Claims-based security with Windows Identity Foundation

Upload: abiola

Post on 25-Feb-2016

TRANSCRIPT

Page 1: Claims-based security

Claims-based security

with Windows Identity Foundation

Page 2: Claims-based security

Goals

Introduce you to claims-based security.

Show that it isn’t that hard anymore, thanks to WIF.

And it’s fun!

Page 3: Claims-based security

Some terminology

Page 4: Claims-based security

Two types of federation

WS-Federation: Active Requestor Profile
- Based on WS-Trust
- For active clients, such as WPF and WinForm applications

WS-Federation: Passive Requestor Profile
- Based on WS-Federation
- For web clients
- "Emulating" WS-Trust on top of GET, POST, browser redirects and cookies

Page 5: Claims-based security

Claim

Way too abstract: A statement that is made by one entity about another entity.

Let’s make it a bit more concrete:

A piece of information about a user in a system, issued by a security token service (STS) that a claims-aware application trusts:

Identifying claims: Name, Email, Phone Number

Blind claims: Nationality, Age, Hair color

Role, permission

Page 6: Claims-based security

What’s inside a claim?

ClaimType
- Built-in: name, email, phonenumber
- Custom: organization number, cost center, member status
- …or anything else that makes sense in your system
- Usually they have a URI format, such as: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

ClaimValue
- e.g.: "[email protected]"

Issuer (STS)
- "CN=the.sts.at.somewhere.com", the name of the STS that has issued the claim

And a couple more properties: ClaimValueType, OriginalIssuer, ...

Page 7: Claims-based security

So from a security point of view we can say that a user’s identity is made up of a set of claims.

Page 8: Claims-based security

Security token

Claims on the wire, i.e. a serialized set of claims
- digitally signed by the STS
- encrypted (optional but recommended)

Security token formats:
- SAML: an XML-based standard from OASIS; the most common format; interoperable
- Kerberos
- X.509 certificate

Page 9: Claims-based security

Basic rules of Claims-based authorization

Let go of authenticating the users yourself.

Let the STS handle it instead.

Establish a trust relationship with the STS

Page 10: Claims-based security

The driving forces

- It enables identity federation
- It enables SSO
- Lower user administration costs for organizations
- Always fresh user information
- Seamless step-up authentication
- Separation of concerns
- Better security

Page 11: Claims-based security

What about role-based access control?

Don’t worry...

It’s backward compatible!
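As an added example that is not code from the deck, the C# below builds the claim set described on the "What’s inside a claim?" slide as WIF Claim objects, wraps them in a ClaimsPrincipal, and shows both the backward compatibility with role-based checks this slide refers to and a claims-based authorization manager. It assumes a reference to Microsoft.IdentityModel.dll (WIF 1.0); the custom claim type URI, the user values and the "approve" policy are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// Added example, not code from the deck. Requires a reference to
// Microsoft.IdentityModel.dll (WIF 1.0). All user values below are constructed.
public static class ClaimsDemo
{
    // Issuer name exactly as shown on the deck's "What's inside a claim?" slide.
    public const string StsIssuer = "CN=the.sts.at.somewhere.com";

    // Custom claim type in the usual URI format; this URI is an assumption.
    public const string CostCenterClaimType =
        "http://schemas.example.com/2010/claims/costcenter";

    // Stands in for the identity WIF builds from a validated token: the
    // application never authenticates the user itself, it consumes claims.
    public static IClaimsPrincipal BuildPrincipal()
    {
        var claims = new[]
        {
            // Built-in types expand to the standard URIs, e.g. ClaimTypes.Name is
            // http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            new Claim(ClaimTypes.Name,     "alice",             ClaimValueTypes.String, StsIssuer),
            new Claim(ClaimTypes.Email,    "alice@example.com", ClaimValueTypes.String, StsIssuer),
            new Claim(ClaimTypes.Role,     "Manager",           ClaimValueTypes.String, StsIssuer),
            new Claim(CostCenterClaimType, "4711",              ClaimValueTypes.String, StsIssuer),
        };
        IClaimsIdentity identity = new ClaimsIdentity(claims, "Federation");
        return new ClaimsPrincipal(identity);
    }

    // Value of the first claim of the given type that the trusted STS issued, or null.
    // Filtering on Issuer matters: a claim only means something if you trust who made it.
    public static string FirstClaimValue(IClaimsPrincipal principal, string claimType)
    {
        return principal.Identities
            .SelectMany(id => id.Claims)
            .Where(c => c.ClaimType == claimType && c.Issuer == StsIssuer)
            .Select(c => c.Value)
            .FirstOrDefault();
    }

    public static void Main()
    {
        IClaimsPrincipal user = BuildPrincipal();
        Thread.CurrentPrincipal = user;

        // Backward compatible: existing role-based code keeps working because
        // ClaimsIdentity answers IsInRole() from the claims of type ClaimTypes.Role.
        Console.WriteLine("IsInRole(Manager): " + user.IsInRole("Manager"));

        // Something role-based code cannot express: read an arbitrary claim.
        Console.WriteLine("Cost center: " + FirstClaimValue(user, CostCenterClaimType));

        // Claims-based authorization decision for an action on a resource.
        var authz = new CostCenterAuthorizationManager();
        Console.WriteLine("May approve invoices: " +
            authz.CheckAccess(new AuthorizationContext(user, "Invoice", "Approve")));
    }
}

// WIF invokes CheckAccess() for every request once this class is registered under
// <claimsAuthorizationManager> in the <microsoft.identityModel> configuration section.
public class CostCenterAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and action arrive as claim collections; this policy only keys on the action.
        bool approving = context.Action.Any(a => a.Value == "Approve");
        if (!approving)
            return true;   // example policy: everything else is open to authenticated users

        // Approving requires the Manager role and a cost-center claim from the trusted STS.
        return context.Principal.IsInRole("Manager")
            && ClaimsDemo.FirstClaimValue(context.Principal, ClaimsDemo.CostCenterClaimType) != null;
    }
}
```

The point of the Issuer filter in FirstClaimValue is the "trust relationship" rule from the basic-rules slide: a role or cost-center claim is only as good as the STS that asserted it, so the application checks who issued a claim before acting on its value.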

Page 12: Claims-based security

[Diagram: "Claims based security – One domain". Three parties, with AD behind the STS and a trust relationship between the IP-STS and the RP.]

Active client
- E.g.: WPF, WinForm
- Delivers credentials, e.g.: username / pwd, Windows credentials, certificate

IP-STS (IP = Identity Provider)
- A.K.A.: STS
- E.g.: ADFS 2.0
- Backed by AD
- Keeps a list of RPs it issues tokens for
- Steps performed by the STS: Authenticate, Gather claims, Validate AppliesTo

Application = RP (RP = Relying Party)
- A.K.A.: claims-aware application, service provider
- Example: WCF Service
- The incoming claims are processed in the WCF pipeline

Message flow in the diagram
- Client -> IP-STS: RST (credentials, AppliesTo)
- IP-STS -> client: RSTR (security token, proof key)
- Client -> RP: Msg + token
- RP -> client: Response

Page 13: Claims-based security

[Diagram: "Federated identity", spanning Security Domain A and Security Domain B]

Security Domain A
- WPF Client
- IP-STS

Security Domain B
- RP-STS, with transformation rules
- WCF Service, http://domain/service1

Trust relationships
- The WCF Service trusts the RP-STS
- The RP-STS trusts the IP-STS

Message flow in the diagram
- WPF Client -> RP-STS: Send token (the token obtained from the IP-STS)
- RP-STS -> WPF Client: Issue new token (after applying the transformation rules)
- WPF Client -> WCF Service: Send message + token
- WCF Service -> WPF Client: Send response

Page 14: Claims-based security

Certificates – Security Domain A

IP-STS

Certificate                    Store location                      Purpose
IP-STS's private key           Local Computer/Personal             Sign token
RP-STS's public key            Local Computer/Personal             Encrypt token
SSL certificate                Local Computer/Personal             Secure the channel
Root authority certificate     Trusted Root Certificate Auth.      Create SSL certificate

Active client

Certificate                    Store location                      Purpose
RP's public key                Base64 encoded in app.config        Encrypt message and authenticate RP
IP-STS's SSL public key        Local Computer/Trusted People       Secure the channel
Proof key from RP-STS          (received in the RSTR)              Sign the message to RP

Page 15: Claims-based security

Certificates – Security Domain B

RP-STS

Certificate                    Store location                      Purpose
IP-STS's public key            Local Computer/Trusted People       Validate signature
RP-STS's private key           Local Computer/Personal             Decrypt incoming token and sign issued token
RP's public key                Local Computer/Trusted People       Encrypt token

RP

Certificate                    Store location                      Purpose
RP's private key               Local Computer/Personal             Decrypt token
RP-STS's public key            Local Computer/Trusted People       Validate RP-STS's signature
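The certificate tables above say which key validates a signature; the basic-rules slide says to establish a trust relationship with the STS, and the one-domain diagram shows AppliesTo being checked. As an added example (not code from the deck), the C# below shows the RP side of that in WIF: an IssuerNameRegistry that accepts only tokens signed by a registered STS certificate, plus an audience restriction that rejects tokens issued for a different RP. It assumes a reference to Microsoft.IdentityModel.dll (WIF 1.0); the thumbprint is a placeholder, while the issuer name and service URI are the ones that appear on the slides.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens;

// Added example, not code from the deck. Requires Microsoft.IdentityModel.dll (WIF 1.0).
// The thumbprint is a placeholder; issuer name and service URI come from the slides.
public class TrustedStsIssuerNameRegistry : IssuerNameRegistry
{
    // Thumbprints of the STS signing certificates this RP trusts, mapped to the
    // issuer names the application will later see in Claim.Issuer. The certificate
    // itself is installed under Local Computer/Trusted People, as in the tables above.
    private static readonly IDictionary<string, string> TrustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "THUMBPRINT-OF-THE-STS-SIGNING-CERT-PLACEHOLDER", "CN=the.sts.at.somewhere.com" },
        };

    // WIF's token handler calls this with the signing token after it has verified
    // the signature cryptographically. Returning null rejects the token as untrusted,
    // so a valid signature from an unknown certificate is not enough to get in.
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509 = securityToken as X509SecurityToken;
        if (x509 == null || x509.Certificate == null || x509.Certificate.Thumbprint == null)
            return null;   // this RP only trusts certificate-signed tokens

        string issuerName;
        return TrustedIssuers.TryGetValue(x509.Certificate.Thumbprint, out issuerName)
            ? issuerName
            : null;
    }
}

public static class RelyingPartyTokenPolicy
{
    // Builds the token-handler configuration that applies the two checks making up
    // the trust relationship: who signed the token, and whom it was issued for.
    public static SecurityTokenHandlerConfiguration Build()
    {
        var config = new SecurityTokenHandlerConfiguration();

        // 1. The signature must come from a registered STS certificate.
        config.IssuerNameRegistry = new TrustedStsIssuerNameRegistry();

        // 2. The token's audience (the AppliesTo it was issued for) must name this
        //    service; a token issued for another RP is rejected even when the same
        //    STS signed it.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(
            new Uri("http://domain/service1"));   // service address from the federation diagram

        return config;
    }
}
```

These two settings are the same ones FedUtil writes into the issuerNameRegistry and audienceUris elements of the microsoft.identityModel configuration section; the code form is useful when trust decisions should live in code or be unit-tested. Wiring the returned configuration into a WCF host (ServiceConfiguration and FederatedServiceCredentials) is left out here.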

Page 16: Claims-based security

Certificates

- Certificate Authority, e.g. VeriSign
- Self-signed test certificates – during development: makecert.exe

Page 17: Claims-based security

WIF

A framework for building claims-based applications as well as STSs; an abstraction layer over WS-Trust and WS-Federation.

It contains
- a set of .NET classes inside Microsoft.IdentityModel
- Visual Studio project templates for ASP.NET, WCF applications and STS services
- ASP.NET controls, e.g. FederatedPassiveSignInControl
- FedUtil, a tool that makes it easy to establish trust between the application and the STS

Page 18: Claims-based security

You need this to get started:
- Visual Studio 2008 / 2010
- WIF
- WIF SDK, which includes guidelines, samples etc.

Page 19: Claims-based security

Demo