ASP.NET Single Sign On

Talk from BASTA Conference 2009



Transcript

  • 1. http://www.thinktecture.com
    Dominick Baier | thinktecture
    dominick.baier@thinktecture.com
    ASP.NET Single-Sign-On
  • 2. thinktecture and Dominick Baier
    Support and consulting for software developers and architects in the Windows and .NET space
    Developer coaching and mentoring
    Architecture consulting and prototyping
    Architecture and code reviews
    Focus on distributed applications, service orientation, workflows, cloud computing, interoperability, security, end-to-end solutions
    Windows Server, .NET, WCF, WF, MSMQ, .NET Services, Windows Azure
    http://www.thinktecture.com
    http://www.leastprivilege.com
    dominick.baier@thinktecture.com
  • 3. Agenda
    What's Single Sign-On?
    How does HTTP based authentication work?
    ASP.NET Forms Authentication
    Protocols for third party authentication
    Microsoft "Geneva" Framework for ASP.NET
    Dangers of Single Sign-On
  • 4. Single Sign-On
    The problem
    many (historical) applications
    username/password authentication
    different account stores
    The desire
    no need for separate accounts
    at least same credential for all apps
    only sign in once (a day)
  • 5. Single Sign-On v0.5
    Unified user account data store
    pre-requisite for moving on
    still separate sign-on processes
  • 6. Challenge/response based authentication
    GET /default.aspx
    401 / WWW-Authenticate
    GET /default.aspx with Authorization header …
  • 7. Redirect/cookie based authentication
    GET /default.aspx
    302 -> login.aspx
    POST /login.aspx
    Set-Cookie
  • 8. ASP.NET Forms Authentication
    www.domain.com
    .domain.com
  • 9. Forms Authentication scenarios
    www.domain.com/app1
    www.domain.com/app2
    app1.domain.com
    app2.domain.com
  • 10. Forms Authentication drawbacks
    ASP.NET encrypts and signs authentication cookies
    uses a random key by default
    must set a shared key in all applications
    Authentication logic must be duplicated
    Forms Authentication does not support redirects outside of the current application
    Cookie domains are limited
    applications in different domains cannot "federate"
  • 11. Forms Authentication non-scenarios
    www.domain1.com
    www.domain2.com
    www.login.com
  • 12. "Third party authentication" protocols
    Protocols with focus on
    factoring out and centralizing authentication logic
    transmitting authentication tokens over domain boundaries
    Several popular standards
    OpenID
    SAML 2.0P
    WS-Federation
  • 13. General idea
    (diagram: Client, Identity Provider and Relying Party; trust and data exchange between Identity Provider and Relying Party; numbered steps 1 and 2 from the Client)
  • 14. A look into a (SAML) token
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    Issuer="http://www.login.com">
      <saml:Conditions>
        NotBefore, NotOnOrAfter, ApplicationName
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="name">
          <saml:AttributeValue>dominick</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="email">
          <saml:AttributeValue>dbaier@leastprivilege.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
    </saml:Assertion>
  • 15. WS-Federation
    1: GET /default.aspx
    2: GET /sts/auth.aspx
    <form method="POST" action="http://app/default.aspx">
      <input name="wresult" value="[token]" />
      <script>
        window.setTimeout('document.forms[0].submit()', 0);
      </script>
    </form>
    3: POST /default.aspx
  • 16. "Geneva" project
    ADFS 2
    Active Directory integrated identity provider
    enterprise level management features
    Windows Identity Foundation (WIF)
    extensions to .NET identity & authorization infrastructure
    direct ASP.NET & WCF integration
    supports writing relying parties & identity providers
    token handling toolkit
    http://www.microsoft.com/geneva
  • 17. WS-Federation configuration
  • 18. Geneva extensions to IPrincipal
    interface IIdentity {
        bool IsAuthenticated { get; }
        string AuthenticationType { get; }
        string Name { get; }
    }
    interface IPrincipal {
        IIdentity Identity { get; }
        bool IsInRole(string roleName);
    }
    interface IClaimsIdentity : IIdentity
    {
        ClaimCollection Claims { get; }
        string NameClaimType { get; }
        string RoleClaimType { get; }
    }
    interface IClaimsPrincipal : IPrincipal
    {
        ClaimsIdentityCollection Identities { get; }
    }
  • 19. Claim
    public class Claim
    {
        public virtual string ClaimType { get; }
        public virtual string Value { get; }
        public virtual string Issuer { get; }
        // rest omitted
    }
  • 20. Identity provider
    Normal ASP.NET application
    Token issuance logic implemented in a SecurityTokenService derived class
    Token service hosted on an .aspx page using a web control
    SecurityTokenService
    <idfx:FederatedPassiveTokenService />
    issue.aspx
    issue.aspx?wa=wsignin1.0…
    HTTP Form POST
  • 21. SecurityTokenService
    public class MyTokenService : SecurityTokenService
    {
        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            // parse request.AppliesTo (and return encryption cert)
        }

        public override IClaimsIdentity GetOutputClaimsIdentity(Scope scope, IClaimsPrincipal principal, RequestSecurityToken request)
        {
            // retrieve claims from store and return them as IClaimsIdentity
        }
    }
  • 22. Dangers of Single Sign-On
    Identity Provider becomes an attractive target for attacks
    phishing, spoofing
    use SSL (and token level encryption)
    Users get access to several applications with a single credential
    this credential must be secured
    Cross Site Request Forgery becomes a big issue
  • 23. Summary
    Single Sign-On can simplify the user experience
    The fewer credentials a human has to manage, the better
    ASP.NET has limited built-in support
    Special protocols needed to enable advanced scenarios
    Geneva is Microsoft's library for federation with ASP.NET
    Single Sign-On also has some issues
  • 24. Resources
    "Developing more-secure ASP.NET Applications"
    http://tinyurl.com/AspNetSecurity
    OpenID for .NET
    http://code.google.com/p/dotnetopenid/
    Thinktecture Starter STS
    StarterSTS.codeplex.com
    Geneva Framework Whitepaper
    http://tinyurl.com/GenevaWhitepaper
    Cross Site Request Forgery (CSRF)
    http://www.owasp.org/index.php/Cross-Site_Request_Forgery
    AntiCSRF
    http://AntiCSRF.codeplex.com/
  • 25. Contact me…
    dominick.baier@thinktecture.com
    http://www.leastprivilege.com
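The following is an added example, not code from the talk or from Geneva/WIF (whose token handlers perform these checks for you): the checks a relying party has to make on the SAML 1.x assertion that arrives in the wresult POST of slide 15 before trusting the attributes shown on slide 14, which is what "token level" protection on slide 22 comes down to. The class and method names (SamlSignedXml, SamlAssertionChecker, Validate) are hypothetical; the trusted issuer certificate, expected issuer and expected audience are assumed to come from the application's configuration, and the slide's "ApplicationName" condition corresponds to SAML's AudienceRestrictionCondition.

```csharp
using System;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// SAML 1.x keeps the assertion ID in "AssertionID", which SignedXml does not resolve by default.
class SamlSignedXml : SignedXml
{
    public SamlSignedXml(XmlDocument doc) : base(doc) { }
    public override XmlElement GetIdElement(XmlDocument doc, string id)
    {
        var root = doc.DocumentElement;
        return root != null && root.GetAttribute("AssertionID") == id ? root : base.GetIdElement(doc, id);
    }
}
static class SamlAssertionChecker
{
    // Returns the "name" attribute once every check has passed; throws otherwise.
    public static string Validate(string assertionXml, X509Certificate2 trustedIssuerCert,
        string expectedIssuer, string expectedAudience, TimeSpan clockSkew)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };   // whitespace is part of the signed bytes
        doc.LoadXml(assertionXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        var root = doc.DocumentElement;
        // 1. Signature, verified against the certificate configured for the trust, never against a key in the token.
        var sig = root.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sig == null) throw new SecurityException("assertion is not signed");
        var signed = new SamlSignedXml(doc);
        signed.LoadXml(sig);
        if (!signed.CheckSignature(trustedIssuerCert, true)) throw new SecurityException("bad signature");
        // 2. Issuer must be the identity provider this relying party trusts.
        if (root.GetAttribute("Issuer") != expectedIssuer) throw new SecurityException("unexpected issuer");
        // 3. Validity window (with clock skew) and audience, both from <saml:Conditions>.
        var cond = root.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (cond == null) throw new SecurityException("assertion has no conditions");
        Func<string, DateTime> at = a => XmlConvert.ToDateTime(cond.GetAttribute(a), XmlDateTimeSerializationMode.Utc);
        DateTime now = DateTime.UtcNow;
        if (now + clockSkew < at("NotBefore") || now - clockSkew >= at("NotOnOrAfter"))
            throw new SecurityException("assertion outside its validity window");
        var aud = cond.SelectSingleNode("saml:AudienceRestrictionCondition/saml:Audience", ns);
        if (aud == null || aud.InnerText != expectedAudience) throw new SecurityException("wrong audience");
        // 4. Only now are the attributes worth reading.
        var name = root.SelectSingleNode("saml:AttributeStatement/saml:Attribute[@AttributeName='name']/saml:AttributeValue", ns);
        return name == null ? null : name.InnerText;
    }
}
```

Passing the configured certificate to CheckSignature is the point of step 1: the parameterless overload would take the verification key from the token's own KeyInfo, which the sender controls.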
