
Essential aspects of developing applications with Windows Identity Foundation ARC303 Pedro Félix CCISEL




1 Essential aspects of developing applications with Windows Identity Foundation ARC303 Pedro Félix CCISEL

2 Identity management and access control have always been an important aspect of the architecture and implementation of decentralised systems. The advent of the Software as a Service and Cloud Computing paradigms has increased this importance by making these decentralised scenarios more common. Recently, the claims-based model has emerged as a flexible and scalable way to manage identity and access control in these decentralised contexts. Windows Identity Foundation (WIF) provides the programming model and the infrastructure for building claims-based applications on top of the WCF and ASP.NET platforms. This session aims to give participants the essential knowledge they need to start using WIF effectively. It begins with a review of the claims-based model, namely the concepts of claim, security token and issuer. It then shows how these concepts are materialised in the WIF object model, namely: the representation of identity through claims; the processing pipeline for security tokens and claims, including issuer registration and the authentication and authorization managers; and claims-based authorization. Windows Identity Foundation Essentials

3 Pedro Félix is a lecturer at the Instituto Superior de Engenharia de Lisboa (ISEL), where he is responsible for courses in the areas of computer security and programming. He is also a member of the Centro de Cálculo do ISEL (CCISEL), where he carries out development, consulting and advanced training activities for companies. In 2008 and 2009 he was awarded the title of MVP - Connected Systems Developer by Microsoft. Pedro Félix, Centro de Cálculo do ISEL (CCISEL)

4 Motivation The claims based model Windows Identity Foundation Identity and claims representation Consumption pipeline ASP.NET and WCF Integration Issuance pipeline try { 4

5 Motivation CloudTrack. Create/view issues; View/manage issues

6 Identity and Authorization creds Contoso:: Alice webapp:: IssueView Contoso:: LeadDev webapp:: IssueMgr 6

7 webapp (IssueTracker) Centralized Solution creds Contoso:: Alice webapp:: IssueView Contoso:: LeadDev webapp:: IssueMgr Membership Provider Role Provider IPrincipal.IsInRole(...)

8 webapp (IssueTracker) Decentralized Authority creds Contoso:: Alice webapp:: IssueView Contoso:: LeadDev webapp:: IssueMgr 8 Contoso Authority

9 Contoso webapp The Claims Model creds Contoso:: Alice webapp:: IssueView Contoso:: LeadDev Alice webapp:: IssueMgr Claims Security Token Identity Provider (Issuer) Identity Consumer (Relying Party) Accepts Issues

10 The Claims Model Consumer/ Provider Identity {Claims} Consumer Subject Provider Security Tokens Issue About Use

11 Demo Demo.RP ADFS Demo.MIP username+password Memb. Prov. Role Prov. ASP.NET WIF Identity Consumer Identity Transformer Identity Provider

12 Not only for Federation webapp 2 smart card or username+password windows authn AD webapp 1

13 Not only for Federation external app/service Partner windows authn IdP AD webapp 2 webapp 1 smart card or username+password

14 Protocols Browser IdP webapp tk Active Client IdP service tk WIF Web applications: passive protocol – WS-Federation. Services: active protocol – WS-Trust. WIF

15 SAML Tokens Security Assertion Markup Language Signed by provider (issuer) (Optionally) Encrypted to consumer Subject confirmation Bearer (passive protocols) Holder-of-Key (active protocols) Audience restrictions (avoid reuse at other consumers) Statements (claims) Authentication, Authorization and Attributes Certificate configuration

16 Purpose: automatic configuration Published by both consumers and providers Signed XML documents containing Endpoint addresses Claims and token types required and offered Certificates … 16 Federation Metadata

17 Windows Identity Foundation Contents: .NET Class Library (Microsoft.IdentityModel.dll) Visual Studio AddIns Purpose: Identity Consumers Identity Providers Client helpers – client channels for WCF Unified model for both ASP.NET and WCF

18 Class model for identity representation Claims consumption pipeline Token validation Identity transformation Authorization decisions Claims issuance pipeline 18 WIF Essentials

19 Claims Class Model 19

20 WIF Consumer Pipeline Host (e.g. ASP.NET, WCF) Host Adaptation Layer 20

21 WIF Consumer Pipeline Host (e.g. ASP.NET, WCF) Host Adaptation Layer Token Handler Token Resolver Serialized Token Claims Identities Token ref 21


23 WIF Consumer Pipeline Host (e.g. ASP.NET, WCF) Host Adaptation Layer Token Handler Token Resolver Issuer Name Registry Issuer Name Registry Serialized Token Claims Identities Token Issuer Token Issuer Name Token ref 23


25 WIF Consumer Pipeline Host (e.g. ASP.NET, WCF) Host Adaptation Layer Token Handler Token Resolver Issuer Name Registry Serialized Token Claims Identities Claims Authentication Manager Claims Principal Token Issuer Token Issuer Name Token ref
    // Claims authentication manager: transforms the incoming identity before it
    // reaches the application. The role value "LeadDev" is reconstructed from the
    // Contoso::LeadDev -> webapp::IssueMgr mapping of slide 9 (it was cut off here).
    public override IClaimsPrincipal Authenticate(
        string endpointUri, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal.Identities[0].Claims.Any(c =>
                c.ClaimType.Equals(ClaimTypes.Role) && c.Value.Equals("LeadDev")))
        {
            incomingPrincipal.Identities[0].Claims.Add(
                new Claim(ClaimTypes.Role, "IssueMgr"));
        }
        return incomingPrincipal;
    }

26 WIF Consumer Pipeline Host (e.g. ASP.NET, WCF) Host Adaptation Layer Token Handler Token Resolver Issuer Name Registry Serialized Token Claims Identities Claims Authentication Manager Claims Authorization Manager Claims Principal Authorization Context boolean Token Issuer Token Issuer Name Token ref
    // Claims authorization manager: called by the pipeline with the resource
    // (here the raw URL) and the principal; returns the access decision.
    public override bool CheckAccess(AuthorizationContext context)
    {
        var resource = new Uri(context.Resource.First().Value);
        if (resource.AbsolutePath.Equals("/demo.rp/issues.aspx"))
        {
            return context.Principal.Identities[0].Claims.Any(c =>
                c.ClaimType.Equals(ClaimTypes.Role) && c.Value.Equals("IssueMgr"));
        }
        return true;
    }

    // Explicit enforcement: the demand is evaluated by the same manager.
    [ClaimsPrincipalPermission(SecurityAction.Demand,
        Operation = "Get", Resource = "ViewIssues")]
    private void ViewIssues() { … }

27 WIF Consumer Pipeline Host (e.g. ASP.NET, WCF) Host Adaptation Layer Token Handler Token Resolver Issuer Name Registry Serialized Token Claims Identities Claims Authentication Manager Claims Authorization Manager Claims Principal boolean Token Issuer Token Issuer Name Token ref

28 WIF Consumer Pipeline (ASP.NET) ASP.NET Host Adaptation Layer Token Handler Token Resolver Issuer Name Registry Serialized Token Claims Identities Claims Authentication Manager Claims Authorization Manager Claims Principal boolean Token Issuer Token Issuer Name Token ref ClaimsAuthorization Module ClaimsPrincipal HttpModule WSFederationPassive AuthenticationModule SessionAuthentication Module

29 ASP.NET Integration AuthenticateRequest PostAuthenticateRequest AuthorizeRequest EndRequest Any Authentication Module ClaimsPrincipal HttpModule ClaimsAuthorization Module SessionAuthentication Module Using a legacy authentication mechanism, e.g. Forms authentication

30 ASP.NET Integration AuthenticateRequest PostAuthenticateRequest AuthorizeRequest EndRequest WSFedAuthentication Module ClaimsAuthorization Module SessionAuthentication Module Using federated authentication (WS-Federation)

31 WS-Federation Authn Module (FAM) ? Authenticate FAM EndRequest IdP FAM Authenticate HTTP request HTTP request with fed. request message HTTP redirect with fed. response message HTTP redirect with fed. request message HTTP request with fed. response message ? Authorize ? Authorize RP Security Token Handler 31

32 WSFederationAuthenticationModule OnAuthorizationFailed RedirectingToIdentityProvider SecurityTokenReceived SecurityTokenValidated … SessionAuthenticationModule SessionSecurityTokenCreated SessionSecurityTokenReceived … 32 Module Pipeline Events

33 FederatedPassiveSignIn FederatedPassiveSignInStatus 33 Controls

34 WCF already supported federation and claims System.IdentityModel.dll e.g. WS2007FederationHttpBinding binding, Claims class WIF Builds upon this previous support Changes the token processing model WCF and ASP.NET uniform model Adds client-side features (e.g. explicit token requests) 34 WCF Integration

35 FederatedServiceCredentials Derives from ServiceCredentials Static method ConfigureServiceHost(ServiceHostBase) “installs” WIF (the Host Adaptation Layer) Overrides WCF behavior, namely Configuration (e.g. username validation) Authorization policies Authentication manager 35 WCF Integration

36 WIF Consumer Pipeline (WCF) WCF Host Adaptation Layer Token Handler Token Resolver Issuer Name Registry Serialized Token Claims Identities Claims Authentication Manager Claims Authorization Manager Claims Principal boolean Token Issuer Token Issuer Name Token ref ServiceAuthorization Manager SecurityTokenAuthenticator

37 Producer Model – host independence 37

38 Producer Model – issue pipeline Issue Pipeline: ValidateRequest, GetScope, CreateSecurityTokenDescriptor, GetSecurityTokenHandler, GetIssuerName, GetTokenLifetime, GetProofToken, GetOutputClaimsIdentity, CreateToken, GetDisplayToken, GetResponse. GetScope: creates the Scope (signing and encrypting creds., reply-to address). GetOutputClaimsIdentity: creates the issued claims identity (defines the issued claims). Other non-mandatory extensibility points: ValidateRequest, …
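The two mandatory extensibility points of the issue pipeline, GetScope and GetOutputClaimsIdentity, as an added example written for this transcript (it is not the session's Demo.MIP code). The class name follows slide 39; the relying-party table, the reply address and the claim values are constructed, and the LeadDev-to-IssueMgr mapping is the one shown on slide 9. It targets the Microsoft.IdentityModel (WIF 3.5) API the slides describe.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Added example: a minimal security token service implementing the two
// mandatory extensibility points of the WIF issue pipeline (slide 38).
public class SimpleSecurityTokenService : SecurityTokenService
{
    // Constructed allow-list of relying parties this issuer serves, keyed by
    // the AppliesTo URI sent in the request; the value is the reply-to address.
    private static readonly IDictionary<string, string> KnownRelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://localhost/demo.rp/", "https://localhost/demo.rp/default.aspx" }
        };

    public SimpleSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    // GetScope decides whether the request is acceptable and, if so, which
    // signing (and optionally encrypting) credentials and reply address apply.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
        {
            throw new InvalidRequestException("The request must carry an AppliesTo address.");
        }

        string appliesTo = request.AppliesTo.Uri.OriginalString;
        string replyTo;
        if (!KnownRelyingParties.TryGetValue(appliesTo, out replyTo))
        {
            // Refusing unknown audiences keeps this issuer from minting tokens
            // for a relying party it never agreed to serve.
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);
        }

        var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = replyTo;
        // Tokens are signed but, in this example, not encrypted; an issuer that
        // encrypts sets scope.EncryptingCredentials to the consumer's certificate.
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    // GetOutputClaimsIdentity defines the claims placed in the issued token:
    // the caller's name is copied and the Contoso "LeadDev" role is mapped to
    // the webapp "IssueMgr" role (slide 9). Nothing else is forwarded.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            throw new InvalidRequestException("The caller must be authenticated.");
        }

        var output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));

        // The input identity may come from a non-claims host (e.g. Windows
        // authentication); only role claims actually present are transformed.
        var incoming = principal.Identity as IClaimsIdentity;
        if (incoming != null)
        {
            foreach (Claim c in incoming.Claims)
            {
                if (c.ClaimType == ClaimTypes.Role && c.Value == "LeadDev")
                {
                    output.Claims.Add(new Claim(ClaimTypes.Role, "IssueMgr"));
                }
            }
        }
        return output;
    }
}
```

The class is host independent (slide 37): the same instance is handed to FederatedPassiveSecurityTokenServiceOperations.ProcessRequest in an ASP.NET page (slide 39) or exposed through WSTrustServiceHostFactory in WCF (slide 40). Failing closed on an unknown AppliesTo is what makes the token's audience restriction (slide 15) meaningful at the issuer's side.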

39 Producer Model – ASP.NET
    // Passive (WS-Federation) front end: the page hands the request, the
    // already-authenticated user and the STS to the WIF operations helper.
    protected void Page_Load(object sender, EventArgs e)
    {
        FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
            Page.Request,
            Page.User,
            new SimpleSecurityTokenService(new SimpleSecurityTokenServiceConfiguration()),
            Page.Response);
    }

40 Producer Model - WCF
    <%@ ServiceHost Language="C#" Debug="true"
        Factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory,…"
        Service="Demo.MIP.SimpleSecurityTokenServiceConfiguration" %>

41 Producer Model – WCF integration 41

42 Identity and Access Control Management Claims Model Relevance WIF Class library for both identity providers and consumers Multiple hosts: ASP.NET and WCF 42 } finally {

43 Q & A 43

44 Your opinion matters! Complete the evaluation questionnaire and return it at the exit.



47 ClaimsPrincipalHttpModule Hooks on the PostAuthenticateRequest event Translate, into the claims-model, the authentication performed by another module ClaimsAuthorizationModule Hooks on the AuthorizeRequest event If current user is authenticated, then calls the authorization manager Action = HTTP method, Resource = raw URL If authorization is denied, complete request with a 401 status code ASP.NET integration 47

48 ASP.NET integration WSFederationAuthenticationModule Hooks on the AuthenticateRequest If request is a sign-in federation message, process it Hooks on the PostAuthenticateRequest Behavior similar to the ClaimsAuthorizationModule Hooks on the EndRequest If response status code is 401 and request is not authenticated, then redirect to identity provider with a sign-in request message 48

49 ASP.NET integration SessionAuthenticationModule Hooks on the AuthenticateRequest event Try to read and validate session token from a cookie If successful, then sets the current principal with the session token info Uses a CookieHandler to read and write from cookies 49
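A Global.asax code-behind that handles the module pipeline events of slide 32 from the two modules described on slides 48 and 49, written as an added example for this transcript (not the Demo.RP code). It assumes the modules are registered in web.config under the names WSFederationAuthenticationModule and SessionAuthenticationModule, since ASP.NET wires Global.asax methods named moduleName_EventName to module events; the reply address and the 30-minute session policy are constructed values.

```csharp
using System;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

// Added example: reacting to WSFederationAuthenticationModule and
// SessionAuthenticationModule events from Global.asax (WIF 3.5 API).
public class Global : System.Web.HttpApplication
{
    // Constructed policy: a session cookie is valid for at most 30 minutes and
    // is re-issued once more than half of its lifetime has elapsed.
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30);

    // Raised after the token handler validated the incoming token and before
    // the resulting principal becomes the request's user.
    void WSFederationAuthenticationModule_SecurityTokenValidated(
        object sender, SecurityTokenValidatedEventArgs e)
    {
        IClaimsIdentity id = e.ClaimsPrincipal.Identities[0];
        bool hasName = false;
        foreach (Claim c in id.Claims)
        {
            if (c.ClaimType == ClaimTypes.Name) hasName = true;
        }
        // A token from a trusted issuer that carries no name claim is still
        // unusable for this application, so the sign-in is aborted here.
        if (!hasName) throw new InvalidOperationException("token has no name claim");
    }

    // Raised on EndRequest before the 401 is turned into a redirect (slide 48):
    // pin the address the identity provider must post the response back to.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        e.SignInRequestMessage.Reply = "https://localhost/demo.rp/default.aspx"; // constructed
    }

    // Raised when the session module turns the validated principal into a
    // session token; shorten its validity before the cookie is written.
    void SessionAuthenticationModule_SessionSecurityTokenCreated(
        object sender, SessionSecurityTokenCreatedEventArgs e)
    {
        var sam = (SessionAuthenticationModule)sender;
        DateTime now = DateTime.UtcNow;
        e.SessionToken = sam.CreateSessionSecurityToken(
            e.SessionToken.ClaimsPrincipal, e.SessionToken.Context,
            now, now.Add(SessionLifetime), e.SessionToken.IsPersistent);
        e.WriteSessionCookie = true;
    }

    // Raised on every request carrying a session cookie (slide 49): renew the
    // cookie once more than half of its lifetime has passed (sliding expiration).
    void SessionAuthenticationModule_SessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        DateTime now = DateTime.UtcNow;
        DateTime validFrom = e.SessionToken.ValidFrom;
        DateTime validTo = e.SessionToken.ValidTo;
        TimeSpan half = TimeSpan.FromTicks((validTo - validFrom).Ticks / 2);
        if (now < validTo && now > validFrom + half)
        {
            var sam = (SessionAuthenticationModule)sender;
            e.SessionToken = sam.CreateSessionSecurityToken(
                e.SessionToken.ClaimsPrincipal, e.SessionToken.Context,
                now, now.Add(SessionLifetime), e.SessionToken.IsPersistent);
            e.ReissueCookie = true;
        }
    }
}
```

The session token, not the original SAML token, is what every subsequent request is authenticated with, so its lifetime is the window an intercepted cookie stays usable; the CookieHandler mentioned on slide 49 is where the cookie's Secure and HttpOnly settings are configured.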

50 Authorization Model - Enforcement Called automatically in the pipeline ASP.NET – In a HTTP Module (ClaimsAuthorizationModule) WCF – In the service dispatcher Called explicitly via permission demand Similar to PrincipalPermission and PrincipalPermissionAttribute ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute 50


52 A taxonomy of claims Primordial vs. Substantive claims Primordial – proof (e.g. shared secret) presentable by only one subject Substantive – produced by claims providers Claim types Static – properties of the subject National Identifier Number; Date-of-Birth Derived – derived from other claims Portuguese Citizen; Over-18 Membership – role or group membership, relation with other subject Administrator; Lead Developer; Purchase Officer Capability – authorization to something Can-emit-purchase-order; Can-admin-CI-server Contextual – information about the context Authentication method, location and time 52

53 Security Token Analogies National Identity Card Claims: Name, DoB, PoB, Address Subject binding: picture and signature Issuer binding: physical anti-tampering measures Consumer binding: omni-directional identity Train Ticket Claims: authorization to travel in a specific train/place Subject binding: holder, claim Issuer binding: physical anti-tampering measures, signature Consumer binding: authorization details 53

54 Authorization Model “Old” model (PrincipalPermission) PrincipalPermission constructed with the required identity names and/or roles Association between the permission and the users is hard-coded “New” model (ClaimsPrincipalPermission) ClaimsPrincipalPermission constructed with the resource and action characterization Association between the permission and the required identity is external 54
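The contrast of slide 54 and the two enforcement styles of slide 50, as an added example for this transcript (not the session's Demo.RP code): a ClaimsAuthorizationManager whose policy lives outside the protected code, the same decision reached by an explicit permission demand, and the legacy PrincipalPermission beside it. The policy table, resource names and claim values are constructed, and the code assumes the Microsoft.IdentityModel (WIF 3.5) API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Permissions;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// Added example: "new" authorization model with an externalised policy.
public class PolicyAuthorizationManager : ClaimsAuthorizationManager
{
    // Constructed policy: the role claim a (resource, action) pair requires.
    // In a deployment this table would come from configuration, not code.
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>
        {
            { "ViewIssues:Get",    "IssueView" },
            { "ManageIssues:Get",  "IssueMgr" },
            { "ManageIssues:Post", "IssueMgr" }
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        // Fail closed: no policy entry means no access.
        string key = context.Resource.First().Value + ":" + context.Action.First().Value;
        string role;
        if (!RequiredRole.TryGetValue(key, out role)) return false;
        return context.Principal.Identities
            .SelectMany(i => i.Claims)
            .Any(c => c.ClaimType == ClaimTypes.Role && c.Value == role);
    }
}

public static class IssueService
{
    // "New" model: the attribute names resource and action only; who satisfies
    // it is decided by the configured ClaimsAuthorizationManager.
    [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "ManageIssues", Operation = "Post")]
    public static string CloseIssue(int id) { return "issue " + id + " closed"; }

    // "Old" model: the required role name is hard-coded at the call site.
    [PrincipalPermission(SecurityAction.Demand, Role = "IssueMgr")]
    public static string CloseIssueLegacy(int id) { return "issue " + id + " closed"; }
}

public static class Demo
{
    // Builds a claims principal from constructed claims (slide 19 class model).
    static IClaimsPrincipal Principal(params string[] roles)
    {
        var claims = new[] { new Claim(ClaimTypes.Name, "alice") }
            .Concat(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        return ClaimsPrincipal.CreateFromIdentity(new ClaimsIdentity(claims, "Demo"));
    }

    // Explicit check, built the way the ClaimsAuthorizationModule builds it for
    // an HTTP request (slide 47): Action = method, Resource = URL.
    public static bool Allowed(IClaimsPrincipal p, string resource, string action)
    {
        var ctx = new AuthorizationContext(p, resource, action);
        return new PolicyAuthorizationManager().CheckAccess(ctx);
    }

    public static void Main()
    {
        IClaimsPrincipal viewer = Principal("IssueView");
        IClaimsPrincipal manager = Principal("IssueView", "IssueMgr");
        Console.WriteLine(Allowed(viewer, "ViewIssues", "Get"));     // True
        Console.WriteLine(Allowed(viewer, "ManageIssues", "Post"));  // False
        Console.WriteLine(Allowed(manager, "ManageIssues", "Post")); // True

        // Permission demands read Thread.CurrentPrincipal. For the demand on
        // CloseIssue to consult PolicyAuthorizationManager, that class must be
        // registered as the application's claimsAuthorizationManager in
        // configuration; without that registration WIF's default manager answers.
        Thread.CurrentPrincipal = viewer;
        try { IssueService.CloseIssue(7); }
        catch (SecurityException) { Console.WriteLine("viewer denied"); }
    }
}
```

Changing who may close issues now means editing the policy table (or the configuration it is loaded from), whereas CloseIssueLegacy has to be recompiled; that is the "association is external" point of slide 54.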




