Programming Windows® Identity Foundation

Vittorio Bertocci

PUBLISHED BYMicrosoft PressA Division of Microsoft CorporationOne Microsoft WayRedmond, Washington 98052-6399

Copyright © 2011 by Vittorio Bertocci

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2010933007

Printed and bound in the United States of America.

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further infor mation about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Ben RyanDevelopmental Editor: Devon MusgraveProject Editor: Rosemary CapertonEditorial Production: Waypoint Press (www.waypointpress.com)Technical Reviewer: Peter Kron; Technical Review services provided by Content Master, a member of CM Group, Ltd.Cover: Tom Draper Design

Body Part No. X17-09958

To Iwona, moja kochanie

v

Contents at a Glance

Part I WindowsIdentityFoundationforEverybody 1 Claims-Based Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 Core ASP .NET Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Part II WindowsIdentityFoundationforIdentityDevelopers

3 WIF Processing Pipeline in ASP .NET . . . . . . . . . . . . . . . . . . . . . . . . 51 4 Advanced ASP .NET Programming . . . . . . . . . . . . . . . . . . . . . . . . . 95 5 WIF and WCF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 6 WIF and Windows Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 7 The Road Ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

vii

Table of ContentsForeword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xi

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiii

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Part I WindowsIdentityFoundationforEverybody 1 Claims-Based Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

What Is Claims-Based Identity? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Traditional Approaches to Authentication . . . . . . . . . . . . . . . . . . . . . . . . 4Decoupling Applications from the Mechanics of Identity and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

WIF Programming Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15An API for Claims-Based Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16WIF’s Essential Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16IClaimsIdentity and IClaimsPrincipal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2 Core ASP .NET Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Externalizing Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

WIF Basic Anatomy: What You Get Out of the Box . . . . . . . . . . . . . . . . 24Our First Example: Outsourcing Web Site Authentication to an STS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Authorization and Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33ASP .NET Roles and Authorization Compatibility . . . . . . . . . . . . . . . . . . 36Claims and Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37A First Look at <microsoft .identityModel> . . . . . . . . . . . . . . . . . . . . . . . 39Basic Claims-Based Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/

What do you think of this book? We want to hear from you!

viii Table of Contents

Part II WindowsIdentityFoundationforIdentityDevelopers

3 WIF Processing Pipeline in ASP .NET . . . . . . . . . . . . . . . . . . . . . . . . 51Using Windows Identity Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52WS-Federation: Protocol, Tokens, Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . 54

WS-Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55The Web Browser Sign-in Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57A Closer Look to Security Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Metadata Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

How WIF Implements WS-Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72The WIF Sign-in Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

WIF Configuration and Main Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82A Second Look at <microsoft .identityModel> . . . . . . . . . . . . . . . . . . . . 82Notable Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

4 Advanced ASP .NET Programming . . . . . . . . . . . . . . . . . . . . . . . . . 95More About Externalizing Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Identity Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Federation Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99The WIF STS Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Single Sign-on, Single Sign-out, and Sessions . . . . . . . . . . . . . . . . . . . . . . . . 112Single Sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Single Sign-out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115More About Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Transforming Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Pass-Through Claims . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Modifying Claims and Injecting New Claims . . . . . . . . . . . . . . . . . . . . 135Home Realm Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Step-up Authentication, Multiple Credential Types, and Similar Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Table of Contents ix

Claims Processing at the RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Authentication and Claims Processing . . . . . . . . . . . . . . . . . . . . . . . . . 142

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

5 WIF and WCF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145The Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Passive vs . Active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Canonical Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154Custom TokenHandlers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Object Model and Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Client-Side Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Delegation and Trusted Subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 170Taking Control of Token Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

6 WIF and Windows Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185The Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Packages and Config Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187The WIF Runtime Assembly and Windows Azure . . . . . . . . . . . . . . . . 188Windows Azure and X .509 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 188

Web Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191Endpoint Identity and Trust Management . . . . . . . . . . . . . . . . . . . . . . 192

WCF Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Service Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196Tracing and Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

WIF and ACS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204Custom STS in the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Dynamic Metadata Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205RP Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

x Table of Contents

7 The Road Ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215New Scenarios and Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

ASP .NET MVC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216Silverlight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223SAML Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Web Identities and REST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/

What do you think of this book? We want to hear from you!

xi

ForewordAfewyearsago,IwassittingatatableplayingagameofpokerwithafewcolleaguesfromMicrosoftwhohadallbeeninvolvedatvarioustimesinthedevelopmentofWebServicesEnhancementsforMicrosoft.NET(WSE).DonBox,MarkFussell,KirillGavrylyuk,andIplayedthehandswhileshowmanextraordinaireDougPurdyengageduswithlivelybanterandmorethanafewquestionsabouttheproduct—allofthisinfrontofthecamerasattheMSDNstudios.

Wehadeachselectedapersonfromthefieldtoplayfor;someonewhomweeachthoughthadmadeasignificantcontributiontothesuccessofWSEbuthadn’tbeenadirectmemberoftheproductteamitself.Ifwewon,thenournomineewouldgetaprize,atokenofourappreciationfortheworkthatheorshehaddone.MyselectionwasaguycalledVittorioBertocciwhowasworkingforMicrosoftinItalyatthetime.I’dnevermetVittorio,norevenseenaphotoofhim,buthewasaprolificposteronourinternaldiscussionlist,clearlyunderstoodthekeysecurityconceptsfortheproductincludingtheWS-*protocols,andhadevencraftedanextensiontoenableReliableMessagingdespitesomeofthecrudeextensibilitywehadinplaceatthetime.Vittoriowassomeoneworthplayingforbut,unfortunately,Ididn’twin.

Timepassed,theWindowsCommunicationFoundation(WCF)supersededWSE,andImovedtobecometheArchitectfortheIdentityandAccessteamtaskedwithbuildingaSecurityTokenServiceforWindowsServer.Oneday,outoftheblue,Igotane-mailfromVittoriotosaythathe’dmovedtoRedmondtotakeonaPlatformEvangelistroleandaskingifwecouldmeetup.OfcourseIsaidyes,butwhatIcouldn’thaveanticipatedwasthatmaneofjet-blackhair....

Vittoriowasdeeplyinterestedintheworkthatweweredoingtoenableaclaims-basedprogrammingmodelfor.NET,ontopofwhichweplannedtobuildthesecondversionofoursecuritytokenservice.Overtime,theseideasbecamethe“Geneva”waveofproductsandwerefinallybirthedastheWindowsIdentityFoundationandActiveDirectoryFederationServices2.0.

Throughoutseveralyearsofproductdevelopment,Vittoriobecamenotonlyaremarkablespokespersonfortheproductsbutakeysourceoffeedbackonourwork,bothfromthecustomersandpartnersthathemetwithandfromhisowndirecteffortstousetheproduct.Hewasinstrumentalinencouragingme,andtheproductteam,totakeonthelast-minutetaskofmakingWIFruninWindowsAzurejustintimeforPDC2009andtheproductrelease.WatchingVittoriopresentasessiononWIFisapleasure—hisdepthofknowledgeandhiscreativepresentationskillsallowhimtodeliverthemessageonanincreasinglyimportanttopicdespitethefactthatitistoofrequentlytaintedwiththedrynessofthe“security”label.

xii Foreword

Withinthepagesofthisbook,you’lllearnhowtousetheWindowsIdentityFoundationfromsomeonewhoisnotonlyagreatteacherbutisalsodeeplyfamiliarwiththeconceptsbe-hindthetechnologyitselfandwhohasworkeddirectlywiththeproductteam,andmyselfpersonally,onaveryclosebasisoverthecourseofthelastfourtofiveyears.

Vittoriotakesyouthroughtheterminologyandkeyconcepts,andexplainstheintegrationofWIFwithASP.NET,WindowsCommunicationFoundation,andWindowsAzure,culminat-inginaspeculativelookaheadatthescenariosthattheproductmighttackleinafuturerelease.Iencourageyou,thereader,tothinkdeeplyabouttheconceptshereandhowyouwillmanageidentityintheapplicationsthatyougoontobuild;it’satopicthatisbecomingincreasinglyimportanttobothenterprisesandtheWebcommunity.

Finally,IwanttothankVittorioforhisenthusiasm,support,andtirelessenergyovertheyears.Ihavebutonefinalrequestofhim:pleasegetahaircut.

Hervey WilsonArchitect, AppFabric Access Control Service

Microsoft, RedmondJuly 2010

xiii

AcknowledgmentsYou create the world of the dream. We bring the subject into that dream and fill it with their subconscious.

—Cobb in “Inception”, Christopher Nolan, 2010

Sometimeago,afriendaskedmewhatthepointwasofwritingabookwhenIalreadyhaveawell-readblog.Therearemanyexcellentanswerstothatquestion,fromtheextrareachthatabookhastotheadvantagesofreadingwithouthavingtoconstantlyfighttheop-portunitycostsofnotfollowingalink.Myfavoriteanswer,however,isthatwhereasablogisaone-manoperation,abookistheresultofthecontributionofmanypeopleanditsvalueforthereaderisproportionallyhigher.Itmightbemynameonthecover,buttherealityisthatIstandontheshouldersofmanyfinepeople,whoIwanttoacknowledgehere.I’vebeenworkingwithidentityforthelast8yearsorso,interactingwithanincredibleamountofpeople;hence,IamprettysureI’llforgetsomebody.Iapologizeinadvance.

PeterKronisaPrincipalSoftwareDeveloperEngineerontheWIFteam,andtheofficialtechnicaleditorofthisbook.Withouthispatience,thoroughness,anddeepknowledgeofWIF,thiswouldhavebeenamuchinferiorbook.

HerveyWilsonistheArchitectoftheAccessControlservice.HeledtheWebServicesEnhancements(WSE)team,andhehappenstobetheonewhoenvisionedWindowsIdentityFoundation.I’vebeenworkingwithHerveysince2002,wellbeforeImovedtoRedmond.Atthetime,IwasstillusinghisWSEforsecuringsolutionsforItaliancustomers.IfyoubelievewhatMalcomGladwellsaysinhisbookOutliers: The Story of Success(Little,BrownandCo.,2008),thatyouneed10,000hoursofpracticeforbecomingrealgoodatsomething,nobodycontributedmorethanHerveytomyprofessionalgrowthinthefieldofIdentity.Iamveryhonoredheagreedtowritetheforewordforthisbook.Thanks,man!

ThecrewatMicrosoftPresshasbeenoutstanding,choppingintomanageablechunksmylong“Itanglish”sentenceswithoutchangingthemeaningandworkingaroundmyabysmaldelaysandcrazyschedule.(Inthelastyearalone,Ihandedaboardingpasstosmilingladies55times.)Specifically,thanksgotoBenRyanandGerryO’Brienforhavingtrustinmeandthebook,toDevonMusgraveforbootstrappingtheproject,andtoRosemaryCapertonforrunningtheproject.SteveSagmanofWaypointPressledafantasticproductionteam:RogerLeBlancasCopyEditor,ThomasSpeechesasProofreader,andAudreyMarrasIllustrator.SpecialthankstoAudreyforworkingonreallychallengingillustrations:youcanpullouttheneedlesfrommydollnow!

StuartKwan,GroupProgramManagerforWIF,andConradBayer,GMfortheIdentityandAccessdivision,havebeengreatpartnersandsupportedthisprojectfromtheverystart.

xiv Acknowledgments

Ididmostofthewritingatnight,onweekends,andduringvacationtime,butattimesthebookdidimpactmydayjob.JamesConardandNeilHutson,SeniorDirectorsintheDeveloperandPlatformEvangelismgroupandmydirectmanagementchain,havebeenverypatientandsupportiveoftheeffort.

JustineSmithandBrjannBrekkan,fromtheBusinessGroupoftheIdentityandAccessDivision,havebeenincrediblyhelpfulonactivitiesthatultimatelyhadanimpactonthesamplecodediscussedhere.

ToddWest,atthetimewiththeWIFtestteam,isoneofthemostgiftedWebservicesdevelopersI’veevermet.MostoftheguidanceregardingWIFandWindowsAzureinthisbookandoutthereistheresultofhiswork.

MygoodfriendCalebBaker,ProgramManagerontheWIFteam,isanever-endingsourceofinsightsandusefuldiscussions.HeisalsotheowneroftheWIFandSilverlightintegration.TheSilverlightcodesamplesareallbasedonhiswork.

TogetherwithHervey,theoriginalWSEteammergedwithWIFtoo.Ihadachancetotaptheirbrainscountlesstimes.ThankstoSiddShenoy,GovindRamanathan,VickMukherjee,HongMeiGe,andKeithBallinger.

TheentireWIFteamcontributedtothisbook.HereI’llcallafewpeopleouttogiveyouafeelingforthequalityoftheirwork.DanielWuwasofgreathelponsessions;BrentSchmaltzwaskeyforhelpingmeunderstandtheinnerworkingsofWIFandWCF;VaniNoriandVickdevisedthewayofusingWIFwithMVC;JunaidTisekarwaskeyforstartingtheworkwithWIFandOAuth2.0;ShiungYongwasinstrumentalinfiguringoutsomepartsoftheWIFpipelineintheearlydaysofWIF.

Manyothersintheidentityproductteamcontributedthroughtheyears:thankstoJanAlexander,VijayGajjala,ArunNanda,MarcGoodner,MikeJones,CraigWittenberg,DonSchmidt,RuchiBhargava,SeshaMani,MattSteele,andSamDevasahayam.

MyteammatesintheWindowsAzureplatformevangelismteamplayedakeyroleinkeepingmeonmytoes,andthey’resimplyawesometohangoutwith.ThankstoRyanDunn,DavidAiken,NigelWatling,andZachOwen.Pleasedeleteallthepicturesyousaved!

TheguysatSouthworks,thecompanythathelpedmewithpracticallyalltheidentitysamplesandlabsinthelasttwoyears,arefantastictoworkwith.ManythankstoMatiasWoloski,PabloDamiani,TimOsborn,JohnnyHalife,andmanyothers.

ConversationsaboutidentitywithGianpaoloCarraroandEugenioPacewereextremelyvaluable,especiallytheonesrelatedtotheP&Pguideonclaims-basedidentityledbyEugenio.

Acknowledgments xv

DonovanFollettehasbeentheADFSevangelistforalongtime,sharingwithmethepainsandthejoysoftheclaims-basedidentityrenaissanceatPDC08.EvenifnowheisallcozyinhisnewOfficerole,Icannotforgethisincrediblecontributiontobringingidentitytothecommunity.

Ofcourse,wewouldnotbeevendiscussingthisifKimCameronhadnotdriventheconversationontheidentitymetasystemandclaims-basedidentitywiththeentireindustry.Thankyou,Kim!

Mywife,IwonaBialynicka-Birula,deservesspecialthanks.Sheacceptedandsupportedthiscrazyinitiativenomatterwhat,whetheritmeantskippingbeachtimewhileinMauiorcopingwithinsuranceagentsandcontractorsafterourhousegotflooded.Withouther,notonlywouldyounotbeholdingthisbookinyourhands,Idon’tknowwhatIwoulddo….Thankyou,darling.Ipromise:nomorebooksforsometime!

Finally,Iwanttothankyou:thereadersofmyblog,whofollowedfaithfullymyramblingsforsevenyearswithoutaskingtoooftenabouttheweirdblogname;theparticipantsoftheWIFworkshopsinBelgium,UK,Germany,Singapore,Melbourne,andRedmond,whoputupsonicelywithmy“sexy”accent;andtheattendeesofthemanysessionsIgaveateventsallovertheworldinthelastfiveyears.Withoutyourquestions,yourcritiques,yourcomments,yourcompliments,andyourlongingforunderstanding,IwouldhaveneverfoundthemotivationtodothisandtheotherthingsIdoforevangelizingidentity.Thisbookisforyou.

xvii

IntroductionIthasbeensaidthateveryprobleminComputerSciencecanbesolvedbyaddingalevelofindirection.

Youdon’thavetogofartofindexamplesofsuccessfulapplicationsofthatprinciple.Beforetheintroductionoftheconceptofdriver,programshadtoberewritteneverytimeonechangedsomethingassimpleasthemonitor.BeforetheintroductionofTCP/IP,programstargetingatokenringnetworkenvironmenthadtoberewrittenifthenetworkprotocolchanged.DriversandTCP/IPhelpedtofreeapplicationdevelopersfromtheneedtoworryaboutunnecessarydetails,presentingthemwithagenericfaçadewhileleavingthenitty-grittydetailstotheunderlyinginfrastructure.Inadditiontomakingthedeveloperprofessionahappierone,theapproachledtomorerobustandlong-livedsoftwareforthebenefitofeverybody.

Forvarioushistoricalreasons,authenticationandidentitymanagementpracticesneverreallyfollowedthesamerouteofmonitorsandnetworkcards.Adding“authentication”toyoursoftwaretodaystilllargelymeansmessingwiththecodeoftheapplicationitself,writinglogicthattakescareindetailoflowleveltaskssuchasverifyingusernameandpasswordsagainstanaccountstore,jugglingwithX509certificatesorsimilar.Whenyouaresparedfromhandlingthingsatsuchlowlevel,whichusuallymeansthatyoutookastrongdependencyonyourinfrastructureandyourapplicationwillbeunmovablewithoutsubstantialrewriting:justlikeaprogramfromthepre-driversera.

Asyouwilllearninthefirstchaptersofthisbook,claims-basedidentityischangingallthis.

Withoutgoingtoomuchintodetails,claimsarethemeanstoaddthatextralevelofindirectionthateludedtheidentityworldsofar.Theintroductionofopenprotocolsenjoyingwideindustryconsensus&support,theconvergetowardtheideaofameta-systemforidentity,thesuccessofmetadataformatswhichcanautomatemanytediousanderror-pronetaskscreatedtheperfectstormthatgeneratedthepracticescollectivelyknownasclaims-basedidentity.Claimsarepavingthewayforidentityandaccessmanagementtobepushedoutsideofapplicationsanddownintheinfrastructure,freeingdevelopersfromtheneedtohandleitexplicitlywhileenhancingsolutionswithwelcomeextraadvantages(suchascross-platforminteroperabilityoutofthebox).

Ihavespentfullfouryearsworkingalmostexclusivelyonclaims-basedarchitectureswithcustomersandproductteamshereinRedmond;themodelissound,anditinvariablydeliverssignificantimprovementsagainstanyotherauthenticationsystem.However,untilrecently,actuallyimplementingsystemsaccordingtothemodelwasapainfulexperience,sinceitrequiredwritinglargeamountsofcustomcodethatwouldhandleprotocols,cryptography,andsimilarlowlevelaspects.

xviii Introduction

Thisallchangedwhen,inOctober2008,Microsoftannouncedthe“Geneva”waveofclaims-awarebetaproducts:amongthosetherewasWindowsIdentityFoundation,theprotagonistofthebookyouareholding,whichwasfinallyreleasedinNovember2009.

WindowsIdentityFoundation(WIF)isMicrosoft’sstackforclaims-basedidentityprogramming.Itisanewfoundationaltechnologywhichhelps.NETdeveloperstotakeadvantageoftheclaimsbasedapproachforhandingauthentication,authorization,custom-izationandingeneralanyidentity-relatedtaskwithouttheneedtowriteanylow-levelcode.

Truetotheclaims-basedidentitypromise,youcandecidetouseWIFtoexternalizeallidentityandaccesscontrollogicfromyourapplications:VisualStudiowillmakeitabreeze,andyouwillnotberequiredtoknowanydetailabouttheunderlyingsecurityprotocols.Ifyouwanttotakefinercontroloftheauthenticationandauthorizationprocess,however,WIFoffersyouapowerfulandflexibleprogrammingmodelthatwillgiveyoucompleteaccesstoallaspectsoftheidentitymanagementpipeline.

ThisbookwillshowyouhowtouseWindowsIdentityFoundationforhandlingauthentication,authorizationandidentity-drivencustomizationofyour.NETapplications.

Althoughthetextwilloftenbetask-oriented,especiallyforthenovicepartofthebook,theultimategoalwillalwaysbetohelpyouunderstandingtheclaimsbasedapproachandthepatternthatismostappropriatefortheproblemathand.

WhoIsThisBookFor?PartIofthebookisfortheASP.NETdeveloperwhowantstotakeadvantageofclaims-basedidentitywithouthavingtobecomeasecurityexpert.Althoughtherearenorequirementsaboutpre-existingsecurityknowledge,youdoneedtohavehands-onASP.NETprogram-mingknowledgetoproficientlyreadPartI.

InPartIIIshiftgearprettydramatically,assumingthatyouareanexperienced.NETdeveloperwhoknowsaboutASP.NETpipeline,Formsauthentication,X.509certificates,LINQsyntaxandthelike.Ioftentrytoaddsidebarswhichintroducethetopicifyouknowlittleaboutitbutyouwanttofollowthetextanyway,butrealityisthatwithoutconcrete,hands-onknowledgeofthe.NETFramework(andspecificallyC#)PartIIcouldbehardtonavigate.Ialsoassumethatyouaremotivatedtoinvestenergyonunderstandingthe“why”sofidentityandsecurity.

Identityisanenablingtechnology,whichisneverfoundinisolationbutalwaysasacomponentandenhancementofothertechnologiesandscenarios.ThisbookdiscusseshowtoapplyWIFwithavarietyoftechnologiesandproducts,andofcoursecannotaffordprovidingintroductionsforeverything:inordertobeabletoapplytheguidanceinthevariouschaptersyou’llneedtobeproficientinthecorrespondingtechnology.Thegoodnewsisthatthechaptersarereasonablydecoupledfromeachother,sothatyoudon’tneed

Introduction xix

tobeaWCFexpertforappreciatingthechaptersaboutASP.NET.Chapter3andChapter4requireyoutobefamiliarwithASP.NETanditsextensibilitymodel.Chapter5isforexperi-encedWCFdevelopers.Chapter6requiresyoutobefamiliarwithWindowsAzureanditsprogrammingmodel.Chapter7sweepsonanumberofdifferenttechnologies,includingSilverlightandASP.NETMVCFramework,andexpectsyoutobeateasewithterminologyandusage.

Thebottomlineisthatinordertofullytakeadvantageofthebookyouneedtobeanexpert.NETandWebdeveloper.Ontheotherhand,thebookcontainsalotofarchitecturalpatternsandexplanationswhichcouldeasilybeappliedtoproductsonotherplatforms:henceifyouareanarchitectthatcanstomachpatternsexplanationsintertwinedwithcodecommentary,chancesarethatyou’llfindthisbookagoodreferenceonhowclaims-basedidentitysolvesvariouscanonicalproblemsintheidentityandaccessspace.

SystemRequirementsYou’llneedthefollowingsoftwareandhardwaretobuildandrunthecodesamplesforthisbook:

■ Microsoft®Windows7;WindowsServer2003ServicePack2;WindowsServer2008R2;WindowsServer2008ServicePack2;WindowsVista

■ WindowsIdentityFoundation1.0runtime

■ WindowsIdentityFoundationSDK4.0

■ Microsoft®InternetInformationServices(IIS)7.5,7.0or6.0

■ Microsoft®.NETFramework4.0

■ VisualStudio2010

■ 1.6-GHzPentiumorcompatibleprocessor

■ 1GBRAMforx86

■ 2GBRAMforx64

■ Anadditional512MBRAMifrunninginavirtualmachine

■ DirectX9–capablevideocardthatrunsat1024×768orhigherdisplayresolution

■ 5400-RPMharddrive(with3GBofavailableharddiskspace)

■ DVD-ROMdrive

■ Microsoftmouseorcompatiblepointingdevice

■ Approximately78MBofavailableharddiskspacetoinstallthecodesamples

xx Introduction

NotethattheWIFruntimeandtheWIFSDK3.5arecompatiblewithVisualStudio2008andthe.NETFramework3.5SP2.TheMarch2010versionoftheIdentityTrainingKitcontainsmostofthesamplesofthebookinaformthatiscompatiblewithVS2008andthe.NETFramework3.5,howeverpleasenotethatthecodeinthetextreferstoVS2010andtherearesmalldifferenceshereandthere.

CodeSamplesThecodesamplesforthisbookareavailablefordownloadhere:

http://www.microsoftpressstore.com/title/9780735627185.

Clickthedownloadlinkandfollowtheinstructionstosavethecodesamplestoyourlocalharddrive.

ThecodesamplesusedinthisbookaremostlyfromtheIdentityDeveloperTrainingKit,acollectionofhands-onlabs,presentations,andinstructionalvideos,whichismeanttohelpdeveloperslearnMicrosoft’sidentitytechnologies.Itisaself-extracting.EXE.Everylabhasitsownsetup,whichwilltakecareofmostprerequisitesforyou.PleasefollowtheinstructionsontheWelcomepage.

ProducingtheIdentityDeveloperTrainingKitisoneofthethingsIdoduringmydayjob.WhereasinthebookIhighlightcodesnippetstohelpyouunderstandthetechnology,intheIdentityDeveloperTrainingKitdocumentationIgivestep-by-stepinstructions.FeelfreetocombinethetwoapproachesasyourampupyourknowledgeofWindowsIdentityFoundation.

TheIdentityDeveloperTrainingKitisalivingdeliverable;everytimethereisanewver-sionofaproductIupdateitaccordingly.However,Iwanttomakesurethatthecodesamplesreferencedinthebookwillnotbreak.Forthatreason,Iamincludinginthebookcodesamplearchivethecurrentversionofthetrainingkit,June2010,whichwillalwaysbeavailable,evenifIkeepupdatingthetrainingkitinitsoriginaldownloadlocation.

ErrataandBookSupportWe’vemadeeveryefforttoensuretheaccuracyofthisbookanditscompanioncontent.Ifyoudofindanerror,pleasereportitonourMicrosoftPresssite.

1.

2. IntheSearchbox,enterthebook’sISBNortitle.

3. Selectyourbookfromthesearchresults.

4.

