ASP.NET Single Sign On
Talk from BASTA Conference 2009
Transcript

  • 1. http://www.thinktecture.com
    Dominick Baier | thinktecture
    dominick.baier@thinktecture.com
    ASP.NET Single-Sign-On
  • 2. thinktecture and Dominick Baier
    Support and consulting for software developers and architects in the Windows and .NET environment
    Developer coaching and mentoring
    Architecture consulting and prototyping
    Architecture and code reviews
    Focus on distributed applications, service orientation, workflows, cloud computing, interoperability, security, end-to-end solutions
    Windows Server, .NET, WCF, WF, MSMQ, .NET Services, Windows Azure
    http://www.thinktecture.com
    http://www.leastprivilege.com
    dominick.baier@thinktecture.com
  • 3. Agenda
    What's Single Sign-On?
    How does HTTP based authentication work?
    ASP.NET Forms Authentication
    Protocols for third party authentication
    Microsoft "Geneva" Framework for ASP.NET
    Dangers of Single Sign-On
  • 4. Single Sign-On
    The problem
    many (historical) applications
    username/password authentication
    different account stores
    The desire
    no need for separate accounts
    at least the same credential for all apps
    only sign in once (a day)
  • 5. Single Sign-On v0.5
    Unified user account data store
    pre-requisite for moving on
    still separate sign-on processes
  • 6. Challenge/response based authentication
    GET /default.aspx
    401 / WWW-Authenticate
    GET / Authorization …
  • 7. Redirect/cookie based authentication
    GET /default.aspx
    302 -> login.aspx
    POST /login.aspx
    Set-Cookie
  • 8. ASP.NET Forms Authentication
    www.domain.com
    .domain.com
  • 9. Forms Authentication scenarios
    www.domain.com/app1
    www.domain.com/app2
    app1.domain.com
    app2.domain.com
  • 10. Forms Authentication drawbacks
    ASP.NET encrypts and signs authentication cookies
    uses a random key by default
    must set a shared key in all applications
    Authentication logic must be duplicated
    Forms Authentication does not support redirects outside of the current application
    Cookie domains are limited
    applications in different domains cannot "federate"
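As an added illustration that is not from the talk: the web.config settings the two drawbacks above refer to, for the slide 9 scenario where app1.domain.com and app2.domain.com should accept each other's Forms Authentication cookie. The cookie name, the domain and the key values are assumed for the example; the keys are placeholders, not usable values.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- domain=".domain.com" makes the browser send the same cookie to app1.domain.com and
           app2.domain.com; without it each host gets its own cookie and its own sign-on.
           requireSSL keeps the cookie off plain HTTP. -->
      <forms name=".DOMAINAUTH" loginUrl="~/login.aspx" domain=".domain.com"
             protection="All" requireSSL="true" timeout="30" />
    </authentication>
    <!-- The default is an auto-generated key per application, so app2 cannot validate or
         decrypt a cookie app1 issued. Every participating application needs this identical
         element. Placeholder values: generate real keys with a CSPRNG and keep them out of
         source control. -->
    <machineKey validationKey="[128-hex-char-placeholder]"
                decryptionKey="[64-hex-char-placeholder]"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
```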
  • 11. Forms Authentication non-scenarios
    www.domain1.com
    www.domain2.com
    www.login.com
  • 12. "Third party authentication" protocols
    Protocols with focus on
    factoring out and centralizing authentication logic
    transmitting authentication tokens over domain boundaries
    Several popular standards
    OpenID
    SAML 2.0p
    WS-Federation
  • 13. General idea
    (diagram: Client, Identity Provider and Relying Party; a trust relationship between Identity Provider and Relying Party; data exchange steps 1 and 2)
  • 14. A look into a (SAML) token
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    issuer="http://www.login.com">
      <saml:Conditions>
        NotBefore, NotOnOrAfter, ApplicationName
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="name">
          dominick
        </saml:Attribute>
        <saml:Attribute AttributeName="email">
          dbaier@leastprivilege.com
        </saml:Attribute>
      </saml:AttributeStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
    </saml:Assertion>
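An added example, not from the talk, of the checks a relying party runs on the Conditions shown above before it trusts the attributes; it is written in Python to keep it independent of WIF. The token, issuer, audience and timestamps are constructed for the example, and the empty Signature element is only checked for presence, not cryptographically verified.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
TRUSTED_ISSUERS = {"http://www.login.com"}   # issuers this relying party trusts (constructed)
OUR_AUDIENCE = "http://app/default.aspx"     # this relying party's own identifier (constructed)

# Constructed SAML 1.0 assertion modelled on the slide; the empty Signature is only a placeholder.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" Issuer="http://www.login.com">
  <saml:Conditions NotBefore="2009-09-20T10:00:00Z" NotOnOrAfter="2009-09-20T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{OUR_AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="name"><saml:AttributeValue>dominick</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="email"><saml:AttributeValue>dbaier@leastprivilege.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="{DSIG}"/>
</saml:Assertion>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, audience=OUR_AUDIENCE, trusted=TRUSTED_ISSUERS):
    """Return the attributes as a dict if every condition holds, else raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") not in trusted:
        raise ValueError("untrusted issuer")
    # A real relying party verifies the XML-DSig here; this only refuses tokens with no signature at all.
    if root.find(f"{{{DSIG}}}Signature") is None:
        raise ValueError("unsigned assertion")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML semantics).
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion was issued for a different application")
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        value = attr.find(f"{{{SAML}}}AttributeValue")
        attrs[attr.get("AttributeName")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_sample(iso_now, audience=OUR_AUDIENCE):
    try:
        return validate_assertion(SAMPLE_TOKEN, parse_ts(iso_now), audience)
    except ValueError as err:
        return f"rejected: {err}"
```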
  • 15. WS-Federation
    1: GET /default.aspx
    2: GET /sts/auth.aspx
    <form method="POST" action="http://app/default.aspx">
        <input name="wresult" value="[token]" />
        <script>
            window.setTimeout('document.forms[0].submit()', 0);
        </script>
    </form>
    3: POST /default.aspx
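An added example (not from the talk, and not WIF's own implementation) of the three steps above: the relying party builds the wsignin1.0 redirect, the STS returns the self-submitting form from the slide, and the relying party handles the resulting POST. STS_URL, REALM and the wctx bookkeeping are assumptions for the example; the wctx check refuses a posted token that does not belong to a sign-in this application started, which is one of the cross-site request forgery concerns the talk lists under its dangers.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

STS_URL = "http://www.login.com/sts/auth.aspx"   # identity provider sign-in page (assumed)
REALM = "http://app/default.aspx"                # this relying party's realm, the wtrealm value (assumed)

# wctx values handed out but not yet redeemed; a real application keeps this per browser session.
pending_contexts = {}

def build_signin_redirect(return_path):
    """Step 1 -> 2: the Location header that sends the unauthenticated browser to the STS."""
    ctx = secrets.token_urlsafe(16)      # unguessable, so a posted token can be tied to this request
    pending_contexts[ctx] = return_path
    query = urlencode({"wa": "wsignin1.0", "wtrealm": REALM, "wctx": ctx})
    return f"{STS_URL}?{query}"

def context_from_redirect(url):
    """Read wctx back out of the redirect; the STS echoes it unchanged in its response."""
    return parse_qs(urlsplit(url).query)["wctx"][0]

def render_autopost_form(token, ctx):
    """STS side: the self-submitting form from the slide, with every value HTML-escaped."""
    return (f'<form method="POST" action="{html.escape(REALM, quote=True)}">'
            '<input type="hidden" name="wa" value="wsignin1.0" />'
            f'<input type="hidden" name="wresult" value="{html.escape(token, quote=True)}" />'
            f'<input type="hidden" name="wctx" value="{html.escape(ctx, quote=True)}" />'
            '<script>window.setTimeout("document.forms[0].submit()", 0);</script></form>')

def browser_post_body(token, ctx):
    """Step 3: the form-urlencoded body the browser sends to the realm after the auto-submit."""
    return urlencode({"wa": "wsignin1.0", "wresult": token, "wctx": ctx})

def handle_signin_response(form_body):
    """Relying party side: return (token, return_path) or raise ValueError.
    The token itself still has to be validated (signature, conditions) before it is trusted."""
    fields = parse_qs(form_body, keep_blank_values=True)
    if fields.get("wa") != ["wsignin1.0"]:
        raise ValueError("unexpected wa")
    ctx = fields.get("wctx", [None])[0]
    return_path = pending_contexts.pop(ctx, None)   # single use: a replayed wctx is refused
    if return_path is None:
        raise ValueError("wctx missing, unknown or already used")
    token = fields.get("wresult", [""])[0]
    if not token:
        raise ValueError("wresult missing")
    return token, return_path
```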
  • 16. "Geneva" project
    ADFS 2
    Active Directory integrated identity provider
    enterprise level management features
    Windows Identity Foundation (WIF)
    extensions to .NET identity & authorization infrastructure
    direct ASP.NET & WCF integration
    supports writing relying parties & identity providers
    token handling toolkit
    http://www.microsoft.com/geneva
  • 17. WS-Federation configuration
  • 18. Geneva extensions to IPrincipal
    interface IIdentity {
        bool IsAuthenticated { get; }
        string AuthenticationType { get; }
        string Name { get; }
    }
    interface IPrincipal {
        IIdentity Identity { get; }
        bool IsInRole(string roleName);
    }
    interface IClaimsIdentity : IIdentity {
        ClaimCollection Claims { get; }
        string NameClaimType { get; }
        string RoleClaimType { get; }
    }
    interface IClaimsPrincipal : IPrincipal {
        ClaimsIdentityCollection Identities { get; }
    }
  • 19. Claim
    public class Claim {
        public virtual string ClaimType { get; }
        public virtual string Value { get; }
        public virtual string Issuer { get; }
        // rest omitted
    }
  • 20. Identity provider
    Normal ASP.NET application
    Token issuance logic implemented in a SecurityTokenService derived class
    Token service hosted on an .aspx page using a web control
    SecurityTokenService
    <idfx:FederatedPassiveTokenService />
    issue.aspx
    issue.aspx?wa=wsignin1.0…
    HTTP Form POST
  • 21. SecurityTokenService
    public class MyTokenService : SecurityTokenService
    {
        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            // parse request.AppliesTo (and return encryption cert)
        }

        public override IClaimsIdentity GetOutputClaimsIdentity(Scope scope, IClaimsPrincipal principal, RequestSecurityToken request)
        {
            // retrieve claims from store and return them as IClaimsIdentity
        }
    }
  • 22. Dangers of Single Sign-On
    Identity Provider becomes an attractive target for attacks
    phishing, spoofing
    use SSL (and token level encryption)
    Users get access to several applications with a single credential
    this credential must be secured
    Cross Site Request Forgery becomes a big issue
  • 23. Summary
    Single Sign-On can simplify the user experience
    The fewer credentials a human has to manage, the better
    ASP.NET has limited built-in support
    Special protocols are needed to enable advanced scenarios
    Geneva is Microsoft's library for federation with ASP.NET
    Single Sign-On also has some issues
  • 24. Resources
    "Developing more-secure ASP.NET Applications"
    http://tinyurl.com/AspNetSecurity
    OpenID for .NET
    http://code.google.com/p/dotnetopenid/
    Thinktecture Starter STS
    StarterSTS.codeplex.com
    Geneva Framework Whitepaper
    http://tinyurl.com/GenevaWhitepaper
    Cross Site Request Forgery (CSRF)
    http://www.owasp.org/index.php/Cross-Site_Request_Forgery
    AntiCSRF
    http://AntiCSRF.codeplex.com/
  • 25. Contact me…
    dominick.baier@thinktecture.com
    http://www.leastprivilege.com