Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates www.davidchappell.com.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates www.davidchappell.com."— Presentation transcript:

1 Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates www.davidchappell.com

2 Session Objectives Provide a basic understanding of Microsoft’s identity technologies for application developers Give a clear sense of how they fit together today and when to use each one Explain why claims-based applications matter

3 Identity Basics Identity Within a Windows Forest Identity Between a Forest and Other Identity Scopes Identity for Internet Applications Synchronizing Identity Information Agenda

4 Identity Basics

5 What is Identity? An identity is a set of information about some entity, such as a user Users often have multiple identities An application can use this information in various ways, such as: Authentication: Does this information really describe the user who presented it? Authorization: What does the application let this user do? Personalization: How does the application interact with this user?

6 Token Claim 1... Claim 2 Claim 3 Claim n A token is a set of bytes that expresses information about an identity This information consists of one or more claims Each claim contains some information about the entity to which this token applies How an identity is represented on the wire Name Example Claims GroupAge

7 Kerberos ticket Commonly used for applications within a Windows forest Includes a user’s name and group identifiers Fixed format; extensions are difficult Username/password Commonly used for Internet applications Security Assertion Markup Language (SAML) token Can be used for applications within a Windows forest and Internet applications Open XML-based format; can contain any claims

8 Identity Providers and Token Sources An identity provider is an authority that makes claims about an entity Common identity providers today: On your company’s network: Your employer On the Internet: Most often, you An identity provider can rely on a token source It’s software that actually issues tokens

9 Application Client Identity Provider 1) Acquire token TokenToken 2) Send token TokenToken Token Source

10 Domain-based applications: Accept only a single token format with a fixed set of claims Example: A Windows application that accepts only Kerberos tickets The most common approach today Claims-based applications: Can potentially accept multiple token formats with varying sets of claims Example: A Windows application that accepts SAML tokens containing various claims The direction for the future

11 Identity within a Windows Forest

12 Identity In a Single Identity Scope A Windows forest defines an identity scope The forest can be viewed as having a single identity provider, e.g., the organization the forest belongs to Tokens issued within a forest can be used with any application in the forest

13 Token Sources Within a Forest For domain-based applications: Active Directory (AD) Domain Services Formerly called just Active Directory Token: Kerberos ticket For claims-based applications: Active Directory Federation Services (ADFS) Token: SAML token

14 3) Extract claims from token and authenticate Windows Domain ApplicationClient 4) (Optional) Use claims to look up information about user AD Domain Services Windows 1) Acquire token KerberosTicket 2) Send token KerberosTicket Token Source

15 Focused on supporting claims-based applications, allowing: The user to supply the application directly with the information it needs as claims Accepting identities defined in another scope: identity federation A standard part of Windows Server 2003 R2 And Windows Server 2008 ADFS currently supports only browser clients ADFS 2.0 is scheduled to support other options

16 AD Domain Services 1) Access application and get redirected to ADFS server Windows Domain Application Windows Server 2003 R2 2) Authenticate and request token for application Kerberos Ticket ADFS Server Token Source 4) Send token to application SAML Token ADFS Acquiring and using a token in the same forest Web Browser 3) Receive token for application SAML Token ADFS Agent

17 NT Token applications Remain unaware that ADFS is used The ADFS agent makes everything look normal Existing applications can work unchanged with ADFS Claims-aware applications Written to use specific claims Use an ADFS-provided namespace to access claims in the SAML token Require configuring the ADFS Account Server to insert those claims in the token

18 A claim can identify a user A claim can convey group or role membership A claim can convey personalization information Such as the user’s display name A claim can grant the right to do something Such as access particular information or invoke specific methods A claim can constrain the right to do something Such as indicating the user’s purchasing limit

19 Identity between a Forest and Other Identity Scopes

20 Identity Across Identity Scopes Describing the problem A user in one Windows forest must access a Web application in another Windows forest A user in a non-Windows scope must access a Web application in a Windows forest (or vice-versa)

21 Identity Across Identity Scopes Some possible solutions One option: duplicate accounts Requires separate login, extra administration A better approach: identity federation One scope accepts identities provided by the other No duplicate accounts Single sign-on for users ADFS allows identity federation for Web applications The ADFS protocol exchanges are defined by WS-Federation, which is also supported by IBM, Oracle, and others

22 1) Access application and get redirected to resource server Application ADFS Agent Windows Server 2003 R2 ADFS Resource Server Token Source Account Domain (Windows or Other) Resource Domain (Windows ) 3) Authenticate and request token for resource server Token WS-Federation- Compatible Account Server (ADFS or Other) Token Source ADFS Acquiring and using a token across scopes (1) 2) Request SAML token for application and get redirected to account server SAML Token for Resource Server 4) Receive token for resource server Web Browser

23 ADFS Agent Windows Server 2003 R2 ADFS Resource Server Token Source WS-Federation- Compatible Account Server (ADFS or Other) Account Domain (Windows or Other ) Resource Domain (Windows ) Token Source 6) Receive token for application SAML Token for Application 7) Send token to application SAML Token for Application 5) Request token for application SAML Token for Resource Server ADFS Acquiring and using a token across scopes (2) Application