5. ClickView/SubmitErrata.

Gotowww.microsoftpressstore.com.

On your book’s catalog page, find the Errata & Updates tab

Introduction xxi

You’llfindadditionalinformationandservicesforyourbookonitscatalogpage.Ifyouneedadditionalsupport,pleasee-mailMicrosoftPressBookSupportatmspinput@microsoft.com.

PleasenotethatproductsupportforMicrosoftsoftwareisnotofferedthroughtheaddressesabove.

WeWanttoHearfromYouAtMicrosoftPress,yoursatisfactionisourtoppriority,andyourfeedbackourmostvaluableasset.Pleasetelluswhatyouthinkofthisbookat:

http://www.microsoft.com/learning/booksurvey

Thesurveyisshort,andwereadeveryoneofyourcommentsandideas.Thanksinadvanceforyourinput!

StayinTouchLet’skeeptheconversationgoing!We’reonTwitter:http://twitter.com/MicrosoftPress.

3

Chapter1

Claims-Based IdentityIn this chapter:What Is Claims-Based Identity? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3WIF Programming Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

MicrosoftWindowsIdentityFoundation(WIF)enablesyoutoapplytheprinciplesofclaims-basedidentitywhensecuringyourMicrosoft.NETapplication.Claims-basedidentityissoimportantthatIwanttomakesureyouunderstanditwellbeforeIformallyintroduceWindowsIdentityFoundation.

Claims-basedidentityisanaturalwayofdealingwithidentityandaccesscontrol.However,theoldwaysofdoingthisarewellestablished,sobeforedelvingintothenewapproach,it’susefultodescribeandchallengetheclassicassumptionsaboutauthenticationandauthoriza-tion.Onceyouhaveaclearunderstandingofsomeoftheissueswithtraditionalapproaches,I’llintroducethebasicprinciplesofclaims-basedidentity—I’llsayenoughtoenableyoutoproficientlyuseWindowsIdentityFoundationforthemostcommonscenarios.Thischaptercontainssomesimplificationsthatwillgetyougoingwithoutoverloadingyouwithinfor-mation.Foramorethoroughcoverageofthesubject,refertoPartII,“WindowsIdentityFoundationforIdentityDevelopers.”

Finally,we’lltakeourinitiallookathowWIFimplementsthemechanismsofclaims-basedidentityandhowyou,thedeveloper,canaccessthemainelementsexposedbyitsobjectmodel.

Afterreadingthischapter,you’llbeabletodescribehowclaims-basedidentityworksandhowtotakeadvantageofitinsolutionstocommonproblems.Furthermore,you’llbeabletodefineWindowsIdentityFoundationandrecognizeitsmainelements.

WhatIsClaims-BasedIdentity?

Note Ifyoualreadyknowaboutclaims,feelfreetoskipaheadtothe“WIFProgrammingModel”section.Ifyouareinabighurry,Iofferyouthefollowingsummaryofthissectionbeforeyouskiptothenextsection:Claims-basedidentityallowsyoutooutsourceidentityandaccessmanagementtoexternalentities.

4 Part I Windows Identity Foundation for Everybody

Theproblemofrecognizingpeopleandgrantingaccessrightstothemisoneoftheoldestinthehistoryofcomputerscience,andithasitsrootsinidentityandaccessproblemsweallexperienceeverydayaswegothroughourlives.

Althoughwecanclassifyalmostallthesolutionstotheprobleminrelativelyfewcategories,anincrediblenumberofsolutionstailoredspecificallytosolvethisorthatproblemexists.Fromtheinnumerablewaysofhandlingusernamesandpasswordstothemostexotichardware-basedcryptographysolutions,thepanoramaofidentityandaccessmeth-odscreatesasequenceofsystemsthatarealmostnevercompatible,eachwithdifferentadvantages,disadvantages,tradeoffs,andsoon.

Fromthedeveloperperspective,thisstatusquoisbadnews:thisdiversityforcesyoutocontinuallyrelearnhowtodothesamethingwithdifferentAPIs,exposesyoutodetailsofthesecuritymechanismsthatyou’drathernotberesponsiblefor,andsubjectsyoutosoftwarethatisbrittleanddifficulttomaintain.

Whatyouneedisawaytosecureyourapplicationswithouthavingtoworkdirectlyatthesecuritymechanismlevel:anabstractionlayer,whichwouldallowyoutoexpressyoursecu-rityrequirements(the“what”)withoutgettingcaughtinthespecificsofhowtomakethathappen(the“how”).IfyourspecialtyisdesigninguserexperiencesforMicrosoftASP.NET,youshouldbeallowedtofocusyoureffortonthataspectofthesolutionandnotbeforcedtobecomeanexpertinsecurity(beyondthebasic,secure-codingbestpractices,ofcourse—alldevelopersneedtoknowthose).

If you need a good reference on secure coding best practices, I highly recommend WritingSecureCode,SecondEdition, by Michael Howard and David LeBlanc (Microsoft Press, 2002).

Whatwecollectivelycall“claims-basedidentity”providesthatlayerofabstractionandhelpsyouavoidtheshortcomingsoftraditionalsolutions.Claims-basedidentitymakesitpossibletohavetechnologiessuchasWindowsIdentityFoundation,whichenablesyoutosecuresystemswithoutbeingrequiredtounderstandthefinedetailsofthesecuritymechanismsinvolved.

Traditional Approaches to AuthenticationBeforewegoanyfurther,letmebeabsolutelyclearonakeypoint:thisbookdoesnotsuggestthattraditionalapproachestoauthenticationandauthorizationarenotsecureorsomehowbadper se.Infact,theyusuallydoverywellinsolvingtheproblemtheyhavebeendesignedtotackle.Theissuesarisewhenyouhavetodealwithchangesoryouneeddiffer-entsystemstoworktogether.Becauseasinglesystemcan’tsolveallproblems,youareoftenforcedtore-performthesametaskwithdifferentAPIstoaccommodateevensmallchangesinyourrequirements.

Chapter 1 Claims-Based Identity 5

It’sbeyondthescopeofthisbooktogiveanexhaustivelistofauthenticationsystemsandtheircharacteristics;fortunately,thatwon’tbenecessaryformakingourpoint.InthissectionI’llbrieflyexaminethebuilt-inmechanismsofferedbythe.NETFrameworkandprovidesomeexamplesofhowtheymightnotalwaysofferacompletesolution.

IPrincipal and IIdentityManagingidentityandaccessrequiresyoutoacquireinformationaboutthecurrentusersothatyoucanmakeinformeddecisionsabouttheuser’sidentityclaimsandwhatactionsbytheusershouldbeallowedordenied.

Ina.NETapplicationtheuserinthecurrentcontextisrepresentedbyanIIdentity,asimpleinterfacethatprovidesbasicinformationabouttheuserandhowtheuserwasauthenticated:

public interface IIdentity { // Properties string AuthenticationType { get; } bool IsAuthenticated { get; } string Name { get; } }

IIdentitylivesinsideIPrincipal,anotherinterfacethatcontainsmoreinformationabouttheuser(suchaswhetherhebelongstoacertainsecuritygroup)thatcanbeusedinauthorizationdecisions:

public interface IPrinicipal { // Methods bool IsInRole(string role); // Properties IIdentity Identity { get; } }

YoucanalwaysreachthecurrentIPrincipalinthecodeofyour.NETapplication:inASP.NET,youwillfinditinHttpContext.Current.User,andingeneral,you’llfinditinThread.CurrentPrincipal.

IPrincipalandIIdentity,astheyexistoutofthebox,doprovidesomegooddecouplingfromhowtheauthenticationactuallyhappened.Theydonotforceyoutodealwiththedetailsofhowthesystemcametoknowhowtheinformationabouttheuserwasacquired.Ifyourusersareallowedtoperformacertainactiononlyiftheyareadministrators,youcanwriteThread.CurrentPrincipal.IsInRole(“Administrators”)withouthavingtochangeyourcodeaccordingtotheauthenticationmethod.TheframeworkusesdifferentextensionsofIPrincipal—WindowsPrincipal,GenericPrincipal,oryourowncustomclass—toaccom-modatethespecificmechanism,andyoucanalwayscastfromIPrincipaltooneofthose

6 Part I Windows Identity Foundation for Everybody

classesifyouneedtoaccesstheextrafunctionalitiestheyprovide.However,ingeneral,usingIPrincipaldirectlymakesyourcodemoreresilienttochanges.

Unfortunately,theprecedingdiscussionisjustatinypartofwhatyouneedtoknowabout.NETsecurityifyouwanttoimplementarealsystem.

Populating IPrincipalMostoftheinformationyouneedtoknowabouttheuserisinIPrincipal,buthowdoyougetthatinformationinthere?ThevaluesinIPrincipalaretheresultofasuccessfulauthentication:beforebeingabletotakeadvantageoftheapproach,youhavetoworryaboutmakingtheauthenticationstephappen.Thatiswherethingsmightstartgettingconfusingifyoudon’twanttoinvestalotinsecurityknow-how.

WhenIjoinedMicrosoftin2001,mybackgroundwasmainlyinscientificvisualizationandwithSiliconGraphics;IknewnothingaboutMicrosofttechnologies.OneofthefirstprojectsIworkedonwasaline-of-businessapplicationforacustomer’sintranet.TodayIcansayI’vehadmyfairshareofexperiencewith.NETandauthentication,butIcanstillrecalltheconfu-sionIexperiencedbackthen.Let’stakealookatsomeconcreteexamplesofusingIPrincipal.

UpuntilthereleaseofMicrosoftVisualStudio2008,ifyoucreatedaWebsitefromthetemplate,thedefaultauthenticationmodewasWindows.ThatmeansthattheapplicationexpectsInternetInformationServices(IIS)totakecareofauthenticatingtheuser.However,ifyouinspecttheIPrincipalinsuchanapplicationyouwillfinditlargelyempty.ThisisbecausetheWebapplicationhasanonymousauthenticationenabledinIISbydefault,sonoattempttoauthenticatetheuserismade.Thisisthefirstbreachintheabstraction:youhavetoleaveyourdevelopmentenvironment,gototheIISconsole,disableanonymousauthentication,andexplicitlyenableWindowsauthentication.(Youcoulddothisdirectlybymodifyingtheweb.configfileoftheapplicationinMicrosoftVisualStudio,butgoingthroughIISisstillthemostcommonapproachinmyexperience.)

AfteryouadjusttheIISauthenticationtypes,you’regoodtogo,atleastaslongasyouremainwithintheboundariesoftheintranet.Ifyouaredevelopingonyourdomain-joinedlaptopandyoudecidetoburnsomemidnightoilathomeworkingonyourapplication,don’tbesurprisedifyourcallstoIsInRolenowfail.Withoutthenetworkinfrastructurereadilyavailable,thenamesofthegroupstowhichtheuserbelongscannotberesolved.Asyoucanimagine,thesamethinghappensiftheapplicationismovedtoahoster,tothecloud,oringeneralawayfromyourcompany’snetworkenvironment.

Infact,you’llencounterpreciousfewcasesinwhichyouenjoytheluxuryofhavingauthenticationtakencareofbytheinfrastructure.Iftheusersyouwanttoauthenticateliveoutsideofyourdirectory,youarenormallyforcedtotakethematterintoyourownhandsanduseauthenticationAPIs.ThatusuallymeansconfiguringyourASP.NETapplicationtouse

Chapter 1 Claims-Based Identity 7

Formsauthentication,perhapscreatingandpopulatingausersandrolesstoreaccordingtotheschemaimposedbysqlMembershipProvider,implementingyourownMembershipProviderifyourscenariocannotfitwhatisavailableoutofthebox,andsoon.

There’smore:noteverythingcanbesolvedbyprovidingacustomuserstore.Often,yourusersarealreadyprovisionedinanexistingstorebutthatstoreisnotunderyourdirectcontrol.(Thinkaboutemployeesofbusinesspartners,suppliers,andcustomers.)Storedupli-cationissometimesanoption,butitnormallybringsmoreproblemsthantheonesitsolves.ASP.NETprovidesmechanismsforextendingFormsauthenticationtothosecases,buttheyrequireyoutolearnevenmoresecurityand,aboveall,theyarenotguaranteedtoworkwithotherplatforms.

Ifyou’vedealtwithsecurityissuesinthepast,youcancertainlyrelatetowhatI’vejustdescribed.Ifyouhaven’t,don’tworryifyoudidn’tunderstandeverythinginthelastcoupleofparagraphs.Youcanstillunderstandthatyouneedtolearnalottoaddauthenticationcapabilitiestoyourapplication,despiteASP.NETprovidingyouwithhelperclasses,tooling,andmodels.Ifyou’renotinterestedinbecomingasecurityexpert,youwouldprobablyratherspendyourtimeandenergyonsomethingelse.

Here’sonelastnotebeforemovingon.WhenusingFormsauthentication,youdoneedtowriteextracodefortakingcareofauthentication,butintheendyoucanstillusetheIPrincipalabstraction.(Theuser’sinformationiscopiedfromaFormsIdentityobjectintoaGenericPrincipal.)Thismightinduceyoutothinkthatallyouneedisbettertoolingtohandleauthenticationandthattheabstractionisalreadytherightone.You’reontherighttrack,butthisisnotthecaseifyoustickwiththecurrentideaofauthentication.Imagineacaseinwhichyouwantauthenticationtohappenusingradicallydifferentcredentials,suchasaclientSecureSocketsLayer(SSL)certificate,butthosecredentialsdonotmaptoexistingWindowsusers.Inthetraditionalcase,youhavetodirectlyinspecttherequestfortheincomingX.509certificateandlearnnewconcepts(subject,thumbprint,andsoon)toperformthesametaskyoualreadyknowhowtodowithotherAPIs.

TheproblemhereisnotwithhowASP.NEThandlesauthentication:itissystemic,andyou’dhavethesameissueswithanyothergeneral-purposetechnology.Bytheway,ifyouconsiderhowtohandleidentityandaccesswithMicrosoftWindowsCommunicationFoundation(WCF),youhavetolearnyetanothermodel,onethatislargelyincompatiblewithwhatwehaveseensofarandwithitsownrangeofAPIsandexceptions.

Whenyoucanrelyoninfrastructure,likeintheWindowsAuthenticationexample,youdofine:mostdetailsarehandledbyWindows,andallthat’sleftforyouisdecidingwhattodowiththeuserinformation.Whenyoucan’trelyontheinfrastructure,asinthegenericcase,youcanobserveaconsistentissueacrossallcases:youareburdenedwiththeresponsibil-ityofdrivingthemechanicsofauthentication,andthatoftenmeansdealingwithcomplexissues.AsI’vealreadystressed,thegamutofallauthenticationoptionsiswide,diverse,and

8 Part I Windows Identity Foundation for Everybody

constantlyevolving.Toolingcanhelpyouonlysofar,anditisdoomedtobeobsoleteassoonasanewauthenticationschemeemerges.

Whatshoulddevelopersdo?ArewedoomedtooperateinaninfinitearmsracebetweenauthenticationsystemsandtheAPIssupportingthem?

Decoupling Applications from the Mechanics of Identity and AccessOnceuponatime,developerswereforcedtohandlehardwarecomponentsdirectlyintheirapplications.Ifyouwantedtoprintaline,youneededtoknowhowtomakethathappenwiththespecifichardwareoftheprintermodelinuseintheenvironmentofyourcustomer.

Thosedaysarefortunatelylonggone.Today’ssoftwaretakesadvantageoftheavailablehardwareviadevice drivers.Adevicedriverisaprogramthatactsasanintermediarybe-tweenagivendeviceandthesoftwarethatwantstouseit.Alldrivershaveonelogical layer,whichexposesagenericrepresentationofthedeviceandthefunctionalitiesthatarecommontothedeviceclassandrevealsnodetailsaboutthespecifichardwareofagivendevice.Thelogicallayeristhelayerwithwhichthehigherlevelsoftwareinteracts—forexample,“printthisstring.”Thedrivercontainsaphysical layertoo,whichistailoredtothespecifichardwareofagivendevice.Thephysicallayertakescareoftranslatingthehigh-levelcommandsfromthelogicallayertothehardware-specificinstructionsrequiredbytheexactdevicemodelbeingused—forexample,“putthisbytearrayinthatregister,”“addthefollowingdelimiter,”“pushthefollowinginstructionsinthestack,”andsoforth.

Ifyouwanttoprintfromyour.NETapplication,youjustcallsomemethodonPrintDocument,whichwilleventuallytakeadvantageofthelocaldriversandmakethathappenforyou.Whocaresaboutwhichprintermodelwillactuallybeavailableatruntime?

Doesn’tthisscenariosoundawfullyfamiliar?Managinghardwaredirectlyfromapplicationsissimilartotheproblemofdealingwithauthenticationandauthorizationfromapplications’code:therearetoomany(difficult!)detailstohandle,andresultsaretooinflexibleandvul-nerabletochanges.Thehardwareproblemwassolvedbytheintroductionofdevicedrivers;thereisreasontobelievethatasimilarapproachcansolvetheaccessmanagementproblem,too.

Althoughanoperatingsystemprovidesanenvironmentconducivetothecreationofathrivingdriverecosystem,theidentityandaccessproblemspacepresentsitsownchallenges—forexample,authenticationtechnologiesandprotocolsbelongtomanydif-ferentowners,thewaysinwhichresourcesandservicesareaccessedisconstantlychangingandisfragmentedinmanydifferentsegments,differentusesimplydramaticallydifferentusabilityandsecurityrequirements,usersanddataareoftensealedininaccessiblesilos,and

Chapter 1 Claims-Based Identity 9

soon.Thechancesofalevelofindirectionspontaneouslyemergingfromthatchaosarepracticallyzero.

Withtheinflationarygrowthofdistributedsystemsandonlinebusinesses,inthelastfewyearstheincreasingneedforinteroperableprotocolsthatcouldteardownthewallsbetweensilosbecameclear.ThebigplayersintheITindustrygottogetherandagreedonasetofcommonprotocolsthatwouldsupportinteroperablecommunicationsacrossdifferentplatforms.SomeexamplesofthoseprotocolsareSOAP,WS-Security,WS-Trust,WS-Federation,SecurityAssertionMarkupLanguage(SAML),andinmorerecenttimes,OpenID,OAuth,andotheropenprotocols.Don’tworryifyoudon’trecognizesomeoranyofthosenames.Whatisimportanthereisthattheemergenceofcommonprotocols,combinedwiththeextraattentionthatthesecurityaspectscommandedintheirredaction,finallycreatedtheconditionsforintroducingthemissinglogicallayerinidentityandaccessmanagement.Itisthatextralayerthatwillmakeitpossibletoisolateapplicationsandtheirdevelopersfromthegorydetailsofauthenticationandauthorizationmechanics.Inthispart,Iamnotgoingtogointothedetailsofwhatthoseprotocolsareorhowtheywork;instead,Iwillconcentrateonthescenariosthattheyenableandhowtotakeadvantageofthem.

Nowthatyou’vegainedsomeperspectiveonwhytoday’sapproachesarelessthanideal,itistimetofocusonhowyoucanmovebeyondthem.

Authentication and Authorization in Real LifeImaginingwhatshouldbeinthelogicallayerofaprinterdriveriseasy.Afterall,youhaveagoodideaofwhataprinterissupposedtodoandhowyou’dliketotakeadvantageofitinyourcode.Nowthatyouknowitispossibletocreatealogicallayerforidentity,doyouknowwhatitshouldlooklike?WhichkindofAPIshouldyouoffertodevelopers?

Wehavebeenhandlinglow-leveldetailsforsolongthatitmaybehardtoseethebiggerpicture.Ausefulexerciseistostepbackandspendamomentanalyzinghowidentityisactuallyusedforauthorizationintherealworld,andseeifwhatyoulearncanbeofhelpindesigningyournewidentitylayer.Let’slookataneasyexample.

Imagineyouaregoingtoamovietheatertoseeadocumentaryfilm.Considerthefollowingfacts:

1. Thedocumentarycontainsscenesthatarenotsuitableforayoungandimpression-ableaudience;therefore,theclerkattheboxofficeasksyouforapictureIDsothathecanverifywhetheryouareoldenoughtowatchthefilm.Youreachforyourwalletandextractyourdriver’slicense,andinsodoingyourealizethatitisexpired.

2. Resignedtomissingthefirstshow,youwalktoanearbyofficeoftheDepartmentofLicensing(DOL).AttheDOL,youhandoveryourolddriver’slicenseandasktogetanewone.

10 Part I Windows Identity Foundation for Everybody

3. Theclerktakesagoodlookatyoutoseewhetheryoulooklikethephotoonrecord.Perhapsheasksyoutoreadafewlettersfromaneyetestchart.Whenhe’ssatisfiedthatyouarewhoyouclaimtobe,hehandsyouyournewdriver’slicense.

4. Yougobacktothemovietheaterandpresentyournewdriver’slicensetotheclerk.Theclerk,nowsatisfiedthatyouareoldenoughtowatchthemovie,issuesyouaticketforthenextshow.

Figure1-1showsadiagramofthetransactionjustdescribed.

FIGURE1-1Oneidentitytransactiontakingplaceinreallife

Thisiscertainlynotrocketscience.Wegothroughsimilarinteractionsallthetime,fromwhenweboardaplanetowhenwedealwithourinsurancecompanies.Yet,thestorycontainspreciouscluesabouthowwecanaddourmissingidentitylayer.

Let’sconsiderthingsfromtheperspectiveofthebox-officeclerk.Theclerkregulatesaccesstothemovie,actuallyauthorizing(orblocking)viewersfromacquiringaticket.Thequestionthattheclerkneedstoansweris,“IsthispersonolderthanX?”Herecomestheinterestingpart:thebox-officeclerkdoesnotverifyyouragedirectly.Howcouldhe?Instead,hereliesontheverificationthatsomebodyelsealreadydid.Inthiscase,theDOLcertifiedyourbirthdateinitsdriver’slicensedocument.Thebox-officeclerktruststheDOLtotellthetruthaboutyourage.TheDOLisarecognizedgovernmentinstitution,andithasasolidbusinessneedtoknowaperson’scorrectagebecauseitisrelevanttothatperson’sabilitytodrive.Theoutcomeoftheinteractionwouldbedifferentifyoupresentedthebox-officeclerkastickynoteonwhichyouscribbledyourage.Insuchatransaction,youarenotatrustworthysource.(Unlesstheclerkknowsyoupersonally,hemustassumebiasonyourpart—thatis,youcouldlieinordertogetintothemovietheater.)

Chapter 1 Claims-Based Identity 11

Notethatinthisscenarioyoupresentedadriver’slicenseasproofofage,butfromtheclerk’spointofviewnotmuchwouldhavechangedifyouhadusedyourpassportoranyotherdocumentas long as the institution issuing it is known and trusted by the box office clerk.

Onelastthoughtbeforedrawingourparalleltosoftware:thebox-officeclerkdoesnotknowwhichproceduretheDOLclerkfollowedforissuingyouadriver’slicense,howtheDOLverifiedyouridentity,whichthingsheverified,andhowheverifiedthem.HedoesnotneedtoknowthesethingsbecauseoncehedecideshetruststheDOLtocertifyagecorrectly,he’llbelieveinwhateverbirthdateappearsonavaliddriver’slicensewiththepictureofthebearer.

Let’ssummarizeourobservationsinthisscenario:

■ Thebox-officeclerkdoesnotverifythecustomer’sagedirectly,butreliesonatrustedparty(theDOL)todosoandfindstheresultinadocument(thedriver’slicense).

■ Thebox-officeclerkisnottiedtoaparticulardocumentformatorsource.Aslongastheissueristrustedandtheformatisrecognized,theclerkwillacceptthedocument.

■ Thebox-officeclerkdoesnotknoworcareaboutthedetailsofhowthecustomerhasbeenidentifiedbythedocumentissuer.

Thissoundsquiteefficient.Infact,similartransactionshavebeensuccessfullytakingplaceforthelastfewthousandyearsofcivilization.It’shightimethatwelearnhowtotakeadvantageofsuchtransactionsinoursoftwaresolutionsaswell.

Claims-Based Identity: A Logical Layer for IdentityThetransactiondescribedintheprecedingsection,includingthevariousrolesthattheactorsplayedinit,canbegeneralizedinoneofthemostuniversalpatternsinidentityandaccessandformsthebasisofclaims-basedidentity.Thepatterndoesnotimposeanyspecifictech-nology,althoughitdoesassumethepresenceofcertaincapabilities,anditcontainsalltheindicationsyouneedfordefiningyourlogicalidentitylayer.

Let’strytoextractfromthestoryagenericpatterndescribingagenericauthenticationandauthorizationsystem.Paycloseattentionforthenextfewparagraphs.Onceyouunderstandthispattern,itisyoursforever.Itwillprovideyouwiththekeyfordealingwithmostofthescenariosyouencounterinimplementingidentity-basedtransactions.

Entities Figure1-2showsthemainentitiesthatplayaroleinmostidentity-basedtransactions.

12 Part I Windows Identity Foundation for Everybody

Relying PartySubject

SecurityToken

Claim

Identity Provider

FIGURE1-2 Themainentitiesinclaims-basedidentity

Let’ssaythatoursystemincludesauser,whichinliteratureisoftenreferredtoasasubject,andtheapplicationtheuserwantstoaccess.Inourearlierexample,thesubjectwasthemoviegoer;inthegeneralcase,asubjectcanbeprettymuchanythingthatneedstobeidentified,fromanactualusertotheapplicationidentitiesofunattendedprocesses.

TheapplicationcanbeaWebsite,aWebservice,oringeneralanysoftwarethathasaneedtoauthenticateandauthorizeusers.Inidentityjargon,itiscalledarelying party,oftenabbreviatedasRP.Inourearlierexample,theRPisthecombinationofthebox-officeclerkandmovietheater.

