SVC02 Windows Identity Foundation Overview Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation
Agenda • Claims Based Identity • Windows Identity Foundation
Your Applications Are Prisoners Login.aspx Page1.aspx Credential Stores Credential Types / APIs User Attributes Stores
Identification in Real Life Works Pretty Well…How Do We Do That? Externalizes Authentication Gets user info from the document
Claims Can Set Your Application Free Identity Provider Active Directory Federation Services 2.0 STS Claims Relying Party Security Token
Essential claims programming model • Claims OM integrated with the .NET identity API • Single programming model for ASP.NET & WCF • Config driven • Single programming model for on-premises & cloud • Tools for metadata-driven automatic app configuration • WS-Federation, WS-Trust • Framework for custom STS development • And more…
Windows Identity Foundation: Object Model

using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

void Page_Load(object sender, EventArgs e)
{
    // By the time the page runs, the WIF modules have replaced the thread principal
    // with a claims-aware one, so the casts below succeed.
    IClaimsPrincipal icp = (IClaimsPrincipal)Thread.CurrentPrincipal;
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

    // Pull the single age claim out of the identity's claim collection.
    string ageClaimValue = (from c in claimsIdentity.Claims
                            where c.ClaimType == "http://MyNS/AgeClaim"
                            select c.Value).Single();
}

[Object model diagram: IClaimsPrincipal extends IPrincipal (Identity, IsInRole) and adds Identities; IClaimsIdentity extends IIdentity (AuthenticationType, IsAuthenticated, Name) and adds Claims and Delegate; Claim carries Subject, Issuer, OriginalIssuer, ClaimType, Value and ValueType.]
Windows Identity Foundation: Visual Studio Integration • Tools for establishing and maintaining trust • VS templates for claims-aware websites and services • Ready-to-use ASP.NET controls
Windows Identity Foundation: HttpModules • HttpModule(s) in the ASP.NET pipeline of the app • They take care of exposing policy, managing protocol redirects, establishing sessions… • WSFederationAuthenticationModule • Implements the WS-Federation redirect protocol • SessionAuthenticationModule • Takes care of handling sessions (regardless of the sign-in protocol) • ClaimsPrincipalHttpModule • Provides a hook for injecting claims in the current principal
Demo: Fabrikam Shipping (basic authentication externalization, claims consumption)
WIF ASP.NET Processing Pipeline WSFAM SecurityTokenHandler ClaimsAuthenticationManager SessionAuthenticationModule ClaimsAuthorizationManager
WIF & Authorization • ASP.NET roles will work “as is” • IsInRole, <authorization> element • Any incoming claim type can be used as a role • Claims authorization can be much more sophisticated than RBAC • Age thresholds, dates, spending limits… • WIF offers a hook for your authZ logic • ClaimsAuthorizationManager class • Provide your implementation of CheckAccess • Add it to the WIF pipeline via config
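As an added example (not code from the deck), here is what the CheckAccess hook could look like for the "age threshold" case above, with the config that registers it shown in a trailing comment. The claim type is the deck's http://MyNS/AgeClaim; the /Checkout path, the 18-year threshold and the App_Code assembly name are assumptions:

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Hypothetical authorization manager for an age-threshold rule.
public class AgeThresholdAuthorizationManager : ClaimsAuthorizationManager
{
    private const string AgeClaimType = "http://MyNS/AgeClaim"; // claim type from the deck's sample
    private const int MinimumAge = 18;                          // assumed policy threshold
    private const string GatedPath = "/Checkout";               // assumed protected area

    // ClaimsAuthorizationModule calls this once per request, with the request URL as
    // Resource and the HTTP verb as Action; returning false makes WIF reject the request.
    public override bool CheckAccess(AuthorizationContext context)
    {
        IClaimsIdentity identity = context.Principal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        string resource = context.Resource.Count > 0 ? context.Resource[0].Value : string.Empty;
        if (resource.IndexOf(GatedPath, StringComparison.OrdinalIgnoreCase) < 0)
            return true; // outside the gated area: defer to the ASP.NET <authorization> rules

        return IsOldEnough(identity, AgeClaimType, MinimumAge);
    }

    // The pure rule, kept separate so it can be unit-tested without an AuthorizationContext.
    public static bool IsOldEnough(IClaimsIdentity identity, string claimType, int minimumAge)
    {
        Claim ageClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == claimType);
        int age;
        if (ageClaim == null || !int.TryParse(ageClaim.Value, out age))
            return false; // missing or malformed claim: deny, never default to allow
        return age >= minimumAge;
    }
}

/* web.config registration (WIF 1.0 schema; assembly version/public key attributes omitted):
   <configuration>
     <system.web>
       <httpModules>
         <add name="ClaimsAuthorizationModule"
              type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel" />
       </httpModules>
     </system.web>
     <microsoft.identityModel>
       <service>
         <claimsAuthorizationManager type="AgeThresholdAuthorizationManager, App_Code" />
       </service>
     </microsoft.identityModel>
   </configuration>
*/
```

Note that the rule denies when the claim is absent or not an integer: a claims-based check should fail closed, because a token issued by a trusted STS may simply not carry the attribute your policy needs.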
WIF and WCF: Initializing the WIF Pipeline in WCF • Same programming model as ASP.NET… • …different hosting architecture • Self-hosted services: • Call FederatedServiceCredentials.ConfigureServiceHost(host) on your ServiceHost before opening it • Web-activated services: • Derive a new factory from ServiceHostFactory • Override CreateServiceHost and use the above ConfigureServiceHost call in it • Use your custom factory in the @ServiceHost directive of your .svc file
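Both hosting paths from the slide, as an added example rather than the deck's own code. The service contract, the MyService class and the base address are placeholders; FederatedServiceCredentials is taken from the Microsoft.IdentityModel.Configuration namespace of WIF 1.0:

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Threading;
using Microsoft.IdentityModel.Configuration;

// Placeholder service: returns the name WIF placed on the thread principal.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string WhoAmI();
}

public class MyService : IMyService
{
    public string WhoAmI()
    {
        // Once ConfigureServiceHost has run, this principal is an IClaimsPrincipal.
        return Thread.CurrentPrincipal.Identity.Name;
    }
}

// Web-activated hosting: the factory named in the .svc directive, e.g.
//   <%@ ServiceHost Service="MyService" Factory="ClaimsAwareServiceHostFactory" %>
public class ClaimsAwareServiceHostFactory : ServiceHostFactory
{
    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);
        // Must run before Open(): swaps in WIF's credentials and token handlers,
        // configured from the <microsoft.identityModel> section.
        FederatedServiceCredentials.ConfigureServiceHost(host);
        return host;
    }
}

// Self-hosted variant: the same call, placed directly before Open().
public static class SelfHostedEntryPoint
{
    public static void Main()
    {
        Uri baseAddress = new Uri("http://localhost:8000/MyService"); // assumed address
        using (ServiceHost host = new ServiceHost(typeof(MyService), baseAddress))
        {
            FederatedServiceCredentials.ConfigureServiceHost(host);
            host.Open();
            Console.WriteLine("Service running; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

The ordering matters in both cases: calling ConfigureServiceHost after Open() has no effect on the already-built channel stack, so the service would run with plain WCF credentials and no claims on the principal.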
WIF and WCF: WIF Bindings • UserNameWSTrustBinding • CertificateWSTrustBinding • WindowsWSTrustBinding • KerberosWSTrustBinding • IssuedTokenWSTrustBinding
Developing an STS with WIF • WIF provides building blocks for custom STS development • AD FS 2.0 is built with WIF! • Same programming model for all hosting options • Active: WCF • Passive: ASP.NET • Wizards & Templates create a skeleton STS in no time • Perfect for testing purposes • Main activities • Decide who to trust • Decide which kind of credentials you’ll accept • Provide all the cryptographic material for signing & encrypting • Hook in the logic for retrieving claim values
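The four "main activities" on the slide map onto two overrides of WIF's SecurityTokenService base class. The class below is an added example, not the deck's or the product's code; the relying-party allow-list, the certificate subject, the age table and the claim type http://MyNS/AgeClaim are all constructed for illustration:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical STS: GetScope decides who to trust and supplies the cryptographic material,
// GetOutputClaimsIdentity hooks in the claim-value retrieval. Accepted credential types are
// chosen by the WSTrust binding the STS is hosted behind, not in this class.
public class SampleSecurityTokenService : SecurityTokenService
{
    // Assumed allow-list: relying party AppliesTo URI -> subject of its encryption certificate.
    private static readonly Dictionary<string, string> TrustedRelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://rp.example.test/", "CN=rp.example.test" }
        };

    // Assumed attribute source; a real STS reads this from a directory or user store.
    private static readonly Dictionary<string, int> Ages =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) { { "alice", 34 }, { "bob", 16 } };

    public SampleSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("The request must carry an AppliesTo.");

        string appliesTo = request.AppliesTo.Uri.OriginalString;
        string certificateSubject;
        if (!TrustedRelyingParties.TryGetValue(appliesTo, out certificateSubject))
            throw new InvalidRequestException("Untrusted relying party: " + appliesTo);

        // Signing credentials come from the STS configuration (<microsoft.identityModel>).
        Scope scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        // Encrypt the issued token for the RP so only it can read the claims.
        scope.EncryptingCredentials = new X509EncryptingCredentials(FindCertificate(certificateSubject));
        scope.ReplyToAddress = appliesTo;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // principal is the requester as authenticated by the hosting binding.
        string userName = principal.Identity.Name;
        IClaimsIdentity output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, userName));
        output.Claims.Add(new Claim("http://MyNS/AgeClaim", LookupAge(userName).ToString()));
        return output;
    }

    public static int LookupAge(string userName)
    {
        int age;
        if (!Ages.TryGetValue(userName, out age))
            throw new InvalidRequestException("No attributes found for " + userName);
        return age;
    }

    private static X509Certificate2 FindCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectName, true);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + subjectName);
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Rejecting an unknown AppliesTo in GetScope is the "decide who to trust" step: an STS that issues tokens for any audience it is asked about lets a caller obtain a valid token for a relying party it was never meant to reach. The class is hosted behind WSTrustServiceContract for the active (WCF) case or from an ASP.NET page for the passive case; the VS templates mentioned above generate that scaffolding.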
Delegation: Flowing Identity Through Tiers STS STS Frontend Backend
We Barely Scratched the Surface… • TrustChannel • WIF SAML2N • Advanced session management • Step-up authentication • Web farms • Windows Azure • …
Identity @ PDC 2009 • Come visit us at the booth in the pavilion! • Try a hands on lab • Introduction to Windows Identity Foundation • Using WIF to Secure Windows Azure Applications • Attend identity sessions • SVC28: System.Identity Model Accessing Directory Services • PR11: Leveraging & Extending SharePoint Identity Features • SVC26: How Microsoft SharePoint 2010 was Built with WIF • SVC17: Enabling SSO to Windows Azure Applications • SVC02: Windows Identity Foundation Overview • SVC19: REST Security Services in Windows Azure using the Access Control Service
Summary • Claims-based identity simplifies authentication, authorization and customization for your apps • WIF makes it easy for .NET developers to program with claims Free your applications…
YOUR FEEDBACK IS IMPORTANT TO US! Please fill out session evaluation forms online at MicrosoftPDC.com
Learn More On Channel 9 • Expand your PDC experience through Channel 9. • Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses. channel9.msdn.com/learn Built by Developers for Developers…