24 Identity for Internet Applications

25 Identity on the Internet Most Web applications use Username/Password today Pros: Easy to implement Easy for users to access apps from different machines Cons: Easy to steal and reuse: phishing

26 Identity on the Internet A claims-based alternative Windows CardSpace allows a claims-based view of identity It offers two choices: Using identities issued by CardSpace’s self-issued provider Uses SAML tokens with a standard set of claims Provides a more secure alternative to username/password Using identities issued by a managed identity provider Can use any kind of token with any claims Allows any organization to act as an identity provider Each application indicates the tokens and identity providers it will work with

27 Internet 3) Extract claims (username and password) from token 2) Send username/ password token Token Windows Windows Domain 4) Look up user, authenticate, and (optionally) find other information Application Identity Provider 1) Provide username and password Client

28 Identity Provider Application Windows Windows Domain Internet 2) Send CardSpace self-issued token SAML Token 3) Extract claims (PPID, etc.) from token 4) Look up user and find other information Store 1) Acquire CardSpace self- issued token SAML Token Windows CardSpace Self- Issued Provider Token Source Client

29

30 Application Windows Windows Domain Internet 2) Send token TokenToken Client 3) Extract claims from token 4) Look up user and find other information Store 1) Acquire tokenTokenToken Managed Identity Provider 1... Managed Identity Provider N Security Token Service (STS) Security Token Service (STS)

31 CardSpace is first applied on the Internet But the technology isn’t limited to this It can also potentially be used: Within a single identity scope, e.g., a Windows forest Across scopes, e.g., for federation To help do this, ADFS 2.0 will include a managed identity provider CardSpace allows a user-centric approach to identity

32 Synchronizing Identity Information

33 Mapping Between Identity Stores Identity information is often stored in several different places Keeping this information synchronized is sometimes required Identity Lifecycle Manager (ILM) 2007 can do this It’s the successor to Microsoft Identity Integration Server (MIIS) 2003 It can be used within or between organizations

34 AD Domain Services Identity Store AD Lightweight Directory Services IdentityStore Novell eDirectory IdentityStore IBM Mainframe Application IdentityStore SAP IdentityStore Microsoft Exchange Server IdentityStore SQL Server IdentityStore Identity Lifecycle Manager 2007 If … Then … Rules Actions

35 Architect for identity Be wary of domain-based applications Applications that accept only a Kerberos ticket or only a username/password can be problematic When possible, create claims-based applications using: ADFS for Windows forests and for cross-scope identity federation Windows CardSpace for the Internet Consider ILM for synchronizing identity data

36 About the Speaker David Chappell is Principal of Chappell & Associates (www.davidchappell.com) in San Francisco, California. Through his speaking, writing, and consulting, he helps IT professionals understand, use, and make better decisions about enterprise software. David has been the keynote speaker for dozens of conferences and events in the U.S., Europe, Asia, Latin America, and Australia. His popular seminars have been attended by tens of thousands of developers, architects, and decision makers in forty countries. David’s books have been published in ten languages and used regularly in courses at MIT, ETH Zurich, and many other universities. He is Series Editor for Addison-Wesley’s award-winning Independent Technology Guides, and he has been a regular columnist for several publications. In his consulting practice, David has helped clients such as Hewlett- Packard, IBM, Microsoft, Stanford University, and Target Corporation adopt new technologies, market new products, train their sales staffs, and create business plans. David’s comments have appeared in The New York Times, CNN.com, and various other publications. Earlier in his career, he wrote software for supercomputers, chaired a U.S. national standardization working group, and played keyboards with the Peabody-award-winning Children’s Radio Theater. David holds a B.S. in Economics and an M.S. in Computer Science, both from the University of Wisconsin-Madison.

Download ppt "Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates www.davidchappell.com."

Similar presentations

Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
1 Higgins 1: a species of Tasmanian long-tailed mouse 2: the name of an open source collaboration of IBM, Novell, Oracle, Parity…

1 Higgins 1: a species of Tasmanian long-tailed mouse 2: the name of an open source collaboration of IBM, Novell, Oracle, Parity…
Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.

Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
SIM402. Kerberos, NTLM, Basic, Digest, Forms?

SIM402. Kerberos, NTLM, Basic, Digest, Forms?
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
Microsoft and BPM: A Perspective David Chappell Chappell & Associates www.davidchappell.com Copyright © 2006 David Chappell.

Microsoft and BPM: A Perspective David Chappell Chappell & Associates Copyright © 2006 David Chappell.
David Chappell Chappell & Associates www.davidchappell.com Workflow in Windows SharePoint: Technology for Web 2.0? Copyright © 2007 David Chappell.

David Chappell Chappell & Associates Workflow in Windows SharePoint: Technology for Web 2.0? Copyright © 2007 David Chappell.
David Chappell Chappell & Associates www.davidchappell.com.

David Chappell Chappell & Associates
Identity Lifecycle Management Jonny Chambers Senior Technical Specialist Microsoft Ireland

Identity Lifecycle Management Jonny Chambers Senior Technical Specialist Microsoft Ireland
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Similar presentations

Ads by Google