Thesystemmightincludeoneormoreidentity providers(IPs).AnIPisanentitythatknowsaboutsubjects.Itknowshowtoauthenticatethem,liketheDOLintheexampleknewhowtocomparethecustomer’sfacetoitspicturearchives;itknowsfactsaboutthecustomer,liketheDOLknowsaboutthebirthdateofeverylicenseddriverinitsregion.Anidentitypro-viderisanabstractrole,butitrequiresconcretecomponents:directories,userrepositories,andauthenticationsystemsareallexamplesofpartsoftenusedbyanidentityprovidertoperformitsfunction.

WeassumethatasubjecthasstandardwaysofauthenticatingwithanIPandreceivinginreturnthenecessaryuserinformation(likethebirthdateintheexample)foraspecificidentitytransaction.Wecallthatuserinformationclaims.

Themagicalword“claim”finallycomesout.A claim is a statement about a subject made by an entity.Thestatementcanbeliterallyanythingthatcanbeassociatedwithasubject,fromattributessuchasbirthdatetothefactthatthesubjectbelongstoacertainsecuritygroup.Aclaimisdistinctfromasimpleattributebythefactthataclaimisalwaysassociatedwiththeentitythatissuedit.Thisisanimportantdistinction:itprovidesyouwithacriterionfordecid-ingifyouwanttobelievethattheassertionappliestothesubject.Recalltheexampleofthebirthdateprintedonthedriver’slicenseversusabirthdatescribbledonastickynote:theclerkbelievestheformerbutnotthelatterbecauseoftheentitiesbackingtheassertion.

Chapter 1 Claims-Based Identity 13

Claimstravelacrossthenodesofdistributedsystemsinsecurity tokens,whichareXMLorbinaryfragmentsconstructedaccordingtosomesecuritystandard.Tokensaredigitallysigned,whichmeansthattheycannotbetamperedwithandthattheycanalwaysbetracedbacktotheIPthatissuedthem(whichprovidesanicemechanismforassociatingtokencontentwithitsissuer,asrequiredbythedefinitionofclaims).

Flow Claimsarethecurrencyofidentitysystems:theyarewhatdescribethesubjectinthecurrentcontext,whattheIPproduces,andwhattheRPconsumes.Here’showthetransactionunfolds.

Wellbeforeyourtransactionstarts,theRPpublishesadocument,oftencalledapolicy,inwhichitadvertisesitssecurityrequirements:thingssuchaswhichsecurityprotocolstheRPunderstandsandsimilarinformation.Thisisanalogoustotheboxofficehangingupasignthatsays,“Bereadytoshowyourdriver’slicenseoryourpassporttotheclerk.”ThemostimportantpartoftheRPpolicyisthelistoftheidentityprovidersittrusts.Thisisequivalenttoanothersignattheboxofficespecifying,“Drivers’licensesfromU.S.statesonly;passportsfromSchengenTreatycountriesonly.”

Again,beforethetransactionstarts,theIPpublishesananalogouspolicydocumentthatadvertisesitsownsecurityrequirements.ThisdocumentprovidesinstructionsonhowtoasktheIPtoissueasecuritytoken.Inliterature,youwilloftenfindthatIPsoffertheirtokenissuanceservicesviaaspecialflavorofWebservices,calledSTS(SecurityTokenService).You’llreadmore(MUCHmore)aboutSTSthroughoutthebook.

Figure1-3summarizesthestepsofthecanonicalidentitytransaction.

Identity Provider

Relying PartySubject

SecurityToken

2

3

14

STSPolicy

Policy

5

FIGURE1-3 Theflowofthecanonicaltransactioninclaims-basedidentity

Here’sadescriptionofthatflow:

14 Part I Windows Identity Foundation for Everybody

1. ThesubjectwantstoaccesstheRPapplication.Itdoesthatviaanagentofsomesort(abrowser,arichclient,andsoon).ThesubjectbeginsbyreadingtheRPpolicy.Insodoing,itlearnswhichidentityproviderstheRPtrusts,whichkindofclaimsarerequired,andwhichsecurityprotocolsshouldbeused.

2. ThesubjectchoosesoneoftheIPsthattheRPtrustandinspectsitspolicytofindoutwhichsecurityprotocolisrequired.ThenitsendsarequesttotheIPtoissueatokenthatmatchestheRPrequirements.ThisprocessistheequivalentofgoingtotheDOLandaskingforadocumentcontainingabirthdate.Insodoing,thesubjectisrequiredtoprovidesomecredentialsinordertoberecognizedbytheIP.ThedetailsoftheprotocolusedaredescribedintheIPpolicy.

3. TheIPprocessestherequest;ifitfindstherequesttobesatisfactory,itretrievesthevaluesoftherequestedclaims,sendingthembacktothesubjectintheformofasecuritytoken.

4. ThesubjectreceivesthesecuritytokenfromtheIPandsendsittogetherwithhisfirstrequesttotheRPapplication.

5. TheRPapplicationexaminestheincomingtokenandverifiesthatitmatchesalltherequirements(comingfromonetrustedIP,intheexpectedformat,nothavingbeentamperedwith,containingtherightsetofclaims,andsoon).Ifeverythinglooksasexpected,theRPgrantsaccesstothesubject.

ThissequenceofstepscoulddescribeauserbuyingsomethingonlineandpresentingtotheWebmerchantacreditscorefromafinancialinstitution;itcoulddescribetheuserofaWindowsPresentationFoundation(WPF)applicationaccessingaWebserviceonthelocalintranetbypresentingagroupmembershipclaimissuedfromthedomaincontroller;itcoulddescribeprettymuchanyidentitytransactionifyouassignthesubject,RP,andIProlesintherightway.

The abstraction layer we were searching for Thepatternwe’vebeendiscussingdescribesagenericidentitytransaction.Withoutgoingintodetailabouttheactualprotocolsandtech-nologiesinvolved,wecansaythatitjustmakesassumptionsaboutwhatcapabilitiesthosetechnologiesshouldhave,suchasthecapabilityofexposingpolicies.

Themodelisprofoundlydifferentfromwhatwehaveobservedinclassicapproaches:whereasatraditionalapplicationtakescareofauthenticationmoreorlessdirectly,heretheRPoutsourcesitentirelytoathirdparty,theidentityprovider.Thedetailsofhowauthenti-cationhappensarenolongeraconcernoftheapplicationdeveloper;allyouneedtodoisconfigureyourapplicationtoredirectuserstotheintendedidentityprovidersandbeabletoprocessthesecuritytokenstheyissue.Althoughyoucanusemanydifferentprotocolsforobtainingandusingasecuritytoken,theabstractideaofclaimsandsecuritytokensis

Chapter 1 Claims-Based Identity 15

nonspecificenoughtoallowyoutocreateagenericprogrammingmodelforrepresentingusersandtheoutcomeofauthenticationoperationswithoutexceptions.

Thosechangesinperspectivefinallyeliminatethesystemicflawthatpreventedusfromeradicatingfromtheapplicationcodetheexplicithandlingofidentitywithoutrelyingondemandinginfrastructure.Allthat’slefttodoisforplatformanddevelopertoolsproviderstotakeadvantageoftheclaims-basedidentitymodelintheirproducts.

Note Themodelisextremelyexpressive.Infact,youcaneasilyuseitforrepresentingtraditionalscenariostoo.IftheIPandtheRParethesameentity,youarebacktothecaseinwhichtheapplicationitselftakescareofhandlingauthentication.Theimportantdifferenceintheimplementationisthatbothcodeandarchitecturewillshowthatthisisjustaspecialcaseofamoregenericscenario.Therefore,thedecouplingwillberespectedandchangeswillbeaccommodatedgracefully.

WIFProgrammingModelMicrosofthasbeenamongthemostenthusiasticpromotersoftheclaims-basedidentitymodel.Itshouldcomeasnosurprisethatithasalsobeenoneofthefirsttointegrateitinitsproductofferings.Forexample,ActiveDirectoryFederationServices2(ADFS2)isaWindowsServerrolethat,amongotherthings,enablesyourActiveDirectoryinstancetoactasanidentityproviderandissueclaimsforyouruseraccounts.

WindowsIdentityFoundation(WIF)isasetofclassesandtools,anextensiontothe.NETFramework,thatenablesyoutouseclaims-basedidentitywhendevelopingASP.NETorWCFapplications.Itisseamlesslyintegratedwiththecore.NETFrameworkclassesandinVisualStudiosothatyoucankeepusingthetoolsandtechniquesyouarefamiliarwithfordevelopingyourapplications,whilereapingtheadvantagesofthenewmodelwhenitcomestoidentity.

Inthissection,IwillintroducethebasicsofWindowsIdentityFoundation:howitexposesclaims-basedidentityprinciplestodevelopers,somefundamentalconsiderationsaboutitsstructure,andtheessentialprogrammingsurfaceeverydevelopershouldbeawareof.

16 Part I Windows Identity Foundation for Everybody

An API for Claims-Based IdentityIntheprevioussection,youlearnedaboutclaims-basedidentity.Ifyouhadtoexposeitasaprogrammingmodelsothatanapplicationdevelopercouldtakeadvantageofit,whatrequirementswouldyoufollow?Hereismywishlist:

■ Makeclaimsavailabletothedeveloperinaclear,consistent,andprotocol-independentfashion.

■ Takecareofall(ornearlyall)authentication,authorization,andprotocolhandlingoutsideofthecodeoftheapplication,awayfromtheeyesofthedeveloper.

■ Minimizetheneedtochangethecodewhenchangesatdeploymenttimeoccur.Driveasmuchoftheapplication’sbehavioraspossibleviaconfiguration.

■ Provideawaytoeasilyconfigureapplicationstorelyonexternalidentityprovidersforauthentication.

■ Provideawayforapplicationstoeasilyadvertisetheirrequirementsviapolicy.

■ Organizeeverythinginapluggablearchitecturethatcansupportmultipleprotocolsandisolatethedeveloperfromthedetailsofthedeployment(onpremisesandcloud,ASP.NETandWCF,andsoon).

■ Respectasmuchaspossibleexistingcodeandpractices,maximizingtheamountofoldcodethatwillstillworkinthenewmodelwhileofferingincrementaladvantageswiththenewAPIs.

Asyou’llseetimeandtimeagainthroughoutthebook,WIFsatisfiesallthesecriteria.

WIF’s Essential BehaviorEarlierinthetext,IwrotethatPartIofthebookwillshowyouhowtotakeadvantageofWIFinyourapplicationswithouttheneedtobecomeasecurityexpert,andIintendtokeepthatpromise.HereI’llstartwithasimplifieddescriptionofhowWIFworks,coveringtheessentialpointsforallowingyoutousetheproduct.PartIwillbeaboutASP.NETapplications,andI’llstickwithdiscussingscenariosthatcanbetackledbyusingWIFtoolingalone.I’llomitthedetailsthathavenoimmediateuse.YoucanrefertoPartIIofthebookifyouwanttoknowthewholestory.

WIFallowsyoutoexternalizeauthenticationandauthorizationbyconfiguringyourapplicationtorelyonanidentityprovidertoperformsomeorallthosefunctionsforyou.Howdoesitdothatinpractice?

Figure1-4showsasimplifieddiagramofhowWIFhandlesauthenticationintheASP.NETcase.

Chapter 1 Claims-Based Identity 17

Identity Provider

ApplicationSubject

2

31

5

4

WIF

ClaimsBrowser

STS

FIGURE1-4 AsimplifieddiagramofhowWindowsIdentityFoundationtakescareofhandlingauthenticationforanASP.NETapplication

Theideaisextremelysimpleandcloselymimicsthecanonicalclaims-basedidentitypattern:

1. WIFsitsinfrontofyourapplicationintheASP.NETpipeline.Whenanunauthenticateduserrequestsapage,itredirectsthebrowsertotheidentityproviderpages.

2. HeretheIPauthenticatestheuserinwhateverwayitchooses(perhapsbyshowingapagewithusernameandpassword,usingKerberos,orinsomeotherway).Thenitmanufacturesatokenwiththerequiredclaimsandsendsitback.

3. ThebrowserpoststhetokenitgotfromtheIPtotheapplication,whereWIFagaininterceptstherequest.

4. Ifthetokensatisfiestherequirementsoftheapplication(thatis,itcomesfromtherightIP,containstherightclaims,andsoon),theuserisconsideredauthenticated.WIFthendropsacookie,andasessionisestablished.

5. Theclaimsintheincomingtokenaremadeavailabletotheapplicationcode,andthecontrolispassedtotheapplication.

Aslongasthesessioncookieisvalid,thesubsequentrequestswon’tneedtogothroughthesameflowbecausetheuserwillbeconsideredtobeauthenticated.

Youarenotsupposedtoknowityet,buttheprecedingflowunfoldsaccordingtotheWS-Federationprotocolspecification:mostofthemagicisdonebytwoHTTPmodules:WSFederationAuthenticationModule(WSFAM)andSessionAuthenticationModule.

18 Part I Windows Identity Foundation for Everybody

ThewholetrickofusingWIFinyourapplicationboilsdowntothefollowingtasks:

1. ConfiguretheapplicationsothattheWIFHTTPmodulessitintheASP.NETpipelineinfrontofit.

2. ConfiguretheWIFmodulessothattheyrefertotheintendedIPs,usetherightprotocols,protecttheplannedresourcesoftheapplication,andingeneralenforceallthedesiredapplicationpolicies.

3. Accessclaimvaluesfromtheapplicationcodewheneverthereisaneedintheapplicationlogictomakeadecisiondrivenbyuseridentityattributes.

Thegoodnewsisthatinmanycasessteps1and2canbeperformedviaVisualStudiotooling.Thereisahandywizardthatwalksyouthroughtheprocessofchoosinganidentityprovider,offersyouvariousoptions,andinformsyouaboutthekindofclaimsyoucangetabouttheuserfromthespecificIPyouarereferringto.Thewizardtranslatesalltheprefer-encesyouexpressedviapointandclickintheweb.configsettings.ThenexttimeyoupressF5,yourapplicationwillalreadyapplythenewauthenticationstrategy.Congratulations,yourapplicationisnowclaims-aware.

Thegoodnewskeepcoming;performingstep3issimpleandperfectlyinlinewithwhat.NETdevelopersarealreadyaccustomedtodoingwhenhandlinguserattributes.

IClaimsIdentity and IClaimsPrincipalRememberIIdentityandIPrincipalasameansofdecouplingtheapplicationcodefromtheauthenticationmethod?Itworkedprettywelluntilwefoundanauthenticationstyle(clientcertificates)thatbrokethemodel.Nowthatauthenticationisnolongeraconcernoftheapplication,wecanconfidentlyrevisittheapproachandapplyitforexposingnewinforma-tion(claims)byleveragingafamiliarmodel.

WIFprovidestwoextensionstoIIdentityandIPrincipal, IClaimsIdentityandIClaimsPrincipal,respectively—whichareusedtomaketheclaimsprocessedintheWIFpipelineavailabletotheapplicationcode.TheinstancesliveintheusualHttpContext.Current.UserpropertyinASP.NETapplications.YoucanusethemasiswiththeusualIIdentityandIPrincipalprogram-mingmodel,oryoucancastthemtothecorrectinterfaceandtakeadvantageofthenewfunctionalities.

Let’stakeaquicklookatthemembersofthenewinterfaces.Notethatthelistfornowisbynomeansexhaustiveandhighlightsonlypropertiesthatwillbeusefulinbasicscenarios.

Chapter 1 Claims-Based Identity 19

IClaimsPrincipalisdefinedasfollows:

public interface IClaimsPrincipal : IPrincipal { // ... // Properties ClaimsIdentityCollection Identities { get; } }

BecauseIClaimsPrincipalisanextensionofIPrincipal,alltheusualfunctionalities(suchasIsInRole)aresupported.Asyou’llseeinChapter2,“CoreASP.NETProgramming,”thisuse-fulpropertyextendstootherASP.NETfeaturesthattakeadvantageofIPrincipalroles—forexample,accessconditionsexpressedviathe<authorization>elementstillwork.

TheonlynoteworthynewsistheIdentitiescollection,whichisinfactalistofIClaimsIdentity.Let’stakealookatthedefinitionofIClaimsIdentity:

public interface IClaimsIdentity : IIdentity { // ... ClaimCollection Claims { get; } }

HereIstrippedoutmostoftheIClaimsIdentitymembers(becauseI’llhaveachancetointroducethemallasyouproceedthoughthebook),butIleftinthemostimportantone,thelistofclaimsassociatedwiththecurrentuser.WhatdoesaClaimlooklike?

public class Claim { // ... // Properties public virtual string ClaimType { get; } public virtual string Issuer { get; } public virtual IClaimsIdentity Subject { get; } public virtual string Value { get; } }

Onceagain,manymembershavebeenstrippedoutforthesakeofclarity.Thepropertiesshownareself-explanatory:

■ ClaimType Representsthetypeoftheclaim:birthdate,role,andgroupmembershipareallgoodexamples.WIFcomeswithanumberofconstantsrepresentingnamesofclaimtypesincommonuse;however,youcaneasilydefineyourowntypesifyouneedto.ThetypicalclaimtypeisrepresentedwithaURI.

■ Value Specifies,asyoucanimagine,thevalueoftheclaim.Itisalwaysastring,althoughitcanrepresentavalueofadifferentCLRtype.(Birthdateisagoodexample.)

20 Part I Windows Identity Foundation for Everybody

■ Issuer IndicatesthenameoftheIPthatissuedthecurrentclaim.

■ Subject PointstotheIClaimsIdentitytowhichthecurrentClaimbelongs,whichisarepresentationoftheidentityofthesubjecttowhichtheclaimrefersto.

Ifyouunderstandwhataclaimis,andifyouhaveanytypeofidentitycardinyourwallet,thepropertiesjustdescribedareintuitiveandeasytouse.Let’slookatoneeasyexample.

SupposethatyouareworkingononeapplicationthathasbeenconfiguredwithWIFtouseclaims-basedidentity.Let’ssaythatauthenticationtakesplaceattheverybeginningofthesession,sothatduringtheexecutionyoucanalwaysassumetheuserisauthenticated.Atacertainpointinyourcode,youneedtosendane-mailnotificationtoyouruser.Therefore,youneedtoretrievehere-mailaddress.Herethere’showyoudoitwithWIF:

IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity; string Email = (from c in identity.Claims where c.ClaimType == System.IdentityModel.Claims.ClaimTypes.Email select c.Value).SingleOrDefault();

ThefirstlineretrievesthecurrentIClaimsIdentityfromthecurrentprincipalofthethread,exactlyasitwouldifyouwantedtoworkwiththeclassic.NETIIdentity—theonlydifferenceisthedowncasttoIClaimsPrincipal.

ThesecondlineusesLINQforretrievingthee-mailaddressfromthecurrentclaimcollection.Thequeryisveryintuitive:yousearchforalltheclaimswhosetypecorrespondstothewell-knownEmailclaimtype,andyoureturnthevalueofthefirstoccurrenceyoufind.Forthee-mailcase,itisreasonabletoexpectthattherewillbeonlyoneoccurrenceinthecollection,However,thisisnottrueinthegeneralcase.JustthinkofhowmanygroupclaimswouldbegeneratedforanygivenWindowsuser;thus,thestandardwayofretrievingaclaimsvaluemusttakeintoaccountthattheremightbemultipleclaimsofthesametypeinthecurrentIClaimsIdentity.

Nothinginthecodeshownindicateswhichprotocolorcredentialtypeshavebeenusedforauthenticatingtheuser.Thatmeansyouarefreetomakeanychangesinthewayinwhichusersauthenticate,withouthavingtochangeanythinginyourcode.RelyingononeIPforhandlinguserauthenticationandusingopenprotocolsdeliverstrueseparationofconcerns;therefore,makingthosechangesisalsoveryeasy.

Relyingonclaimsforgettinginformationabouttheusermitigatestheneedformaintainingattributestores,wherethedatacanbecomestaleorbecompromised.Asyoucanobserve,thecodeshowninthissectiondoesnotcontainanycalltoalocaldatabasethatcouldbebrokenbyroutinechangesorthatcouldbecomeaproblemiftheapplicationismovedtoanexternalhostthatcannotaccesslocalresources.Intheageofthecloud,theimportanceofbeingabletomoveapplicationsaroundcannotbeoverestimated.

Chapter 1 Claims-Based Identity 21

Finally,thetwolinesofcodeshownearlierwillworkwithanykindof.NETprogram,ASP.NETorWCF.ThewayinwhichWIFsnapstothetwodifferenthostingmodelsandpipelinesisdifferent.IwilldescribehowitdoesthisindetailinPartII;however,fromtheperspectiveoftheapplicationdeveloper,nothingchanges.Thetoolingoperatesitsmagicforconfiguringtheapplicationtoexternalizeauthentication.AllyouneedtoknowishowtominetheresultswithaconsistentAPIwithoutworryingaboutunderlyingprotocols,hostingmodel,orlocation.

Itwouldappearthataddingoneextralayerofindirectionworked.WefinallyfoundanAPIthatcansecureyourapplicationswithoutforcingyoutotakecareofthedetails.

SummaryTraditionalapproachestoaddingidentityandaccessmanagementfunctionalitytoapplicationsallhavethesameissues:theyrequirethedevelopertotakemattersintohisownhands,callingforspecializedsecurityknowledge,ortheyheavilyrelyonthefeaturesoftheunderlyinginfrastructure.ThissituationhasledtoaproliferationofAPIsandtechniques,forcingdeveloperstocontinuallyre-learnhowtoperformthesametaskwithdifferentAPIs.Theresultingsoftwareisbrittle,difficulttomaintain,andresistanttochange.Inthischapter,Igavesomeconcreteexamplesofhowthissystemicflawintheapproachtoaddingidentityandaccessmanagementaffectsdevelopment,evendevelopmentin.NET.

Claims-basedidentityisanapproachthatchangesthewaywethinkaboutauthenticationandauthorization,addingalogicalrepresentationofidentitytransactionsandidentifyingtherolesthateveryentityplays.Byaddingthatfurtherlevelofindirection,claims-basedidentitycreatedthebasisforthedecouplingoftheprogrammingmodelandthedetailsofdeploy-timesystems.Inthechapter,Idescribedthebasicsofclaims-basedidentityandyoulearnedhowitcanbeusedtomodelawidevarietyofscenarios.

WindowsIdentityFoundationisonesetof.NETclassesandtoolsthathelpsdeveloperstosecureapplicationsbyfollowingtheprinciplesofclaims-basedidentity.Thischapterintro-ducedtheessentialprogrammingsurfaceexposedbyWIF,anditdemonstratedhowWIFdoesnotsufferfromtheissuesImentionedfortraditionalapproaches.

Inthenextchapter,IwillshowhowtotakeadvantageofWIFforperformingauthentication,authorizationandidentity-drivencustomizationinavarietyofcommonWebscenarios.

95

Chapter4

Advanced ASP .NET ProgrammingIn this chapter:More About Externalizing Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Single Sign-on, Single Sign-out, and Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Claims Processing at the RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Nowthatmosttechnicalitiesareoutoftheway,wecanfocusonintendedusageoftheproductforaddressingawiderrangeofscenarios.

ThischapterresumesthearchitecturalconsiderationsthatdrovePartIofthebook,“WindowsIdentityFoundationforEverybody,”bytacklingmorecomplexsituations.I’llassumeyouarenowfamiliarwiththeflowdescribedinChapter3,“WIFProcessingPipelineinASP.NET.”I’llgiveyouconcreteindicationsabouthowtocustomizethedefaultbehaviorofWindowsIdentityFoundation(WIF)toobtainthedesiredeffectforeverygivenscenario.

Usingclaims-basedidentityinyourapplicationis,forthemostpart,theartofchoosingwhotooutsourceauthenticationtoandprovidingjusttherightamountofinformationforinfluencingtheprocess.ThischapterwillnotexhaustallthepossiblewaysyoucancustomizeWIF—farfromit.However,itwillequipyouwiththeprinciplesyouneedtoconfidentlyexplorenewscenariosonyourown.

Thefirstsection,“MoreAboutExternalizingAuthentication,”takesadeeperlookattheentitiestowhichyoucanoutsourceauthenticationforyourapplication.I’llgobeyondthesimplificationsofferedsofar,introducingtheideaofmultipleprovidertypes.Alotofthediscussionwillbeatthearchitecturallevel,helpingyouwiththedesignchoicesinyoursolutions.However,hardcorecodersshouldnotfear!ThesectionalsodivesdeepintotheSecurityTokenService(STS)projecttemplatethatcomeswiththeWIFSDK.Althoughinrealscenariosyou’llrarelyneedtocreateacustomSTS,giventhatmoreoftenthannotyou’llrelyonoff-the-shelfproductssuchasActiveDirectoryFederationServices2.0(ADFS2.0),you’llfinditusefultoseeaconcreteexampleofhowthearchitecturalconsiderationsmentionedarereflectedincode.

The“SingleSign-on,SingleSign-out,andSessions”sectionexplorestechniquesthatreducetheneedforuserstoexplicitlyentertheircredentialswhenvisitingaffiliatedWebsitesand

96 Part II Windows Identity Foundation for Identity Developers

showshowtocleanupmultiplesessionsatonce.Onespecificcase,sessionswithslidingvalidity,istheoccasionforadeeperlookathowWIFhandlessessions.

The“Federation”sectiondissectsthepatternthatismostwidelyusedforhandlingaccessacrossmultipleorganizations.I’llcovermoreindepththeuseofSTSesforprocessingclaims,andwe’lltackletheproblemofdecidingwhoshouldauthenticatetheuserwhentherearemanyidentityproviders(IPs)tochoosefrom(somethingknownasthehome realm discovery problem).Thesolutionstothoseproblemscanbeeasilygeneralizedtoanysituationinwhichtherelyingparty(RP)—whichwasdiscussedinChapter3—needstocommunicateoptionstotheIP.I’lldemonstratethatwithanotherexample:theexplicitrequestforacertainauthenticationlevel.

