ASP.NET Single Sign On

Talk from BASTA Conference 2009

ASP.NET Single-Sign-On
Dominick Baier | thinktecture
dominick.baier@thinktecture.com
http://www.thinktecture.com

thinktecture and Dominick Baier
- Support and consulting for software developers and architects in the Windows and .NET space
- Developer coaching and mentoring
- Architecture consulting and prototyping
- Architecture and code reviews
- Focus on distributed applications, service orientation, workflows, cloud computing, interoperability, security, end-to-end solutions
- Windows Server, .NET, WCF, WF, MSMQ, .NET Services, Windows Azure
- http://www.thinktecture.com
- http://www.leastprivilege.com
- dominick.baier@thinktecture.com

Agenda
- What's Single Sign-On?
- How does HTTP based authentication work?
- ASP.NET Forms Authentication
- Protocols for third party authentication
- Microsoft "Geneva" Framework for ASP.NET
- Dangers of Single Sign-On

Single Sign-On
- The problem
  - many (historical) applications
  - username/password authentication
  - different account stores
- The desire
  - no need for separate accounts
  - at least the same credential for all apps
  - only sign in once (a day)

Single Sign-On v0.5
- Unified user account data store
  - pre-requisite for moving on
- still separate sign-on processes

Challenge/response based authentication
1. GET /default.aspx
2. 401 / WWW-Authenticate
3. GET /default.aspx with Authorization: … (the client repeats the request carrying the credential in the Authorization request header)

Redirect/cookie based authentication
1. GET /default.aspx
2. 302 -> login.aspx
3. POST /login.aspx
4. Set-Cookie

ASP.NET Forms Authentication
Cookie domain scope:
- www.domain.com (cookie sent to this host only)
- .domain.com (cookie sent to every host under domain.com)

Forms Authentication scenarios
- www.domain.com/app1
- www.domain.com/app2
- app1.domain.com
- app2.domain.com

Forms Authentication drawbacks
- ASP.NET encrypts and signs authentication cookies
  - uses a random key by default
  - must set a shared key in all applications
- Authentication logic must be duplicated
- Forms Authentication does not support redirects outside of the current application
- Cookie domains are limited
  - applications in different domains cannot "federate"

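As an added example (not from the talk), this is the web.config fragment that makes the app1/app2 scenarios on the previous slide work: every application that should accept the same cookie needs the same `<forms>` name and domain and an identical, explicitly configured `<machineKey>`, because the default per-application auto-generated key means app2 cannot validate a ticket app1 issued. Host name, cookie name and key values are placeholders, and each application still carries its own login page, which is the duplicated authentication logic the slide points out.

```xml
<!-- Added example, not from the talk: put an identical copy in every application
     that should share the sign-on cookie. Key values are placeholders; generate
     your own random keys and keep them out of source control. -->
<system.web>
  <authentication mode="Forms">
    <!-- name and domain must match in all apps, otherwise the browser
         keeps a separate cookie per application -->
    <forms name=".SSOAUTH"
           loginUrl="~/login.aspx"
           domain=".domain.com"
           path="/"
           requireSSL="true"
           protection="All"
           timeout="30" />
  </authentication>
  <!-- explicit keys instead of AutoGenerate, so app2 can decrypt and validate
       a ticket that app1 issued; the default random key differs per app -->
  <machineKey validationKey="[PLACEHOLDER-128-HEX-CHARS]"
              decryptionKey="[PLACEHOLDER-64-HEX-CHARS]"
              validation="SHA1"
              decryption="AES" />
</system.web>
```

`requireSSL="true"` keeps the shared cookie off plain HTTP, which matters more once one cookie opens several applications; `protection="All"` keeps both the signature and the encryption of the ticket, and the shared key is the secret that every participating application must protect.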
Forms Authentication non-scenarios
- www.domain1.com
- www.domain2.com
- www.login.com

"Third party authentication" protocols
- Protocols with focus on
  - factoring out and centralizing authentication logic
  - transmitting authentication tokens over domain boundaries
- Several popular standards
  - OpenID
  - SAML 2.0p
  - WS-Federation

General idea
Diagram: the Identity Provider and the Relying Party have a trust relationship; the Client (1) authenticates at the Identity Provider and (2) presents the resulting token to the Relying Party (data exchange).

A look into a (SAML) token

```xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                issuer="http://www.login.com">
  <saml:Conditions>
    NotBefore, NotOnOrAfter, ApplicationName
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="name">
      dominick
    </saml:Attribute>
    <saml:Attribute AttributeName="email">
      dbaier@leastprivilege.com
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
</saml:Assertion>
```

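The slide shows the parts of the token; what makes them worth anything is that the relying party checks every one of them before reading an attribute. As an added example (not from the talk, and not the Geneva token handlers, which do this for you), here is that check written against the .NET base class library only. It assumes a real SAML 1.x assertion, where the attributes are spelled `Issuer` and `AssertionID` and the audience sits in `AudienceRestrictionCondition`; the trusted issuer name, its certificate and the expected audience are inputs the relying party configures.

```csharp
// Added example (not from the talk): relying-party checks on a received SAML 1.x
// assertion. Issuer name, issuer certificate and audience are assumed inputs.
using System;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignedXml resolves Reference URIs only via Id/id/ID attributes; SAML 1.x
// assertions are referenced by AssertionID, so teach it that attribute.
class SamlSignedXml : SignedXml
{
    public SamlSignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null) return found;
        foreach (XmlElement e in document.GetElementsByTagName("Assertion", AssertionValidator.SamlNs))
            if (e.GetAttribute("AssertionID") == idValue) return e;
        return null;
    }
}

public static class AssertionValidator
{
    public const string SamlNs = "urn:oasis:names:tc:SAML:1.0:assertion";
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Returns the validated assertion element; throws SecurityException on any failed check.
    public static XmlElement Validate(string assertionXml, string trustedIssuer,
                                      X509Certificate2 issuerCert, string expectedAudience,
                                      DateTime nowUtc)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };   // whitespace is part of the signed bytes
        doc.LoadXml(assertionXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsigNs);
        XmlElement assertion = doc.DocumentElement;

        // 1. Issuer: only the identity provider we trust may mint tokens for us.
        if (assertion.GetAttribute("Issuer") != trustedIssuer)
            throw new SecurityException("assertion issued by an untrusted party");

        // 2. Signature: must be present, verify with the certificate we already trust
        //    (never with a key the token itself carries), and cover this very element.
        var sigElement = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sigElement == null)
            throw new SecurityException("assertion is not signed");
        var signedXml = new SamlSignedXml(doc);
        signedXml.LoadXml(sigElement);
        if (!signedXml.CheckSignature(issuerCert, true))
            throw new SecurityException("signature does not verify");
        string expectedRef = "#" + assertion.GetAttribute("AssertionID");
        bool coversAssertion = false;
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri == expectedRef) coversAssertion = true;
        if (!coversAssertion)
            throw new SecurityException("signature does not cover this assertion");

        // 3. Lifetime: NotBefore / NotOnOrAfter with a small clock-skew allowance.
        var conditions = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (conditions == null)
            throw new SecurityException("assertion has no Conditions");
        TimeSpan skew = TimeSpan.FromMinutes(5);
        DateTime notBefore = XmlConvert.ToDateTime(conditions.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc);
        DateTime notOnOrAfter = XmlConvert.ToDateTime(conditions.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
        if (nowUtc + skew < notBefore || nowUtc - skew >= notOnOrAfter)
            throw new SecurityException("assertion is outside its validity window");

        // 4. Audience ("ApplicationName" on the slide): a token issued for app1 must not be accepted by app2.
        XmlNode audience = conditions.SelectSingleNode("saml:AudienceRestrictionCondition/saml:Audience", ns);
        if (audience == null || audience.InnerText.Trim() != expectedAudience)
            throw new SecurityException("assertion was not issued for this application");

        return assertion;
    }

    // Attribute lookup on an already validated assertion. attributeName is a code constant
    // such as "name" or "email", never user input, since it is spliced into the XPath.
    public static string GetAttribute(XmlElement assertion, string attributeName)
    {
        var ns = new XmlNamespaceManager(assertion.OwnerDocument.NameTable);
        ns.AddNamespace("saml", SamlNs);
        XmlNode node = assertion.SelectSingleNode(
            "saml:AttributeStatement/saml:Attribute[@AttributeName='" + attributeName + "']/saml:AttributeValue", ns);
        return node == null ? null : node.InnerText.Trim();
    }
}
```

The order matters less than the completeness: skipping the issuer check lets any signer be accepted, skipping the reference check lets a valid signature on one element vouch for another, and skipping the audience check turns a token for one application into a token for all of them, which is exactly the cross-application reach that SSO introduces.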
WS-Federation
1: GET /default.aspx
2: GET /sts/auth.aspx

```html
<form method="POST" action="http://app/default.aspx">
  <input name="wresult" value="[token]" />
  …
  <script>
    window.setTimeout('document.forms[0].submit()', 0);
  </script>
</form>
```

3: POST /default.aspx

"Geneva" project
- ADFS 2
  - Active Directory integrated identity provider
  - enterprise level management features
- Windows Identity Foundation (WIF)
  - extensions to .NET identity & authorization infrastructure
  - direct ASP.NET & WCF integration
  - supports writing relying parties & identity providers
  - token handling toolkit
- http://www.microsoft.com/geneva

WS-Federation configuration

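The slide's configuration screenshot is not in this copy. As an added example (not from the talk), here is the relying-party side of that configuration in the form the released Windows Identity Foundation 1.0 uses; the Geneva beta shown in 2009 may have named some elements differently, so treat section and type names as an assumption. Addresses and the certificate thumbprint are placeholders.

```xml
<!-- Added example, not from the talk: WIF 1.0 style relying-party configuration
     for WS-Federation passive sign-in. All addresses and the thumbprint are placeholders. -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <system.web>
    <!-- the WIF modules take over authentication from Forms Authentication -->
    <authentication mode="None" />
    <httpModules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>
  <microsoft.identityModel>
    <service>
      <!-- tokens whose audience is not listed here are rejected -->
      <audienceUris>
        <add value="https://app1.example.com/" />
      </audienceUris>
      <federatedAuthentication>
        <!-- where to send unauthenticated users (step 2 on the WS-Federation slide) -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://sts.example.com/issue.aspx"
                      realm="https://app1.example.com/"
                      requireHttps="true" />
        <!-- the session cookie that replaces the Forms Authentication cookie -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <!-- only tokens signed by this certificate are accepted -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="[PLACEHOLDER-STS-CERT-THUMBPRINT]" name="https://sts.example.com/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

The three security-relevant pieces are `audienceUris`, `trustedIssuers` and the two `requireHttps`/`requireSsl` switches: the first two are the issuer and audience checks from the SAML token slide expressed as configuration, the last keeps both the token and the resulting session cookie off plain HTTP.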
Geneva extensions to IPrincipal

```csharp
interface IIdentity
{
    bool IsAuthenticated { get; }
    string AuthenticationType { get; }
    string Name { get; }
}

interface IPrincipal
{
    IIdentity Identity { get; }
    bool IsInRole(string roleName);
}

interface IClaimsIdentity : IIdentity
{
    ClaimCollection Claims { get; }
    string NameClaimType { get; }
    string RoleClaimType { get; }
}

interface IClaimsPrincipal : IPrincipal
{
    ClaimsIdentityCollection Identities { get; }
}
```

Claim

```csharp
public class Claim
{
    public virtual string ClaimType { get; }
    public virtual string Value { get; }
    public virtual string Issuer { get; }
    // rest omitted
}
```

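The `Issuer` property on the slide is the one that is easy to ignore and expensive to ignore: a role claim is only as good as the party that asserted it. As an added example (not from the talk), this helper answers role and name questions on the relying-party side using the interfaces from the previous two slides, honoring only claims from the STS the application trusts. `ClaimTypes.Role` and `ClaimTypes.Name` are the standard claim-type URI constants from the Microsoft.IdentityModel.Claims namespace; the issuer name is an assumed configuration value.

```csharp
// Added example (not from the talk): relying-party use of the Geneva/WIF claims model
// that filters by Issuer. The trusted issuer name is an assumed configuration value.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;

public static class ClaimsAuthorization
{
    // Role membership, but only from claims whose Issuer is the STS we trust.
    // A claim's Value alone means nothing; who asserted it decides whether to honor it.
    public static bool IsInRole(IClaimsPrincipal principal, string role, string trustedIssuer)
    {
        return ClaimsFrom(principal, trustedIssuer)
            .Any(c => c.ClaimType == ClaimTypes.Role && c.Value == role);
    }

    // Display name from the trusted issuer's name claim, or null if there is none.
    public static string DisplayName(IClaimsPrincipal principal, string trustedIssuer)
    {
        Claim name = ClaimsFrom(principal, trustedIssuer)
            .FirstOrDefault(c => c.ClaimType == ClaimTypes.Name);
        return name == null ? null : name.Value;
    }

    // All claims across all identities of the principal, restricted to one issuer.
    static IEnumerable<Claim> ClaimsFrom(IClaimsPrincipal principal, string trustedIssuer)
    {
        return principal.Identities
            .SelectMany(identity => identity.Claims)
            .Where(c => string.Equals(c.Issuer, trustedIssuer, StringComparison.Ordinal));
    }

    // Usage from a page or handler, after the federation module has set the principal.
    // Returns false when the current user is not a claims principal at all.
    public static bool CurrentUserIsInRole(string role, string trustedIssuer)
    {
        var user = HttpContext.Current.User as IClaimsPrincipal;
        return user != null && IsInRole(user, role, trustedIssuer);
    }
}
```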
Identity provider
- Normal ASP.NET application
- Token issuance logic implemented in a SecurityTokenService derived class
- Token service hosted on an .aspx page using a web control
Diagram: issue.aspx hosts `<idfx:FederatedPassiveTokenService />` in front of the SecurityTokenService; the browser arrives at issue.aspx?wa=wsignin1.0… and the token goes back to the application by HTTP form POST.

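The WS-Federation slide (steps 1 to 3) and this one (issue.aspx?wa=wsignin1.0…) describe the same browser round trip from the two ends. As an added example (not from the talk, and not what the Geneva module or the `FederatedPassiveTokenService` control do internally), here is that exchange written against the base class library only: the relying party builds the sign-in redirect, and later reads the auto-submitted form back. `wa`, `wtrealm`, `wctx` and `wresult` are the protocol's own parameter names; the STS address, realm and return path are assumptions. The one thing the example adds beyond the slides is the handling of `wctx`, which must never be allowed to send the user to a foreign URL after sign-in.

```csharp
// Added example (not from the talk): the relying-party side of the WS-Federation
// passive sign-in round trip. STS and RP addresses are assumptions.
using System;
using System.Collections.Specialized;

public static class WsFedPassive
{
    // Step 1 -> 2: send the unauthenticated browser to the STS sign-in page.
    // wctx is opaque state the STS echoes back; here it carries the local path to resume.
    public static string BuildSignInUrl(string stsIssueUrl, string realm, string returnPath)
    {
        if (!IsLocalPath(returnPath))
            returnPath = "/";                        // never round-trip an arbitrary URL through wctx
        return stsIssueUrl
            + "?wa=wsignin1.0"
            + "&wtrealm=" + Uri.EscapeDataString(realm)
            + "&wctx=" + Uri.EscapeDataString(returnPath);
    }

    // Step 3: the STS page auto-submits a form to the RP. Pull the token wrapper and the
    // context back out; the token inside wresult still has to be validated (signature,
    // issuer, audience, lifetime) before the RP creates a session for the user.
    public static bool TryReadSignInResponse(NameValueCollection form,
                                             out string resultXml, out string returnPath)
    {
        resultXml = null;
        returnPath = "/";
        if (form["wa"] != "wsignin1.0" || string.IsNullOrEmpty(form["wresult"]))
            return false;
        resultXml = form["wresult"];
        string ctx = form["wctx"];
        if (IsLocalPath(ctx))                        // ignore a wctx that points off-site
            returnPath = ctx;
        return true;
    }

    // Accept only an absolute path on this site: starts with "/", but not with "//" or "/\",
    // which browsers treat as scheme-relative URLs to another host.
    static bool IsLocalPath(string path)
    {
        return !string.IsNullOrEmpty(path)
            && path.StartsWith("/", StringComparison.Ordinal)
            && !path.StartsWith("//", StringComparison.Ordinal)
            && !path.StartsWith(@"/\", StringComparison.Ordinal);
    }
}
```

A usage sketch: `Response.Redirect(WsFedPassive.BuildSignInUrl("https://sts.example.com/issue.aspx", "https://app1.example.com/", Request.RawUrl))` on the way out, and `WsFedPassive.TryReadSignInResponse(Request.Form, out result, out path)` when default.aspx receives the POST from step 3.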
SecurityTokenService

```csharp
public class MyTokenService : SecurityTokenService
{
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // parse request.AppliesTo (and return encryption cert)
    }

    public override IClaimsIdentity GetOutputClaimsIdentity(Scope scope, IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // retrieve claims from store and return them as IClaimsIdentity
    }
}
```

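As an added example (not from the talk), the two overrides from the slide filled in. The type names (`Scope`, `RequestSecurityToken`, `X509EncryptingCredentials`, `InvalidRequestException`, `ClaimsIdentity`, `ClaimTypes`) and the `protected` visibility of both overrides follow the released Windows Identity Foundation 1.0; the Geneva beta on the slide declares `GetOutputClaimsIdentity` as `public`, so adjust to whichever build you target. The relying-party table, the certificate subjects and the role store are assumptions. The point the example makes beyond the slide: `GetScope` is where the STS decides whom it is willing to issue tokens for, so it must consult a registered list rather than trust whatever `AppliesTo` or `ReplyTo` the request carries.

```csharp
// Added example (not from the talk): a SecurityTokenService that only issues tokens
// to registered relying parties. WIF 1.0 type names; store contents are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class MyTokenService : SecurityTokenService
{
    // Realm -> certificate the token is encrypted for. An STS that issues to any
    // AppliesTo it is handed is an open token minting service for anyone who asks.
    static readonly Dictionary<string, X509Certificate2> RelyingParties =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://app1.example.com/", LoadCert("CN=app1.example.com") },   // placeholder subjects
            { "https://app2.example.com/", LoadCert("CN=app2.example.com") },
        };

    public MyTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required");

        string realm = request.AppliesTo.Uri.AbsoluteUri;
        X509Certificate2 encryptionCert;
        if (!RelyingParties.TryGetValue(realm, out encryptionCert))
            throw new InvalidRequestException("unknown relying party: " + realm);

        Scope scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.EncryptingCredentials = new X509EncryptingCredentials(encryptionCert);
        // Send the token back to the registered realm, not to whatever ReplyTo the request carried.
        scope.ReplyToAddress = realm;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(Scope scope, IClaimsPrincipal principal,
                                                               RequestSecurityToken request)
    {
        // principal is the caller as authenticated by the hosting page (e.g. Forms auth on issue.aspx).
        string user = principal.Identity.Name;
        ClaimsIdentity output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, user));
        foreach (string role in RolesFor(user))
            output.Claims.Add(new Claim(ClaimTypes.Role, role));
        return output;
    }

    // Assumed role store; a real STS reads a directory or database.
    static IEnumerable<string> RolesFor(string user)
    {
        return user == "dominick" ? new[] { "admin", "user" } : new[] { "user" };
    }

    // Load the relying party's encryption certificate from the machine store (validOnly = true).
    static X509Certificate2 LoadCert(string subject)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subject, true);
            if (found.Count == 0)
                throw new InvalidOperationException("certificate not found: " + subject);
            return found[0];
        }
        finally { store.Close(); }
    }
}
```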
Dangers of Single Sign-On
- Identity Provider becomes an attractive target for attacks
  - phishing, spoofing
  - use SSL (and token level encryption)
- Users get access to several applications with a single credential
  - this credential must be secured
- Cross Site Request Forgery becomes a big issue

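Why CSRF gets worse with SSO: the browser attaches the shared authentication cookie to every request to every participating application, so a forged cross-site POST arrives already authenticated at all of them. As an added example (not from the talk, and unrelated to the AntiCSRF library listed under Resources), here is the synchronizer-token pattern for ASP.NET WebForms: a random per-session token is written into every form this application serves and verified on every postback, which a foreign site cannot forge because it cannot read the token. The session key, field name and the page base class are assumptions.

```csharp
// Added example (not from the talk): per-session synchronizer token for WebForms pages.
// Derive pages from AntiCsrfPage instead of Page. Names are assumptions.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class AntiCsrfPage : Page
{
    const string TokenName = "__csrfToken";      // hidden field name and session key (assumed)

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session[TokenName] == null)
            Session[TokenName] = NewToken();

        if (IsPostBack)
            ValidateToken();                         // runs before any control event handler fires

        // Emit the token into the form; a foreign site cannot read it across origins,
        // so a request it forges cannot include the right value.
        ClientScript.RegisterHiddenField(TokenName, (string)Session[TokenName]);
    }

    // 256 bits from the OS CSPRNG, base64 for transport in the hidden field.
    static string NewToken()
    {
        byte[] bytes = new byte[32];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Reject the postback unless it carries the token this session was given.
    void ValidateToken()
    {
        string expected = (string)Session[TokenName];
        string actual = Request.Form[TokenName];
        if (actual == null || !ConstantTimeEquals(expected, actual))
            throw new HttpException(403, "Request did not carry a valid anti-CSRF token");
    }

    // Compare without leaking where the strings first differ.
    static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The token is per application session, not per SSO sign-on, which is the point: the shared cookie proves who the user is, the token proves the POST came from a page this application rendered.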
Summary
- Single Sign-On can simplify the user experience
  - The fewer credentials a human has to manage, the better
- ASP.NET has limited built-in support
  - Special protocols needed to enable advanced scenarios
- Geneva is Microsoft's library for federation with ASP.NET
- Single Sign-On also has some issues

Resources
- "Developing more-secure ASP.NET Applications"
  http://tinyurl.com/AspNetSecurity
- OpenID for .NET
  http://code.google.com/p/dotnetopenid/
- Thinktecture Starter STS
  StarterSTS.codeplex.com
- Geneva Framework Whitepaper
  http://tinyurl.com/GenevaWhitepaper
- Cross Site Request Forgery (CSRF)
  http://www.owasp.org/index.php/Cross-Site_Request_Forgery
- AntiCSRF
  http://AntiCSRF.codeplex.com/

Contact me…
dominick.baier@thinktecture.com
http://www.leastprivilege.com