Claims-based security

Claims-based security with Windows Identity Foundation

Goals Introduce you to claims-based security. Show that it isn’t that hard anymore, thanks to WIF. And it’s fun!

Some terminology

Two types of federation WS-Federation: Active Requestor Profile - Based on WS-Trust - For active clients, such as WPF and WinForm applications WS-Federation: Passive Requestor Profile - Based on WS-Federation - For web clients - "emulating" WS-Trust on top of GET, POST, browser redirects and cookies

Claim Way too abstract: A statement that is made by one entity about another entity. Let’s make it a bit more concrete: A piece of information about a user in a system, issued by a security token service (STS) that a claims-aware application trusts: Name Email Identifying claims Phone Number Nationality Age Blind claims Hair color Role, permission

What’s inside a claim? ClaimType Built-in: name, email, phonenumber Custom: organization number, cost center, member status …or anything else that makes sense in your system Usually they have a URI-format, such as:"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname” ClaimValue e.g.: “john.doe@somewhere.com” Issuer (STS) “CN=the.sts.at.somewhere.com”, the name of the STS that has issued the claim And a couple of more properties: ClaimValueType, OriginalIssuer, ...

So from a security point of view we can say that auser’s identity is made up by a set of claims

Security token Claims on the wire I.e., a serialized set of claims - digitally signed by the STS -encrypted (optional but recommended) Security token formats: SAML - an XML-based standard from OASIS - is the most common format - Interoperable Kerberos X.509 certificate

Basic rules of Claims-based authorization Let go of authentication the users yourself. Let the STS handle it instead. Establish a trust relationship with the STS

The driving forces It enables identity federation It enables SSO Lower user administration costs for organizations Always fresh user information Seamless step-up authentication Separation of concerns Better security

What about role-based access control? Don’t worry... It’s backward compatible!

Claims based security – One domain Authenticate IP = Identity Provider IP-STS AD Validate AppliesTo RPs Trust relationship A.K.A.: - STS E.g.: ADFS 2.0 Gather claims Claims WCF pipeline RSTR - Security token - Proof key RST - Credentials - AppliesTo Application = RP Access Control Token Validation Msg + token Active client Delivers credentials E.g.: - Username / Pwd - Windows credentials - Certificate RP = Relying Party A.K.A.: - Claims-aware application - Service provider Example: WCF Service Response E.g.: WPF, WinForm

Federated identity Security Domain A Security Domain B RP-STS IP-STS trusts Transformation rules Send Token Issue token Authenticate trusts Issue new token WCF Service http://domain/service1 Send message + token WPF Client Send response

Certificates Security Domain A IP-STS Active Client

Certificates Security Domain B RP-STS RP

Certificates Certificate Authority VeriSign Self-signed test certificates – during development makecert.exe

WIF A framework for building claims-based applications as well as STS:s An abstraction layer over the WS-Trust and WS-Federation It contains - a set of .NET classes inside Microsoft.IdentityModel - Visual Studio project templates for ASP.NET, WCF applications and STS services - ASP.NET controls, e.g. FederatedPassiveSignInControl - FedUtil, a tool that makes it easy to establish trust between the application and the STS

You need this get started: Visual Studio 2008 /2010 WIF WIF SDK, includes guidelines, samples etc.

Demo

Claims-based security