Jax ArcSig 3/22/2011 Keith Tingle. About Me Keith Tingle Lender Processing Services

Presentation transcript:

1 Jax ArcSig 3/22/2011 Keith Tingle

2 About Me
  Keith Tingle
  http://keith-tingle.com/blog
  kktingle@gmail.com
  Lender Processing Services
  http://www.lpsvcs.com

3 What is WIF?
  Simplifies the programming model of:
    WS-Trust (Smart Clients, a.k.a. Active Clients)
    WS-Federation (Browsers, a.k.a. Passive Clients)
    SAML
  Makes it relatively easy to implement:
    Federated Authentication
    Delegation
    Single Sign On

4 What is WIF? (cont'd)
  Extends the .NET model of identity to claims
  Tooling in Visual Studio
    Project templates for claims-aware apps & STS
    'Add STS Reference' (FedUtil.exe)
  ASP.NET controls
    Login Status Control
    Handles Single Sign Out

5 Federated Authentication
  What does it mean?
    Offload responsibility for authentication to the STS. Delete your login.aspx!
    Reduces the amount of security code
    App is agnostic to authentication method
  Based on the concept of Relying Party & Trust
    Public Key Infrastructure is the glue that holds everything together!
    Relying Party installs the STS certificate and 'trusts' it
    Metadata is standardized (FederatedMetaData.xml)

6 Active Directory is Analogous, BUT
  Only works in the boundaries of a Domain
    Machines must be joined to a domain
      What about machines in the DMZ? What about the Cloud?
    Clients must be on the domain
    Machines typically run Windows
      What about OS X, Linux? What about iOS, Android?

7 What is an STS?
  Identity STS ('IdP')
    Authenticates users
    Supports * authentication methods: Windows Authentication, User Name / Password, X509 Client Certificates
    Issues SAML tokens that contain claims (signed & possibly encrypted)
  Options
    Roll your own
    ADFS 2.0

8 [Diagram: Federated Authentication. Security Token Service, Relying Party, Trust; steps 1, 2 (SAML Token), 3]

9 Review of Claims Jargon
  'Passive' client versus 'Active' client
    Passive clients are browsers.
    Active clients = stand-alone applications with access to a SOAP stack, e.g. a .NET console application.
  'Relying Party' or 'RP'
    An application that trusts the tokens issued by an STS
  A 'Trust'
    A key exchange between an RP and an STS
  'Identity Provider' or 'IdP'
    STS that authenticates a user's identity
    ADFS 2.0 can serve as an IdP for AD user stores

10 Identity in .NET
  Representation of identity:

    public interface IIdentity
    {
        string AuthenticationType { get; }
        bool IsAuthenticated { get; }
        string Name { get; }
    }

  FormsIdentity : IIdentity      'ktingle'
  WindowsIdentity : IIdentity    'NTLM\ktingle'
  x509Identity : IIdentity       'CN=KeithTingle, 54ED5443D…'

11 Identity in .NET w/ Claims
  Extended to claims:

    public interface IClaimsIdentity : IIdentity
    {
        ClaimCollection Claims { get; }
    }

    public class Claim
    {
        // Properties
        public virtual string ClaimType { get; }
        public virtual string Issuer { get; }
        public virtual IClaimsIdentity Subject { get; }
        public virtual string Value { get; }
    }

12 Federated Authentication Demo w/ WIF

13 WIF Packaging
  Two packages
  WIF Runtime
    Minimum of .NET FX 3.5
    Install the runtime on your servers
    Clients do not need the WIF Runtime unless you develop a smart client that utilizes the WIF extensions for client apps. Passive clients: vanilla WCF 3.5 supports most scenarios; these features will be used in delegation scenarios.
    Separate .NET 3.5 & .NET 4.0 downloads
  WIF SDK
    Visual Studio 2010 Project Templates
    FedUtil.exe utility
    User Controls: SignIn Status. Do *not* underestimate the value of these controls!

14 Active Directory Federation Services 2.0
  Requires Windows Server 2008
  Supports HA configurations: federation farms & proxy
  ADFS 1.0 (not 2.0) comes on the Windows Server 2008 installation media.
  ADFS 2.0 is a complete rewrite of ADFS 1.0
    Built on WIF
    Available as a download only (http://bit.ly/ePLV4s)
  ADFS 1.0 will serve as an IdP for Active Directory Lightweight Directory Services (a.k.a. ADAM)
  ADFS 2.0 will only serve as an IdP for Active Directory

15 SharePoint 2010
  Rewritten security model on top of WIF
  All intra-farm security is claims based
  Supports Federated Authentication
    Trusted Identity Provider
    Must use PowerShell to create a provider
  IClaimsIdentity available to custom

16 Quick SharePoint 2010 Demo

17 When to consider Claims?
  When do we consider using claims?
  Single Sign On scenarios
  Heterogeneous user stores
    Corporate AD
    AD Lightweight Directory Services
    External systems (SQL, XML)
  Heterogeneous authentication methods
    Username / Password
    Kerberos / NTLM
    X509 Certificates
  Delegation

18 Claims-based Identity Gotchas
  Distinguish between application claims and enterprise claims
    Examples: Name, E-Mail, Age; Uploader, Editor
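The slides leave the split between enterprise claims and application claims to the reader. The following is an added example (not from the presentation) of where a Relying Party built on WIF draws that line: a ClaimsAuthenticationManager that keeps only claims issued by the STS the RP trusts and derives application claims (Uploader, Editor) from enterprise claims (E-Mail, group membership). The issuer name, the application claim type URI and the mapping rules are assumptions for illustration; Name/E-Mail/Age are treated as enterprise claims and Uploader/Editor as application claims.

```csharp
// Added example: a WIF (Microsoft.IdentityModel) ClaimsAuthenticationManager for a Relying Party.
// It (1) accepts only claims from the trusted STS and (2) maps enterprise claims to application claims.
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

public class RpClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Assumed: the issuer name WIF assigns to the STS whose certificate this RP trusts.
    private const string TrustedIssuer = "http://sts.example.com/trust";

    // Assumed: an application-owned claim type; the RP, not the STS, defines its meaning.
    private const string AppRoleClaimType = "http://schemas.example.com/claims/approle";

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal; // anonymous request: the usual redirect to the STS applies

        var incoming = (IClaimsIdentity)incomingPrincipal.Identity;

        // The token signature and issuer registry were checked earlier in the pipeline;
        // this keeps authorization decisions tied to claims from the federated STS only.
        var enterpriseClaims = incoming.Claims.Where(c => c.Issuer == TrustedIssuer).ToList();
        if (enterpriseClaims.Count == 0)
            throw new InvalidOperationException("No claims issued by the trusted STS; rejecting principal.");

        // Enterprise claims (Name, E-Mail, Age, groups) carry over; application claims are added below.
        var appIdentity = new ClaimsIdentity(enterpriseClaims, incoming.AuthenticationType);

        string email = enterpriseClaims
            .Where(c => c.ClaimType == ClaimTypes.Email)
            .Select(c => c.Value)
            .FirstOrDefault() ?? string.Empty;

        // Assumed mapping rule: corporate mailboxes may upload.
        if (email.EndsWith("@example.com", StringComparison.OrdinalIgnoreCase))
            appIdentity.Claims.Add(new Claim(AppRoleClaimType, "Uploader", ClaimValueTypes.String, "LOCAL AUTHORITY"));

        // Assumed mapping rule: members of the 'Editors' group (an enterprise role claim) may edit.
        bool inEditorsGroup = enterpriseClaims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "Editors");
        if (inEditorsGroup)
            appIdentity.Claims.Add(new Claim(AppRoleClaimType, "Editor", ClaimValueTypes.String, "LOCAL AUTHORITY"));

        return new ClaimsPrincipal(new IClaimsIdentity[] { appIdentity });
    }
}
```

The RP registers the class in web.config under microsoft.identityModel/service/claimsAuthenticationManager; pages then authorize on the application claim rather than on raw enterprise attributes.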

19 Getting Started
  StarterSTS & Starter RP: http://startersts.codeplex.com
    Deployed as an ASP.NET web site
    Uses 'standard' ASP.NET membership & role providers
  WIF templates for a custom STS are very basic
  Creating an STS from scratch is a major undertaking; consider out-of-the-box alternatives

20 Additional Resources
  A Guide to Claims-based Identity and Access Control: http://tinyurl.com/claimsguide
  Exploring Claims-based Identity: http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

21 The End

22 [Diagram: WS-Trust flow. Client, Security Token Service (STS) backed by a User Store, Relying Party Endpoint (WS-Trust Enabled Web Service), Trust; RST = Request for Security Token, RSTR = Request for Security Token Response, SAML Token]

23 The Public Key Infrastructure
  The PKI is the foundation for trust and establishing identity on the Internet
  Built on top of asymmetric encryption algorithms
    Symmetric encryption algorithms: both the sender and the recipient of the message share a secret key.
    Asymmetric encryption algorithms: the sender and the receiver each create an asymmetric key pair and exchange the public keys with one another.
  A key pair: the two keys are related mathematically, but it is essentially impossible to derive one key from the other.
    Public Key: distributed anywhere
    Private Key: a compromised private key should result in a 'revocation' of the corresponding certificate.
  Revocation is a formal concept; there are protocols for it (CRLs, OCSP)
