Liberating Identity using Windows Identity Foundation

This presentation was delivered by Simon Evans to the London Connected Systems User Group on 7th December 2010

  • Use existing tools and services wherever possible, but only if they fit seamlessly and don’t cause pain in the solution. Build in a loosely coupled manner: code against contracts not implementations, build for testability, separate concerns, favour convention over configuration. But don’t over-engineer: don’t provide endless configuration options just in case. Build a simple solution that’s easy and painless to change if and when required. What’s the result? Developing software simply and quickly. Reducing waste, reducing effort, reducing cost.

    1. Liberating Identity with WIF
       Simon Evans, London Connected Systems User Group
    2. IDENTITY MATTERS
       And we’ve broken it
    5. Users are prisoners
    6. The consequences
       • Users have to remember lots of credentials
       • Administrators have to manage user accounts in lots of systems
       • User access cannot be traced
       • The “trusted subsystem” anti-pattern
       • Software blocks opportunity
         • Acquisition
         • Federation
    7. LIBERATING IDENTITY
       Free your users
    8. Claims
    9. Example Claims
       • Firstname
       • Surname
       • Date of Birth
       • Post Code
       • Email Address
       • Company Name
       • Business Unit
       • Roles
    10. ACCESS CONTROL
        Is RBAC dead?
    11. Anatomy of a Security Token
    12. Anatomy of a Security Token
        • Collection of Claims
        • Audience
        • Valid Dates
        • Issuer with digital signature
        • Encryption
        • Various formats (SAML 1.1, SAML 2.0, Custom…)
    13. Issuing Security Tokens
    14. Security Token Services (STS)
        • All Security Token Services issue tokens
        • Identity Provider Security Token Service (IP-STS)
          • Stores the identity information about a user
          • Somehow authenticates a user
        • Resource Security Token Service (R-STS)
          • Transforms claims from one format to another
          • Relies on at least one IP-STS
        • A Relying Party (RP) consumes security tokens issued from a trusted STS
    15. Security Token Services (STS)
    16. Security Token Services (STS)
    17. Establishing Trust
        X.509
    18. The Identity Protocols
        • Browser-based “Passive” clients
          • WS-Federation
          • SAML-P
        • Non-browser-based “Active” clients
          • SOAP
            • WS-Trust 1.3
          • REST
            • OAuth WRAP
            • OAuth 2.0
    19. Identity in the Microsoft Stack
        • Windows Identity Foundation (WIF)
          • Build Relying Parties using WS-Federation and WS-Trust
          • Build custom Security Token Services
          • StarterSTS
        • ADFS 2.0
          • On-premise IP-STS or R-STS
          • Supports WS-Federation, WS-Trust, SAML-P
        • Windows Azure AppFabric Access Control Service (ACS)
          • R-STS in the cloud
          • Supports OAuth WRAP, WS-Federation, WS-Trust, OpenID, Google, Yahoo and Facebook
    20. Platform support for consuming claims
        • SharePoint 2010
        • WF4 Security Activity Pack
        • WIF provides support for:
          • WCF via custom bindings
          • ASP.NET via HTTP modules
          • WCF Data Services
    21. Identity Delegation
        Removing the “Trusted Subsystem” anti-pattern
    22. WS-Trust 1.3 Delegation “Act-As”
    23. Contact Us
        Simon Evans
        simon.evans@emc.com
        http://consultingblogs.emc.com/simonevans
        http://twitter.com/simonevans
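Slides 12, 14 and 17 together describe what a relying party must check before it trusts a token: the issuer, the audience, the validity dates and the issuer's signature over the claims. The following C# is an added example, not code from the talk or from WIF itself: a hypothetical IP-STS issues a signed token and an RP validates it, assuming RSA keys in place of the X.509 certificates of slide 17 and a constructed string layout in place of SAML.

```csharp
// Added example, not code from the talk: a minimal RP checking what slide 12 lists (claims, audience, valid dates, signed issuer).
// RSA keys stand in for the X.509 trust of slide 17; the token layout is a constructed string, not SAML.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public sealed class SecurityToken {
    public string Issuer, Audience;
    public DateTime NotBefore, NotOnOrAfter;
    public Dictionary<string, string> Claims = new Dictionary<string, string>();
    public byte[] Signature;
    // Canonical bytes covered by the signature: editing a claim, the audience or a date invalidates it.
    public byte[] SignedBytes() => Encoding.UTF8.GetBytes($"{Issuer}|{Audience}|{NotBefore:o}|{NotOnOrAfter:o}|"
        + string.Join(";", Claims.OrderBy(c => c.Key).Select(c => c.Key + "=" + c.Value)));
}

public static class IdentityProviderSts {   // hypothetical IP-STS; how it authenticates the user is out of scope
    public static SecurityToken Issue(RSA signingKey, string audience, Dictionary<string, string> claims) {
        var now = DateTime.UtcNow;
        var t = new SecurityToken { Issuer = "urn:example:ip-sts", Audience = audience, Claims = claims,
                                    NotBefore = now.AddMinutes(-1), NotOnOrAfter = now.AddMinutes(10) };
        t.Signature = signingKey.SignData(t.SignedBytes(), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return t;
    }
}

public static class RelyingParty {
    // Returns the claims the RP may act on, or null when the token must be rejected.
    public static Dictionary<string, string> Validate(SecurityToken t, string myAudience, RSA trustedIssuerKey, DateTime now) {
        if (t.Issuer != "urn:example:ip-sts") return null;               // only a trusted STS
        if (t.Audience != myAudience) return null;                       // issued for another relying party
        if (now < t.NotBefore || now >= t.NotOnOrAfter) return null;     // outside the validity window
        bool signed = trustedIssuerKey.VerifyData(t.SignedBytes(), t.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signed ? t.Claims : null;                                 // any alteration after issue fails here
    }
}

public static class Demo {
    public static void Main() {
        using var issuerKey = RSA.Create();
        using var rpTrust = RSA.Create();
        rpTrust.ImportParameters(issuerKey.ExportParameters(false));     // the RP only holds the issuer's public half
        var token = IdentityProviderSts.Issue(issuerKey, "urn:example:rp", new Dictionary<string, string> { ["Roles"] = "Reader" });
        Console.WriteLine(RelyingParty.Validate(token, "urn:example:rp", rpTrust, DateTime.UtcNow) != null);
        token.Claims["Roles"] = "Admin";                                 // altered after issue
        Console.WriteLine(RelyingParty.Validate(token, "urn:example:rp", rpTrust, DateTime.UtcNow) != null);
    }
}
```

The second validation fails because the signature covers the claims, which is the property that makes the RP's trust in the STS, rather than in the caller, meaningful.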