
Keith Brown, Cofounder, pluralsight.com, SIA312 (presentation transcript)



Slide 2: Keith Brown, Cofounder, pluralsight.com, SIA312

Slide 3: Outline
- What is identity?
- Challenges
- Federated identity
- How it works from a 10,000 foot view
- Terminology and History
- Steps to get started
- Demos!

Slide 4: What is Identity, for this talk?
It's whatever helps you answer these questions:
- Who are you?
- What are you allowed to do?
- How can I personalize my app for you?
(Photo used under Creative Commons from cd.harrison)

Slide 5: How do you Discover Identity Today?
- Windows enterprise apps: Windows domain accounts, Kerberos
- Internet-facing ASP.NET apps: SqlMembershipProvider, Forms auth
- OpenID
- You name it...

Slide 6: Identity can be Tough
- Windows authentication is easy, until someone outside your domain wants to play

Slide 7: Identity can be Tough
- User/password databases are costly and painful, for developers and for users
(Photo used under Creative Commons from maca.foto)

Slide 8: Identity can be Tough
- Single sign on: so many apps do their own thing
- It's often tough to achieve SSO, but users sure appreciate it

Slide 9: Identity can be Tough
- The age of cloud computing is upon us
- How do we deal with identity in the cloud?

Slide 10: Pressure is Mounting for Change
- There's clearly a need for change
- Devs are tired of implementing identity in every app
- Users are tired of tracking 100's of passwords
- Seems like the only ones winning are the phishers

Slide 11: Enter Federated Identity
- Adds a level of indirection
- Don't worry about authenticating users in your app; let an identity provider (IdP) deal with that
- Single sign on follows naturally

Slide 12: Federated Identity in the Small
(Diagram: one identity provider serving the Expense Reporting App, Time Tracking App and Accounting App over WS-Federation.)

Slide 13: Federation Between Realms
- Easy to expand reach to other realms
- Apps don't need to be changed
- Supports partnerships across companies
- Enables cross-platform access

Slide 14: Federation Between Realms
(Diagram: two realms, Realm A and Realm B, each with its own identity provider; the Expense Reporting, Time Tracking and Accounting apps trust one identity provider, which federates with the other.)

Slide 15: What gets sent to the app?
- Application receives a security token
- Created, signed, encrypted by your IdP
- Contains claims your IdP makes about the user
(Photo used under Creative Commons from WayTru)

Slide 16: This idea isn't new
Lots of history:
- SAML, Liberty, OpenID, etc.
- Active Directory Federation Services v1
- .NET 3.0 (WCF + System.IdentityModel)
- CardSpace

Slide 17: Step 1: Establish Trust
- Establish trust with your issuer
- Generate a cert for your app (self-signed typical)
- Exchange certs with issuer
(Photo used under Creative Commons from Miika)

Slide 18: Step 2: Configure your Provider
What do you need to know about the user?
- Email
- Roles
- Shoe size
- etc...

Slide 19: Step 3: Accept Claims in your app
- Geneva Framework supplies plumbing
- Does crypto heavy lifting for you
- Presents claims via IClaimsIdentity

Slide 20: Claims in Geneva Framework
- IClaimsIdentity extends IIdentity, adding claims
- Collection of claims
- Name and Role claims for backwards compatibility
- May include delegate chain for ActAs scenarios

Slide 21: Claim in Geneva Framework
Key properties of Claim include:
- ClaimType
- Value, ValueType
- Issuer
- Strings avoid deserialization complexities
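As an added illustration of slides 19 to 21 (a Python model written for this transcript, not Geneva Framework code, which is .NET), the following sketches an IClaimsIdentity-style object: a collection of claims, each carrying its claim type, string value, value type and issuer; Name and Role views for code written against the older IIdentity shape; a typed view of a value that is only computed when the app asks for it; and a filter that drops claims from any issuer the app has not established trust with. The claim type URIs for name, email and role are the ones WS-Federation and the framework use; the shoe-size claim type, the issuer addresses and the sample claims are constructed.

```python
from dataclasses import dataclass

# Well-known claim type URIs as used by WS-Federation and the Geneva Framework.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Constructed claim type for the slide's "shoe size" example.
SHOE_SIZE = "http://example.test/claims/shoesize"
# XML Schema value types; the values themselves always travel as strings.
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
XSD_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str            # a string on the wire, whatever the ValueType says
    issuer: str           # who made the statement
    value_type: str = XSD_STRING

    def typed_value(self):
        # Interpretation happens only when the app asks, so token handling
        # never has to deserialise anything.
        if self.value_type == XSD_INTEGER:
            return int(self.value)
        return self.value


class ClaimsIdentity:
    """Model of IClaimsIdentity: a claim collection plus Name/Role views for
    code written against the older IIdentity/IPrincipal shape."""

    def __init__(self, claims, trusted_issuers):
        # A claim is only as good as its issuer: statements from issuers the
        # app never exchanged certs with are set aside, not acted on.
        self.claims = tuple(c for c in claims if c.issuer in trusted_issuers)
        self.ignored = tuple(c for c in claims if c.issuer not in trusted_issuers)

    def find_all(self, claim_type):
        return [c for c in self.claims if c.claim_type == claim_type]

    def find_first(self, claim_type):
        found = self.find_all(claim_type)
        return found[0] if found else None

    @property
    def name(self):
        # Backwards-compatible IIdentity.Name: the first name claim, if any.
        c = self.find_first(NAME)
        return c.value if c else None

    @property
    def roles(self):
        return [c.value for c in self.find_all(ROLE)]

    def is_in_role(self, role):
        return role in self.roles


# Constructed sample: claims as the app would see them after the token is verified.
IDP = "https://sts.example.test/"
SAMPLE_CLAIMS = [
    Claim(NAME, "alice", IDP),
    Claim(EMAIL, "alice@example.test", IDP),
    Claim(ROLE, "Approver", IDP),
    Claim(SHOE_SIZE, "42", IDP, XSD_INTEGER),
    # A role claim from an issuer the app has no trust relationship with.
    Claim(ROLE, "Admin", "https://rogue.example.test/"),
]


def build_identity():
    return ClaimsIdentity(SAMPLE_CLAIMS, trusted_issuers={IDP})
```

The point of the ignored tuple is that an app should decide what to trust by issuer, not by claim type: the rogue Admin claim has the right ClaimType but the wrong Issuer, so is_in_role("Admin") stays false.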

Slide 22: Where do I get an Identity Provider?
Identity providers can be built or purchased:
- Geneva Server (free with Windows Server license)
- .NET Access Control Service (cloud-based)
- Build your own with the Geneva Framework

Slide 23: Standards Involved
- SAML (Security Assertion Markup Language): XML vocabulary for "security assertions"; SOAP query protocol for retrieving tokens (SSO)
- WS-Trust: SOAP protocol for retrieving tokens of any type; the WS-Trust and SAML protocols are not wire compatible
- WS-Federation: SSO for web services ("active" clients) via WS-Trust; SSO for web apps ("passive" clients, aka browsers) using HTTP techniques

Slide 24: Terminology
- Subject: the user/entity being authenticated
- Relying Party: any app that relies on claims
- Issuer, Security Token Service (STS): authority that issues tokens; STS is often loosely equated to "issuer"; STS is the key abstraction for an issuer in Geneva Fx, and you must derive a class from SecurityTokenService to supply claims-issuance logic

Slide 25: Terminology
(Diagram: the Subject and Requestor, the Issuer (identity provider) with its STS, and the App (Relying Party), with the trust relationship between app and issuer.)

Slide 26: WS-Trust
(Diagram: the requestor sends a request security token message to the Issuer's STS and receives a response carrying the token; it then sends the Web Service a request that includes the token. The service decrypts the SAML token and discovers the claims made by the issuer.)

Slide 27: WS-Trust Q&A
- Requestor discovers address/binding of issuer: may be hardcoded into client config, or discovered at runtime via WS-Mex and WS-Policy
- Requestor proves ownership of token: SAML subject confirmation == "holder-of-key"; requestor signs the security header with the proof key; similar in spirit to Kerberos

Slide 28: WS-Fed (passive) part 1
(Diagram: the browser's initial HTTP request to the Web App is answered with an HTTP redirect to the Issuer, which returns a web page.)

Slide 29: WS-Fed (passive) part 2
(Diagram: the user authenticates at the Issuer, which returns a SAML token; the token is auto-POSTed to the Web App via a form and JavaScript. The app decrypts the SAML token and discovers the claims made by the issuer.)

Slide 30: WS-Fed (passive) Q&A
- Requestor proves ownership of token: SAML subject confirmation method is "bearer"; HTTPS required to foil eavesdroppers
- How is a logon session maintained? The SAML token POSTed to your site is like an initial login for a user; use traditional web login techniques (cookies, typically) to start a session
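As an added worked example covering slides 26 to 30 (Python written for this transcript, not Geneva Framework or Microsoft code), the exchange below models both confirmation methods. An STS issues tokens; an active web service demands holder-of-key proof, so the caller must sign its message with the proof key carried in the token; a passive web app redirects the browser with the WS-Federation wa, wtrealm and wctx parameters, accepts the auto-POSTed bearer token only over HTTPS, validates issuer, signature, audience and lifetime, and then starts its own cookie session. An HMAC over a canonical JSON body stands in for the XML signature and X.509 certificates of a real SAML token, so one symmetric key plays both the issuer's private key and the copy of its certificate the relying party received when certs were exchanged; there is no encryption layer, so the holder-of-key proof key sits in the clear where a real token would carry it encrypted for the service. All endpoints, keys and payloads are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed parties and keys: placeholders, not real endpoints or credentials.
ISSUER = "https://sts.example.test/"
RP_REALM = "https://expenses.example.test/"          # passive web app
SERVICE_ADDRESS = "https://reports.example.test/ws"  # active web service
# One symmetric key stands in for the issuer's private key and the copy of its
# certificate the relying party received when certs were exchanged (slide 17).
ISSUER_SIGNING_KEY = b"constructed-issuer-signing-key"


class TokenRejected(Exception):
    pass


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canonical(body):
    # Deterministic serialisation so issuer and relying party hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(subject, claims, audience, confirmation, now, lifetime=300, proof_key=b""):
    """Issuer (STS) side; confirmation is 'bearer' (passive) or 'holder-of-key' (active)."""
    body = {"issuer": ISSUER, "subject": subject, "audience": audience, "claims": claims,
            "nbf": now, "exp": now + lifetime, "confirmation": confirmation}
    if confirmation == "holder-of-key":
        # A real SAML token carries the proof key encrypted for the service; this
        # model has no encryption layer, so the key is in the clear.
        body["proof_key"] = proof_key.hex()
    return {"body": body, "signature": _mac(ISSUER_SIGNING_KEY, _canonical(body))}


def encode_wresult(token):
    # The issuer's page puts the token in a hidden form field and auto-POSTs it.
    return json.dumps(token)


def validate_token(token, expected_audience, now):
    """Checks every relying party performs, however the token arrived."""
    body = token["body"]
    if body.get("issuer") != ISSUER:
        raise TokenRejected("untrusted issuer")
    if not hmac.compare_digest(token.get("signature", ""), _mac(ISSUER_SIGNING_KEY, _canonical(body))):
        raise TokenRejected("issuer signature does not verify")
    if body["audience"] != expected_audience:
        raise TokenRejected("token was issued for a different relying party")
    if not body["nbf"] <= now < body["exp"]:
        raise TokenRejected("token is outside its validity window")
    return body


# Active case (slide 27): holder-of-key confirmation.
def sign_service_request(token, proof_key, payload):
    """Requestor attaches the token and signs the message with the proof key."""
    return {"token": token, "payload": payload, "proof_signature": _mac(proof_key, payload.encode())}


def service_accept(message, now):
    """Web service: verify the issuer's token, then the caller's proof of possession."""
    body = validate_token(message["token"], SERVICE_ADDRESS, now)
    if body["confirmation"] != "holder-of-key":
        raise TokenRejected("service requires holder-of-key confirmation")
    expected = _mac(bytes.fromhex(body["proof_key"]), message["payload"].encode())
    if not hmac.compare_digest(message["proof_signature"], expected):
        raise TokenRejected("caller cannot prove possession of the token")
    return body["claims"]


# Passive case (slides 28-30): bearer token carried by the browser.
def signin_redirect(return_url):
    """Web app redirects an unauthenticated browser to the issuer (WS-Federation wa/wtrealm/wctx)."""
    return ISSUER + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": RP_REALM, "wctx": return_url})


def app_handle_post(form, now, over_https):
    """Web app receives the auto-POSTed token, validates it and starts a cookie session."""
    if not over_https:
        # Anyone who sees a bearer token can use it, so the POST must be protected in transit.
        raise TokenRejected("bearer token must only be accepted over HTTPS")
    body = validate_token(json.loads(form["wresult"]), RP_REALM, now)
    if body["confirmation"] != "bearer":
        raise TokenRejected("passive sign-in expects a bearer token")
    # From here on the app's own session, not the token, identifies the user.
    cookie = "session=%s; Secure; HttpOnly; Path=/" % secrets.token_urlsafe(16)
    return body["claims"], cookie
```

The same validate_token checks run in both paths; what differs is the proof of possession. A bearer token is accepted on the strength of the transport, which is why the HTTPS check sits before anything else, while in the holder-of-key path a token that was copied from the wire is useless without the proof key, and a bearer token presented to the service is refused outright.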

Slide 31: Claims-based identity and Federation


Slide 33: Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification and Training Resources
TechEd 2009 is not producing a DVD; session recordings are available at TechEd Online.


Slide 35: © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

