Create a Uniform Login Experience with a Centralized Cloud Authentication System, Roy Cornelissen and Marcel de Vries
  1. Welcome!
  2. How to create a uniform login experience using Federated Identity
     Roy Cornelissen, IT Architect, Info Support, @roycornelissen
     Marcel de Vries, Technology Manager, @marcelv
     Xamarin Evolve 2013
  3. Agenda: Your app, Demo's, Problem, Solutions
  4. Problem statement
     You want to secure your back end. Your app needs to authenticate before it can access services in your backend.
     How are you going to identify the user at the backend? Roll your own username/password? That's so 1996...
     You already have cloud identities on Facebook, Google, Microsoft, Yahoo! Why not leverage those?
     So what are our options to integrate with these identity providers?
  5. Identity Providers (IdP)
     Enterprise IdP's: Microsoft Active Directory & Active Directory Federation Services (ADFS)
     Social IdP's
  6. What does an IdP do?
     Authenticate against something you know or have, e.g. a password, a smart card, biometric information.
     It hands out tokens. Tokens contain claims, e.g. your name, email address, age or role.
     We can "chain" IdP's: each IdP can augment the claim set and with that provide additional claims to the party that uses the token.
  7. What does your app need to do?
     It needs to do something with the claims provided by the IdP, e.g. do a lookup on the "nameidentifier" claim and selectively provide access to application resources:
     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
     So an IdP provides an authenticated identity and some claims about that identity. Your app needs to do smart things to authorize the user based on those claims.
  8. Possible solutions
     Integrate your app with all the different providers out there. This requires a trust relationship with each (cloud) identity provider and requires you to implement the integration with each provider using their selected protocol, e.g. OAuth, WS-Federation, SAML/P, OpenID, etc. Every time you want to support a new provider, you need to add that integration to your app.
     Use Windows Azure Active Directory.
     Use the Access Control Service (ACS).
  9. Access Control Service (ACS)
     You integrate with ACS; ACS handles integration with others: Facebook, Yahoo, Windows ID, Google ID, ...
     You can add any WS-Federation or OpenID compliant IdP such as a corporate ADFS.
  10. ACS Terminology
     STS (Security Token Service): any party that can issue an authentication token.
     Identity Provider (IdP): party that maintains the user identity, e.g. Windows Live, Google, Yahoo, etc.
     Relying Party: the party relying on some IdP to hand over a set of claims about who that identity is, i.e. your app.
     Example claims: Windows Live -> unique id; Google -> email address.
  11. SAML or SWT?
     SAML & cookie-based authentication versus Simple Web Tokens and HTTP-header-based authentication.
     You can use SAML or SWT. What are the tradeoffs? It depends on your services.
  12. Call a service with SWT
     When using a REST service, you can simply add a custom header to your request (HttpClient, WebClient):

         // SWT travels in the OAuth WRAP authorization header
         string headerValue = string.Format("WRAP access_token=\"{0}\"", token);
         client.Headers.Add("Authorization", headerValue);

     When using WCF & SOAP, you need to add a custom header to the request:

         using (var ctx = new OperationContextScope(proxy.InnerChannel))
         {
             var httpRequestProperty = new HttpRequestMessageProperty();
             httpRequestProperty.Headers[HttpRequestHeader.Authorization] =
                 string.Format("WRAP access_token=\"{0}\"", token);
             OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] =
                 httpRequestProperty;
             // call the proxy operation inside this scope so the header is sent with it
         }

  13. Call a service with SAML token (cookie based)
     When using a REST service, you need to add the cookie to the cookie collection in the header of the request:

         // cookies scoped to the service URI (serviceUri is assumed here; the original slide elides it)
         CookieCollection coll = App.AuthenticationCookieContainer.GetCookies(serviceUri);
         WebClient webrequest = new WebClient();
         string cookiestring = "";
         int count = 0;
         foreach (Cookie cookie in coll)
         {
             if (count++ > 0) { cookiestring += "; "; }
             cookiestring += cookie.Name + "=" + cookie.Value;
         }
         webrequest.Headers[HttpRequestHeader.Cookie] = cookiestring;

     For SOAP using the WCF stack, simply use CookieContainer:

         EventsServices.EventsDomainServicesoapClient proxy = new EventsServices.EventsDomainServicesoapClient();
         proxy.CookieContainer = App.AuthenticationCookieContainer;
  14. Conceptual model (diagram)
     Parties: Identity Providers (IdP), ACS (STS), Your (web) services (RP).
     Steps: Get IdP list, redirect, Authenticate, redirect, Get token/cookie, Access the service.
     Labels: WIF, <soap/>, { json }, .aspx, Cookie.
  15. ISKE Events App
  16. Authentication flow (sequence diagram)
     Lifelines: Mobile App, ACS, Identity Provider, Your Service.
     Messages as labelled on the slide: GetIdentityProviders(); Request to login page; Login; IdP Token; Map claims; Realm page; ACS Token; Cookie (containing ACS token); Request (with cookie).
     Depending on ACS config for SWT or SAML you get a header or a cookie.
  17. Class diagram: SignInWebViewDelegate, SignInViewController, SignInController, ACSJSONIdentityProviderDiscoveryClient, RelyingParty, ACS namespace, Realm, HttpCookieContainer, IdentityProvider
  18. Class diagram: LoginView, WebView, WebBrowser, AccessControlServiceSignIn control, ACSJSONIdentityProviderDiscoveryClient, RelyingParty, ACS namespace, Realm, HttpCookieContainer, IdentityProvider
  19. Class diagram: SignInActivity, SignInWebView, IdentityProviderListActivity, SignInController, ACSJSONIdentityProviderDiscoveryClient, RelyingParty, [navigate], ACS namespace, Realm, HttpCookieContainer, IdentityProvider
  20. I want that! NOW!
     We'll publish the code on CodePlex, and depending on demand: NuGet package and Xamarin Store.
  21. Wait, what about Windows Azure Toolkit?
     It's deprecated. The replacement does not provide the same experience. Our code is a fork of the original AND works on multiple platforms!
  22. Thank you!
     @roycornelissen, roycornelissen.wordpress.com
     @marcelv, blogs.infosupport.com/marcelv
     Come see us again, tomorrow at 1.30 PM
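Slides 12 and 16 show the client sending the ACS token; the other half, which the slides leave to "Your Service", is checking that token before the nameidentifier lookup from slide 7 is trusted. The following is an added example written for this transcript, not the presenters' library: a service-side validator for the SWT carried in the "WRAP access_token" header. It assumes a full .NET back end (System.Web for HttpUtility), placeholder issuer and realm values, a constructed key, and a SignSample helper that stands in for what ACS does when it signs a token.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility; assumes the back end runs on full .NET (System.Net.WebUtility works elsewhere)
// Service-side check of an ACS Simple Web Token taken from "Authorization: WRAP access_token=...".
// Illustrative code for this transcript, not the presenters' library; issuer, realm and key are placeholders.
static class SwtValidator
{
    const string NameIdClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
    static long UnixNow() { return (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds; }
    // Returns the claims only if HMAC, expiry, issuer and audience all check out; otherwise null.
    public static IDictionary<string, string> Validate(string swt, byte[] signingKey, string issuer, string realm)
    {
        // The HMAC-SHA256 covers everything before "&HMACSHA256="; verify it before trusting any claim.
        string[] parts = swt.Split(new[] { "&HMACSHA256=" }, StringSplitOptions.None);
        if (parts.Length != 2) return null;
        byte[] mac; using (var hmac = new HMACSHA256(signingKey)) mac = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0]));
        string expected = HttpUtility.UrlEncode(Convert.ToBase64String(mac));
        if (!string.Equals(expected, parts[1], StringComparison.Ordinal)) return null; // tampered or not signed with our key
        var claims = new Dictionary<string, string>();
        foreach (string pair in parts[0].Split('&'))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length == 2) claims[HttpUtility.UrlDecode(kv[0])] = HttpUtility.UrlDecode(kv[1]);
        }
        string exp, iss, aud; long expiresOn;
        if (!claims.TryGetValue("ExpiresOn", out exp) || !long.TryParse(exp, out expiresOn) || expiresOn <= UnixNow()) return null;
        if (!claims.TryGetValue("Issuer", out iss) || iss != issuer) return null;  // issued by a different STS
        if (!claims.TryGetValue("Audience", out aud) || aud != realm) return null; // issued for a different relying party
        return claims;
    }
    // Signs a constructed token with the same key so the validator can be exercised offline (ACS does this in production).
    static string SignSample(byte[] key, string issuer, string realm, long expiresOn, string nameId)
    {
        string body = "Issuer=" + HttpUtility.UrlEncode(issuer) + "&Audience=" + HttpUtility.UrlEncode(realm)
            + "&ExpiresOn=" + expiresOn + "&" + HttpUtility.UrlEncode(NameIdClaim) + "=" + HttpUtility.UrlEncode(nameId);
        using (var hmac = new HMACSHA256(key))
            return body + "&HMACSHA256=" + HttpUtility.UrlEncode(Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(body))));
    }
    static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"); // constructed 32-byte key, not an ACS key
        const string issuer = "https://YOUR-NAMESPACE.accesscontrol.windows.net/", realm = "https://your-realm.example/";
        string token = SignSample(key, issuer, realm, UnixNow() + 3600, "user-42");
        var claims = Validate(token, key, issuer, realm);
        Console.WriteLine(claims == null ? "rejected" : "accepted, nameidentifier = " + claims[NameIdClaim]);
        Console.WriteLine(Validate(token.Replace("user-42", "admin"), key, issuer, realm) == null ? "tampered token rejected" : "BUG");
    }
}
```

In production the key is the symmetric signing key of the ACS namespace and the issuer is that namespace's URL; a token whose Audience is another realm must be rejected even though its signature verifies.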