Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Your Applications and Web Services with the Geneva Framework Jim Lavin.

Published byKayli Robertshaw Modified over 10 years ago

Similar presentations

Presentation on theme: "Securing Your Applications and Web Services with the Geneva Framework Jim Lavin."— Presentation transcript:

1 Securing Your Applications and Web Services with the Geneva Framework Jim Lavin

2 About Me Technical Lead with the Transportation Industry Consulting Services Group of EDS, an HP Company Programming since 1978 – Assembly Language on a HeathKit H8 computer Worked mostly on Mid-Range, Desktop and Hand-Held Systems Polyglot Programmer – Assembly, Basic, C, C++, Pascal, Fortran, C#, XML, XSLT, XAML, HTML, CSS, JavaScript and Java Allergic to Big Metal, PL/1, Cobol and IMS

3 Agenda Challenges in a Connected World Claims-Based Identity Concepts Building a simple Passive Security Token Service Securing your ASP.NET Web Application Building a simple Active Security Token Service Securing your WCF Web Services Using Delegation to access secured Web Services

4 Challenges In Identity Identity is essential, but not straightforward –Lots of technologies and standards –Complex decision tree, technology to scenario Cloud computing adds new requirements –Federated single sign on is a must –Usually cant read enterprise directory Need a new approach –Simplify programming model –Cloud/on-premises agnostic

5 Challenge: Getting Information About the User Many authentication systems only convey an identifier, not user attributes Applications must do lookups in directories, databases for information about user –Location of info not obvious – every organizations information system is slightly different –Not straightforward how to look up information about a user from another organization –Applications residing in cloud may not be able to read enterprise directory

6 Challenge: Federation Federation is essential for business to business applications, and when using cloud services –Organizations dont want to manage separate user accounts at every cloud service or partner –Want end users to have single sign on experience

7 Challenge: Identity Delegation Front end application wants to call back end service, Acting As logged in user Todays approaches –Gather users credentials at front end – gives front end app too much power –Give front end full privileged to back end, Trusted subsystem – takes control out of hands of back end app –Kerberos constrained delegation – only works with Kerberos

8 Claims-Based Access Model Claim –Statement by one party about other party –May be an identifier, a characteristic Security token –Signed document containing claims –Produced by Security Token Service (STS) Identity Metasystem –Protocols and architecture for exchange claims Claims-aware application –Claims delivered when user accesses app

9 Application Server Claims-Based Access Model Security Token Service End User 3. Read policy 5. Send claims 1.Establish relationship using metadata 2. Read policy trust 4. Get claims

10 Role Of Security Token Services Key to flexibility in model: Externalize authentication to an STS STS takes care of –How to authenticate user –Where to source claim values about user –Emitting specific types, formats and values of claims to satisfy a specific application Active and Passive STS –Passive STS used by clients that do not have capability to interact with the STS directly; HTML, ASP.NET –Active STS used mainly by smart clients; WinForm, WPF, WCF, etc. Allows application logic to be driven by claims

11 Building a Passive STS Steps –Create an implementation class derived from SecurityTokenService –Create an implementation class derived from SecurityTokenServiceConfiguration –Add a FederatedPassiveTokenService server object to the default.aspx –Configure authentication method

12 BUILDING A PASSIVE STS Demo

13 Securing an ASP.NET Application Steps –Add Assemblies and HTTP Modules to web.config –Switch to anonymous authentication –Create metadata to establish trust –Turn on Passive Redirection –User redirected, authenticated, returns claims Benefit –No code change: works with.Net role-based security –Flexibility: STS admin decides how to authenticate user and retrieve role data

14 Getting Information About User Steps –Write code to read claims using IClaimsPrincipal, IClaimsIdentity Benefits –Easy to get user information –No directory lookup necessary in application –STS admin decides where to get information about user

15 SECURING AN ASP.NET APPLICATION Demo

16 Securing an WCF Service Steps –Add Assemblies to project –Implement a class derived form ServiceHostFactory –Implement a class derived from IssuerNameRegistry –Implement a class derived from IdentityModelServiceAuthorizationManager –Create metadata to establish trust –Modify the.SVC to use the ServiceHostFactory –Modify the binding to use WS-Federation Benefit –Little code change, mostly hosting plumbing –Allows you to access Claims information via Thread.CurrentPrincipal

17 SECURING A WCF SERVICE Demo

18 Calling a WCF Service using Identity Delegation

19 Steps –Configure delegation policy on STS –Write WCF code to call back end service using ActAs client credential Benefits –Familiar WCF programming model –Fine grained control over delegation policy –Back end gets claims it needs –Back end can audit user access accurately –App can turn claims back into mapped NT user for access to Kerberos-protected resources

20 CALLING A WCF SERVICE USING IDENTITY DELEGATION Demo

21 "Geneva" Schedule Beta 1 October 2008 Beta 1 October 2008 Beta 2 1st Half 2009 Beta 2 1st Half 2009 RTM 2nd Half 2009 RTM 2nd Half 2009

22 Review Challenges in a Connected World Claims-Based Identity Concepts Building a simple Passive Security Token Service Securing your ASP.NET Web Application Building a simple Active Security Token Service Securing your WCF Web Services Using Delegation to access secured Web Services

23 PDC Presentations About Identity http://channel9.msdn.com/pdc2008 PDC Tag: Identity Software –(BB42) Identity: "Geneva" Server and Framework Overview –(BB43) Identity: "Geneva" Deep Dive –(BB44) Identity: Windows CardSpace "Geneva" Under the Hood Services –(BB22) Identity: Live Identity Services Drilldown –(BB29) Identity: Connecting Active Directory to Microsoft Services –(BB28).NET Services: Access Control Service Drilldown –(BB55).NET Services: Access Control In the Cloud Services

24 Contact Info Email: jlavin@jimlavin.netjlavin@jimlavin.net Blog: http://www.jimlavin.net/bloghttp://www.jimlavin.net/blog Twitter: http://twitter.com/jimlavinhttp://twitter.com/jimlavin

Download ppt "Securing Your Applications and Web Services with the Geneva Framework Jim Lavin."

Similar presentations

automated single login access to Novell storage resources

automated single login access to Novell storage resources
Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
Hello i am so and so, title/role and a little background on myself (i.e. former microsoft employee or anything interesting) set context for what going.

Hello i am so and so, title/role and a little background on myself (i.e. former microsoft employee or anything interesting) set context for what going.
Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -

Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -
 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
 Rich Randall Development Lead Microsoft Corporation BB44.

 Rich Randall Development Lead Microsoft Corporation BB44.
2 Connecting Active Directory To Cloud Services Jorgen Thelin Senior Program Manager Microsoft Corporation Session Code: IDA306.

2 Connecting Active Directory To Cloud Services Jorgen Thelin Senior Program Manager Microsoft Corporation Session Code: IDA306.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
SAML 2.0 og ”Geneva” OIOSAML Workshop 31. marts 2009 Århus René Løhde, Microsoft

SAML 2.0 og ”Geneva” OIOSAML Workshop 31. marts 2009 Århus René Løhde, Microsoft
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
 Lynn Ayres Program Manager Identity Services  Tore Sundelin Program Manager Identity Services BB29.

 Lynn Ayres Program Manager Identity Services  Tore Sundelin Program Manager Identity Services BB29.
Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.

Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.
 Kim Cameron Distinguished Engineer Microsoft Corporation BB11.

 Kim Cameron Distinguished Engineer Microsoft Corporation BB11.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google