windows identity foundation
Are you .NET Developer? We are hiring! Call us at: 818-223-9008
Windows Identity Framework
Manu Sharma, BlackLine.com
Windows Identity Framework
An overview of digital identity and single sign-on.
Agenda
• What problems are we trying to solve
• Claims
• Security Token Service (STS)
• Active Directory Federation Services (ADFS 2.0)
• Claims Aware Application
• Windows Identity Foundation (WIF)
• Passive Federation (Intranet Scenario)
• Partner Federation
• Demo
What problems are we trying to solve?
• One user store per application
• The number of identities each user must keep track of (roles, groups)
• Increasing cost of administering and maintaining user stores
• Lack of control over user identities, both by the user himself and by the organizations
• When someone quits, how many identities in how many systems must be deactivated?
• Single Sign-On
Claims
• Not limited in the same way as e.g. Windows tokens (Kerberos):
- Username
- Groups
• …or the ASP.NET membership provider:
- User
- Roles
- Profiles
Claims (contd.)
• Claims can carry more information about the user: roles, email, age… anything.
• Applications using claims share one common model.
• Can anonymize users (e.g. an IsOver18 claim instead of a date of birth).
• Can be accessed over the internet as well as the intranet.
• Can work with browsers and web services.
• The Name claim and Role claim are something that .NET already understands today:
- HttpContext.Current.User is an IPrincipal (IsInRole)
- HttpContext.Current.User.Identity is an IIdentity (Name, IsAuthenticated)
Security Token Service (STS)
• A centralized service for authentication outside the application (separation of concerns)
• Talks to other STSs at partner organizations
• Issues and transforms claims
Active Directory Federation Services (ADFS 2.0)
• Microsoft's STS
• Integrated with Active Directory
• Supports both active and passive clients
• Can integrate with other WS-Trust services and other STSs
• Supports SAML 1.1 and 2.0 tokens
• Supports WS-Federation (1 and 2) and the SAML 2.0 protocol (not 1.1)
• Two flavors: Service and Proxy
Claims Aware Application
• The application makes authorization decisions based on the claims contained in the security token
• No longer required to make authentication decisions
• Same authorization logic for the application
• Deployed on the intranet or as a cloud service
• Receives claims from its own organization's users or from users of trusted partners
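The authorization model of the Claims (contd.) and Claims Aware Application slides, as an added C# example written against the WIF 3.5 Microsoft.IdentityModel API (this is not code from the deck): the application never authenticates anyone, it only reads claims WIF has already validated and decides. The IsOver18 claim type URI and the trusted issuer name are assumed placeholders.

```csharp
using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;

public static class ClaimsAuthorization
{
    // Assumed claim type for the deck's "IsOver18" anonymizing claim; the STS must issue it.
    private const string IsOver18ClaimType = "http://schemas.example.local/claims/isover18"; // placeholder
    // Assumed logical issuer name, as registered for your STS in WIF's issuerNameRegistry.
    private const string TrustedIssuer = "YourAdfsSts"; // placeholder

    // Decides whether the caller may view age-restricted content.
    public static bool CanViewRestrictedContent(IClaimsPrincipal principal)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;

        // Role claims are mapped by WIF onto IPrincipal.IsInRole, so existing .NET checks keep working.
        if (principal.IsInRole("Administrator"))
            return true;

        // The STS asserts "over 18" without revealing the date of birth (anonymized claim).
        var identity = (IClaimsIdentity)principal.Identity;
        Claim over18 = identity.Claims.FirstOrDefault(c => c.ClaimType == IsOver18ClaimType);
        if (over18 == null)
            return false;

        // Only honour the claim if our own STS issued it; in partner federation, partner claims are
        // transformed by your STS first, so a claim with any other issuer is not to be trusted here.
        if (!string.Equals(over18.Issuer, TrustedIssuer, StringComparison.Ordinal))
            return false;

        return string.Equals(over18.Value, "true", StringComparison.OrdinalIgnoreCase);
    }

    // Typical call site in an ASP.NET page: WIF has already replaced HttpContext.Current.User
    // with an IClaimsPrincipal built from the validated security token.
    public static bool CurrentUserCanView()
    {
        return CanViewRestrictedContent(HttpContext.Current.User as IClaimsPrincipal);
    }
}
```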
Windows Identity Foundation (WIF)
• Provides a common programming model for claims.
• Validates the incoming security token and parses the claims inside it.
• Reduces the complexity and the amount of code needed to implement security in .NET apps (no need to be a security expert).
• Provides plumbing tools integrated into Visual Studio to configure .NET apps to use claims and STSs.
• Works with WCF and ASP.NET applications.
Passive Client (Intranet scenario)
[Diagram: User, Claims-aware app, ADFS STS, Active Directory. The app trusts the STS.]
Flow: Browse app → Not authenticated → Redirected to STS → Authenticate → Query for user attributes → Return Security Token (ST) → Send Token → Return page and cookie.
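How "App trusts STS" is enforced on the application side, as an added C# example (not code from the deck): a custom WIF 3.5 IssuerNameRegistry that accepts only the token-signing certificate of your ADFS STS, so a token signed by any other key is rejected before a principal is ever built. The thumbprint and issuer name are placeholders for your own deployment's values.

```csharp
using System;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens;

// WIF calls GetIssuerName for the key that signed every incoming token. Returning null tells
// WIF the issuer is unknown and token validation fails, which is the behaviour we want for
// any signer other than our own STS. Register it in web.config under
// <microsoft.identityModel><service><issuerNameRegistry type="...ThumbprintIssuerNameRegistry, YourAssembly"/>.
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // Placeholder: SHA-1 thumbprint of the ADFS token-signing certificate (not the SSL cert).
    private const string TrustedStsThumbprint = "0000000000000000000000000000000000000000";
    // Placeholder: logical name that will appear as Claim.Issuer on every claim from this STS.
    private const string TrustedStsName = "YourAdfsSts";

    public override string GetIssuerName(SecurityToken securityToken)
    {
        // Only certificate-based signatures are acceptable for a federation token.
        var x509 = securityToken as X509SecurityToken;
        if (x509 == null)
            return null;

        // Compare thumbprints, not subject names: a subject name can be reproduced under another CA,
        // a thumbprint pins the exact certificate.
        if (string.Equals(x509.Certificate.Thumbprint, TrustedStsThumbprint, StringComparison.OrdinalIgnoreCase))
            return TrustedStsName;

        // Unknown signer: WIF fails validation and the request never reaches the app's pages.
        return null;
    }
}
```

Rotate the placeholder thumbprint whenever the STS token-signing certificate rolls over, otherwise every token is rejected after the rollover.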
Partner Federation
[Diagram: Partner user, Your claims-aware app, Your ADFS STS, Partner ADFS STS & IP (identity provider), Partner Active Directory.]
Flow: Browse app → Not authenticated → Redirect to your STS → Home realm discovery → Redirected to partner STS requesting an ST for the partner user → Authenticate → Return ST for consumption by your STS → Redirected to your STS → Return new ST → Send Token → Process token → Return page and cookie.
DEMO
More Info
http://msdn.microsoft.com/en-us/security/aa570351
Q&A
Manu Sharma, Senior Software Developer
Thank You!