Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation

Published byDalia Hight Modified over 9 years ago

Similar presentations

Presentation on theme: "SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation"— Presentation transcript:

1 SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation dbayer@microsoft.com

2 SAML August 27, 2001 S2 Agenda  Overview of Microsoft authentication & authorization plans  Problem space  Our understanding of the scenarios  Our current approach  How could we use SAML?  Migration?  Integration?

3 SAML August 27, 2001 S3 Windows.NET Windows.NET Authentication Architecture  Windows.NET Authorization: Extending the Windows Model  Resource-Based Authorization: ACLs & Groups  Application-Based Authorization: RBAC  Making It All Secure

4 SAML August 27, 2001 S4.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 11 11 11 11 RequestMeetingRequestMeeting

5 SAML August 27, 2001 S5.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 22 22 Query&RequestQuery&Request

6 SAML August 27, 2001 S6.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 33 SOAPMessageSOAPMessage

7 SAML August 27, 2001 S7.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority 44 AcceptAccept 44

8 SAML August 27, 2001 S8.NET Process Scenario MyHS.NET MyNotifications.NET Fred@TinyCo.com Mary@BigCo.comFredOwnerMaryViewer Roles myCalendar.NET myCalendar.NET DirectoryDirectory KDC AA AA = Authentication Authority Signed Message; Accepted 55

9 SAML August 27, 2001 S9 Windows.NET Application Security Framework DMZ Partner/Supplier Store = Directory or Database AA =Authentication Authority Customer Employee Enterprise Internet AA StoreStoreDirectTrustDirectTrust MMSMMS KerberosKerberos Direct Trust (XCerts, XKMS) Direct Trust (XCerts, XKMS) Signed Messages (XMLDSIG, S/MIME, CAPICOM) Signed Messages (XMLDSIG, S/MIME, CAPICOM)

10 SAML August 27, 2001 S10 Windows.NET Application Security Framework DMZ Partner/Supplier Store = Directory or Database AA =Authentication Authority Customer Employee Enterprise Internet AA StoreStoreDirectTrustDirectTrust MMSMMS KerberosKerberos Trust Federation (Passport, Identrus) Trust Federation (Passport, Identrus) Passport, Kerberos, Basic SSL, Digest, …

11 SAML August 27, 2001 S11 Windows.NET Application Security Framework DMZ Partner/Supplier Store = Directory or Database AA =Authentication Authority Customer Employee Enterprise Internet AA StoreStore RBACPolicy RBACPolicyRBACPolicy Threats from Inside & DMZ Threats from Internet

12 SAML August 27, 2001 S12 Windows.NET Authentication  Multiple credential types  Passwords, tokens, smartcards  Multifactor: Key + biometric  Multiple Client to Server protocols:  Today: Basic, NTLM, Passport, Digest, SSL, Kerberos, …  Converge on Kerberos & Kerberos/TLS in the future  Message Signing and Signature verification  Single Server to Server protocol: Kerberos w/constrained delegation  IETF standard, interoperable, scalable  Secure: mutual authentication  Extensible credentials support  Passwords, X.509 certificates, tokens,…  Directory independent authentication

13 SAML August 27, 2001 S13 Front End Application Windows.NET Authentication Verify Policy: Allowed-To-Delegate-To Users KDC Back End Application TicketTicket TicketTicket TrustTrust Passport Basic Digest SSL Signed Messages, S/MIME/SMTP XMLDSIG/HTTP Cert Kerberos

14 SAML August 27, 2001 S14 Application Classification For Authorization  Resource Managers  Resources are well-defined with persistence  Access is controlled to operations on such objects  E.g. File system, database, Active Directory, …  Gatekeepers: Special form of resource managers  Resources are other applications  Controls access to other applications  E.g. OS itself, Web Server, VPNs, Firewalls, …  Business Processes  Resources aren’t well defined; operations, processes & workflows are  Access is controlled to operations, processes, workflows  E.g. LOB applications, Transaction processing,...

15 SAML August 27, 2001 S15 Authorization: Role Based Model  Roles-based  LOB, B2B, B2C and workflow applications  Characteristics  No real objects but operations & tasks are well-defined  Authorizations aren’t simply yes/no on operation  Operation data & business rules matter  Typically have a state machine  Where do you ‘hang’ the ACL?  Applications enforce access  Users authenticate to Authentication Authority  Application performs authorization  Application has full access to underlying objects

16 SAML August 27, 2001 S16 Roles-Based Authorization Manager Windows Authorization API Gatekeeper Applications (Web Server/URL, VPNs, Firewalls,…) Resource Manager Applications (Document Store, Mail Store,…) Business Process Applications (E-Commerce, LOB Applications,…) Windows Authorization API Authorization Administration Manager Common Roles Management UI PolicyStorePolicyStore Active Directory Or XML (Files, SQL)

17 SAML August 27, 2001 S17 Roles-Based Authorization Manager Windows Authorization API Gatekeeper Applications (Web Server/URL, VPNs, Firewalls,…) Common Roles Management UI URL-Based Authorization Scopes VDirs, URL, PrefixVDirs, URL, PrefixTasks Basic: GET/POSTBasic: GET/POST Dynamic by associating VBscript business rulesDynamic by associating VBscript business rulesGroups StaticStatic ComputedComputed LDAP queryLDAP queryRoles Defined by administrators and applicationsDefined by administrators and applications URL Windows Authorization API Web-Based Application Windows Authorization API IIS

18 SAML August 27, 2001 S18 SAML/Kerberos – Protocol Overview Web Servers KDC WebAuthServer(s) GetGet (NetscapeMAC) (Web Sphere) AIX (Windows.NET)

19 SAML August 27, 2001 S19 SAML/Kerberos Protocol Overview Web Servers KDC WebAuthServer(s) Redirect(1)Redirect(1) SSL User Name Password AS-ReqTGS-Reg(2)AS-ReqTGS-Reg(2) Sess-CookieTGT AP-Req(3)AP-Req(3)

20 SAML August 27, 2001 S20 Web Servers SAML/Kerberos Protocol Overview KDC WebAuthServer(s) GetGet Sess-CookieTGT AP-ReqAP-Req Sess-CookieAP-Req Dat a AP-Req(cached) Subsequent requests: Browser sends AP-REQ in cookie Web Server checks against saved AP-REQ, if OK, returns requested URL

21 SAML August 27, 2001 S21 Protocol Overview – Initial Request to Second Web Server  Browser does GET to WebSphere  WebSphere redirects to WebAuth  Redirect contains TGT in cookie  WebAuth does TGS-REQ, then proceeds as before

22 SAML August 27, 2001 S22 SAML/Kerberos – Protocol Overview Web Servers KDC DirectoryDirectory MIT-KDC Apache WebAuthServer(s) GetGet Sess-CookieTGT Affiliate Site

23 SAML August 27, 2001 S23 SAML/Kerberos Protocol Overview Web Servers KDC DirectoryDirectory KDC WebAuthServer(s) Redirect(1)Redirect(1) SSL Sess-CookieTGT AS-Req(2)AS-Req(2) AP-Req(3)AP-Req(3) Sess-CookieTGT AS-ReqAS-Req Affiliate Site

24 SAML August 27, 2001 S24 SAML/Kerberos – Protocol Overview Web Servers KDC DirectoryDirectory KDC WebAuthServer(s) GetGet Sess-CookieTGT Affiliate Site AP-ReqAP-Req Sess-CookieAP-Req Dat a

25 SAML August 27, 2001 S25 Questions?

Download ppt "SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation"

Similar presentations

Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)

Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.

JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.

Similar presentations

Ads by Google