How to Tackle the Single Sign-On Challenge in 2012

My slide deck for the ITCamp 2012 Conference (www.itcamp.ro).


  1. Tackling the Single Sign-On Challenge. Mihai Nadăș, Windows Azure MVP, Yonder CTO, @mihainadas, mihainadas.com. @itcampro #itcamp12 Premium conference on Microsoft technologies
  2. ITCamp 2012 sponsors (track: Private & Public Cloud)
  3. About myself
     • mihainadas.com
     • @mihainadas
     • Passionate about technology, background in the .NET world
     • Windows Azure MVP
     • Driving Yonder's appetite for innovation
  4. On security and the future
     • As the world becomes more interconnected, security becomes a more important topic
     • Holland, 2012 – VCD's SaaS solution publicly exposed information about its users' medical history
     "We spend our time searching for security and hate it when we get it." – John Steinbeck
  5. Passwords and implementations
  6. OWASP's Top 5
     1. Injection
     2. Cross Site Scripting (XSS)
     3. Broken Authentication and Session Management
     4. Insecure Direct Object References
     5. Cross Site Request Forgery
  8. Agenda
     • Claims-Based Identity and Access Control
     • The Single Sign-On Challenge and Benefits
     • Windows Azure Access Control Service
     • Q&A
  9. The problem with Identity and Access Control in the Enterprise: ENOUGH TALKING, LET'S DEMO!
  10. What you'll see
     • A fictitious case study of an enterprise called Adatum
     • The whiteboard diagram showing the situation of the auth/auth problem pre-claims
     • DEMO
  11. Adatum Infrastructure Pre-Claims (diagram)
  12. The problem with Identity and Access Control in the Enterprise: DEMO
  13. What's the problem?
     • Users of a-Expense need a user name and password
     • The IT staff have to sync roles between authentication systems
     • a-Order can't be accessed from the Internet
     • No Single Sign-On, aka "Credentials Hell"
  14. What's the problem? (diagram)
  15. Be the consultant and please Adatum!
     • Adatum's requirements
       – Single Sign-On (SSO) capabilities
       – Enable Adatum employees to access corporate applications from the Internet (no VPN)
       – Plan for the future (cloud, new apps)
     • What is your solution?
  16. Introducing Claims-Based Identity
     • Control the digital experience based on things that are said about one party by the other
     • A party can be a web site, web service, person, government or organization
  17. Claims are not new!
     • Mainframes asked for user/password and passed "claims" about them to applications
       – uid, gid
       – sudo su
     • As systems became interconnected we needed ways to identify parties across multiple computers
     • Specialized services appeared
       – NTLM, Kerberos (Windows Integrated Authentication)
       – Public Key Infrastructure (PKI)
       – Security Assertion Markup Language (SAML)
  18. The Claims-Based ID Framework
     • Two major components
       1. A single, general notion of claims
       2. Concept of issuer / authority
     • Terminology
       1. Application (Relying Party, Service Provider)
       2. User (Subject, Principal)
       3. Issuer (Security Token Service, Identity Provider)
       4. Rich Client (Active Client)
       5. Browser (Passive Client)
  19. Claims-Based ID in the Real World: Traveler, Check-In Counter, Airport Agents
       1. The traveler shows an ID or passport at the check-in counter
       2. The check-in counter gives a boarding card
       3. The traveler shows the boarding card to the airport agents to gain access
  20. Claims-Based ID in the Real World, mapped to the framework: Traveler = User, Check-In Counter = Issuer, Airport Agents = Application
       1. Show ID or passport = Authentication (credentials)
       2. Give boarding card = Claims
       3. Show boarding card to gain access = Authorization
  21. What are the benefits?
     • Simplified authentication logic
     • Decoupled authentication from authorization
     • Eliminate redundancy
  22. Implementing Claims-Based Identity
     • What do you need?
       – An app (web service, web site, mobile app, etc.)
       – An issuer
       – Claims-based identity magic
     • What are the steps?
       1. Set up an issuer
       2. Configure the issuer to know about the app
       3. Add logic to the app to support claims
       4. Configure the app to trust the issuer
  23. Claims-Based Identity Lifecycle (diagram)
  24. What's WIF?
     • Windows Identity Foundation
     • Framework for building identity-aware applications
     • Provides APIs for building ASP.NET or WCF based security token services
     • Tools for building claims-aware and federation-capable applications
     • Now part of .NET Framework 4.5
  25. Solving Adatum's problem using Claims-Based Identity: ENOUGH TALKING, LET'S DEMO!
  26. Adatum Infrastructure Post-Claims (diagram)
  27. Technologies at work
     • Windows Identity Foundation
     • Active Directory Federation Services
  28. Solving Adatum's problem using Claims-Based Identity: DEMO
  29. What about Smart Clients?
  30. Going beyond Identity Providers
     • Welcome Federated Providers!
     • Powerful way to provide SSO across domains
  31. Adatum meets Litware (diagram)
  32. Windows Azure ACCESS CONTROL SERVICE
  33. Shortly
     • A feature of Windows Azure Active Directory
     • Outsourcing authentication (no need to write code)
     • Works with .NET, PHP, Python, Java and Ruby
     • Out-of-the-box support for a variety of identity providers
     • Integrates with on-premises Active Directory
  34. Benefits
     • Open industry standards
       – Protocols: OAuth 2.0, WS-Trust, WS-Federation
       – Token formats: SAML 1.1/2.0 and Simple Web Token
     • $1.99 per 100,000 transactions
  35. Identity Providers
     • Built-in support for
       – Windows Live ID
       – Facebook
       – Google
       – Yahoo!
       – WS-Federation identity providers
     • Programmatic configuration for
       – WS-Trust based (AD FS 2.0)
       – OpenID based
  36. Relying Party Applications
     • An application that relies on claims
     • Implements federated authentication using ACS
     • Trusts the ACS namespace
     • Can be configured manually or programmatically through the ACS Management Service
  37. ACS Architecture (diagram)
  38. ACS - Protocol Handling
     • ACS does the heavy lifting for handling protocols
       – WS-Federation
       – WS-Trust
       – OpenID
       – OAuth 2.0, OAuth WRAP
       – Facebook Graph
     • ACS issues normalized tokens
       – SAML
       – SWT
  39. Windows Azure ACS: ENOUGH TALKING, LET'S DEMO!
  40. Goals
     1. Configure your application to outsource authentication to ACS
     2. Configure ACS to include the identity providers you want to leverage
     3. Configure ACS to process incoming identities and add new claims
     4. Modify your application to consume claims from ACS and drive authorization decisions
     5. Customize the default authentication user experience provided by ACS
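As an added example that is not part of the deck, here is the relying-party side of steps 3 and 4 on slide 22 and goals 1 and 4 on slide 40, written in Python (one of the languages the deck lists for ACS): the application checks a Simple Web Token (the SWT format ACS issues, slide 38) by verifying the HMAC-SHA256 signature with the shared key, accepting only the configured issuer and audience, rejecting expired tokens, and then driving an authorization decision from the role claim. The signing key, issuer and audience URLs and claim values are constructed placeholders, and the issue_swt helper stands in for ACS so the example runs offline.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed 256-bit symmetric key for this example; with ACS this is the
# per-relying-party token signing key shared between the namespace and the app.
SIGNING_KEY = hashlib.sha256(b"constructed-demo-key-not-for-production").digest()
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def issue_swt(claims, issuer, audience, lifetime_s=600, now=None):
    """Issuer side (stand-in for ACS): form-encode the claims, then append HMACSHA256 over them."""
    now = int(time.time() if now is None else now)
    body = urlencode({**claims, "Issuer": issuer, "Audience": audience,
                      "ExpiresOn": str(now + lifetime_s)})
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(sig).decode(), safe="")


def validate_swt(token, trusted_issuer, my_audience, now=None):
    """Relying-party side: return the claims only if every trust check passes."""
    body, sep, sig_b64 = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token carries no HMACSHA256 signature")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a token altered in transit or signed with another key fails here.
    if not hmac.compare_digest(expected, base64.b64decode(unquote(sig_b64))):
        raise ValueError("signature mismatch")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Issuer") != trusted_issuer:
        raise ValueError("issuer is not the one this application trusts")
    if claims.get("Audience") != my_audience:
        raise ValueError("token was issued for a different application")
    now = time.time() if now is None else now
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return claims


def has_role(claims, role):
    """Authorization decision from the role claim; SWT packs multi-valued claims comma-separated."""
    return role in claims.get(ROLE_CLAIM, "").split(",")
```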
  41. Requirements
     • Windows Vista SP2, Windows Server 2008 SP2, Windows Server 2008 R2, or Windows 7 (32-bit or 64-bit)
     • Internet Information Services (IIS) 7.0
     • .NET Framework 4
     • Visual Studio 2010
     • Windows Identity Foundation Runtime
     • Windows Identity Foundation SDK
  42. Windows Azure ACS: DEMO
  43. Summary
     • A feature of Windows Azure Active Directory
     • Outsourcing authentication and authorization (no need to write code)
     • Works with .NET, PHP, Python, Java and Ruby
     • Out-of-the-box support for identity providers like Windows Live ID, Google, Yahoo! and Facebook
     • Integrates with on-premises Active Directory
  44. References
     • Windows Azure Training Kit
     • claimsid.codeplex.com
  45. Check out AzureWorks.ro: www.azureworks.ro
  46. meetwindowsazure.com
  47. Q&A