The“ClaimsProcessingattheRP”sectionclosesthechapterbydescribinghowtouseWindowsIdentityFoundationforpreprocessingtheclaimsreceivedfromtheidentityprovider.I’llbrieflyrevisittheclaims-basedauthorizationflow—introducedinminimaltermsinChapter2,“CoreASP.NETprogramming.”ThenI’llshowyouhowtofilterandenrichtheIClaimsPrincipalbeforetheapplicationcodegainsaccesstoit.

Afteryoureadthischapter,you’llbeabletomakeinformeddecisionsabouttheidentitymanagementarchitectureofyoursolutions.You’llknowwhatittakestoimplementsuchdecisionsinASP.NET.You’llhaveconcreteexperienceusingtheWIFextensibilitymodelforsolvingarangeofclassicidentitymanagementscenarios.ThatexperiencewillhelpyoutodeviseyourownWIF-basedsolutions.Onceagain,I’llgiveyoupracticalcodeindicationsabouttheASP.NETcase,butthegeneralprinciplesintroducedherecanbeappliedmorebroadly,oftentotheWCFservicescaseandevenonnon-Microsoftplatforms.

MoreAboutExternalizingAuthenticationUntilnow,Ihavedescribedsituationsinwhichtheapplicationreliesononlyoneexternalentity—whatIdefinedastheidentity provider,orIP.Althoughthisisanaccuraterepresenta-tionofaparticularcommonscenario,thegeneralcasecanbeabitmorecomplicated.Notonlymightyouhavetoacceptidentitiesfrommultipleidentityproviders,identityprovidersarenottheonlyentitiesyoucanoutsourceauthenticationto!

Sofar,theroleplayedbytheentitywithinatransaction(theidentityprovider)hasbeenconflatedwiththeinstrumentusedtoperformthefunction(theSTS).Thepurposeofthissectionistohelpyoubetterunderstandtheseparationbetweenthetwobyprovidingmoredetailsaboutthenatureoftheidentityprovider,introducinganewroleknownasthefederation provider,andstudyinghowthosehigh-levelfunctionsreflectontheimplementationoftheassociatedSTS.

Chapter 4 Advanced ASP .NET Programming 97

Identity ProvidersBeinganidentityproviderisarole,ajobifyouwill.YouknowfromChapter1,“Claims-BasedIdentity,”thatanIP“knowsaboutsubjects.”Infact,allthethinkingbehindtheideaofIPisjustgoodserviceorientationappliedtoidentity.

Thestandardexampleofaconcreteidentityproviderisonebuiltontopofadirectory,justasADFS2.0isbuiltontopofActiveDirectory.Inthisscenario,there’sanentitythatiscapableofauthenticatingusersandmakingassertionsaboutthem,andallyouaredoingismakingthatcapabilityreusabletoawideraudiencebyslappingastandardfaçade(theSTS)infrontofit.TheuseofstandardswhenexposingtheSTSissimplyawayofmaximizingtheaudienceandincreasingreusability.Here’sanexample:AlthoughaSharePointinstanceonanintranetcantakeadvantageofActiveDirectoryauthenticationcapabilitiesdirectlyviaKerberos,thatisnotthecaseforaSharePointinstancelivingoutsidethecorporateboundariesandhostedbyadifferentcompany.ExposingtheauthenticationcapabilitiesofActiveDirectoryviaADFS2.0makesitpossibletoreuseidentitieswiththeSharePointinstanceinthesecondscenario,removingtheplatformandlocationconstraints.WIFisjustmachinerythatenablesyourapplicationtotakeadvantageofthesamemechanism.ItisworthwhiletopointoutthatSharePoint2010is,infact,basedonWIF.

Anotheradvantageofwrappingtheactualauthenticationbehindastandardinterfaceisthatyouarenowisolatedfromitsimplementationdetails.TheIPcouldbeafaçadeforadirectory,amembershipprovider–basedsite,oranentirelycustomsolutiononanarbitraryplatform;aslongasitsSTSexposestheauthenticationfunctionalitythroughstandards,applicationscanuseitwithouttiesordependenciesoutsideoftheestablishedcontract.Whocaresiftheconnectionstringtothemembershipdatabasechanges,orevenifthereisamembershipdatabaseinthefirstplace?AllyouneedtoknowistheaddressoftheSTSmetadata.

ThosecharacteristicsoftheIProletellyouquitealotaboutwhattoexpectregardingthestructureoftheSTSexposedbyoneIP.

Note Inliterature,you’lloftenfindthatoneSTSusedbyoneIPcanbedefinedasan“IP-STS.”Inashort,you’llseehowthiscansometimesbeusefulfordisambiguatingthefunctiontheSTSoffers.

IntheWS-FederationSign-inflow,describedinChapter3,yousawthatthedetailsofhowtheSTSauthenticatestherequestforsecuritytokensisaprivatematterbetweentheSTSandtheuser.NowyouknowthatsuchasystemhastobesomethingthatallowstheSTStolookupuserinformationfromsomestore—sothatitcanbeextractedandpackagedintheformofclaims.NotableexamplesaretheonesinwhichtheSTSleveragesthesameauthenticationmethodsoftheresourceitiswrapping.IftheIPisafaçadeforActiveDirectoryandtheuser

98 Part II Windows Identity Foundation for Identity Developers

isontheintranet,theSTSmightverywellbehostedononeASPXpagethatisconfiguredinInternetInformationServices(IIS)toleverageWindowsnativeauthentication.Ifthesourceisamembershipdatabase,theSTSsitewillbeprotectedviaamembershipprovider,andsoon.Theclaimvalue’sretrievallogicintheSTSwillusewhatevermonikertheauthenticationschemeoffersforlookingupclaimvalues,buttheauthenticationwilloftenbeperformedbytheinfrastructurehostingtheSTSratherthantheSTScodeitself.

NothingpreventsoneIPfromexposingmorethanoneSTSendpointtoaccommodatemultipleconsumptionmodels.Forexample,thesameIPmightbelisteningforKerberosauthenticatedrequestsfromtheintranetandX.509securedcallsonanendpointavailableontheInternet;theIPmightexposefurtherendpoints,bothforbrowser-basedrequestorsviaWS-FederationandSAMLPorforactiverequestorsviaWS-Trust;andsoon.ThisprocessoffersanotherinsightintohowoneIPisstructured:authenticationandclaimsissuancelogicshouldcommunicatebutremainseparatesothatmultipleSTSendpointsscenariosarehan-dledwithlittleornoduplication.Asyou’llseelaterinthesection,theWIFSTSprogrammingmodelisconsistentwiththatconsideration.

AnIPwillactivelymanagethelistoftheRPsitiswillingtoissueatokenfor.Thisisnotonlyamatterofensuringthatclaimsaretransmittedexclusivelytointendedrecipients,butalsoapracticalnecessity.Especiallyinthepassivecase,inwhichtokenrequestsareusuallysimple,theIPdecideswhatlistofclaimswillbeincludedinatokenaccordingtotheRPthetokenisbeingissuedfor.(“Passivecase”ismainlyanotherwaytosaythatyouuseabrowser.You’llknoweverythingaboutitafterreadingChapter5,“WIFandWCF.”)SuchalistisestablishedwhentheRPisprovisionedintheIP’sallowlist.JustlikeWIFenablesoneapplicationtoes-tablishatrustrelationshipwithanIPbyconsumingitsmetadataviatheFederationUtilityWizard,IPsoftwaresuchasADFS2.0includeswizardsthatcanconsumetheapplicationmetadataandautomaticallyprovisiontheRPentryinitsallowlist.

Note Incomputerscienceasinotherdisciplines,anallowlistisalistofentitiesthatareapprovedtodosomethingortoberecipientsofsomeaction.Forexample,ifyourcompanynetworkhasanallowlistofWebsites,thatmeansyoucanbrowseonlyonthosesitesandnoother.Conversely,havingablacklistofWebsitesmeansthatyoucanbrowseeverywherebutonthose.AnIPnormallymaintainsanallowlistofRPsitiswillingtoissueatokenfor:anyrequestforarecipientnotintheallowlistisrefused.TheADFS2.0UIdescribesthatasRelying Party Trust.Iamnotveryfondofthatuseof“trust,”whichinthiscontexthasaspecialmeaning(be-lievingthattheclaimsissuedbyagivenIPaboutasubjectaretrue),butyourmileagemayvary.

TheIPalsokeepstrackofthecertificateassociatedwiththeRP,bothforensuringthattheRPhasastrongendpointidentity(exposedviaHTTPS)andforencryptingthetokenwiththecorrectkeyifconfidentialityisrequired.

Chapter 4 Advanced ASP .NET Programming 99

NonauditingSTSTherearesituations,especiallyintheareaofe-government,inwhichtheuserwouldliketokeepprivatetheidentityoftheRPheisusing.Forexample,acitizenmightwanttouseatokenissuedbyagovernmentIPprovinghisage,butatthesametimehewouldliketomaintainhisprivacyaboutwhatkindofsites(forexample,liquormerchants)heisusingthetokenfor.

Technically,thescenarioispossible,althoughsettingupsuchfunctionalitywouldintroducesomelimitations.Forexample,notknowingtheidentityoftheRP,theIPwouldnotknowtheassociatedX.509certificateandthatwouldmakeitimpossibletoencrypttheissuedtoken.Also,someprotocolshandlethescenariobetterthanothers.AlthoughtheWS-Federationspecificationallowsforspecifyingwhichclaimsshouldbeincludedintherequestedtoken,mostimplementationsexpectthelistofclaimsrequiredbyoneRPtobeestablishedapriori,whichisofcourseofnohelpiftheidentityoftheRPisnotknown.ThingscanbealittleeasierwithWS-Trust,asyou’llseeinthenextchapter.

Inthebusinessworld,themostcommonscenariorequirestheIPtohaveapreexistingrelationshipwiththeRPbeforeissuingtokensforit;therefore,off-the-shelfproductssuchasADFS2.0normallymandateit.

Thescenariodescribedsofar—oneapplicationoutsourcingauthenticationtooneidentityprovider—iscommon,andnoneofthefurtherdetailsaboutIPsIgavehereinvalidateit.However,sometimestheplanetsdonotalignthewayyou’dlike,andforsomereasonsimpledirectoutsourcingtooneIPdoesnotsolvetheproblem.

Federation ProvidersLet’sconsiderforamomentthematterofhandlingmultipleidentityproviders.Imaginebeingadeveloperforafinancialinstitution.Let’ssayyouarewritingacorporatebankingapplication,whichallowscompaniestohandlethesalarypaymentprocessfortheirwork-force.Thisisclearlyonecaseinwhichyouneedtotrustmultipleidentityproviders—namely,allthecompanieswhoaccessyourfinancialinstitutionformanagingpayments.

Fromwhatyouhaveseensofar,youknowonlyonewayofhandlingthesituation:addingmultipleFederatedPassiveSignIncontrolstoyourapplicationentrypage,eachofthempointingtoadifferentidentityprovider.Althoughtheapproachworks,itcanhardlybecalledafullexternalizationofidentitymanagementbecauseprovisioninganddeprovisioningidentityprovidersforcesyoutochangetheapplicationcode.Thingsgetworsewhenyouhaveoneentireportfolioofapplicationstomakeavailabletoalistofmultipleidentityproviders—havingtoreapplythetrickmentionedpreviouslyforeveryapplicationrapidly

100 Part II Windows Identity Foundation for Identity Developers

becomesunsustainableasthenumberofappsandIPsgoesup.ThisclearlyindicatestheneedtofactoroutIPrelationshipmanagementfromtheapplicationresponsibilities.

Anothercommonissueyoumightencounterhastodowiththeabilityofyourapplicationtounderstandclaimsasissuedbyoneidentityprovider.Hereiswhy:

■ Sometimesyoumighthavesimpleformatissues.Forexample,theusersyouareinterestedinmightcomefromanothercountryandtheirIPmightuseclaimURIscontaininglocale-specifictermsyourapplicationdoesnotunderstand.(AnEnglishapplicationmightneedtoknowthenameofthecurrentuserandexpectitinanhttp://claims/nameformat,whileanItalianIPmightsendthedesiredinformationinthehttp://claims/nomeclaimformat.)

■ Sometimestheinformationwillneedsomeprocessingbeforebeingfedtoyourapplication.Forexample,anIPmightofferabirthdateclaim,butyourapplicationmightbeforbiddenfromreceivingpersonallyidentifiableinformation(PII).AllyourequirehereisasimpleBooleanvalueindicatingiftheuserisbeloworaboveacertainthresholdage.AlthoughtheinformationisclearlyavailabletotheIP,itmightnotbeofferedasaclaim.

■ Finally,youmightneedtointegratetheclaimsreceivedfromtheIPwithfurtherinformationthattheIPdoesnotknow.Forexample,youmightbeanonlinebookshopacceptingusersfromapartnerIP.TheIPcanprovideyouwithnameandshippingaddressclaims,butitcannotprovideyouwiththelast10bookstheuserboughtfromyourstore.Thatisdatathatbelongstoyou,andyouhavetheresponsibilityofmakingitavailableintheformofclaimsifyouwanttooffertoyourdevelopersaconsistentwayofconsumingidentityinformation.

Whatisneededhereisameansofdoingsomepreprocessing—somekindofintermediarythatcanmassagetheclaimsandmakethemmoredigestiblefortheapplication.

Thestandardsolutiontotheseissuesistheintroductionofanewroleinidentitytransactions,whichgoesbythenameofFederationProvider(FP).

AFederationProviderisaclaimstransformer;itisanentitythatacceptstokensininput—kindoflikeanRPdoes—andissuestokensthatare(usually)theresultofsomekindofprocessingoftheinputclaims.AnFPoffersitstokenmanipulationcapabilitiesexactlylikeanIP,byexposingSTSendpoints.Themaindifferenceisthat,whereasoneIPusuallyexpectsre-questsforsecuritytokenssecuredbyusercredentialsthatwillbeusedforlookingupclaims,theFPexpectsrequeststobesecuredwithanissuedtokenthatwillbeusedasinputfortheclaimstransformationprocess.IntheIPcase,theissuedtokencontainstheclaimsdescribingtheauthenticateduser;intheFPcase,theissuedtokenistheresultoftheprocessingappliedtothetokenreceivedintherequest.GiventhefactthatanFPexposesoneSTS,applicationscanuseitforexternalizingauthenticationinexactlythesamewayasyouhaveseentheydowithIPs.WIF’sFederationUtilityWizarddoesnotdistinguishbetweenIPsandFPs—allitneedsisanSTSanditsmetadata.

Chapter 4 Advanced ASP .NET Programming 101

Thereasonthatit’sknownastheFederationProvideristhatenablingfederationistheprimarypurposethatledtotheemergenceofthisrole.Inanutshell,here’showthatworks.ImaginecompanyAisamanufacturerthathasanumberofline-of-business(LOB)applica-tionsforitsownemployees,includingapplicationsforsupplymanagement,inventory,andotherusualstuff.CompanyBisaretailerthatsellstheproductsmanufacturedbyA.Toim-provetheefficiencyoftheircollaboration,AandBdecidetoenterintoafederationagree-ment:certainBemployeeswillhaveaccesstocertainAapplications.InsteadofhavingeveryAapplicationaddtheBidentityproviderandhavingtheBIPprovisioneveryapplicationasarecognizedRP,AexposesaFederationProvider.

TheBIPwillprovisiontheAFPjustlikeanyotherRP,associatingtotherelationshipthelistofclaimsthatBdecidestosharewithAaboutitsusers.AlloftheAapplicationsthatneedtobeaccessiblewillenterintoatrustrelationshipwiththeAFP,outsourcingtheirauthenticationmanagementtoitsSTS.Figure4-1showsthetrustrelationshipsandthesign-inflow.

Browser

IP-STS

APP

1

23 4

6

7

Trust

Trust

R-STS

5

IP FP

B A

A

AB

B

FIGURE4-1 Theauthenticationflowinafederationrelationshipbetweentwoorganizations

Theflowgoesasfollows:

1 OneemployeeofBnavigatestooneapplicationinA.

2 TheuserisnotauthenticatedbecausetheapplicationwillacceptonlyuserspresentingtokensissuedbytheAFP.TheapplicationredirectstheusertotheAFP.

3 Again,theuserisnotauthenticated.TheAFPwillacceptonlyuserspresentingtokensissuedbytheBIP.TheapplicationredirectstheusertotheBIP.

4 TheuserlandsontheBIP,whereauthenticationwilltakeplaceaccordingtothemodesdecidedbyB.TheusergetsatokenfromtheBIP.

5 TheusergetsbacktotheAFPandpresentsthetokenfromtheBIP.

102 Part II Windows Identity Foundation for Identity Developers

6 TheAFPprocessesthetokenaccordingtotheapplication’sneeds—someclaimsmightbereissuedverbatimastheywerereceivedfromB;othersmightbesomehowprocessed;stillothersmightbeproducedandaddedanew.TheAFPpackagestheresultsoftheprocessingintheformofclaimsandissuesthenewtokentotheuser.

7 TheusergetsbacktotheapplicationandpresentsthetokenfromtheAFP;theapplicationauthenticatesthecallbyexaminingthetokenfromAFP.

ThemainadvantageofusinganFPinafederationscenarioisobvious:younowhaveasingleplacewhereyoucanmanageyourrelationship,definingitsterms(suchaswhichclaimsyoushouldreceive).Theapplicationsaredecoupledfromthosedetails.BecausetheFPknowsaboutboththeincomingclaims(becauseitisonpointforhandlingtherelationships)andtheclaimsneededbytheapplication(becauseitispartoftheorganization,itknowsaboutwhichclaimtypesareavailableandtheirsemantics),applicationscaneffectivelytrustittohandleauthenticationontheirbehalfeveniftheactualusercredentialsverificationtakesplaceelsewhere.Theprocesscanbeiterated.Forexample,youcanhaveanFPtrustinganotherFP,whichinturntrustsanIP,althoughthatdoesnothappentooofteninpractice.

The WIF STS TemplateOutsourcingauthenticationtooneexternalSTSmakeslifemucheasierfortheapplicationdeveloper,atthepriceofrelinquishingcontrolofakeysystemfunctiontotheSTSitself.Althoughrelinquishingcontrolofthemechanicsofauthenticationissweet,asI’vebeenpointingoutthroughtheentirebook,theSTSyouchoosebetterbegood,orelse.Here’swhatImeanby“good”inthiscase:

■ AnSTSmustbesecure AcompromisedSTSisanabsolutecatastrophebecauseitcanabuseyourapplication’strustbymisrepresentingtheuserprivileges.

■ AnSTSmustbeavailable IftheSTSendpointisdown,asaconsequenceofpeaktrafficoranyotherreason,yourapplicationisunreachable:notoken,noparty.

■ AnSTSmustbehigh-performing Everytimeauserbeginsasessionwithyourapplication,theSTScomesintoplay.Badperformanceisextremelyvisible,canbecomeasourceoffrustrationforusers,andevenpileuptocompromisethesystem’savailability.

■ AnSTSmustbemanageable IfyouowntheSTS,whetheritusedasanIPorFP,you’llneedtomanagemanyaspectsofitsactivitiesandlifecycle,suchasthelogicusedforretrievingclaimvalues,provisioningofrecognizedRPs,establishmentoftrustrelationshipswiththeIPoffederatedpartners,managementofsigningandencryp-tionkeys,auditingoftheissuingactivities,andmanagementofmultipleendpointsfordifferentcredentialtypesandprotocols.Thelistgoesonandon.

Chapter 4 Advanced ASP .NET Programming 103

Inotherwords,runninganSTSisseriousbusiness:don’tletanybodyconvinceyouotherwise.AnendpointthatunderstandsWS-Federation,WS-Trust,orSAMLPrequestsandcanissueatokenaccordinglytechnicallyfitsthedefinitionof“STS,”butprotocolcapabilitiesalonecan’thelpwithanyoftherequirementsjustmentioned.

Thisiswhyinthevastmajorityofreal-worldscenariositiswisetorelyonoff-the-shelfSTSproducts,suchasADFS2.0.ThoseproductshostSTSendpointsandadvancedmanagementfeaturesthatsimplifybothsmallandlargemaintenanceoperationsthatrunninganIPoranFP(orboth)entails.Let’stakeADFS2.0asanexample:ADFS2.0isatrueWindowsserverrole—tried,stressed,andtestedjustlikeanyotherWindowsserverfeature.

TheWindowsIdentityFoundationSDKmakesthegenerationofanSTSdeceivinglysimplebyofferingMicrosoftVisualStudiotemplatesforbothASP.NETWebsitesandWCFservicesprojectsthatimplementabare-bonesSTSendpoint(forWS-FederationandWS-Trust,re-spectively).TheGenerateNewSTSoptionintheAddSTSReferenceWizardjustinstantiatesoneofthosetemplatesinthecurrentsolution.ThosetestSTSesareanincrediblyusefultoolfortestingapplications,thankstothenearabsenceofinfrastructurerequirements(ADFS2.0requiresaworkingActiveDirectoryinstance,SQLServer,WindowsServer2008R2,andsoon)andinstantaneouscreation.AssomebodywhohadtowriteSTSesfromscratchwithWCFinthepast(alongandmessybusiness),IamdelightedbyhoweasyitistogenerateatestSTSwithWIF.Forthesamereason,suchtestSTSesareconsistentlyusedinWIFsamplesandcourseware.Thisbookisnoexception.

WhydoIsay“deceivinglysimple”?BecauseofalltherequirementsIlistedearlier.WIFcancertainlybeusedtobuildanenterprise-classSTS—ithasbeenusedforbuildingADFS2.0itself.However,betweentheSTStemplateofferedbytheWIFSDKandADFS2.0,therearemany,manyman-yearsofdesign,enormousamountsofdevelopmentandtesting,tonsofassumptionsanddefaultchoices,brutalfuzzing,relentlessstressing,andsoon.ThefactthattheSTStemplategivesyoubackatokendoesnotmeanitcanbeusedasisinareal-lifesys-tem.PeopleregularlyunderestimatetheeffortrequiredforbuildingaviableSTS,anerrorofjudgmentthatcanresultinseriousissues.ThatiswhyIalwaysdiscouragethecreationofcus-tomSTSesunlessit’sabsolutelynecessary,andthere’snotalotofdetailedguidanceonthat.

NowthatI’vegotthedisclaimeroutoftheway:thischapterwillusealotofcustomSTSes.TakingapeekinsideanSTSisapowerfuleducationaltoolthatcanhelpyouunderstandscenariosendtoend.BeingabletoputtogethertestSTSescanhelpyousimulatecomplexsetupsbeforecommittingresourcestothem.Finally,you’lllikelyencountersituationsinwhichsettingupacustomSTSisthewaytogo—forexample,ifyourusercredentialsarenotstoredinActiveDirectory.Theguidancehereisabsolutelynotenoughforhandlingthetask—thatwouldinvolveteachinghowtobuildsecure,scalable,manageable,andperform-ingservices,whichiswellbeyondthescopeofthistext—butitcanbeastartingpointforunderstandingthetokenissuancemodelofferedbyWIF.

104 Part II Windows Identity Foundation for Identity Developers

TherestofthesectiondescribestheSTStemplateforASP.NETofferedbyWIFSDK4.0.Asyoureadthroughthissection,IsuggestyougobacktothesimpleexampleyoucreatedinChapter2andputbreakpointsonthepartsoftheSTSprojectbeingdiscussed.Everytimesomethingisnottooclear,tryatestruninthedebuggertogetabettersenseofwhat’sgoingon.

Structure of the STS ASP .NET Project TemplateTheASP.NETSecurityTokenServiceWebSitetemplate,asWIFSDK4.0namesit,canbefoundintheC#WebsitestemplateslistinVisualStudio.Asmentioned,thisisalsothetemplatethatisusedbytheAddSTSReferenceWizardforgeneratinganSTSprojectwithinanexistingsolution.Figure4-2showsthelistoftemplatesinstalledbytheWIFSDK4.0.

FIGURE4-2 ThetemplatesinstalledbyWIFSDK4.0,withthetemplateusedforcreatinganASP.NETSTShighlighted

TheSTSWebsiteistypicallycreatedonthelocalIIS.AlthoughitispossibletousetheplainHTTPbinding,ingeneraltheSTSWebsitewillbecreatedonanHTTPSendpoint.

Note UsingHTTPinthiscaseisnormallyareallybadidea.Evenifyouencryptthetokensyouissue,andeveniftheRPcantakestepsformitigatingtheriskofacceptingstolentokens,therealityisthatusingplainHTTPonbrowser-basedscenariosmakesyouvulnerabletoman-in-the-middleandotherattacks.InChapter5,you’llhaveachancetodigdeeperintothetopic.

Chapter 4 Advanced ASP .NET Programming 105

IISvs.VisualStudioBuilt-inWebServerVisualStudioallowsyoutodevelopWebsiteswithoutrequiringthepresenceofIISonyourdevelopmentmachine.VisualStudiooffersabuilt-inWebserver,calledtheASP.NETDevelopmentServer,whichcanbeusedtorenderpagesdirectlyfromthefilesystem.

AlthoughyoucangetWIFtoworkonWebsitesrunningontheASP.NETDevelopmentServer,therearelimitations(forexample,thebuilt-inWebserverdoesnotsupportHTTPS)andcomplications(forexample,thedynamicallyassignedportschangethesiteURIsandthusforcechangesintheconfiguration).Becauseofthis,it’sjustsimplertouseIIS.

