Create a Uniform Login Experience with a Centralized Cloud Authentication System, Roy Cornelissen and Marcel de Vries (transcript of the slides)

Page 1
Welcome!
Page 2
How to create a uniform login experience using Federated Identity
Xamarin Evolve 2013
Roy Cornelissen, IT Architect, Info Support (@roycornelissen)
Marcel de Vries, Technology Manager (@marcelv)
Page 9
Problem
Solutions
Your app
Demos
Page 10
Problem statement
You want to secure your back end
Your app needs to authenticate before it can access services in your backend
How are you going to identify the user at the backend? Roll your own username/password?
That’s so 1996…
You already have cloud identities on Facebook, Google, Microsoft and Yahoo! Why not leverage those?
So what are our options to integrate with these identity providers?
Page 11
Identity Providers (IdP)
Enterprise IdPs: Microsoft Active Directory & Active Directory Federation Services (ADFS)
Social IdPs
Page 12
What does an IdP do?
It authenticates against something you know or have, e.g. a password, a smart card or biometric information
It hands out tokens; tokens contain claims, e.g. your name, email address, age or role
We can “chain” IdPs: each IdP can augment the claim set and with that provide additional claims to the party that uses the token
Page 13
What does your app need to do? It needs to do something with the claims provided by the IdP
E.g. do a lookup on the “nameidentifier” claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) and selectively provide access to application resources
So an IdP provides an authenticated identity and some claims about that identity
Your app needs to do smart things to authorize the user based on those claims
Page 14
Possible solutions
Integrate your app with all the different providers out there: this requires a trust relationship with each (cloud) identity provider
It requires you to implement the integration with each provider, using their selected protocol, e.g. OAuth, WS-Federation, SAML/P, OpenID, etc.
Every time you want to support a new provider, you need to add that integration to your app
Use Windows Azure Active Directory: use the Access Control Service (ACS)
Page 15
Access Control Service (ACS)
You integrate with ACS
ACS handles integration with others: Facebook, Yahoo, Windows ID, Google ID, …
You can add any WS-Federation or OpenID compliant IdP such as a corporate ADFS
Page 17
ACS Terminology
STS (Security Token Service): any party that can issue an authentication token
Identity Provider (IdP): the party that maintains the user identity, e.g. Windows Live, Google, Yahoo, etc.
Relying Party: the party relying on some IdP to hand over a set of claims about who that identity is, i.e. your app
What identifies the user differs per IdP: Windows Live -> unique id, Google -> email address
Page 18
SAML or SWT?
SAML & cookie based authentication versus Simple Web Tokens and HTTP header based authentication
You can use SAML or SWT
What are the tradeoffs? It depends on your services
Page 19
Call a service with SWT
When using a REST service, you can simply add a custom header to your request (HttpClient, WebClient):

```csharp
// client is the WebClient used for the call
string headerValue = string.Format("WRAP access_token=\"{0}\"", token);
client.Headers.Add("Authorization", headerValue);
```

When using WCF & SOAP, you need to add a custom header to the request:

```csharp
using (var ctx = new OperationContextScope(proxy.InnerChannel))
{
    var httpRequestProperty = new HttpRequestMessageProperty();
    httpRequestProperty.Headers[HttpRequestHeader.Authorization] =
        string.Format("WRAP access_token=\"{0}\"", token);
    OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] =
        httpRequestProperty;
    // call the service here, inside the scope, so the header is sent with the request
}
```
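The slides show how the app sends the SWT in the WRAP header but not what your service must check before trusting it. The following is an added example (not code from the talk or from the toolkit it forks) of that relying-party check, which also covers the nameidentifier lookup from page 13 and the per-IdP identifier difference from page 17. It assumes the ACS issuer URL, your realm (the token audience) and the namespace's base64 token signing key are passed in from configuration, and that System.Web is available on the service side for HttpUtility.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility: SWT keys, values and the signature are form-encoded
public static class SwtValidator
{
    const string NameId = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
    const string IdpClaim = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    public static IDictionary<string, string> Validate(string token,
        string expectedIssuer, string expectedAudience, string base64SigningKey)
    {
        // 1. Signature: HMAC-SHA256 over everything before "&HMACSHA256=", keyed with the ACS signing key.
        int sigPos = token.LastIndexOf("&HMACSHA256=", StringComparison.Ordinal);
        if (sigPos < 0) return null;
        string unsignedPart = token.Substring(0, sigPos);
        string givenSig = HttpUtility.UrlDecode(token.Substring(sigPos + "&HMACSHA256=".Length));
        string expectedSig;
        using (var hmac = new HMACSHA256(Convert.FromBase64String(base64SigningKey)))
            expectedSig = Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(unsignedPart)));
        if (!FixedTimeEquals(expectedSig, givenSig)) return null;
        // 2. Claims: key=value pairs; a multi-valued claim arrives as one comma-separated value.
        var claims = new Dictionary<string, string>();
        foreach (string pair in unsignedPart.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) return null;
            claims[HttpUtility.UrlDecode(pair.Substring(0, eq))] = HttpUtility.UrlDecode(pair.Substring(eq + 1));
        }
        // 3. Issuer, audience (your realm) and expiry must all match before any claim is trusted.
        string issuer, audience, expiresOn; long exp;
        long now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        if (!claims.TryGetValue("Issuer", out issuer) || issuer != expectedIssuer) return null;
        if (!claims.TryGetValue("Audience", out audience) || audience != expectedAudience) return null;
        if (!claims.TryGetValue("ExpiresOn", out expiresOn) || !long.TryParse(expiresOn, out exp) || exp <= now) return null;
        return claims; // null above means: reject the request (401), do not fall back to any claim
    }
    // Key users on identityprovider + nameidentifier: the identifier differs per IdP (Windows Live: opaque id, Google: e-mail).
    public static string UserKey(IDictionary<string, string> claims)
    {
        string idp, id;
        return claims.TryGetValue(IdpClaim, out idp) && claims.TryGetValue(NameId, out id) ? idp + "|" + id : null;
    }
    static bool FixedTimeEquals(string a, string b) // constant-time compare for the signature check
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call Validate with the value after "WRAP access_token=" (quotes stripped) and look the user up by UserKey, never by the nameidentifier alone.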
Page 20
Call a service with a SAML token (cookie based)
When using a REST service, you need to add the cookie to the cookie collection in the header of the request:

```csharp
// serviceUri: the URI of the service you are about to call
CookieCollection coll = App.AuthenticationCookieContainer.GetCookies(serviceUri);
WebClient webrequest = new WebClient();
string cookiestring = "";
int count = 0;
foreach (Cookie cookie in coll)
{
    if (count++ > 0) { cookiestring += "; "; }
    cookiestring += cookie.Name + "=" + cookie.Value;
}
webrequest.Headers[HttpRequestHeader.Cookie] = cookiestring;
```

For SOAP using the WCF stack, simply use CookieContainer:

```csharp
EventsServices.EventsDomainServicesoapClient proxy = new EventsServices.EventsDomainServicesoapClient();
proxy.CookieContainer = App.AuthenticationCookieContainer;
```
Page 21
Conceptual model (diagram)
Parties: the client, ACS (STS), the Identity Providers (IdP) and your (web) services (RP), which sit behind WIF and expose < soap/>, { json } and .aspx endpoints.
Arrows: Get IdP list; redirect; Authenticate; redirect; Get token/cookie; Access the service (with the cookie).
Page 24
ISKE Events App
Page 25
Authentication flow (sequence diagram)
Parties: Mobile App, ACS, Identity Provider, Your Service
Mobile App -> ACS: GetIdentityProviders()
Mobile App -> Identity Provider: Request to login page; Login
Identity Provider -> ACS: IDP Token
ACS: Map claims; ACS Token to the Realm page
Realm page -> Mobile App: Cookie (containing ACS token)
Mobile App -> Your Service: Request (with cookie)
Depending on ACS config for SWT or SAML you get a header or a cookie
Page 27
Component diagram, iOS: SignInViewController, SignInWebViewDelegate, SignInController, ACSJSON, IdentityProviderDiscoveryClient, Relying Party (ACS namespace, Realm, HttpCookieContainer), Identity Provider
Page 28
Component diagram, Windows Phone: LoginView, WebView / WebBrowser, AccessControlServiceSignIn control, ACSJSON, IdentityProviderDiscoveryClient, Relying Party (ACS namespace, Realm, HttpCookieContainer), Identity Provider
Page 29
Component diagram, Android: SignInActivity, SignInWebView, IdentityProviderListActivity [navigate], SignInController, ACSJSON, IdentityProviderDiscoveryClient, Relying Party (ACS namespace, Realm, HttpCookieContainer), Identity Provider
Page 30
I want that! NOW!
We’ll publish the code on CodePlex
And depending on demand: NuGet package and Xamarin Store
Page 31
Wait, what about the Windows Azure Toolkit?
It’s deprecated
Its replacement does not provide the same experience
Our code is a fork of the original AND works on multiple platforms!
Page 32
Thank you!
@roycornelissen, roycornelissen.wordpress.com
[email protected]/marcelv
Come see us again, tomorrow at 1.30 PM