single signon with federation using claims
DESCRIPTION
This is a presentation that talks about SSO, claims-based authentication and the SAML2 protocol.
TRANSCRIPT
![Page 1: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/1.jpg)
Federation, SSO, Claims
Volkan Uzun
![Page 2: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/2.jpg)
About Me
Software Dev Staff Engineer @ Dell @ RD
Working on Identity Management Applications
Blog: http://volkanuzun.com/blog
Twitter: @volkanuzun
Email: [email protected]
![Page 3: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/3.jpg)
Authentication/Authorization
![Page 4: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/4.jpg)
Why Identity Federation?
• Decouple authentication mechanism from applications and services
• Go claims-based
• Reduce IT pain and risk related to provisioning and de-provisioning users
• Extend trust to users across domain, corporate and Internet boundaries
• Support Single Sign-On (SSO)
![Page 5: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/5.jpg)
Decouple Authentication
• Windows/Kerberos
• Forms authentication
• HTTP basic authentication
• SSL Certificates
• WS-Fed
• WS-Trust
• SAML
• OAuth (authorization, people use it wrong!)
• OpenID (authentication)
![Page 6: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/6.jpg)
Claims
Any information about a subject from a provider.
Identity providers typically issue claims based on the user's identity.
Diagram: Credentials (UserName=volkanuzun, Password=*******) → Authenticate → Claims (Name=volkan uzun, IsOver21=true, Role=Admin, Role=User)
![Page 7: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/7.jpg)
Claims
Applications may transform identity claims into application-specific claims.
Diagram: Identity Provider claims (Name=Volkan Uzun, IsOver21=true, Role=Admin, Role=User) → Transform → Application Specific Claims (LicenseKey=ABC12345, Permission=Create, Permission=Read, Permission=Update, Permission=Delete)
![Page 8: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/8.jpg)
Token
• Contains the claims
• The signature
• Information about the issuer
• May be encrypted
• In XML format
• Has an expiration date
• SAML 1.1/2.0, Simple Web Token, JSON Web Token
![Page 9: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/9.jpg)
Token Types
• SAML: XML based; encryption and signature with asymmetric or symmetric keys; costs processing power
• Simple Web Token (SWT): URL/Form encoded, symmetric signature only
• JSON Web Token (JWT): the new cool guy, symmetric or asymmetric, JSON encoded
![Page 10: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/10.jpg)
Claims-based Identity Pros
Before Claims-based:
• App authenticates the user itself or relies on a 3rd party such as AD to authenticate
• App gets only simple information from the user, such as the user name
After Claims-based:
• Authentication is outsourced to the STS
• App gets any information it needs
![Page 11: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/11.jpg)
STS
• Security Token Service
• Claims are issued by a provider (STS)
• A security token service (STS) is the service component that builds, signs, and issues security tokens
• Client applications trust the STS
• The basic flow is: client requests token, issuer issues token, resource consumes the token
![Page 12: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/12.jpg)
Passive Federation
Diagram: IdP Domain: Quest STS (IdP), Login Page. RP Domain: Web Site (RP). Browser (requestor), User (subject). Labelled steps: 2 SignIn; POST Credentials; 5 Authenticate / Issue Token; 6 POST SignIn Response; 7 Authorize Access (steps 1, 3 and 4 unlabelled).
![Page 13: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/13.jpg)
Active Federation
Diagram: RP Domain: Application (Relying Party, RP). IdP Domain: Identity Provider (IdP). Rich Client. Labelled arrows: Credentials; 2 Authenticate / Issue; Security Token / Claims; 5 Authorize (steps 1, 3 and 4 unlabelled).
![Page 14: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/14.jpg)
Certificate
• Token is signed with a certificate
• Same cert may be used for encrypting the message
• Same cert may be used for cookie encryption
• Cert Type
![Page 15: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/15.jpg)
.NET help me please
RBAC
(Since 2002)
IIdentity
IPrincipal
IIdentity: IsAuthenticated; AuthenticationType; Name
IPrincipal: IIdentity; IsInRole(string roleName);
Thread.CurrentPrincipal
![Page 16: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/16.jpg)
DEMO: Old style
![Page 17: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/17.jpg)
First Attempt: WIF (Windows Identity Foundation)
• Hooks into ASP.NET pipeline
• Not a new solution: Claims
• Embedded into .NET 4.5
![Page 18: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/18.jpg)
ClaimsIdentity, ClaimsPrincipal
ClaimsIdentity : IIdentity { IEnumerable<Claim> Claims }
ClaimsPrincipal : IPrincipal { ReadOnlyCollection<ClaimsIdentity> Identities }
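Added example (not from the deck): the IdP claims from the transformation slide are mapped into application-specific permission claims and then consumed both through the legacy IIdentity/IPrincipal API and through ClaimsPrincipal. The role-to-permission table, the LicenseKey value and the "Federation" authentication type are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading;
// Added example (not from the deck): IdP claims -> application-specific claims,
// consumed through both the legacy IPrincipal API and the claims API.
static class ClaimsTransformDemo
{
    // Constructed sample of what the IdP put in the token (slide 7).
    static ClaimsIdentity IdpIdentity() => new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, "Volkan Uzun"),
        new Claim("IsOver21", "true"),
        new Claim(ClaimTypes.Role, "Admin"),
        new Claim(ClaimTypes.Role, "User"),
    }, "Federation"); // non-null authentication type => IsAuthenticated
    // Assumed application policy: which IdP role grants which permission.
    static readonly Dictionary<string, string[]> RolePermissions = new Dictionary<string, string[]>
    {
        ["User"]  = new[] { "Read" },
        ["Admin"] = new[] { "Create", "Read", "Update", "Delete" },
    };

    // Claims transformation: map only the roles the trusted IdP asserted;
    // an unauthenticated identity is rejected instead of mapped.
    static ClaimsPrincipal Transform(ClaimsPrincipal incoming)
    {
        var idp = incoming.Identities.FirstOrDefault(i => i.IsAuthenticated)
                  ?? throw new UnauthorizedAccessException("no authenticated identity");
        var app = new ClaimsIdentity(idp.AuthenticationType);
        app.AddClaim(new Claim(ClaimTypes.Name, idp.Name));
        var permissions = idp.FindAll(ClaimTypes.Role)
            .SelectMany(r => RolePermissions.TryGetValue(r.Value, out var p) ? p : Array.Empty<string>())
            .Distinct();
        foreach (var perm in permissions) app.AddClaim(new Claim("Permission", perm));
        app.AddClaim(new Claim("LicenseKey", "ABC12345")); // constructed app-specific value
        return new ClaimsPrincipal(new[] { app, idp }); // keep IdP identity so IsInRole still works
    }

    static void Main()
    {
        var principal = Transform(new ClaimsPrincipal(IdpIdentity()));
        Thread.CurrentPrincipal = principal; // what the WIF pipeline does for you
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("Admin")); // legacy RBAC path
        Console.WriteLine(principal.HasClaim("Permission", "Delete")); // claims path
        Console.WriteLine(principal.HasClaim("Permission", "Deploy")); // not granted by any role
    }
}
```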
![Page 19: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/19.jpg)
DEMO
Visual Studio 2010 Demo with WIF
Visual Studio 2012 Demo with .NET 4.5
![Page 20: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/20.jpg)
SSO
• Client applications are responsible for authorization (cookie)
• STS is responsible for user authentication (cookie)
• STS can generate the session token from the cookie
• STS can reissue the session token from the cookie
![Page 21: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/21.jpg)
Log Out
• More difficult than login
• STS has to delete its own cookie
• Each client application must be notified of a logout
![Page 22: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/22.jpg)
Partner Federation
• Your STS acts as a client application for another STS
• When your STS doesn't have the user identity
• Client application still trusts only your STS
• Your STS does claims transformation
![Page 23: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/23.jpg)
Home Realm Redirection
Diagram: Application Domain: Web Site, Quest STS. IdP Domain: IdP STS, Login Page. Browser. Labelled steps: Sign-In Request; POST Credentials; 5 Sign-In Request; 6 Authenticate / Issue Token; 7 Set Cookie; Gather Attributes / Issue Assertion; 9 IdP SAML; 10 Authorize Access; Keystone Assertion w/ Session Token (steps 1 to 4, 8 and 11 unlabelled).
![Page 24: Single SignOn with Federation using Claims](https://reader035.vdocument.in/reader035/viewer/2022070303/54b5b89d4a7959ef6b8b4762/html5/thumbnails/24.jpg)
Warnings
• Caching SessionSecurityToken
• Cookie size may be an issue (even with chunking)
• Infinite loops (cookie issue)
• Load balancer issue (cookie issue)
• Use SSL
• QueryString length may be an issue