Introduction to Windows Identity Foundation

Introduction to Windows Identity Foundation Jax ArcSig 3/22/2011 Keith Tingle


Transcript of Introduction to Windows Identity Foundation

Page 1: Introduction to Windows Identity Foundation

Jax ArcSig, 3/22/2011
Keith Tingle

Page 2: About Me

Keith Tingle
http://keith-tingle.com/blog
[email protected]
Lender Processing Services
http://www.lpsvcs.com

Page 3: What is WIF?

Simplifies the programming model of:
- WS-Trust (smart clients, a.k.a. active clients)
- WS-Federation (browsers, a.k.a. passive clients)
- SAML

Makes it relatively easy to implement:
- Federated authentication
- Delegation
- Single sign-on

Page 4: What is WIF? (cont'd)

- Extends the .NET model of identity to claims
- Tooling in Visual Studio:
  - Project templates for claims-aware apps & STS
  - 'Add STS Reference' (FedUtil.exe)
- ASP.NET controls:
  - Login Status control
  - Handles single sign-out

Page 5: Federated Authentication: what does it mean?

- Offload responsibility for authentication to the STS
  - Delete your login.aspx!
  - Reduces the amount of security code
  - App is agnostic to the authentication method
- Based on the concept of Relying Party & Trust
  - Public Key Infrastructure is the glue that holds everything together!
  - The Relying Party installs the STS certificate and 'trusts' it
  - Metadata is standardized (FederatedMetaData.xml)

Page 6: Active Directory is analogous, BUT

- Only works within the boundaries of a domain; machines must be joined to a domain
  - What about machines in the DMZ? What about the cloud?
- Clients must be on the domain; machines typically run Windows
  - What about OS X, Linux? What about iOS, Android?

Page 7: What is an STS?

Identity STS ('IdP'):
- Authenticates users; supports * authentication methods:
  - Windows authentication
  - User name / password
  - X509 client certificates
- Issues SAML tokens that contain claims; signed & possibly encrypted

Options:
- Roll your own
- ADFS 2.0

Page 8: Federated Authentication (diagram)

[Diagram: Security Token Service and Relying Party joined by a Trust; a SAML Token flows between them in three numbered steps (1, 2, 3).]

Page 9: Review of Claims Jargon

- 'Passive' client versus 'Active' client: passive clients are browsers; active clients are stand-alone applications with access to a SOAP stack, e.g. a .NET console application.
- 'Relying Party' or 'RP': an application that trusts the tokens issued by an STS.
- A 'Trust': a key exchange between an RP and an STS.
- 'Identity Provider' or 'IdP': an STS that authenticates a user's identity. ADFS 2.0 can serve as an IdP for AD user stores.

Page 10: Identity in .NET

Representation of identity:

    public interface IIdentity
    {
        string AuthenticationType { get; }
        bool IsAuthenticated { get; }
        string Name { get; }
    }

Implementations and the Name value each carries:
- FormsIdentity : IIdentity, e.g. 'ktingle'
- WindowsIdentity : IIdentity, e.g. 'NTLM\ktingle'
- x509Identity : IIdentity, e.g. 'CN=KeithTingle, 54ED5443D…'

Page 11: Identity in .NET w/ Claims

Extended to claims:

    public interface IClaimsIdentity : IIdentity
    {
        ClaimCollection Claims { get; }
    }

    public class Claim
    {
        // Properties
        public virtual string ClaimType { get; }
        public virtual string Issuer { get; }
        public virtual IClaimsIdentity Subject { get; }
        public virtual string Value { get; }
    }

Page 12: Federated Authentication Demo w/ WIF

Page 13: WIF Packaging

Two packages:
- WIF Runtime
  - Minimum of .NET FX 3.5
  - Install the runtime on your servers
  - Clients do not need the WIF Runtime unless you develop a smart client that utilizes the WIF extensions for client apps; passive clients need nothing extra
  - Vanilla WCF 3.5 supports most scenarios; the client extensions are mostly used in delegation scenarios
  - Separate .NET 3.5 & .NET 4.0 downloads
- WIF SDK
  - Visual Studio 2010 project templates
  - FedUtil.exe utility
  - User controls (Sign-In Status); do *not* underestimate the value of these controls!

Page 14: Active Directory Federation Services 2.0

- Requires Windows Server 2008
- Supports HA configurations (federation farms & proxy)
- ADFS 1.0 (not 2.0) comes on the Windows Server 2008 installation media
- ADFS 2.0 is a complete rewrite of ADFS 1.0
  - Built on WIF
  - Available as a download only (http://bit.ly/ePLV4s)
- ADFS 1.0 will serve as an IdP for Active Directory Lightweight Directory Services (a.k.a. ADAM)
- ADFS 2.0 will only serve as an IdP for Active Directory

Page 15: SharePoint 2010

- Rewritten security model on top of WIF
- All intra-farm security is claims based
- Supports federated authentication (Trusted Identity Provider)
  - Must use PowerShell to create a provider
  - IClaimsIdentity available to custom

Page 16: Quick SharePoint 2010 Demo

Page 17: When to consider Claims?

When do we consider using claims?
- Single sign-on scenarios
- Heterogeneous user stores
  - Corporate AD
  - AD Lightweight Directory Services
  - External systems (SQL, XML)
- Heterogeneous authentication methods
  - Username / password
  - Kerberos / NTLM
  - X509 certificates
- Delegation

Page 18: Claims-based Identity Gotchas

- Distinguish between application claims and enterprise claims
  - Enterprise claims: Name, E-Mail, Age
  - Application claims: Uploader, Editor
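One way to enforce that distinction in a WIF relying party, as an added example that is not code from the slides: a ClaimsAuthenticationManager (the WIF extension point that runs after the STS token is validated) keeps the enterprise claims the STS issued and derives the application claims itself, discarding any application-type claims an issuer tried to send. The namespace, class name, claim-type URIs, domain and the editor list are assumptions made for the illustration.

```csharp
// Registered in web.config under <microsoft.identityModel><service> as
//   <claimsAuthenticationManager type="Demo.AppClaimsManager, Demo" />
// (assembly and class names are hypothetical).
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace Demo
{
    public class AppClaimsManager : ClaimsAuthenticationManager
    {
        // Application claim types belong to this RP, not to the enterprise STS (hypothetical URIs).
        public const string UploaderClaim = "http://schemas.example.local/claims/uploader";
        public const string EditorClaim = "http://schemas.example.local/claims/editor";
        private const string AppIssuer = "Demo";

        // Constructed sample of an application-owned authorization list (editors by e-mail).
        private static readonly HashSet<string> Editors =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "[email protected]" };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal; // nothing to enrich for anonymous requests

            IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Never accept application claims from the token: only this RP decides them.
            foreach (Claim foreign in identity.Claims
                         .Where(c => c.ClaimType == UploaderClaim || c.ClaimType == EditorClaim).ToList())
                identity.Claims.Remove(foreign);

            // Enterprise claims (Name, E-Mail, ...) arrive signed by the trusted STS; read them as issued.
            Claim emailClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Email);
            string email = emailClaim == null ? null : emailClaim.Value;

            // Constructed rule: every authenticated corporate user may upload; editors come from the list above.
            if (email != null && email.EndsWith("@example.local", StringComparison.OrdinalIgnoreCase))
                identity.Claims.Add(new Claim(UploaderClaim, "true", ClaimValueTypes.String, AppIssuer));
            if (email != null && Editors.Contains(email))
                identity.Claims.Add(new Claim(EditorClaim, "true", ClaimValueTypes.String, AppIssuer));

            return incomingPrincipal;
        }
    }
}
```

Because the application claims carry the RP's own issuer name rather than the STS's, a later authorization check can tell at a glance which party asserted each claim.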

Page 19: Getting Started

- StarterSTS & Starter RP
  - http://startersts.codeplex.com
  - Deployed as an ASP.NET web site
  - Uses 'standard' ASP.NET membership & role providers
- WIF templates for a custom STS are very basic
- Creating an STS from scratch is a major undertaking; consider out-of-the-box alternatives

Page 20: Additional Resources

- A Guide to Claims-based Identity and Access Control
  http://tinyurl.com/claimsguide
- Exploring Claims-based Identity
  http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

Page 21: The End

Page 22: WS-Trust flow (diagram)

[Diagram elements: User Store; Security Token Service (STS); RST, the Request for Security Token; RSTR, the Request for Security Token Response; SAML Token; Relying Party Endpoint; WS-Trust Enabled Web Service Client; a Trust between the STS and the Relying Party.]

Page 23: The Public Key Infrastructure

- The PKI is the foundation for trust and establishing identity on the Internet
- Built on top of asymmetric encryption algorithms
  - Symmetric encryption algorithms: both the sender and the recipient of the message share a secret key.
  - Asymmetric encryption algorithms: the sender and the receiver create asymmetric key pairs and exchange the public keys with one another.
  - A key pair: the two keys are related mathematically, but it is essentially impossible to derive one key from the other.
- Public key: distributed anywhere
- Private key: a compromised private key should result in a 'revocation' of the corresponding certificate. Revocation is a formal concept; there are protocols for it (CRLs, OCSP).
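The relying-party side of the 'Trust' from page 5 and the revocation point above, as an added example that is not code from the slides: WIF asks an IssuerNameRegistry to name the issuer of a token's signing certificate, and a null answer makes the token untrusted. This registry accepts only the STS certificate the RP installed (pinned by thumbprint) and then builds the certificate chain with online revocation checking. The namespace, class name, issuer name and thumbprint value are assumptions.

```csharp
// Registered in web.config under <microsoft.identityModel><service> as
//   <issuerNameRegistry type="Demo.PinnedIssuerNameRegistry, Demo" />
// (assembly and class names are hypothetical).
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

namespace Demo
{
    public class PinnedIssuerNameRegistry : IssuerNameRegistry
    {
        // Placeholder: replace with the SHA-1 thumbprint of the STS token-signing
        // certificate that was exchanged when the trust was set up.
        private const string StsThumbprint = "0000000000000000000000000000000000000000";
        private const string StsIssuerName = "https://sts.example.local/"; // assumed issuer name

        public override string GetIssuerName(SecurityToken securityToken)
        {
            X509SecurityToken x509 = securityToken as X509SecurityToken;
            if (x509 == null)
                return null; // only certificate-signed tokens are trusted here

            X509Certificate2 cert = x509.Certificate;
            if (!string.Equals(cert.Thumbprint, StsThumbprint, StringComparison.OrdinalIgnoreCase))
                return null; // not the certificate installed during trust setup

            return IsValidAndNotRevoked(cert) ? StsIssuerName : null;
        }

        // Builds the chain with online revocation checking (CRL / OCSP, as published by the CA).
        // An expired or revoked signing certificate makes Build() return false.
        private static bool IsValidAndNotRevoked(X509Certificate2 cert)
        {
            X509Chain chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            return chain.Build(cert);
        }
    }
}
```

A self-signed STS signing certificate does not chain to a trusted root, so in that case the thumbprint pin alone is the check (which is what WIF's stock ConfigurationBasedIssuerNameRegistry does) and a compromised key is handled by replacing the pinned thumbprint rather than through CRL/OCSP.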