Windows Identity Foundation


  1. Windows Identity Foundation
     An overview of digital identity and single sign-on.

  2. Agenda
     - What problems are we trying to solve?
     - Claims
     - Security Token Service (STS)
     - Active Directory Federation Services (ADFS 2.0)
     - Claims Aware Application
     - Windows Identity Foundation (WIF)
     - Passive Federation (Intranet Scenario)
     - Partner Federation
     - Demo

  3. What problems are we trying to solve?
     - One user store per application
     - The number of identities users must relate to (roles, groups)
     - Increasing cost of administering and maintaining user stores
     - Lack of control over user identities, both by the user and by the organizations
     - When someone quits, how many identities in how many systems must be deactivated?
     - Single Sign-On

  4. Claims
     - Not limited in the same way as e.g. Windows tokens (Kerberos):
       - Username
       - Groups
     - ...or the ASP.NET membership provider:
       - User
       - Roles
       - Profiles

  5. Claims (contd.)
     - Claims can carry more information about the user: roles, email, age... anything
     - Applications using claims share one common model.
     - Anonymize users (IsOver18).
     - Can be accessed over the internet as well as the intranet.
     - Can work with browsers and web services.
     - The Name claim and the Role claim are something .NET understands today:
       - HttpContext.Current.User is an IPrincipal (IsInRole)
       - HttpContext.Current.User.Identity is an IIdentity (Name, IsAuthenticated)

  6. Security Token Service (STS)
     - A centralized service for authentication outside the application (separation of concerns)
     - Talks to the STSs of partner organizations
     - Issues and transforms claims

  7. Active Directory Federation Services (ADFS 2.0)
     - Microsoft's STS
     - Integrated with Active Directory
     - Supports both active and passive clients
     - Can integrate with other WS-Trust services and other STSs
     - Supports SAML 1.1 and 2.0 tokens
     - Supports WS-Fed (1 and 2) and the SAML 2.0 protocol (not 1.1)
     - Two flavors: Service and Proxy

  8. Claims Aware Application
     - The application makes authorization decisions based on the claims contained in the security token
     - No longer required to make authentication decisions
     - Same authorization logic for the application
     - Deployed on the intranet or as a cloud service
     - Receives claims from its own organization's users or from users of trusted partners

  9. Windows Identity Foundation (WIF)
     - Provides a common programming model for claims.
     - Validates the incoming security token and parses the claims inside it.
     - Reduces the complexity and the amount of code needed to implement security in .NET apps (no need to be a security expert).
     - Provides plumbing tools integrated into Visual Studio to configure .NET apps to use claims and STSs.
     - Works with WCF and ASP.NET applications.

  10. Passive Client (Intranet scenario)
      [Sequence diagram. Actors: User, Claims-aware app, ADFS STS, Active Directory. The app trusts the STS.]
      - User browses to the app
      - Not authenticated: redirected to the STS
      - Authenticate
      - STS queries Active Directory for user attributes
      - STS returns a security token (ST)
      - Browser sends the token to the app
      - App returns the page and a cookie
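The following is an added example, not code from the slide deck or from WIF itself. It shows the claims-aware application side of the Claims, Claims Aware Application and WIF slides: the principal WIF hands the app after validating the token, the Name and Role claims that surface through IIdentity and IPrincipal, and an authorization manager that decides on claims without authenticating anyone. It uses System.Security.Claims, the .NET 4.5 namespace into which WIF was folded; the claim values, the user name and the IsOver18 claim type URI are constructed for illustration.

```csharp
// Added example (not from the deck or from WIF). Sample claims and the
// IsOver18 claim type URI below are constructed values.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ClaimsDemo
{
    // Constructed claim type for the "anonymize users (IsOver18)" idea on the Claims
    // slide: the STS asserts a yes/no fact, so the app never sees a birth date.
    public const string IsOver18ClaimType = "http://schemas.example.com/claims/isover18";

    // Builds the principal a claims-aware app receives once WIF has validated the
    // token issued by the STS (the claims here stand in for the token's contents).
    public static ClaimsPrincipal BuildPrincipal()
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, "alice"),             // becomes IIdentity.Name
            new Claim(ClaimTypes.Email, "alice@example.com"),
            new Claim(ClaimTypes.Role, "Employee"),          // role claims back IPrincipal.IsInRole
            new Claim(ClaimTypes.Role, "Approver"),
            new Claim(IsOver18ClaimType, "true"),
        };
        // A non-empty authentication type is what makes IIdentity.IsAuthenticated true.
        var identity = new ClaimsIdentity(claims, "Federation");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        ClaimsPrincipal user = BuildPrincipal();
        // The same IPrincipal/IIdentity surface that HttpContext.Current.User exposes.
        Console.WriteLine("Name: " + user.Identity.Name);
        Console.WriteLine("Authenticated: " + user.Identity.IsAuthenticated);
        Console.WriteLine("Is Approver: " + user.IsInRole("Approver"));

        var manager = new ClaimsOnlyAuthorizationManager();
        Console.WriteLine("GET /adult/report: "
            + manager.CheckAccess(new AuthorizationContext(user, "/adult/report", "GET")));
        Console.WriteLine("POST /approvals/42: "
            + manager.CheckAccess(new AuthorizationContext(user, "/approvals/42", "POST")));
        Console.WriteLine("GET /admin/users: "
            + manager.CheckAccess(new AuthorizationContext(user, "/admin/users", "GET")));
    }
}

// Authorization policy WIF invokes before a request reaches the page, so the page
// itself contains no authentication code and no role or age checks of its own.
public class ClaimsOnlyAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        ClaimsPrincipal principal = context.Principal;
        // Resource and action are modelled as claims as well; here a path and an HTTP verb.
        string resource = context.Resource.First().Value;
        string action = context.Action.First().Value;

        // Anyone the trusted STS authenticated may read the public area.
        if (resource.StartsWith("/public/") && action == "GET")
            return principal.Identity.IsAuthenticated;

        // Age-restricted area: decide on the IsOver18 claim, never on a birth date.
        if (resource.StartsWith("/adult/"))
            return principal.HasClaim(ClaimsDemo.IsOver18ClaimType, "true");

        // Approval actions require the Approver role claim.
        if (resource.StartsWith("/approvals/") && action == "POST")
            return principal.IsInRole("Approver");

        return false; // deny by default
    }
}
```

In a real deployment the manager class is registered through the claimsAuthorizationManager element of the WIF configuration section in web.config, and the principal comes from the token WIF validated rather than from BuildPrincipal; the point of the example is that every decision is made on claim type and value, so the same policy works whether the claims came from your own STS or, after transformation, from a partner's.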
  11. Partner Federation
      [Sequence diagram. Actors: Partner user, Your claims-aware app, Your ADFS STS, Partner ADFS STS & IP, Partner Active Directory.]
      - Partner user browses to your app
      - Not authenticated: redirected to your STS
      - Home realm discovery
      - Redirected to the partner STS, requesting an ST for the partner user
      - Authenticate (against the partner Active Directory)
      - Partner STS returns an ST for consumption by your STS
      - Redirected to your STS
      - Your STS processes the token and returns a new ST
      - Browser sends the token to your app
      - App returns the page and a cookie
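As an added example that is not part of the deck and not WIF's own code, the block below mirrors the "Redirected to STS" and "Return page and cookie" steps of the two sequence diagrams (intranet and partner scenarios) with a hand-built WS-Federation passive sign-in request. In a WIF application the WSFederationAuthenticationModule emits this query string for you; building it by hand makes visible which parameters carry the realm, the reply address and, for the partner scenario, the home realm chosen by home realm discovery. The STS address, app realm and partner realm are constructed values.

```csharp
// Added example (not from the deck or from WIF). All URLs are constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public static class WsFedRedirect
{
    public const string StsSignInUrl = "https://sts.example.com/adfs/ls/"; // your ADFS STS (constructed)
    public const string AppRealm     = "https://app.example.com/";         // your claims-aware app's realm

    // Builds the redirect the app issues when the browser arrives unauthenticated.
    // homeRealm (whr) is set only in the partner scenario, after home realm
    // discovery has determined which partner STS should authenticate the user.
    public static string BuildSignInUrl(string returnPath, string homeRealm)
    {
        var parameters = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("wa", "wsignin1.0"),  // action: sign in
            new KeyValuePair<string, string>("wtrealm", AppRealm), // realm the token is issued for
            new KeyValuePair<string, string>("wreply", AppRealm),  // where the STS posts the token back
            new KeyValuePair<string, string>("wctx", returnPath),  // opaque context, echoed back unchanged
        };
        if (!string.IsNullOrEmpty(homeRealm))
            parameters.Add(new KeyValuePair<string, string>("whr", homeRealm));

        string query = string.Join("&",
            parameters.Select(kv => Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value)));
        return StsSignInUrl + "?" + query;
    }

    // After "Send Token", wctx comes back exactly as it was sent, by way of the STS and
    // the browser, so treat it as untrusted input and only honour an app-local path.
    public static string SafeReturnPath(string wctx)
    {
        if (string.IsNullOrEmpty(wctx)) return "/";
        bool isLocal = wctx.StartsWith("/") && !wctx.StartsWith("//") && !wctx.StartsWith("/\\");
        return isLocal ? wctx : "/";
    }

    public static void Main()
    {
        // Intranet scenario: your own users, no home realm needed.
        Console.WriteLine(BuildSignInUrl("/reports/q1", null));
        // Partner scenario: home realm discovery selected the partner's STS.
        Console.WriteLine(BuildSignInUrl("/reports/q1", "https://sts.partner.example/adfs/services/trust"));
        Console.WriteLine(SafeReturnPath("/reports/q1"));
        Console.WriteLine(SafeReturnPath("https://elsewhere.example/"));
    }
}
```

Two details matter for the trust relationship drawn in the diagrams: wtrealm must match an audience URI the app is configured to accept, otherwise WIF rejects the token even though your STS signed it, and the token that finally reaches your app in the partner scenario is the new ST your STS issued after processing the partner's, so your app only ever needs to trust your own STS's signing certificate.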
  12. Demo

  13. Q&A
      Manu Sharma, Senior Software Developer
      Manu.Sharma@blackline.com
      More info: http://msdn.microsoft.com/en-us/security/aa570351

  14. Thank You!