SimilarconsiderationsledmetouseWebsiteprojectsratherthanWebapplicationones.Webapplicationdevelopmentstartsonthefilesystemandrequiresextrastepsforhosting(anddebugging)theapplicationinIIS.Furthermore,atthetimeofthiswriting,Fedutil.exeisnotabigfriendofthedynamicportssystemfeaturedbyASP.NETDevelopmentServer.TheAddSTSReferenceWizardwillnotalwaysworkasexpectedwhenlaunchedonaWebapplicationproject.

Figure4-3showsthestructureoftheSTSproject.

FIGURE4-3 TheASP.NETSTSprojectstructure

ThatisthestructureofaminimalWebsiteprotectedviaFormsauthentication,containingtheclassicLogin.aspxandDefault.aspxpages.Theweb.configfileisminimal,containingprac-ticallynothingspecifictoWIFapartfromthereferencetoitsassemblyandafewvaluesinthe<appSettings>.TheWebsiteisconfiguredtouseFormsAuthentication.AsyousawinthefirstexampleinChapter2,Login.aspxdoesnotactuallyverifyanycredentialsandrepresents

106 Part II Windows Identity Foundation for Identity Developers

justapro-formaauthenticationpage:thepagewilljustcreatetheauthenticationcookieandstartasessionregardlessofthecredentialsenteredintheUI.

The hands-on lab Web Sites and Identity (C:\IdentityTrainingKit2010\Labs\WebSitesAndIdentity\Source\Ex1-ClaimEnableASPNET) exercise 2, shows how to use an existing Membership store for authenticating calls to the STS, and how to source claim values from a Role provider.

AllthisemphasizeswhatImentionedearlierabouttheseparationbetweentheSTSfunctionsandtheauthenticationmechanism:hereFormsauthenticationisthemethodofchoice,butitisindependentfromwhatWIFdoesforimplementingthetoken-issuingfunctionality.TheauthenticationsystemcouldbeeasilysubstitutedwithWindowsintegratedauthenticationorwhateverelse,aslongasittakescareofauthenticatingtheuserbeforegivingaccesstoDefault.aspx.

Note AnobviousobservationisthattheSTStemplategeneratesanIP-STS,somethingthatauthenticatesusersandissuestokensdescribingthem.ItisnothardtotransformitintoanR-STS:youcanjustruntheAddSTSReferenceWizardontheSTSprojectitself,andthatwillbeenoughforexcludingthecurrentFormsauthenticationsettingsandexternalizeauthenticationtothesecondSTSofyourchoosing.However,thatwouldchangeonlythewayauthenticationishandled,notthewayclaimsaregenerated:anR-STStransformsincomingclaims,butthedefaulttemplateimplementationdoesnotdothat.Attheendofthesection,I’lldiscusswhatyouneedtochangeformodifyingtheclaimissuancecriteriaaswell.

TheDefault.aspxpagerepresentstheSTSendpoint,andittakescareofinstantiatingandexecutingthetoken-issuinglogicinthecontextofanASP.NETrequest.Thepageitselfdoesnotcontainmuch.WhatweareinterestedinisthePage_PreRenderhandlerinDefault.aspx.cs:

public partial class _Default : Page { /// <summary> /// Performs WS-Federation Passive Protocol processing. /// </summary> protected void Page_PreRender( object sender, EventArgs e ) { string action = Request.QueryString[WSFederationConstants.Parameters.Action]; try { if ( action == WSFederationConstants.Actions.SignIn ) { // Process signin request. SignInRequestMessage requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri( Request.Url ); if ( User != null && User.Identity != null && User.Identity.IsAuthenticated ) {

Chapter 4 Advanced ASP .NET Programming 107

SecurityTokenService sts = new CustomSecurityTokenService( CustomSecurityTokenServiceConfiguration.Current ); SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest (requestMessage, User, sts ); FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse (responseMessage, Response ); } else { throw new UnauthorizedAccessException(); } } else if ( action == WSFederationConstants.Actions.SignOut ) { // Ignore the rest for now // ... } }

ThiscodeistheSTScounterpartoftheWS-FederationprocessinglogicthatWIFprovidesforRPs,asstudiedinChapter3.WhereastheRPgeneratestherequestforasecuritytokenandvalidatesit,theSTSlistenstothoserequestsandissuestokensaccordingtotheWS-Federationprotocol.Here’saquickexplanationofwhatthemethoddoes:

■ ThehandlerinspectstherequestQueryStringfortheWS-Federationactionparameter,wa.Let’sfocusonthecaseinwhichwaispresentandhasthevaluewsignin1.0,whichindicatesarequestforatoken.(We’llexplorethesign-outcaselaterinthechapter.)

■ ThecodecreatesanewSignInRequestMessagefromtherequest—thatis,aname-valuecollectionthatsurfacesthevariousWS-Federationparametersasproperties.

■ Doyouhaveanon-emptyIPrincipal?Isthecurrentuserauthenticated?Ifitisn’t,anUnauthorizedAccessExceptionisthrownandtheuserisredirectedtotheloginpage.Ifitis,thefollowingmusttakeplace:

❑ GetaninstanceofSecurityTokenServicebyretrievinganinstanceofasubclass,CustomSecurityTokenService.ThisclasscontainsthecoreSTSlogic,asyou’llseeinamoment.

❑ ThenewSTSinstance,alongwiththeincomingSignInRequestMessageandtheuser’sIPrincipal,isfedtoFederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest,whereitwillbeusedforissuingthetokenandproducingasuitableSignInResponseMessage.

❑ Finally,FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponsewritestheSignInResponseMessageintheresponsestream,whichwillbeeventuallyforwardedtotheRPandprocessedasyousawinChapter3.

108 Part II Windows Identity Foundation for Identity Developers

Therearealotofclasseswithlongnames,butintheendthecodeshownearlierjustfeedstheauthenticateduserandtherequesttoacustomSecurityTokenServiceclassandsendsbacktheresult.TheSTSprojectfeaturesanApp_Codefolder,whichcontainsalltheclassestheSTSneeds,includingtheCustomSecurityTokenServiceclass;allyouneedtodoistakealookatwhathappensthere.

TheRedirectExceptionintheSTSTemplateinVisualStudio2010Atthetimeofthiswriting,theASP.NETSTStemplateexhibitsasmallissuewithVisualStudio2010.AttheendofthePage_PreRendermethod,thereisacatchclausethathandlesgenericExceptionsandre-throwsthemafterhavingaddedamessage.Unfortunately,thecodedescribedearliercontainsatleastaredirect,whichthrowsanexception.Normally,youwouldnotseeit,butthere-throwmakesVisualStudiostopattheunhandledexception.Therearevariousworkaroundsforthisissue.YoucouldcatchThreadAbortExceptionandignoreit.YoucouldjustpressF5again,andtheappli-cationwillmoveforwardwithoutissues.Youcouldcommentthatlineinthetemplate.Youcouldstartwithoutdebugging.IdonotsuggestdisablingtheVisualStudiodefaultbehaviorofstoppingatunhandledexceptionsunlessyouknowverywellwhatyouaredoing.

STS Classes and Methods in App_CodeTheCommon.csfileisnotveryinteresting;it’sjustabunchofconstants.CertificateUtil.csisnotthatremarkableeither;it’sahelperclassforretrievingX.509certificatesfromtheWindowsstores,althoughthereisaninterestingpieceoftriviaforit.WIFusesthatcode,insteadoftheclassicX509Certificate2Collection.FindbecausethelatterdoesnotcallResetonthecertifi-catesitopened.

CustomSecurityTokenServiceConfiguration,asthenameimplies,takescareofstoringsomekeyconfigurationsettingsfortheSTS:thename,thecertificatethatshouldbeusedforsigningtokens,serializersforthevariousprotocols,andsoon.ThemostimportantsettingitstoresisthetypeofthecustomSecurityTokenServiceitself.

Finally,wegettotheveryheartoftheSTS:theclassinCustomSecurityToken.cs.ThecodegeneratedbythetemplatehasthepurposeofdoingthebareminimumforobtainingaworkingSTS;hence,Iwon’tanalyzeittoocloselyhere,exceptforpointingoutsomenotablebehavior.Rather,I’lluseitasabasefortellingyouaboutthemoregeneralmodelthatyouhavetofollowwhendevelopingacustomSTSinWIF.NotethattheconsiderationsaboutSecurityTokenServiceapplybothtoASP.NETandWCFSTSes.

SecurityTokenService InWIF,acustomSTSisalwaysasubclassofSecurityTokenService,andtheASP.NETtemplateisnoexception.Theclaims-issuanceprocessisrepresentedbyaseries

Chapter 4 Advanced ASP .NET Programming 109

ofSecurityTokenServicemethods,whichareinvokedfollowingaprecisesyntaxthatleadstheformrequestvalidationtoemitthetokenbits.Completecoverageofthatsequenceisbe-yondthescopeofthisbook;however,hereI’lllistthemainmethodsyoushouldknowabout:

❑ ValidateRequest ThismethodtakesinaRequestSecurityTokenandverifiesthatitisinarequestthatcanbehandledbythecurrentimplementation.Forexample,itchecksthattherequiredtokentypeisknown.SecurityTokenServiceprovidesanimplementa-tionofValidateRequest.YoushouldoverrideitonlyifyouareaddingorsubtractingfromthedefaultSTScapabilities.TherearealsofewthingstakingplaceinGetScopethatcouldperhapsbedoneinValidateRequest.I’llpointthoseoutasweencounterthem.

❑ GetScope GetScopeisanabstractmethodinSecurityTokenServicethatmustbeoverriddeninanyconcreteimplementation.IttakesasinputtheIClaimsPrincipalofthecallerandthecurrentRequestSecurityToken.

ThepurposeofGetScopeistovalidateandestablishsomekeyparametersthatwillinfluencethetoken-issuanceprocess.ThoseparametersaresavedinoneinstanceofScope,whichisreturnedbyGetScopeandwillcascadethroughallthesubsequentmethodsinthetoken-issuancesequence.HerearethemainquestionsthatGetScopeanswers:

❑ Whichcertificateshouldbeusedforsigningtheissuedtoken?Althoughasigningcertificatehasalreadybeenidentifiedintheconfigurationclass,GetScopeshouldconfirmthatcertificate(asdonebythetemplateimplementa-tion)oroverrideitwithcustomcriteria—forexample,ifsomethingintherequestinfluenceswhichcertificateshouldbeused.

❑ IstheintendedtokendestinationarecognizedRP?Asdiscussedearlier,normallyanSTSissuestokensonlytotheRPURIsthathavebeenexplicitlyprovisioned.Iftheincomingwtrealm(availableinRequestSecurityTokenviathepropertyAppliesTo)doesnotcorrespondtoaknownRP,anInvalidRequestExceptionshouldbethrown.

Note ThetemplateimplementationofGetScopeperformsthecheckagainstahard-codedlist.OnecouldarguethatavalidationcheckwouldbelongtotheValidateRequestmethod,buttheitemaboutencryptionthatfollowsshowshowGetScopewouldneedtoqueryanRPsettingsdatabaseanyway.

IftheAppliesTovalueisvalid,itisfedintotheScopeobject.ItwillbeneededfortheAudienceRestrictionelementoftheissuedtoken,whichinturnwillbevali-datedbyWIFagainstthe<audienceURI>configelementontheRP.

❑ Shouldtheissuedtokenbeencrypted?Ifyes,withwhichcertificate?TheSTSconfigurationshouldspecifywhetherthetokenshouldbeencrypted.Ifitshould

110 Part II Windows Identity Foundation for Identity Developers

be,thesamestorethatwasusedforestablishingwhethertheRPwasvalidshouldalsocarryinformationaboutwhichencryptioncertificateshouldbeused.Thetemplateusesavaluefromconfig.

❑ Towhichaddressshouldthetokenbereturned?Thetemplateassumesthatwtrealm—thatis,theAppliesTovalue—isboththeidentifieroftheRPanditsnetwork-addressableURI.Asaresult,GetScopeassignsthevalueofAppliesTototheReplyToAddresspropertyoftheScopeobject.

Important AlthoughinmanycasesitistruethatAppliesTocontainsthenetworkaddressableendpointofoneRP,thatdoesnotalwayshold.Sometimeswtrealmwillbealogicalidentifierfortheapplicationratherthananetworkaddress,andtheactualaddresstowhichthetokenshouldbereturnedwillbedifferent.Awayofhandlingthisisbysendingtheactualaddressintherequestviathewreplyparameter,andthenassigningittoScope.ReplyToAddress(fromRequestSecurityToken.ReplyTo).ReplyToaddressesshouldalwaysbethoroughlyvalidatedbecausesupportingwreplyopensyourSTSuptoredirectattacks.

Note ADFS2.0doesnothandlewreply.

WhentheScopeisready,anumberoflowerleveltoken-issuancepreparationstepstakeplace.Youcaninfluencethoseifyouwantto,butIwon’tgointofurtherdetailshere.Afterthosestepsarecompleted,itisfinallytimetoworkwithclaims.

❑ GetOutputClaimsIdentity ThismethodtakesasinputtheIClaimsPrincipalofthecaller,theRequestSecurityToken,andthe Scope.ItreturnsanIClaimsIdentity,whichcon-tainstheclaimsthatshouldbeissuedinthetokenforthecaller.NotethatatthispointtheIClaimsPrincipalofthecallerisarepresentationoftheIPrincipalobtainedfromtheSTScallerviaFormsauthentication.ThisshouldnotbeconfusedwiththeoutputIClaimsPrincipalcreatedbytheSTS,whichwillbeavailableattheRPaftersuccessfulsign-in.

ThisisperhapstheleastrealisticoftheimplementationsintheSTStemplate.Itreturnstwohard-codedclaims,NameandRole,regardlessofthetargetedRPorthecaller(theonlyconcessionbeingthevalueoftheNameclaim,extractedfromtheincomingprincipal):

protected override IClaimsIdentity GetOutputClaimsIdentity (IClaimsPrincipal principal, RequestSecurityToken request, Scope scope ) { if ( principal == null ) { throw new ArgumentNullException( "principal" ); }

Chapter 4 Advanced ASP .NET Programming 111

ClaimsIdentity outputIdentity = new ClaimsIdentity(); // Issue custom claims. // TODO: Change the claims below to issue custom claims required by your application. // Update the application's configuration file too to reflect new claims requirement. outputIdentity.Claims.Add( new Claim( System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name ) ); outputIdentity.Claims.Add( new Claim( ClaimTypes.Role, "Manager" ) ); return outputIdentity; }

Inamorerealisticsetting,yourGetOutputClaimsIdentityimplementationwouldneedtomakesomedecisionsabouttheoutgoingIClaimsIdentity.Thesearethequestionsitwillneedtoanswer:

❑ Giventhecurrentrequest,whichclaimtypesshouldbeincluded?ThelistofclaimsthatshouldbeissuedisoftenestablishedperRP,atprovisioningtime.ThatisespeciallycommonforWS-Federationscenarios,andsomeproductswillgoasfarasimplementingthattacticfortheWS-Trustcaseaswell.

Note ADFS2.0usesthatapproachineverycase.ThelistofclaimstoissueisalwaysestablishedonthebasisoftheRPforwhichthetokenisbeingissued.

ChancesarethatthelistofclaimstousewillbeavailableinthesamestoreyouusedinGetScopeforretrievingtheRPURIandencryptioncertificate.

WS-Trust(andWS-Federation,viawreqorwreqptrparameters)supportsrequest-ingaspecificlistofclaimsforeveryrequest.Althoughthatrequiresmorework,whichprobablyincludescheckingonanRP-boundlistiftherequiredclaimsareallowedforthatgivenRP,therearemanyadvantagestotheapproach.Apartfromminimaldisclosureandprivacyconsiderations,possiblyabitoutofscopehere,oneobviousadvantageisthatthiscanhelpkeepthetokensizeundercon-trol.AtokenrepresentingaWindowsidentitycanhavemanygroupclaims.Ifforagiventransactionthegroupclaimisnotrequired,beingabletoexcludeitcandramaticallyshrinktheresultingtoken.

Ifyouwanttosupportrequeststhatspecifytherequiredclaims,you’llfindthatlistintheRequestSecurityToken.Claimscollection.

❑ Giventhecurrentprincipal,whichclaimvaluesshouldbeassigned?Togetherwiththerequestauthenticationmethod,thisisthequestionthatdetermineswhetheryourSTSisanIP-STSoranR-STS.

112 Part II Windows Identity Foundation for Identity Developers

OneIP-STSusessomeclaimsoftheincomingIClaimsPrincipalforlookingupthecallerinoneormoreattributestores,fromwheretheSTSwillretrievethevaluestoassigntotheestablishedclaimtypes.That’sthedirectdescendentofusingausernameforlookingupattributesinaprofilestore;infact,itcantakeplaceinexactlythesamewayifyouhaveausernameclaim.Ofcourse,youarenotlimitedtoit—youcanuseanyclaimyoulike.

OneR-STSprocessestheclaimsintheincomingIClaimsPrincipalinarbitraryways,storingtheresultsinotherclaimsintheoutgoingIClaimsIdentity.NotethattheSTScanalsojustcopysomeclaimsfromtheincomingtokentotheoutgoingonewithoutmodification,anditcanevenaddnewclaimsinthesamewaytheIP-STSdoes.I’llshowsomeexamplesofthislater,duringthefederationandhome-realmdiscoverydiscussions.

ADFS2.0offersamanagementUI,whereadministratorscanspecifyhowtosourceortransformclaims.ThemappingscanbespecifiedviaasimpleUIorviaaSQL-likelanguagethatisespeciallywellsuitedforclaimsissuance.InyourownSTS,youcanembedthecorrespondingcodedirectlyinGetOutputClaimsIdentity,oryoucandevelopamechanismfordrivingitsbehaviorfromoutside.

MetadataYouknowaboutmetadatafromChapter3.IfyouneedtochangesomethinginthemetadatadocumentofoneRP,youcansimplyeditit.Perhapsthat’snotthegreatestfunyou’llhave,butitisfeasible.

DoingthesameforoneSTSisoutofthequestionbecauseanSTSmetadatadocumentmustalwaysbesigned.TheWIFSDKhasoneexampleshowinghowtousetheWIFAPIforgener-atingametadatadocumentprogrammatically.It’snotrocketscience,justalotofserializa-tion.Generatingthedocumenthastheadvantageofkeepingitautomaticallyupdatedifyouplayyourcardswellandreadthingsfromtheconfig.Italsohasanotheradvantageofgrant-ingyoubettercontrolofcomplicatedsituations,suchascasesinwhichonthesameWebsiteyouexposebothWS-FederationandWS-Trustendpoints.

Anydynamiccontentgenerationmechanismwilldo.MyfavoriteisexposingaWCFserviceandhidingthe.svcextensionwithsomeIISURLrewriting.

SingleSign-on,SingleSign-out,andSessionsInthissection,I’llformalizesomeofthesession-relatedconceptsI’vebeenhintingatsofar.Namely,I’llhelpyouexplorehowWIFcanreducethenumberoftimesauserispromptedforcredentialswhenbrowsingWebsitesthataresomehowrelatedtoeachother.I’llshowyouhowyoucansignoutauserfrommultipleWebsitesatonce,makingsurenodangling

Chapter 4 Advanced ASP .NET Programming 113

sessionsarestillopen.Finally,I’llshareafewtricksyoucanusefortweakingthewayinwhichWIFhandlessessions.

Single Sign-onInChapter3,IillustratedthedancethatWS-FederationprescribesforsigninginarelyingpartyandhowtheWIFobjectmodelimplementsthat.Let’smovethescenarioalittlefurtherbysupposingthatyouwanttomodelthecaseinwhichtheuservisitsmorethanoneRPapplication.

IftheRPshaveabsolutelynothingincommon,thereisnotmuchtobesaid:everyRPsessionwillhaveitsownindependentstory.Butwhathappensif,forexample,twoRPstrustthesameSTS?Thingsgetmoreinteresting.Figure4-4brieflyrevisitsthesign-insequence,showingtheusersigninginthefirstRPapplication,namedA.

STS

STS A

5

A

3

51

23 4

FIGURE4-4 TheusersignsintheRPnamedA,andinsodoingitreceivessessioncookiesbothfromtheSTSandA

Bynow,youknowthedrill:

1. TheusersendsaGETforapageonA.

2. TheuserisredirectedtotheSTS.

3. TheuserisauthenticatedbywhateversystemtheSTSchoosesandobtainsasessioncookie.

4. Theusergetsbackatoken.

5. TheusersendsthetokentoAandgetsbackasessioncookie.

Herestep3isespeciallyinteresting:InFigure4-4,IassumedtheauthenticationmethodpickedbytheSTSinvolvesthecreationofasessionwiththeSTSsiteitself.That’sareason-ableassumptionbecausethat’spreciselythecasewithcommonauthenticationmethods

114 Part II Windows Identity Foundation for Identity Developers

suchasKerberos(whichleveragesthesessionthattheusercreatedfromherworkstationatlogintime)orFormsauthentication(whichdropsasessioncookie,justliketheWIFSTStemplatedoes).Ifthatisthecase,attheendofthesign-insequencetheuser’smachinewillhavetwocookies:onerepresentingthesessionwithA,createdbyWIF,andonerepresentingthesessionwiththeSTS.Startingfromthatsituation,let’snowlookatFigure4-5toseewhathappenswhentheusersignsinwithB,anotherRP,thattruststhesameSTS.

STS

B

4 A

1

2

3

4STS A

B

FIGURE4-5 TheusersignsintotheRPnamedB,andtheexistingsessionwiththeSTSallowstheusertosigninwithoutbeingpromptedfortheSTScredentials

Theflowstartsasusual,theuserrequestsapagefromB(step1,asshowninFigure4-5)andgetsredirectedtotheSTStoobtainatoken(step2).However,thistimetheuserisalreadyauthenticatedwiththeSTSsitebecausethereisanactivesessionrepresentedbytheSTScookie.ThismeanstherequestfortheSTSpage—say,Default.aspxifyouareintheWIFSTStemplatecase—leadsstraighttoexecutionoftheSecurityTokenServiceissuingsequencewithoutshowingtotheuseranyUIforcredentialgathering.Thetokenisissuedsilently(step3)andforwardedtoB(step4)accordingtotheusualsequence.FromthemomenttheuserclicksonthelinktoBandthebrowserdisplaystherequestedpagefromB,onlysomeflickeringoftheaddressbarinthebrowserwillgiveawaythefactthatsomeauthenticationtookplaceunderthehood.That’sprettymuchwhatSingleSign-on(SSO)means:theuserwentthroughtheexperienceofsigninginonlyonce,andfromthatmomentonthesystemisabletogainaccesstofurtherRPswithoutpromptingtheuserforcredentialsagain.

SSOisanall-timefavoriteforendusers.UsingasinglesetofcredentialsfordifferentWebsiteswithoutbeingreproachedforit?Typingstuffonlyonce?Countmein!Thisisalsosomethingthatgreatlypleasessystemadministrators,becausereducingthenumberofcredentialstomanageeasestheadministrativeburden,lowerstheprobabilitythatuserswillreusethesamepasswordindifferentWebsites,andsoon.

Chapter 4 Advanced ASP .NET Programming 115

Note Bynow,youcancertainlyseethefundamentaldifferencebetweenauthenticatingwithanSTSonlyonce,andsilentlyobtainingtokensformultipleWebsitesafterthatsinglecredentialgatheringmomentandreusingthesamecredentialsacrossmultipleWebsites(eachhandlingtheirownauthentication).Whereasthefirstapproachminimizesthechancesofpasswordsbeingstolen,thesecondmaximizesit.

You’llfindthatalthoughmostuninitiatedpeoplewillnotunderstandmostofthestuffIcoveredinthisbook,everybodywillhaveaclear,intuitiveunderstandingandappreciationofSSO.Perhapsnotsurprisingly,SSObecametheHolyGrailoftheindustrylongbeforetheemergenceofclaims-basedidentity,andasoftodayalotofpeoplethinkthattheultimategoalofidentitymanagementshouldbeuniversalSSO.

Thegoodnews?AslongastheSTScreatesasessioninitsauthenticationmethod,havingSSOacrossWebsiteRPsprotectedviaWIFissomethingthatworksrightoutofthebox.There’snoarcaneWS-Federationtrickhere,justgoodoldcookiesandabitoftrustmanagement.

The hands-on lab ASP.NET Membership Provider and Federation (c:\IdentityTrainingKit2010\Labs\MembershipAndFederation) demonstrates how you can easily obtain SSO across Web sites using WIF. In fact, it shows how it is enough to add a page to an existing Web site, without modifying anything else, to add IP capabilities to it. The scenario in the lab modifies a Web site secured via the Membership provider, but this pattern can be applied to any authentication system.

Single Sign-outInoneofthoserareinstancesinwhichbuildingiseasierthandestroying,youareabouttodiscoverthatSingleSign-outissomewhathardertoimplementthanSingleSign-on.

SingleSign-out,orSSOut,takesplacewhentheterminationofonesessionwithaspecificRPtriggersthecleanupofstateandothersessionsacrossthesameübersession.Inotherwords,signingoutfromoneWebsitecascadesthroughalltheWebsitesthatwerepartoftheSSOclubandsignsoutfromthemaswell.

Note ThebasicideaofSSOutisreadilyunderstoodandcanbeeasilyexperiencedevenoutsidefederatedscenarios:thesign-outoptionofLiveID,which(atthetimeofthiswriting)throwsyououtatoncefromalltheWebsitesacceptingLiveIDyou’vebeensigninginto,isagoodexampleofthat.However,inliterature“SingleSign-out”isalmostalwaysusedasasynonymof“federatedsign-out”andisexpectedtobehaveasspecifiedbyWS-FederationorSAMLP.

