Security and WIF

  32. Summary
      • Claims-based security: separation of concerns
        • Security Token Services – authentication
        • Services (consumer, provider) – authorization
      • Advantages of claims-based security
        • More flexible than role-based security
        • Based on open standards – interoperable
        • Easier implementation of single sign-on
      • Windows Identity Foundation
        • Framework for building claims-based applications
        • Helps building relying parties, clients and STSs
        • ADFS v2 is built on top of WIF

  33. Resources and Links
      • MSDN Home Page
        • http://msdn.microsoft.com/identity
        • http://msdn.microsoft.com/en-us/library/ee517280.aspx
      • Blogs
        • http://identityblog.com
        • http://blogs.msdn.com/card
        • http://self-issued.info/
        • http://identity-des.com/
        • http://blogs.msdn.com/vbertocci
        • http://www.leastprivilege.com
        • http://www.mszcool.at/blog
        • http://weblogs.thinktecture.com

  34. Thank you for your attention!
      • For more information please contact
        • Mario Szpuszta, Architect Advisor
        • marioszp@microsoft.com
        • http://www.mszcool.at/blog
        • +43 664 1927 365
        • Microsoft Österreich GmbH, Am Euro Platz 3, A-1120 Vienna, Austria