116 Part II Windows Identity Foundation for Identity Developers

ThemechanicsofSSOutarenotverystraightforward,especiallybecausetheoutcomeoftheentireprocessreliesonalltheentitiesinvolvedreceivingmessagesandcomplying.Bothofthosethingsarehardtoenforcewithoutreliablemessagingortransactions;hence,theentirethingendsupbeinga“makeyourbesteffort”attempt.ThisstateofaffairswaswellknowntotheauthorsoftheWS-Federationspecification,whowerenotespeciallyprescriptiveindescribingthemessagesandmechanismsusedforimplementingSSOut.WIFdoessupportSSOutoutoftheboxforRPs,buttheSTStemplateisnotespeciallythoroughinimplement-ingallitsdetails.Inthissection,I’llclueyouintothethingsyouneedtoaddforachievingmorecompletesupport.

Signing Out from One RPBeforegettingintothedetailsofhowtohandlesigningoutfrommultipleWebsites,let’sseewhatittakestosignoutfromjustone.

Whatkeepsausersessionalive,apartfromthesheerFormsauthenticationmachinery?Firstofall,it’stheexistence(andvalidity)ofthesessioncookiegeneratedatsign-ontime.ThedefaultnameusedbyWIFforthatcookieisFedAuth,withanadditionalFedAuth1…FedAuthnifthesizeoftheSessionSecurityTokenrequiresmultiplecookies.Youcaneasilytakecareofthatyourself—it’sjustamatterofcallingFormsAuthentication.SignOutanddeletingthesessioncookie(byhandorviaSessionAuthenticationModule.DeleteSessionTokenCookie).

Second,it’sthesessionwiththeSTS.IfyoudeletethesessionwiththeRPbuttheuserstillhasavalidsessionwiththeSTS,shewillstillhaveaccesstotheRP.ThefirstunauthenticatedGETelicitstheusualredirecttotheSTS,andavalidsessionmeansthattheuserwillbeissuedanewtokenwithoutevenbeingpromptedforcredentials.

TheRPcannotdirectlychangetheSTSsession.Infact,itisnotevensupposedtoknowhowthatsession(ifany)isimplementedtobeginwith!Luckily,WS-FederationdefinesawayfortheRPtoasktheSTStosignoutthecurrentprincipal.ItwillbeuptotheSTStodecidewhatspecificstepsthatentailsinthecontextofitsownimplementation.

ThemechanismthatWS-Federationusesforsigningoutisstraightforward:youaresupposedtodoaGEToftheSTSendpointpagewiththeparameterwa=wsignout1.0andawreplyin-dicatingwhereyouwantthebrowsertoberedirectedafterthesignoutisdone.Onceagain,thisissomethingyoucoulddoyourself;butwhybother,whenthereissomethingthatcantakecareofboththeRPsessioncleanupandsendingthesign-outmessagetotheSTS?ThatsomethingisFederatedPassiveSignInStatus,anASP.NETcontrolthatcomeswithWIF.

FederatedPassiveSignInStatus,asthenameimplies,canbeusedforeasilydisplayingonyourWebsitethecurrentstateofthesession.Dragitonanypage,anditsappearancewillchangeaccordingtowhetheryouhaveavalidsessioninplace.Ifyoudo,bydefaultthecontrolappearsasahyperlinkwiththetext“SignOut.”ClickingthatlinkresultsinthecurrentRPsessionbeingcleanedup.IfthecontrolpropertySignOutActionissettoFederatedSignOut,

Chapter 4 Advanced ASP .NET Programming 117

thecontroltakescareofsendingthewsignout1.0messagetotheSTSindicatedintheSessionSecurityToken.Handy,isn’tit?That’smyfavoritewayofimplementingsignoutwithWIF—it’seasyandpainless.

Warning FederatedPassiveSignInStatushasaproperty,SignOutPageUrl,thatindicatesthepagethebrowsershouldreturntoafterthesign-outisdone.Inpractice,it’sthewreplyinthewsignout1.0message.Ifyouleavethepropertyblank,WIFsetswreplytoyourwtrealmandappends“login.aspx”toit.ChancesarethatyourWebsitedoesnotcontainaloginpagebe-causeyouareusinganSTS.Ifthat’sthecase,youmightgetanerroratthenextsuccessfulau-thentication.Thebottomlineisthis:makesureyouaddameaningfulvaluetoSignOutPageUrl.

TheWIFSTSTemplateandwsignout1.0InthedescriptionoftheWIFSTStemplate,Ipurposefullyomittedthecodethattakescareofsigningout.NowthatyouknowwhatanSTSissupposedtodoinresponsetoawsignout1.0message,Icangetbacktoitandcompletethedescriptionofthetemplate.Thefollowingcodeshowsthemissingbranch:

else if ( action == WSFederationConstants.Actions.SignOut ) { // Process signout request. SignOutRequestMessage requestMessage = (SignOutRequestMessage)WSFederationMessage.CreateFromUri( Request.Url ); FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest( requestMessage, User, requestMessage.Reply, Response ); }

SignOutRequestMessageisanalogoustoSignInRequestMessage,inthatit’sjustadictionaryofquerystringvalues.FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequestisnotallthatglamorouseither,I’mafraid.ItjustsignsoutfromtheFormauthenticationsession,deletestheWIFsessiontoken(ifthereisany—theSTStemplatedoesnotincludeSessionAuthenticationManagerbydefault)andredirectstotheaddressindicatedbywreply.

Signing Out from Multiple RPsFromtheperspectiveoftheRPfromwhichtheuserissigningout,cleaningupitsownses-sionandsendingwsignout1.0totheSTSisallthatisneededforclosingthegames.IfthereareotherRPswithwhichtheuserstillentertainsanactivesession,itisresponsibilityoftheSTStopropagatethesign-outtothemaswell.

AllthatislefttodoisfortheotherRPstogetridoftheirsessions.NotethattheSTSalreadyeliminateditsownsessionwiththeuser;hence,thereisnoriskofsilentre-issuingaftertheotherRPsdotheircleanup.

118 Part II Windows Identity Foundation for Identity Developers

Onceagain,WS-Federationprovidesamechanismforthat.Iwon’tgointothedetailshere—itsufficestosaythatonewayofrequestingacleanuptooneRPissimplybydoingaGETrequestontheRPandincludinginthequerystringtheactionwa=wsignoutcleanup1.0.Youcouldspecifyanaddressviawreplytoreturntoafterthecleanupisdone,butthingscangetproblematichere.WhatifyouhavethreeRPsthatneedtocleanuptheirsessions?IfyouarerelyingonthebrowsertoperformthenecessaryGETs,you’dhavetochaintherequests.Inadditiontobeingcomplicated,thisisaverybrittleapproachbecausesome-thinggoingwrongwithoneRPwouldjeopardizethechanceofsendingcleanuprequeststoallthesubsequentRPsinthelist.TheSTScanavoidusingthebrowserandsendtheGETrequestsdirectly,butagain,thisisnotverystraightforward.Forthosereasonsandothers,thepresenceofawreplyisoptionalinwsignoutcleanup1.0 messages;itisacceptabletore-turnsomethingfromtheRPthatsomehowindicatestheoutcomeoftheoperation.There’smore:thecleanupoperationisrequiredtobeidempotent—thatis,youshouldbeabletocallthesameoperationmultipletimeswithoutaffectingtheoutcomeorraisingerrors.Thisal-lowsyoutoretrytheoperationifyouthinksomethingwentwrong,withoutworryingaboutcreatingerrorsituations.

Nowforsomegoodnews:RPssecuredviaWIFhandlewsignoutcleanup1.0 messagesoutofthebox.TheWSFAMlooksoutforthosemessagesinitsAuthenticateRequesthandler.Iftheincomingmessagehasawsignoutcleanup1.0action,WSFAMpromptlydeletesthesessioncookieanddropsthecorrespondingtokenfromthecache.

WhatsetsapartthecleanupfromallotheractionsI’vedescribedsofaristhatitmightnotendwitharedirect.Ifthemessagecontainsawreply,WSFAMdutifullyreturnsa302messagetotheindicatedlocation;ifitdoesn’t,itwillreturnanimageor.gifofagreencheckmark.

Returningthebitsofoneimageuponsuccessfulcleanupispartofacleverstrategyforworkingaroundthe“chainingofsign-outredirects”problemdescribedearlier.AftertheSTSsuccessfullyclearsitsownsession,itcanreturnapagecontainingan<img>elementforeachRPwhosesessionisupforcleanup.Ifthesrcvalueofthe<img>elementsisoftheformhttps://RPAddress/Default.aspx?wa=wsignoutcleanup1.0,justrenderingthelistofimagesinthebrowsersendsasmanycleanupmessagestotheRPsinthelist.Everysuccessfulcleanupsendsbacktheimageofthegreencheckbox,whichtheSTSpagecanuseforconfirmingthatthesign-outactuallytookplaceforagivenRP.Failuretorendertheimagemightbeanindicationthatsomethingwentwrongwiththecleanupoperations.

AlloftheprecedingactivityreliesonthefactthattheSTSwillkeeptrackoftheRPsforwhichitissuedatokeninthecontextofonefederatedsession.Atsign-outtime,theSTSneedstoremembertheaddressofallRPsinordertogeneratethecorrectcleanupURIsforthesrcoftheimagescollectioninthesign-outpage.TheSTScanusewhateverstate-preservingmech-anismitsownerseesfit.Inmysamples,IusuallykeepthelistofRPURIsinaprotectedcookiebecauseitrequireszerostate-managementcodeontheserver.

Chapter 4 Advanced ASP .NET Programming 119

DidyougetlostinallthebackandforthrequiredbytheSSOutprocess?Let’stakealookatoneexample.Figure4-6illustratestheSingleSign-outmessageflowacrosstwoWebsitesandacommonSTS,togetherwithwhathappenstotheclient’scookiecollectionasthesequenceprogresses.

WebSiteA WebSiteB STSST

SASP

XAU

TH

SsoS

essio

ns

STSA

SPXA

UTH

SsoS

essio

ns

STSA

SPXA

UTH

SsoS

essio

ns

STS

STS

WebSiteABrowser

POST /WebSiteA/ HTTP/1.1..Cookie: FedAuth__EVENTTARGET=ctl00%24FederatedPassiveSignInStatus1%24signoutLink&…

HTTP/1.1 302 FoundLocation: https://STS/?wa=wsignout1.0&wreply=https%3a%2f%2fWebSiteA%2fDefault.aspx...Set-Cookie: FedAuth=; expires=Fri, 18-Jun-201005:47:03 GMT; path=/SSOWebSiteA/

GET /STS/?wa=wsignout1.0&wreply=https%3a%2f%2fWebSiteA%2fDefault.aspx HTTP/1.1..Cookie: .STSASPXAUTH … SsoSessions

HTTP/1.1 200 OK…Set-Cookie: .STSASPXAUTH=; expires=…; path=/; HttpOnlySet-Cookie: SsoSessions=; expires=… path=/<html>...<body><form method="POST" action=" /?wa=wsignout1.0&wreply=…">You are now signed out of the following sites: <div id="SignoutLinks"> <p><a href='https://WebSiteA/'>WebSiteA/</a> <img src='https://WebSiteA/?wa=wsignoutcleanup1.0'/> </p> <p><a href='https://WebSiteB/'>WebSiteB/</a> <img src='https://WebSiteB/?wa=wsignoutcleanup1.0/></p> </div></form></body>..</html>

GET / WebSiteB/?wa=wsignoutcleanup1.0 HTTP/1.1Cookie: FedAuth=…

1

2

3

4

5

6

WebSiteB

GET / WebSiteA/?wa=wsignoutcleanup1.0 HTTP/1.1

HTTP/1.1 200 OKContent-Type: image/gif...GIF89a

HTTP/1.1 200 OKContent-Type: image/gifSet-Cookie: FedAuth=; expires=…;path=/SSOWebSiteB/...GIF89a

WebSiteA WebSiteB STS

WebSiteA WebSiteB STS

STSA

SPXA

UTH

SsoS

essio

ns

WebSiteA WebSiteB STS

WebSiteA WebSiteB STS

FedA

uth

FedA

uth

FedA

uth

STSA

SPXA

UTH

SsoS

essio

ns

FedA

uth

FIGURE4-6 ASingleSign-outprocesstakingplaceasdescribedinWS-Federation

120 Part II Windows Identity Foundation for Identity Developers

Let’sexamineeverystep.Inthebeginning,theuserissignedintoWebSiteAandWebSiteBviatokensobtainedfromSTS,andhisbrowseriscurrentlyonWebSiteA.Hiscookiecollec-tioncontainsaFedAuthsessioncookieforeachRPandoneFormsauthenticationcookie(STSASPXAUTH)withSTS.ItalsohasanSsoSessionscookiewithSTS,whichcontainsthelistofRPsforwhichtheSTSissuedatokeninthecontextofitsSTSASPXAUTHsession.Here’showtheprocessunfolds:

1. TheuserclicksonaFederatedSignInStatuscontrolinstanceonWebSiteA,triggeringaPOSTintheauthenticatedsessiondescribedbyWebSiteA’sFedAuthcookie.TheSignOutActionpropertyofthecontrolissettoFederatedPassiveSignOut.

2. WebSiteAreceivestherequestforsigningout.Asaresult,itdestroysitsownsession(bycleaningFedAuthfromtheWebSiteAcookiecollectionontheclient)andredirectsthebrowsertosendasign-outmessagetotheSTSthatoriginatedthecurrentsession.

3. Thebrowserfollowstheredirect,sendingtotheSTSthesign-outmessage,alongwiththesessioncookieSTSASPXAUTHandthecookiecontainingthelistofRPswithwhomtheusermightstillentertainactivesessions.

4. TheSTSreactsbycleaningupallitscookiesandsendsbackapagethatcontainsimageswhosesrcURIsareinfactcleanupmessagesforalltheRPslistedintheSsoSessionscookie—thatis,WebSiteAandWebSiteB.

5. Thebrowserrendersthefirstimage,pointingtoWebSiteA.Hence,itsendsaGETforitssource,whichinfactdeliversacleanupmessage.WebSiteAalreadycleanedupitssessionbecauseitwastheoriginatoroftheSingleSign-outsequence.IftheSTShadknownthis,itcouldhaveavoidedaddingWebSiteAtothelistofcleanupRPs;however,nothingbadhappens,thankstotheidempotencyrequirementsofwssignoutcleanup1.0messages.WebSiteAsimplyreturnsthebitsoftheGIFindicatingthatcleanupsuccess-fullytookplace.

6. Thebrowserrenderstheimage,pointingtoWebSiteB.WebSiteBreceivesthecleanupmessageandreactsbydeletingitsownFedAuthcookieandreturningthebitsoftheGIFofthecheckmarkasexpected.Atthispoint,allthesessionshavebeencleanedup:theSingleSign-outconcludedsuccessfully,andtheusercanseeontheSTSpagethelistofWebsiteshehasbeensignedoutfrom.

Onceyougetthehangofit,it’sreallynotthathard.OneofthethingsIlikebestaboutthisapproachisthatitallowsyoutoherdthebehaviorofmultipleWebsiteswithoutknowinganydetail.Somesitescouldbehostedonyourintranet,otherscouldbehostedinthecloud,orsitescouldberunningondifferentstacksandoperatingsystems,butaslongastheyallspeakviaWS-Federationandshareacommon,trustedground,therightthingjusthappens.

Chapter 4 Advanced ASP .NET Programming 121

TheWIFSTSTemplateandSingleSign-outAsyousawearlier,theSTStemplatehandleswssignout1.0messages.However,itdoesnotpropagatethemviawssignoutcleanup1.0totheotherRPsinthesession,nordoesitcontainanymechanismforkeepingtrackoftheRPsinthecurrentsessionatissuancetime.ThesamplediscussedhereofferssuchamechanismintheSingleSignOnManagerclass.ItisafaçadeforacollectionofRPURIssavedinacookie,whichgetsupdatedwiththeRPaddresseverytimetheSTSissuesatoken(inGetOutputClaimsIdentity)andthatcanbelookedupwhenit’stimetosendcleanupmessages.Thatisjustoneexample—youcanuseanyequivalentmechanism.Onceyouhavethatcapability,enhancingtheSTStemplatecodetosupportSSOutiseasy.Considerthefollowingmodifiedversionofthesign-outbranchintheDefault.asp.cs code:

else if ( action == WSFederationConstants.Actions.SignOut ) { // Process signout request. SignOutRequestMessage requestMessage = (SignOutRequestMessage)WSFederationMessage.CreateFromUri( Request.Url ); FederatedPassiveSecurityTokenServiceOperations.ProcessSignOutRequest( requestMessage, User, /*requestMessage.Reply*/ null, Response ); // new string[] signedInUrls = SingleSignOnManager.SignOut(); lblSignoutText.Visible = true; foreach (string url in signedInUrls) { SignoutLinks.Controls.Add( new LiteralControl(String.Format( "<p><a href='{0}'>{0}</a>&nbsp;<img src='{0}?wa=wsignoutcleanup1.0' title='Signout request: {0}?wa=wsignoutcleanup1.0'/></p>," url))); } }

Thechangesarestraightforward.ThecalltoProcessSignOutRequestdoesnotredirecttowreply,becauseafteritcleanedupitsownsessionthere’sstillworktodothatwouldnotbedoneifitredirectedasinthedefaultcase.Aftercleaningitsownsession,theSTSpreparestheUIforthesign-outbyturningonthevisibilityofasign-outmessage(here,inalabel).ThecalltoSingleSignOutManagerreturnsthelistofalltheRPswhosesessionshouldbecleanedup.Theforeachthatappearsbelowthatusesthatlistforgeneratingandappendingtothepageasmanyimagesasneeded,whichwilldispatchthecleanupmessageoncetheyarerendered.

122 Part II Windows Identity Foundation for Identity Developers

More About SessionsIbrieflytouchedonthetopicofsessionsattheendofChapter3,whereIshowedyouhowyoucankeepthesizeofthesessioncookieindependentfromthedimensionofitsoriginat-ingtokenbysavingareferencetosessionstatestoredontheserverside.TheWIFprogram-mingmodelgoeswellbeyondthat,grantingyoucompletecontroloverhowsessionsarehandled.HereI’dliketoexplorewithyoutwonotableexamplesofthatprincipleinaction:slidingsessionsandnetworkload-balancer-friendlysessions.

Sliding SessionsBydefault,WIFcreatesSessionSecurityTokenswhosevalidityisbasedonthevalidityoftheincomingtoken.Youcanoverrulethatbehaviorwithoutwritinganycode,byaddingtothe<microsoft.identityModel>elementintheweb.configfilesomethinglikethefollowing:

<securityTokenHandlers> <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"> <sessionTokenRequirement lifetime="0:02" /> </add> </securityTokenHandlers>

Note Thelifetimepropertycanrestrictonlythevalidityexpressedbythetokentobeginwith.Intheprecedingcodesnippet,Isetthelifetimeto2minutes,butiftheincomingsecuritytokenwasvalidforjust1minute,thesessiontokenwouldhave1minuteofvalidity.Ifyouwanttoincreasethevaliditybeyondwhattheinitialtokenspecified,youneedtodosoincode(bysubclassingSessionSecurityTokenHandlerorbyhandlingSessionSecurityTokenReceived).

Now,let’ssaythatyouwanttoimplementamoresophisticatedbehavior.Forexample,youwanttokeepthesessionaliveindefinitelyaslongastheuserisactivelyworkingwiththepages.However,youwanttoterminatethesessionifyoudonotdetectuseractivityinthepast2minutes,regardlessofthefactthattheinitialtokenwouldstillbevalid.ThisisacommonrequirementforWebsitesthatrevealpersonallyidentifiableinformation(PII)orgivecontroltobankingoperations.Thosearecasesinwhichyouwanttoensurethattheuserisactuallyinfrontofthemachineandthepagesarenotabandonedtothemercy(ormercenaryinstincts)ofbystanders.

InChapter3,Ihintedatthisscenario,suggestingthatitcouldbesolvedbysubclassingtheSessionAuthenticationModule.Thatistherightstrategyifyouexpecttoreusethisfunction-alityoverandoveragainacrossmultipleapplications,giventhatitneatlypackagesitinaclassyoucanincludeinyourcodebase.Infact,SharePoint2010offersslidingsessionsandimplementsthosepreciselyinthatway.If,instead,thisisanimprovementyouneedtoapply

Chapter 4 Advanced ASP .NET Programming 123

onlyoccasionally,oryouownjustoneapplication,youcanobtainthesameeffectsimplybyhandlingtheSessionSecurityTokenReceivedevent.Takealookatthefollowingcode:

<%@ Application Language=”C#” %> <%@ Import Namespace=”Microsoft.IdentityModel.Web” %> <%@ Import Namespace=”Microsoft.IdentityModel.Tokens” %> <script runat=”server”> void SessionAuthenticationModule_SessionSecurityTokenReceived (object sender, SessionSecurityTokenReceivedEventArgs e) { DateTime now = DateTime.UtcNow; DateTime validFrom = e.SessionToken.ValidFrom; DateTime validTo = e.SessionToken.ValidTo; double halfSpan = (validTo – validFrom).TotalMinutes / 2; if ( validFrom.AddMinutes( halfSpan ) < now && now < validTo ) { SessionAuthenticationModule sam = sender as SessionAuthenticationModule; e.SessionToken = sam.CreateSessionSecurityToken(e.SessionToken.ClaimsPrincipal, e.SessionToken.Context, now, now.AddMinutes(2), e.SessionToken.IsPersistent); e.ReissueCookie = true; } } //...

Asyoucertainlyguessed,thisisafragmentoftheglobal.asaxfileoftheRPapplication.SessionSecurityTokenReceivedgetscalledassoonasthesessioncookieisdeserialized(orresolvedfromthecacheifyouareinsessionmode).Hereyouverifywhetheryouarewithinthesecondhalfofthevaliditywindowofthesessiontoken.Ifyouare,youextendthevaliditytoanother2minutes,startingnow.Thatchangetakesplaceonthein-memoryinstanceoftheSessionSecurityToken.SettingReissueTokentotrueinstructstheSessionAuthenticationModuletopersistthenewsettingsinthecookieaftertheexecutionleavesSessionSecurityTokenReceived.Let’ssaythatthetokenisvalidbetween10:00a.m.and10:02a.m.Ifthecurrenttimefallsbetween10:01a.m.and10:02a.m.—say,10:01:15—thecodesetsthenewvalidityboundariestogofrom10:01:15to10:03:15andsavesthoseinthesessioncookie.

Note ThisisthesameheuristicthatFormsAuthenticationusesforslidingexpiration.Whyrenewthesessiononlyduringthesecondhalfofthevalidityinterval?Well,writingthecookieisnotforfree.Thisisjustaheuristicforreducingthetimesatwhichthesessiongetsrefreshed,butyoucancertainlychoosetoapplydifferentstrategies.

Ifthecurrenttimeisoutsidethevalidityinterval,thisimplementationofSessionSecurityTokenReceivedwillhavenoeffect.TheSessionAuthenticationModulewilltakecareofhandlingtheexpiredsessionrightafter.Notethatanexpiredsessiondoesnotelicitanyexplicitsign-outprocess.IfyourecallthediscussionaboutSSOandSSOutjustafew

124 Part II Windows Identity Foundation for Identity Developers

pagesearlier,you’llrealizethatiftheSTSsessionoutlivestheRPsessiontheuserwilljustsilentlyre-obtaintheauthenticationtokenandrenewthesessionwithoutevenrealizinganythinghappened.

Sessions and Network Load BalancersBydefault,sessioncookieswrittenbyWIFareprotectedviaDPAPI,takingadvantageoftheRP’smachinekey.Suchcookiesarecompletelyopaquetotheclientandanybodyelsewhodoesnothaveaccesstothatspecificmachinekey.

Thisworkswellwhenalltherequestsinthecontextofausersessionareaimedatthesamemachine.ButwhathappenswhentheRPishostedonmultiplemachines—forexample,inaload-balancedenvironment?Asessioncookiemightbecreatedononemachineandsenttoadifferentmachineatthenextpostback.UnlessthetwomachinessharethesamemachinekeyanduseitforencryptingthecookieinsteadoftakingadvantageoftheDPAPIEncryptionkey,acookieoriginatedfrommachineAwillbeunreadablefrommachineB.

Therearevarioussolutionstothesituation.Oneobviousoneisusingstickysessions—thatis,guaranteeingthatasessionbeginningwithmachineAkeepsreferringtoAforallsubsequentrequests.Iamnotabigfanofthatsolutionbecauseitdampenstheadvantagesofusingaload-balancedenvironment.Furthermore,youmightnotalwayshaveasayinthematter—forexample,ifyouarehostingyourapplicationsonathird-partyinfrastructure(suchasWindowsAzure),yourcontroloftheenvironmentwillbelimited.

Anothersolutionistosynchronizethemachinekeysofeverymachineandusethoseforencryptingcookies.Ilikethisbetterthanusingstickysessions,butthereisanapproachIlikeevenbetter.Moreoftenthannot,yourRPapplicationwilluseSecureSocketsLayer(SSL),whichmeansyouneedtomakethecertificateandcorrespondingprivatekeyavailableoneverynode.Itmakesperfectsensetousethesamecryptographicmaterialforsecuringthecookieinaload-balancer-friendlyway.

WIFmakestheprocessofapplyingtheaforementionedstrategyinASP.NETapplicationstrivial.Thefollowingcodeillustrateshowitcanbedone:

public class Global : System.Web.HttpApplication { //... void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e) { // // Use the <serviceCertificate> to protect the cookies that are // sent to the client. // List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] { new DeflateCookieTransform(),

Chapter 4 Advanced ASP .NET Programming 125

new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate), new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate) }); SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()); e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler); } protected void Application_Start(object sender, EventArgs e) { FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated; }

Insteadofusingtheusualinlineapproach,thistimeIamshowingyouthecode-behindfileglobal.asax.cs.OnServiceConfigurationCreatedis—Surprise!Surprise!—ahandlerfortheServiceConfigurationCreatedeventandfiresjustafterWIFreadstheconfiguration.Ifyoumakechangeshere,youhavetheguaranteethattheywillalreadybeappliedfromtherequestcomingin.

Note Contrarytowhatvarioussamplesouttherewouldleadyoutobelieve,OnServiceConfigurationCreatedisprettymuchtheonlyWIFeventhandlerthatshouldbeassociatedtoitseventinApplication_Start.Thishastodowiththeway(andthenumberoftimes)ASP.NETinvokesthehandlersthoughtheapplicationlifetime.

Thecodeisself-explanatory.ItcreatesanewlistofCookieTransformtransformations,whichtakescareofcookiecompression,encryption,andsignature.ThelasttwotakeadvantageoftheRsaxxxxCookieTransform,takingininputthecertificatedefinedfortheRPintheweb.configfile.

Note Whydoyousignthecookie?Wouldn’titbeenoughtoencryptit?IfyouusetheRPcertificate,encryptionwouldnotbeenough.Remember,theRPcertificateisapublickey.Ifyoujustencryptit,acraftyclientcanjustdiscardthesessioncookie,createanewonewithsuper-privilegesintheclaims,andencryptitwiththeRPcertificate.TheRPwouldnotbeabletotellthedifference.Addingthesignaturesuccessfullypreventsthisattackbecauseitrequiresaprivatekey,whichisnotavailabletotheclientoranybodyelsebuttheRPitself.

ThenewtransformationslistisassignedtoanewSessionSecurityTokenHandlerinstance,whichisthenusedforoverridingtheexistingsessionhandler.Fromthispointon,allsessioncookieswillbehandledusingthenewstrategy.That’sit!AslongasyouremembertoaddanentryfortheservicecertificateintheRPconfiguration,you’vegotnetworkloadbalancing(NLB)–friendlysessionswithouthavingtoresorttocompromisessuchasstickysessions.

126 Part II Windows Identity Foundation for Identity Developers

FederationAtthebeginningofthechapter,IintroducedtheFederationProvideranddiscussedsomeoftheadvantagesthattheIP-FP-RPpatternoffers.Thetemptationtoexpandthearchitec-turalconsiderationsaboutthisimportantpatternisstrong;however,hereIwanttokeepthefocusonWIFandgiveyouaconcretecodingexample.Therearemanygoodhigh-levelintroductionstothetopicyoucanreferto.

For a good introduction to the subject, refer to AGuidetoClaims-BasedIdentityandAccessControlby Dominick Baier, Vittorio Bertocci, Keith Brown, Matias Woloski, and Eugenio Pace (Microsoft Press, 2010).

WIFdoesnotreallycareiftheSTSusedbytheRPisanIP-STSoranR-STS.Bothtypeslookthesameintheirmetadatadescriptionand,despitethedifferencesinthesequencethatultimatelyleadtothat,theybothissueatokenasrequested.Ithelpstoseethisinactioninaconcreteexample.

Note Asusual,inarealisticscenarioyoucanexpecttheR-STStobeprovidedbyoneADFS2.0instanceplayingtheFProle.Onceagain,foreducationalpurposes,I’lltakeadvantageofcustomSTSeshere.

DoyourecallthefirstexampleweexploredinChapter2?ItwasaclassicRP-IPscenario,butitisveryeasytotransformitintoatoyfederationsample.Justright-clickontheBasicWebSite_STSprojectinSolutionExplorer,selecttheAddSTSReferenceentry,andusethewizardforcreatingyetanothernewSTSprojectinthecurrentsolution.

Note TheAddSTSReferenceWizardaddsan<httpModules>elementinthe<system.web>sectionofBasicWebSite_STSconfig,whichdoesnotplaywellwiththeIISintegratedpipeline.Youmighthavetocommentoutthat<httpModules>entry.

Figure4-7showsthenewsolutionlayout.

Chapter 4 Advanced ASP .NET Programming 127

FIGURE4-7 BasicWebSitetrustsBasicWebSite_STS,whichinturntrustsBasicWebSite_STS_STS

NothingchangedfortheRP,BasicWebSite,whichisstilloutsourcingauthenticationtoBasicWebSite_STS.BasicWebSite_STSwasanIP-STSwhenwestarted,becauseitwasanunmodifiedinstanceoftheWIFSTStemplate.AfterthewizardconfiguredittooutsourceauthenticationtoBasicWebSite_STS_STS,however,BasicWebSite_STSbecameanR-STS;therefore,itslogin.aspxpagewillnotbeusedanymore.Ifyourunthesolutionyou’llobservethebrowserbeingredirectedfromBasicWebSitetoBasicWebSite_STS,whichwillredirectrightawaytoBasicWebSite_STS_STS,whichwillfinallyshowitsownlogin.aspxpage.AfteryouclickSubmitontheloginform,theflowwillgothroughthechainintheoppositeorder:BasicWebSite_STS_STSwillissueatokenthatwillbeusedforsigninginBasicWebSite_STS,whichinturnwillissueanewtokenthatwillbeusedforsigninginBasicWebSite. Figure4-8summarizesthesign-inflow.

128 Part II Windows Identity Foundation for Identity Developers

Browser

BasicWebSite_STS_STS

BasicWebSite1

23 46

7

Trust

Trust

BasicWebSite_STS

5A

5

FIGURE4-8 TheauthenticationflowlinkingBasicWebSite,BasicWebSite _STS,andBasicWebSite_STS_STS

1 TheuserrequestsapagefromBasicWebSite.

2 Becausetheuserisnotauthenticated,heisredirectedtoBasicWebSite_STSforauthentication.

3 BasicWebSite_STSitselfoutsourcesauthenticationtoBasicWebSite_STS_STS;hence,itredirectstherequestaccordingly

4 OncetheusersuccessfullyauthenticateswithBasicWebSite_STS_STS,hegetsbackatoken.

5 TheusergetsredirectedbacktoBasicWebSite_STS,whichvalidatesthetokenfromBasicWebSite_STS_STSandconsiderstheuserauthenticatedthankstoit.

6 BasicWebSite_STSissuesatokentotheuser,asrequested.

7 TheusergetsbacktoBasicWebSitewiththetokenobtainedfromBasicWebSite_STSasrequired,andtheauthenticatedsessionstarts.

Convoluted?Abit,perhaps.Ontheupside,BasicWebSiteisnowcompletelyisolatedfromtheactualidentityprovider—changesintheIPwillnotaffecttheRP.IfyouhavemultipleRPs,youcannowhavethemalltrustthesameR-STS,whichwilltakecareofenforcinganychangesintherelationshipwiththeIP(orIPs,asI’llshowinamoment)withoutrequiringanyad-hocinterventionontheRPcodeorconfigurationitself.Prettyhandy!

Chapter 4 Advanced ASP .NET Programming 129

Transforming ClaimsTheexampleintheprecedingsectionmodifiedtheauthenticationflowtoconformtothefederationpattern,butitdidn’treallychangethewayinwhichBasicWebSite_STSprocessesclaims.Withitshard-codedclaimsentries,thedefaultWIFSTStemplatebehaviormimicsthatofanIP-STS;whereasinitsnewFProle,BasicWebSite_STSisexpectedtoprocesstheincom-ingclaims(inthiscase,fromBasicWebSite_STS_STS).IfyouwanttochangeBasicWebSite_STSintoaproperR-STS,youneedtomodifytheGetOutputClaimsIdentity methodoftheCustomSecurityTokenServiceclass.

Asyoualreadyknow,inGetOutputClaimsIdentitytheincomingclaimsareavailableintheIClaimsPrincipal principalparameter.Youcanprettymuchdoanythingyouwantwiththeincomingclaims,butIfinditusefultoclassifythepossibleactionsintothree(non-exhaustive)categories:pass-through,modification,andinjectionofnewclaims.Theyarerepresentedinstep5aofFigure4-8.HereisasimpleexampleofaGetOutputClaimsIdentityimplementationthatfeaturesallthreemethods:

protected override IClaimsIdentity GetOutputClaimsIdentity (IClaimsPrincipal principal, RequestSecurityToken request, Scope scope ) { if ( null == principal ) { throw new ArgumentNullException( "principal" ); } ClaimsIdentity outputIdentity = new ClaimsIdentity(); IClaimsIdentity incomingIdentity = (IClaimsIdentity)principal.Identity; // Pass-through Claim nname = (from c in incomingIdentity.Claims where c.ClaimType == ClaimTypes.Name select c).Single(); Claim nnnm = new Claim(ClaimTypes.Name, nname.Value, ClaimValueTypes.String, nname.OriginalIssuer); outputIdentity.Claims.Add(nnnm); // Modified string rrole = (from c in incomingIdentity.Claims where c.ClaimType == ClaimTypes.Role select c.Value).Single(); outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Transformed " + rrole)); // New outputIdentity.Claims.Add(new Claim("http://maseghepensu.it/hairlength", "a value", ClaimValueTypes.Double)); return outputIdentity; }

130 Part II Windows Identity Foundation for Identity Developers

Beforegoingintothedetailsofhowthevarioustransformationswork,itisfinallytimetotakeadeeperlookatthatClaimclasswe’vebeenusingwithoutgivingittoomuchthoughtsofar.Herearethevariouspropertiesoftheclassandsomemethodsofinterest:

public class Claim { // Methods public virtual Claim Copy(); public virtual void SetSubject(IClaimsIdentity subject); // Properties public virtual string ClaimType { get; } public virtual string Issuer { get; } public virtual string OriginalIssuer { get; } public virtual IDictionary<string, string> Properties { get; } public virtual IClaimsIdentity Subject { get; } public virtual string Value { get; } public virtual string ValueType { get; } }

OnethingthatimmediatelygrabsyourattentionisthatallpropertiesofClaimareread-only:aftertheclasshasbeencreated,thevaluescannotbechanged.TheonlyexceptionisthesubjecttowhichtheClaiminstanceisreferringto:SetSubjectwillchangethevalueoftheSubjectpropertytoanewIClaimsIdentity.

YouarealreadyfamiliarwithValueandClaimTypebecauseI’vebeenusingthosethroughouttheentirebook.ValueTypeismoreinteresting.Itallowsyoutospecifyatypefortheclaimvalue,whichtheclaimconsumercanusetodeserializetheclaiminacommonlanguageruntime(CLR)type(orwhatevertypesystemyourprogrammingstackrequiresifyouarenotin.NET)otherthanthedefaultstring.Thatisakeyenablerforapplyingcomplexlogictoclaims.WithoutknowingthatDateOfBirthshouldbedeserializedinaDateTime,you’llfinditdifficulttoverifywhetheritisbeloworaboveagiventhreshold.NotethattheValueTypeisjustoneindication:theValuereturnedbytheclaimisalwaysastringregardlessoftheValueType.You’llhavetocalltheappropriateParsemethod(orsimilar)yourself.

ThePropertiesdictionaryisusedforcarryingextrainformationabouttheclaimitselfwhentheprotocolrequiresit.Forexample,inSAML2youmighthavepropertiessuchasSamlAttributeDisplayNameassignedtoaclaim.

Note TheWIFtokenhandlerswillnotserializetheproperties.Ifyouwantthemtotravel,you’llhavetotakecareofthatyourself.

TheIssuerpropertyisastringrepresentingthetokenissuerfromwhichtheclaimhasbeenextracted.ThestringitselfcomesfromthemappingthatIssuerNameRegistrymakesbetweenthecertificateusedforsigningthetokenandthefriendlynameassignedtotheassociatedissuer.TheOriginalIssuerpropertyrecordsthefirstissuerthatproducedthisclaiminthefed-erationchain.I’veincludedmoredetailsaboutthisinthe“Pass-ThroughClaims”section.

Chapter 4 Advanced ASP .NET Programming 131

ClaimTypesandValueConstantsWIFofferstwocollectionsofstringconstantsthatgathermostoftheknownclaimtypeURIs.OneisMicrosoft.IdentityModel.Protocols.WSIdentity.WSIdentityConstants.ClaimTypes(whichisalmostthesameastheWCFcollectionSystem.IdentityModel.Claims.ClaimTypes);theotherisMicrosoft.IdentityModel.Claims.ClaimTypes(whichisasupersetofthefirstone).Foryourreference,thecontentofMicrosoft.IdentityModel.Claims.ClaimTypesislistednext.Notethatsomepopularclaimtypes(suchasGroup)arekeptinthePripsubtypeandareoftenoverlooked.PripstandsforWS-FederationPassiveRequestorInteroperabilityProfile,whichisaspecificsubsetofWS-Federationusedduringearlymultivendorinteroperabilitytests.

public static class ClaimTypes { // Fields public const string Actor = "http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor"; public const string Anonymous = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/anonymous"; public const string Authentication = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication"; public const string AuthenticationInstant = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"; public const string AuthenticationMethod = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"; public const string AuthorizationDecision = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision"; public const string ClaimType2005Namespace = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"; public const string ClaimType2009Namespace = "http://schemas.xmlsoap.org/ws/2009/09/identity/claims"; public const string ClaimTypeNamespace = "http://schemas.microsoft.com/ws/2008/06/identity/claims"; public const string CookiePath = "http://schemas.microsoft.com/ws/2008/06/identity/claims/cookiepath"; public const string Country = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"; public const string DateOfBirth = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth"; public const string DenyOnlyPrimaryGroupSid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid"; public const string DenyOnlyPrimarySid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid"; public const string DenyOnlySid = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid"; public const string Dns = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns"; public const string Dsa = "http://schemas.microsoft.com/ws/2008/06/identity/claims/dsa";

132 Part II Windows Identity Foundation for Identity Developers

public const string Email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"; public const string Expiration = "http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration"; public const string Expired = "http://schemas.microsoft.com/ws/2008/06/identity/claims/expired"; public const string Gender = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender"; public const string GivenName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"; public const string GroupSid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"; public const string Hash = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/hash"; public const string HomePhone = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"; public const string IsPersistent = "http://schemas.microsoft.com/ws/2008/06/identity/claims/ispersistent"; public const string Locality = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"; public const string MobilePhone = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"; public const string Name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"; public const string NameIdentifier = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"; public const string OtherPhone = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone"; public const string PostalCode = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode"; public const string PPID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"; public const string PrimaryGroupSid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"; public const string PrimarySid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"; public const string Role = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"; public const string Rsa = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa"; public const string SerialNumber = "http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"; public const string Sid = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid"; public const string Spn = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn"; public const string StateOrProvince = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince"; public const string StreetAddress = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress"; public const string Surname = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";

Chapter 4 Advanced ASP .NET Programming 133

public const string System = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/system"; public const string Thumbprint = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint"; public const string Upn = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"; public const string Uri = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri"; public const string UserData = "http://schemas.microsoft.com/ws/2008/06/identity/claims/userdata"; public const string Version = "http://schemas.microsoft.com/ws/2008/06/identity/claims/version"; public const string Webpage = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage"; public const string WindowsAccountName = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"; public const string X500DistinguishedName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname"; // Nested Types public static class Prip { // Fields public const string ClaimTypeNamespace = "http://schemas.xmlsoap.org/claims"; public const string CommonName = "http://schemas.xmlsoap.org/claims/CommonName"; public const string Email = "http://schemas.xmlsoap.org/claims/EmailAddress"; public const string Group = "http://schemas.xmlsoap.org/claims/Group"; public const string Upn = "http://schemas.xmlsoap.org/claims/UPN"; } }

Youcan,ofcourse,createyourownclaimtypes.However,IsuggestthatbeforedoingsoyoutakealookattheInformationCardFoundationWebsite,which(amongotherthings)gathersalltheknownandemergentclaimtypesfromthecommunity.Thedirectaddressishttp://informationcard.net/resources/claim-catalog.

WIFalsooffersvariousconstantsrepresentingcommontypesofclaimvalues:

public static class ClaimValueTypes { // Fields public const string Base64Binary = "http://www.w3.org/2001/XMLSchema#base64Binary"; public const string Boolean = "http://www.w3.org/2001/XMLSchema#boolean"; public const string Date = "http://www.w3.org/2001/XMLSchema#date"; public const string Datetime = "http://www.w3.org/2001/XMLSchema#dateTime"; public const string DaytimeDuration = "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration"; public const string Double = "http://www.w3.org/2001/XMLSchema#double"; public const string DsaKeyValue = "http://www.w3.org/2000/09/xmldsig#DSAKeyValue"; public const string HexBinary = "http://www.w3.org/2001/XMLSchema#hexBinary"; public const string Integer = "http://www.w3.org/2001/XMLSchema#integer";

134 Part II Windows Identity Foundation for Identity Developers

public const string KeyInfo = "http://www.w3.org/2000/09/xmldsig#KeyInfo"; public const string Rfc822Name = "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"; public const string RsaKeyValue = "http://www.w3.org/2000/09/xmldsig#RSAKeyValue"; public const string String = "http://www.w3.org/2001/XMLSchema#string"; public const string Time = "http://www.w3.org/2001/XMLSchema#time"; public const string X500Name = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"; private const string Xacml10Namespace = "urn:oasis:names:tc:xacml:1.0"; private const string XmlSchemaNamespace = "http://www.w3.org/2001/XMLSchema"; private const string XmlSignatureConstantsNamespace = "http://www.w3.org/2000/09/xmldsig#"; private const string XQueryOperatorsNameSpace = "http://www.w3.org/TR/2002/WD-xquery-operators-20020816"; public const string YearMonthDuration = "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration"; }

ThetypesarerepresentedaccordingtoW3CandOASIStypeURIs,butthemappingtoCLRtypesisobviousmostofthetime.

NowthatyouunderstandabitbetterhowtheClaimclassworks,let’sresumethediscussionabouttheclaimtransformations.

Pass-Through ClaimsOneofthemostcommontransformationsyou’llwanttoapplytoyourclaimsis…notransformationatall.SometimestheIPdirectlyissuestheclaimstheRPneeds;hence,youhavetomakesurethatthoseclaimsarereissuedas-isbytheR-STS.

Althoughtheclaimtypeandvaluecomestraightfromtheincomingvalues,thefactthatthenewclaimisissuedinatokensignedbytheR-STSmakestheR-STSitselftheassertingpartyandshadowstheoriginalissuer.TheR-STSmightevenbeacceptingtokensfrommultipleissuers,whichwouldcomplicatethingsfurther.Therecouldbesituationsinwhichknow-ingtheactualoriginoftheclaimcouldchangethewayinwhichtheinformationitcarriesisprocessed;therefore,itisimportanttosomehowlettheRPknowwhichIPissuedtheclaiminthefirstplace.ThisisdonebysettingtheOriginalIssuerpropertyoftheoutgoingclaimtotheOriginalIssuercarriedbytheclaimyouarere-issuing.HerearetherelevantlinesfromtheGetOutputClaimsIdentityimplementationshownearlier:

// Pass-through Claim nname = (from c in incomingIdentity.Claims where c.ClaimType == ClaimTypes.Name select c).Single(); Claim nnnm = new Claim(ClaimTypes.Name, nname.Value, ClaimValueTypes.String, "," nname.OriginalIssuer); outputIdentity.Claims.Add(nnnm);

Chapter 4 Advanced ASP .NET Programming 135

Inthisexample,theclaimtobereissuedistheNameclaim.Thecoderetrievesitfromtheincomingprincipal,andthenitjustcreatesanewclaimthatcopieseverythingfromtheorigi-nalexceptfortheissuer.(HeretheissuerparameterisleftemptybecauseitisgoingtobeoverriddenwiththecurrentR-STS,anyway.)ThatsnippetisdesignedtosurfacetoyoutheuseofOriginalIssuer,butinfactyoucanuseamorecompactformusingCopyasshownhere:

// Pass-through Claim nname = (from c in incomingIdentity.Claims where c.ClaimType == ClaimTypes.Name select c).Single(); Claim nnnm = nname.Copy(); outputIdentity.Claims.Add(nnnm);

Modifying Claims and Injecting New ClaimsThedistinctionbetweenmodifyingclaimsandinjectingnewclaimsisabitphilosophical,becausefromthecodeperspectivethetwotransformationsarethesame.

Modifyingaclaimmeansproducinganewclaimbyprocessingorcombiningthevalueofoneormoreincomingclaims,accordingtoarbitrarylogic.AnexcellentexampleofthatisgivenbytheADFS2.0claims-transformationlanguage,whichallowsadministratorstospecifytransformationswithoutwritinganyexplicitcode.Ofcourse,inGetOutputClaimsIdentityyoucanliterallywritewhateverlogicyouwant.

Injectingnewclaimsusuallyentailslookingupnewinformationabouttheincomingsubject—informationthatwasnotavailabletotheIPbutthattheRPneeds.Aclassicexampleisthebuyer’sprofile:imaginethattheuserisoneemployee,theIPistheuser’semployer,andtheRPissomekindofonlineshop.TheR-STSmightmaintaininformationsuchasthelast10itemstheuserbought,datathattheemployerdoesnotkeeptrackofandthatshouldbeinjectedbytheresourceorganization—forexample,intheR-STS.Thechallengeherecanbechoosingwhichincomingclaimsshouldbeusedforuniquelyidentifyingthecur-rentuserandlookinguphisdataintheR-STSprofilestore.WhereastheIPhasonestrongincentivetohavesuchauniqueidentifier—becausethatisusuallyneededinordertoapplythemechanicsoftheauthenticationmethodofchoice—theR-STSdoesnothaveasimilarrequirementperse.Theclaimschosenshouldbeunique,atleastinthecontextofthecurrentR-STS,andstableenoughtobereusableacrossmultipletransactions.Thee-mailclaimisagoodexample,butofcourseit’snotaperfectonebecausee-mailaddressesdochangefromtimetotime—thinkofthesituationwhereinternsbecomefull-timeemployeesandsimilarevents.

Home Realm DiscoveryOneofthegreatadvantagesoffederationisthepossibilityofhandlingmultipleidentityproviderswithouthavingtochangeanythingintheRPitself.TheFederationProviderscan

136 Part II Windows Identity Foundation for Identity Developers

takecareofallthetrustrelationships.Extendingtheaudienceoftheapplicationwithoutpay-inganycomplexitypriceisgreat;however,thesheerpossibilityofusingmorethanoneIPdoesintroduceanewproblem:whenanunauthenticatedusershowsup,whichIPshouldsheultimatelyauthenticatewith?Inthetrivialfederationcaseexaminedsofar,theonewithoneFPandoneIP,theanswerisobvious:theredirectchaincrawlsallthewaytotheIPandback.WhenyouhavemorethanoneIP,however,howdoestheR-STSdecideiftheredirectshouldgotoIPAorIPB?

TheproblemofdecidingwhichIPshouldauthenticatetheuseriswellknowninliterature,anditgoesunderthenameofHomeRealmDiscovery(HRD).TheHRDproblemhasmanysolutions,althoughasoftodaytheyaremostlyadhocandwhatworksinonegivenscenariomightnotbesuitableforanother.Forexample,oneclassicsolution(offeredoutoftheboxbyADFS2.0)askstheR-STStoshowaWebpageinwhichtheusercanpickhisownrealmamongthelistofalltrustedIPs.Thisisoftenagoodsolution,buttherearesituationsinwhichitisnotadvisabletorevealthelistofalltrustedIPs.Furthermore,sometimesaskingtheusertomakeachoiceisinconvenientorunacceptable,inwhichcasetheIPselectionshouldbedonesilentlyaccordingtosomecriteria.

WS-FederationprovidesaparameterthatcanbeusefulinhandlingHRD:whr.Itismeanttocarrytheaddress(ortheurn:identifier)ofthehomerealm.AnR-STSreceivingawsignin1.0messagethatincludeswhrwillconsiderwhrcontenttobetheIP-STSoftherequestorandwilldrivethesequenceaccordingly.(SeeFigure4-9.)

Browser

IP-STS A

APP

1

23 4

6

7

Trust

Trust

R-STS

IP-STS B

Trust

WHR=http://A

5

FIGURE4-9 TheHomeRealmDiscoveryproblem

Chapter 4 Advanced ASP .NET Programming 137

1 TheuserrequestsapagefromApp.

2 Becausetheuserisnotauthenticated;instead,heisredirectedtoR-STSforauthenti-cation.Thesign-inmessageincludesanewparameter,whr,whichindicatesAasthehomerealmfortherequest.

3 R-STSredirectstherequesttoA.

4 OncetheusersuccessfullyauthenticateswithA,hegetsbackatoken.

5 TheusergetsredirectedbacktoR-STS,whichvalidatesthetokenfromAandconsiderstheuserauthenticatedthankstoit.

6 R-STSissuesatokentotheuser,asrequested.

7 TheusergetsbacktoAppwiththetokenobtainedfromR-STSasrequired,andtheauthenticatedsessionstarts.

Whoinjectsthewhrvalueintheauthenticationflow?Thereareatleasttwopossibilities:

■ Therequestor YoucanimagineascenarioinwhichtheadministratoroftheorganizationofIPAgivestoallusersalinktotheRPthatalreadycontainsthewhrparameterpreselectingIPA.Thatisahandytechnique,whicheliminatedtheHRDproblematitsroot.Unfortunately,thisisnotguaranteedtowork:thissystemrequirestheRPtounderstand(oratleastpreserveintheredirecttotheR-STS)thewhrparam-eter,butWS-FederationdoesnotmandatethistotheRP.Infact,RPsimplementedviaWIFdonotsupportthisbehavioroutofthebox(althoughit’snotespeciallyhardtoaddit).

■ TheRP TheRPitselfcouldinjectwhrinthemessagetotheR-STS.ImaginethecaseinwhichtheRPisonespecificinstanceofamultitenantapplication.Inthatcase,thewhrmightbeoneoftheparametersthatpersonalizetheinstanceforagiventenant.WIFsupportsthisspecificsetupontheRP,byallowingyoutospecifytheattributehomeRealminthe<federatedAuthentication/wsFederation>elementoftheWIFcon-figuration.ThevalueofhomeRealmwillbesentviawhrtotheR-STS.However,theWIFSTStemplateprojectknowsnothingaboutwhrandwilljustignoreit.Onceagain,itisnothardtoaddsomehandlinglogic.

TheR-STSistherecipientofwhr.IftheexecutionreachestheFPwithouthavingaddedawhr,itisuptotheR-STStomakeadecisiononthebasisofanythingelsethatisavailableinthespecificsituationandcanhelpdecidewhichIPshouldbechosen.

Let’sonceagainsetupahypotheticalsolutioninVisualStudiosothatyoucangainhands-onexperiencewiththeflowthescenarioentails.

Ifyoustillhavethesolutionweusedforshowinghowfederationworks,right-clickonBasicWebSite_STS,andagainusetheAddSTSReferenceWizardtooutsourceitsauthentica-tiontoanewSTS.VisualStudiowillcallthenewSTSBasicWebSite_STS_STS1.ThecurrentsituationisdescribedinFigure4-10.

138 Part II Windows Identity Foundation for Identity Developers

FIGURE4-10 ThesamplesolutionshowinghowtohandleHRD

BasicWebSitetrustsBasicWebSite_STS,theR-STSofthescenario.BasicWebSite_STSnowtrustsBasicWebSite_STS_STS1becausewiththelatestaddSTSreference,itsformertrustrelationshipwithBasicWebSite_STS_STShasbeenoverridden.ThegoalhereistoestablishamechanismthatallowstheflowtoswitchbetweenthetwoIPsinthescenario(BasicWebSite_STS_STSandBasicWebSite_STS_STS1)dynamically.

Note WithallthoseSTSeslookingalike,thingsmightbecomehardtofollow.Agoodtrickforalwaysknowingwhatisgoingonisassigningdifferentcolorstothebackgroundofthelogin.aspxpagesofthevariousSTSprojects.

TheeasiestthingtoaccomplishinthescenarioisenablingtheRPBasicWebSitetoexpressapreferenceforoneIPviawhr.Asmentionedearlier,thiscanbedoneeasilyviaconfiguration:

<federatedAuthentication> <wsFederation passiveRedirectEnabled=”true” issuer=”https://localhost/BasicWebSite_STS/” realm=”https://localhost/BasicWebSite/” homeRealm=”https://localhost/BasicWebSite_STS_STS/” requireHttps=”true” /> <cookieHandler requireSsl=”true” /> </federatedAuthentication>

ThevalueofhomeRealmestablishesthatBasicWebSite_STS_STSshouldbeusedforauthentication,whichiscontrarytowhattheWIFconfigurationofBasicWebSite_STScurrentlysays.Thatway,itwillbeobviouswhetherthesystemsuccessfullyoverridesthestaticsettings.

Note Asisusuallythecasefortheparametersin<wsFederation>,youcandosomethingtothesameeffectbyusingthePassiveFederationSignInControlanditsproperties.Fromnowon,I’llomitthisnote,assumingthatinsimilarsituationsyou’llknowthatthecontrolalternativeisavailable.

ThenextstepismakingtheWIFSTStemplateunderstandwhr.Itisactuallysimple—itismainlyamatterofinterceptingtheredirecttotheIPandforcingittogowheneverthewhr

Chapter 4 Advanced ASP .NET Programming 139

decides.AddtotheBasicWebSite_STSprojectaglobal.asaxfile.HereyoucanhandletheWSFAMRedirectingToIdentityProvidereventasfollows:

<%@ Application Language=”C#” %> <%@ Import Namespace=”Microsoft.IdentityModel.Web” %> <script runat=”server”> void WSFederationAuthenticationModule_RedirectingToIdentityProvider (object sender, RedirectingToIdentityProviderEventArgs e) { string a = HttpContext.Current.Request.QueryString[“whr”]; if (a != null) { e.SignInRequestMessage.BaseUri = new Uri(a); } }

Thecodecouldnotbeeasier.Itverifieswhetherthereisawhrparameterinthequerystring,andifitthereisone,itassignsittotheBaseUriintheSignInRequestMessage,overwritingwhatevervaluetheBasicWebSite_STSconfigurationhadputinthere.Assoonasthehandlerreturns,theWSFAMwillredirectthesign-inmessagetothewhr—inthiscase,BasicWebSite_STS_STS.Andthatisexactlyasyouwantedit.

Note Thecodehereassumesthatwhrcarriesanetwork-addressableURI,butpertheWS-Federationspecificationthismightnotbethecase.IftheURIisanurnidentifier,BasicWebSite_STSshouldlookuptheactualaddressinsomemappingstore.

HavingtospecifythehomerealmintheRPconfigurationmightbetoostaticabehav-iorformanyoccasions.Fortunately,theRedirectingToIdentityProvidereventcanbeeasilyhandledontheRPaswell,implementinganydynamicbehavior.Forexample,youcanthinkofmaintainingatableofIPrangeswhererequestsmightcomefrom,andmapthemtothecorrespondingIPaddresses.Forthesakeofsimplicity,hereI’llshowyouhowtoimplementtheapproachwhenitistherequestorthatsendsthewhrupfrontinitsfirstrequesttotheRP.

Ifyouaddaglobal.asaxfiletoBasicWebSite,almostexactlythesamecodeasshownearlierwillgiveyouthedesiredeffect:

<%@ Application Language=”C#” %> <%@ Import Namespace=”Microsoft.IdentityModel.Web” %> <script runat=”server”> void WSFederationAuthenticationModule_RedirectingToIdentityProvider (object sender, RedirectingToIdentityProviderEventArgs e) { string a = HttpContext.Current.Request.QueryString[“whr”]; if (a != null) { e.SignInRequestMessage.HomeRealm = a; } }

140 Part II Windows Identity Foundation for Identity Developers

ThecodehereinterceptstheexecutionrightbeforesendingbacktheredirecttotheR-STS,andiftheoriginalrequestcontainedwhritensuresthatitwillbepropagatedtotheR-STSaswell.ThatmeansyoucandeletethehomeRealmattributeintheBasicWebSiteconfig,becausenowyouhavetheabilitytoexpresswhrdirectlyatrequesttime.

Important Keepinmindthatallthesampleshereaimtohelpyouunderstandtheproblem,buttheydonotconstitutecompletesolutions.HandlingHRDinpracticeisnotjustamatterofcomplyingwiththeprotocol.Instead,itpresentsvariouschallengeswithmanageabilityandmaintenanceaspectsthatarebeyondthescopeofthisbookandarebestaddressedbyusingpackagedserver-gradeproductssuchasADFS2.0.

Step-up Authentication, Multiple Credential Types, and Similar ScenariosThetrickofusingRedirectingToIdentityProviderforsteeringtherequesttotheSTShasmanyapplicationsthatgobeyondtheHRDproblemexaminedearlier.

OneeminentexampleofthisshowsupeverytimetheRPneedstocommunicatesomekindofpreferenceabouttheauthenticationprocesstheIPshouldusewhenissuingtokenstousers.It’sgreatthatclaims-basedidentitydecouplestheRPfromtheauthenticationrespon-sibilities,buttherearesituationsinwhichthevalueoftheoperationimposescertainguar-anteesaboutthestrengthoftheauthentication.ImagineabankingWebsiteoramedicalrecordsWebsitethatgivesaccesstocertainoperationsonlyiftheuserisauthenticatedwithahigh-assurancemethodsuchasX.509certificatesorsimilar.

Asyou’vegrowntoexpect,WS-Federationhasaparameterforthat:wauth.Itissupposedtobeattachedtowsignin1.0messagestocommunicatetotheSTStheauthenticationmethodpreference.Usually,theSTSusesthatforperforminginternalredirectstooneendpointthatissecuredwiththecorrespondingauthenticationtechnique,orsomethingtothateffect(forexample,wiringcustomHttpHandlersorsimilarlow-leveltricks).

Important Iwon’tgointothedetailshereofhowanSTSshouldhandlewauth,mainlybecauseitwoulddosobyleveragingtheauthenticationinfrastructuresratherthanWIFAPIs.ThemainthingtorememberontheSTSsideisthatatokenwilladvertisetheauthenticationmethodthatledtoitsownissuancebythepresenceoftheclaimoftypeClaimTypes.Authentication.

EachRPhasitsowncriteriaforassigningavaluetowauth.SometimesitisablanketpropertyfortheentireWebsite—inwhichcase,itisexpresseddirectlyin<wsFederation>intheau-thenticationTypeattribute.Atothertimes,theuserisgiventhechanceofselecting(directlyorindirectly)fromamongmultiplecredentialtypes.Inyetanothersituation,theremightbelogicthatsilentlyestablisheswhetherthecurrentauthenticationlevelisenoughforaccessingtherequestedresource,orwhetherthesystemshouldstepuptoahigherlevelofassurance

Chapter 4 Advanced ASP .NET Programming 141

andre-authenticatetheuseraccordingly.Thelasttwocasescallforadynamicassignmentofwauth,whichiswhenreusingwhatyoulearnedaboutwhrandRedirectingToIdentityProvidercomesinhandyforwauthtoo.

AuthenticationMethodsWIFoffershandyconstantsrepresentingcommonauthenticationmethods.Onceagain,theyaregroupedinmultiplecollections:Microsoft.IdentityModel.Claims.AuthenticationMethodsandMicrosoft.IdentityModel.Tokens.Saml11.Saml11Constants+AuthenticationMethods(shownnext).TheSDKsamplesusethefirstone,whereasthesecondoneisusedwhencommunicatingwithADFS(thoughinthatcase,itboilsdowntoPassword,TlsClientString,andWindowsString).Infact,thevaluesinthefollowingAuthenticationMethodsareonlyusedintheon-the-wireformatspecifiedbySAML.Inthegeneralcaseyouwon’tneedthem.

public static class AuthenticationMethods { // Fields public const string HardwareTokenString = "URI:urn:oasis:names:tc:SAML:1.0:am: HardwareToken"; public const string KerberosString = "urn:ietf:rfc:1510"; public const string PasswordString = "urn:oasis:names:tc:SAML:1.0:am:password"; public const string PgpString = "urn:oasis:names:tc:SAML:1.0:am:PGP"; public const string SecureRemotePasswordString = "urn:ietf:rfc:2945"; public const string SignatureString = "urn:ietf:rfc:3075"; public const string SpkiString = "urn:oasis:names:tc:SAML:1.0:am:SPKI"; public const string TlsClientString = "urn:ietf:rfc:2246"; public const string UnspecifiedString = "urn:oasis:names:tc:SAML:1.0:am: unspecified"; public const string WindowsString = "urn:federation:authentication:windows"; public const string X509String = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"; public const string XkmsString = "urn:oasis:names:tc:SAML:1.0:am:XKMS"; }

TheWS-Federationspecificationlistsyetadifferentsetofwst:AuthenticationType values,buttobefairitexplicitlystatesthatthosetypesareoptional.

ClaimsProcessingattheRPInthisfinalsectionofthechapter,Icoversomeofthethingsyoucandowithclaimsatthelastminute,whentheyarealreadyintheRPpipelineandareabouttohittheapplicationcode.

Thereisnotawholelotofcodingrequired,especiallyconsideringthatIalreadycoveredClaimsAuthorizationManagerindetailinChapter2.Thissectionattemptstogiveyouanideaoftheintendedusageofthoseextensionpointsandinspireyoutotakeadvantageoftheminyourscenarios.

142 Part II Windows Identity Foundation for Identity Developers

AuthorizationClaimsauthorizationisafascinatingsubjectthatprobablydeservesanentirebookofitsown.OnethingthatputsoffthevariousRole-BasedAccessControl(RBAC)aficionadosisthatthereissomuchfreedomandsomanywaysofdoingthings.Forexample,takethecoarseformofauthorizationthatcanbeimplementedbysimplyrefusingtoissueatoken.YoucansetuprulesattheIPthatpreventfromobtainingatokenalltheusersthatarealreadyknownnottobeauthorizedtoaccesstheapplicationtheyareaskingfor.ThatisfeasibleforallthesituationsinwhichtheIPknowsenoughtomakeadecision—forexample,incaseslikeCustomerRelationshipManagement(CRM)online,inwhichusersneedtobeexplicitlyinvitedbeforehavingaccess,evenwhenthere’safederationinplace.

AnotherobviousplaceforenforcingauthorizationisintheR-STS,whichmightdenytokensonthebasisofsomecross-organizationalconsiderations.Forexample,theR-STSusedbyoneindependentsoftwarevendor(ISV)formanagingaccesstoitsapplicationportfoliomightkeeptrackofhowmanyconcurrentusersarecurrentlyholdingactivesessionsandrefusetoissueanewtokenifthatwouldexceedthenumberoflicensesboughtbytheIPorganization.

TheenforcementpointthatistheclosesttotraditionalauthorizationsystemsistheRPitself,whichiswhereClaimsAuthorizationManagerispositioned.Thereareintrinsicadvantagestoenforcingauthorizationhere.Theresourcesarewellknown.Forexample,iftheRPisadocu-mentmanagementsystem,thelifecycleofdocumentsthemselvesisunderthecontroloftheRP,whichcaneasilymanagepermissionsaswell;whereasothers(suchastheR-STS,orworsestill,theIP)wouldneedtobesynchronized.Anotheradvantageistheavailabilityofthecallitself,althoughthat’seasiertoseewithWebservicesthanwithWebsites.Ifyouwanttoauthorizetheusertomakeapurchaseaccordingtoaspending-limitclaim,youneedboththeclaimvalueandtheamountoftheproposedpurchase:oneSTSwouldonlyseetheclaimvalue,asthebodyofacallplaysnopartinRST/RSTRexchanges.

TheabsoluteflexibilityofferedbyClaimsAuthorizationManagerisbothitsgreateststrengthandbiggestweakness.Claims-basedauthorizationisreallypowerful,butatthetimeofthiswritingtherearenoout-of-the-boximplementationsofClaimsAuthorizationManagerortoolsandofficialpolicyformatsforit.Youcandoeverythingwithit,butyouarerequiredtowriteyourowncode.

Authentication and Claims ProcessingSometimesitjustmakessensetodosomeclaimsprocessingattheRPside.PerhapsyouneedtomakeavailabletotheapplicationcodeinformationabouttheuserthatisknowntotheRPbutnottotheR-STS,suchasinthecaseofauserprofilespecifictotheapplication.Ormaybethereareclaimsyouneedtoseeonlyonce,atthebeginningofthesession,butthatyouprefernottomakeavailabletotheapplicationcode.

Chapter 4 Advanced ASP .NET Programming 143

Fordoinganyofthesethings,WIFoffersyouaspecifichookintheRPpipeline,whichyoucanleveragebyprovidingyourownclaims-manipulationlogicwrappedinacus-tomClaimsAuthenticationManagerclass.ClaimsAuthenticationManagerworksalotlikeClaimsAuthorizationManager:youprovideyourlogicbyoverridingonemethod(hereit’sAuthenticate),andyouaddyourclassinthepipelinebyaddingintheWIFconfigtheelement<claimsAuthenticationManager type=”CustomClaimsAuthnMgr”/>.

InyourimplementationofAuthenticate,youcandowhateveryouwantwiththeprincipal,includingdeletingclaims,addingclaims,orevenusingacustomIClaimsPrincipalimplementation.Hereisasuper-simpleexampleofClaimsAuthenticationManager:

public class CustomClaimsAuthnMgr: ClaimsAuthenticationManager { public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal) { //If the identity is not authenticated yet, keep this principal and let it redirect to the STS if (!incomingPrincipal.Identity.IsAuthenticated) { return incomingPrincipal; } ((IClaimsIdentity)incomingPrincipal.Identity).Claims.Add( new Claim(ClaimTypes.Country,"Saturn,"ClaimValueTypes.String,"LOCAL AUTHORITY")); return incomingPrincipal; } }

Inthiscase,thecodesimplyaddsanextraclaimtotheprincipal.Notethattheissuerisassignedto“LOCALAUTHORITY.”Youcanuseprettymuchanythingyouwanthere,butyoushouldreallyavoidusinganexistingissueridentifierbecauseitisequivalenttopretendingtobealegitimateissuer.

SummaryWow,thatwasanintensechapter!IhopeyouhadasmuchfunreadingitasIhadwritingit.

ThischaptertookamuchmoreconcreteapproachtoWIFprogramming,leveragingtheprogrammingmodelknowledgeyouacquiredinChapter3totacklemanyimportantproblemsandscenariosyoumightencounterwhensecuringASP.NETapplications.

YoulearnedaboutthedistinctionbetweenidentityprovidersandFederationProviders,acquiringfamiliaritywiththeWIFSTStemplateintheprocess.

Youfinallysawappliedinpracticethesign-inflowstudiedinChapter3,applyingittothecaseofmultipleWebsitesanddiscoveringhowtheunderlyingstructuremakesSSOpossible.YouhadachancetolearnhowSingleSign-outworks,andhowtouseWIFforimplementing

144 Part II Windows Identity Foundation for Identity Developers

itinafewlinesofcode.Weexploredonecaseofexoticsessionmanagement,inwhichthevalidityisdrivenbyuseractivityratherthanfixedexpirationtimes.

Theclassicfederationcaseandhomerealmdiscoveryarenowveryconcretescenariosforyou,andyouknowwhatittakesfordealingwiththeminvarioussituations.Intheprocessoflearningthis,youalsogainedfamiliaritywithWIF’sobjectmodelforclaims.

Finally,youhadachancetotieupafewlooseendsregardingtheuseofClaimsAuthenticationManagerandClaimsAuthorizationManagerforprocessingclaimsoncetheyhavealreadyreachedtheRP.

IfyoudevelopfortheASP.NETplatform,thischaptershouldhaveequippedyouwithalltheknowledgeyouneedfortacklingthemostcommonproblemsandthensome.Foranythingnotexplicitlycoveredhere,youshouldnowbeabletoinvestigateandsolveissuesonyourown.

Inthenextchapter,I’llturntoWebservicesandexplorehowWIFandWCFcanworktogethertocreatesaferapplicationswhiledeliveringakillerdevelopmentexperience.

241

Index

Symbols<applicationService>,86<audienceURI>,85<authorization>elementinthe<system.web>

block,36<behavior>element,157<certificateValidation>,89<certificateValidator>,89<ClaimsAuthenticationManager>,87<ClaimsAuthorizationManager>,87<cookieHandler>,85,88<federatedAuthentication>,85,87<issuerNameRegistry>,86<issuerTokenResolver>,89<maximumClockSkew>,88<microsoft.identityModel>,82,84,155overview,39<service>elements,84

<microsoft.identityModel/Service>structure,86.NETapplications

IIdentity,5IPrincipal,5

.NETFrameworkauthenticationmechanisms,5compatibilitywithWindowsIdentityFoundation,24–47

.NETsecurityiPrincipal,6traditionalapproaches,4

<policy>elements,43<protocolMapping>element,157<saml:Assertion>,66<saml:Conditions>,66<saml:SubjectConfirmation>,67<securityTokenHandlers>,89<serviceTokenResolver>,89<wsFederation>,85,88parameters,88Issuer,85passiveRedirectEnabled,85realm,85requireHttps,85

Aaccessgrants,237ACS.SeeAppFabricAccessControlServiceActAsSTSsupport,177tokens,176

ActAsapproach,173Actioncollection,42activeclients,56,148holder-of-keyconfirmationmethod,151message-basedsecurity,150message-levelsecurityoptions,150

ActiveDirectoryFederationServices2.0,15,32,57

activeSTSendpoints,209activesystems,146Actor property,176AddSTSReference,26ADFS2.SeeActiveDirectoryFederationServices2AdobeFlash,147anonymousauthentication,6App_Code,108App_Codefolder,108AppFabricAccessControlService(ACS),204ASP.NET,52authorization,36HttpModules,73integrationwithWIF,52rolesandauthorizationcompatibility,36WIFprocessingpipeline,58

ASP.NETDevelopmentServer,105ASP.NETmembershipprovider,35ASP.NETMVCframework,216

AccountController class,217Authorize,217flow,216–240HttpModules,218login,219LogOnCommon,221logout,220projecttemplate,217web.config,addingWIF,218WIFintegrationsolutions,216–240

ASP.NETSecurityTokenServiceWebSitetemplate,104

242

ASP.NETSTS.SeeSTSASP.NETWebsites,linkingtoanSTS,26audienceverification,193AuthenticateRequest event,75,76,78authenticationadvantagesofastandardinterface,97externalizing,16,24–47genericsystem,11methodsinWIF,141.NETFramework,5real-world,9step-up,140traditionalapproaches,4

authenticationAPIs,6authenticationlevelverificationoftokens,64authenticationmodesanonymous,6Forms,7Windows,6

authorization,33–46cachinguserdata,34claims,142groupsandroles,35IsInRole,36real-world,9traditionalapproaches,34

AuthorizeRequestevent,75,77Azure.SeeWindowsAzure

Bbearertokens,65,147blacklists,98bootstraptokens,172–184browser-basedpassivesystemsvs.active

systems,147

CCAM.SeeClaimsAuthorizationModuleCanReadKeyIdentifier/CanWriteKeyIdentifier,93CanReadToken,93CanValidateTokenproperty,93CanWriteTokenproperty,93CheckAccessmethod,42Claimclass,130claims,12ADFS2.0claims-transformationlanguage,135ADFS2.0managementUI,112vs.attribute,12authorization,142

customizingUI,37hard-coded,110InformationCardFoundationWebsite,133injectingnew,129,135modification,129,135Name,110pass-through,129,134processingattheRP,141–142processingusingFederationProviders,100Role,110transforming,100,129types,111,133typesandvalueconstants,131

ClaimsAuthenticationManager,92,143ClaimsAuthorizationManager,42,142ClaimsAuthorizationModule,73,92claims-basedauthorization,142claims-basedidentity,3–21advantages,4asalogicallayer,11needfor,4

claims-basedsecurity,147claimsobjectmodel,146–184ClaimsTypesRequested,70ClaimType,72ClaimTypeproperty,19ClaimTypesOffered,72ClaimTypesRequested,72classes,90client-sidefeatures,170–184client-to-STScommunications,180cloud,185–213communicatingacrosssilos,55communicationprotocolsandlanguages,55configelements,40ConfigurationBasedIssuerNameRegistryclass,86confirmationmethod,147CookieHandler,94CORBA,55crackingatoken,151CreateChannelActingAs,175,176CreateChannelOnBehalfOf,175CreateChannelWithIssuedToken,183CreateToken,93cryptographicoperations,147CSDEFextension,189CSPKGfile,187customizingUIbasedonclaims,37CustomSecurityTokenService,107CustomSecurityTokenServiceConfiguration,108

ASP .NET STS

243

Ddelegation,176DevFabric,187–213digitalsignaturesfortokens,63dynamicmetadatageneration,205

Eencryptingtokens,63EndRequestevent,75,77end-to-endsecurity,150enforcingauthorizationattheRP,142Esposito,Dino,73externalizingauthentication,16advantages,39

FFederatedAuthentication,40FederatedPassiveSignInStatus,116federationproviders,101relationships,101scenarios,102

federationmetadatadocuments,28FederationPassiveSignIncontrol,81federationproviderroleofIPs,96FederationProviders,99outsourcingfunctions,204

federationrelationships,authenticationflows,101federationscenarios,102FederationUtilityWizard,26creatinganewSTSproject,28NoSTSoption,28UsinganexistingSTS,28

FedUtil.exe,26,39defaultconfiguration,82

Formsauthentication,7,114FormsIdentityobjects,7FP.SeeFederationProvidersFullTrustmode,188

GGenerateNewSTSoption,103genericidentitytransaction,14GenericPrincipal extension,5,7GetOutputClaimsIdentityimplementation,111GetScopemethod,109GetTokenTypeIdentifiersmethod,93

Hholder-of-keyconfirmationmethod,151,153holderofkeytokens,65homeRealm,137HomeRealmDiscovery,136Howard,Michael,4HRD.SeeHomeRealmDiscoveryHTML5,147HttpContext.Current.User,5HttpModulesASP.NET,73ClaimsAuthorizationModule,73SessionAuthenticationModule,72WIFsign-inflow,74WSFederationAuthenticationModule,72

HttpModulespipeline,74

IIClaimsIdentity,18,37,110

Actorproperty,176ClaimTypeproperty,19Issuerproperty,19Subjectproperty,20Valueproperty,19

IClaimsPrincipal,18,37,110identityproviders,12,97allowlistofRPs,98federationproviderrole,96multiple,99multipleSTSendpoints,98roles,96specifying,32standardexample,97unknownRPidentity,99

IIdentity,5IIdentityextensions,18IIS7,84IISauthenticationtypes,6InformationCardFoundationWebsite,133intendedaudienceoftokens,63InternetInformationServicesvs.ASP.NETDevelopmentServer,105

InternetInformationServices(IIS)authentication,6

IP.SeeidentityprovidersIP-FP-RPpattern,126IPrincipal,5extensions,5populating,6

IP-STS,97,106,111

IP-STS

244

IsInRole,6issuedtokens,64,100Issuemethod,149IssuerNameRegistry,94Issuerproperty,20

JJavaScript,147

KKerberos,97,114constraineddelegation,171–184

Kerberostokens,65keyingstrategies,191

LLeBlanc,David,4lifetimeproperty,122logicalidentitylayer,11logicallayerofidentity,11

Mman-in-the-middleattacks,151MembershipProvider,7MembershipUserNameSecurityTokenHandler,93message-basedsecurity,150end-to-endsecurity,150nonrepudiationappliedtosinglemessages,150properties,150vs.transportsecurity,150

metadata,112dynamicgenerationinthecloud,205generatingdocumentsprogrammatically,112

metadatadocuments,69MicrosoftExcel,148Microsoft.IdentityModel.Claimsnamespace,41Microsoft.IdentityModel.dll,24MicrosoftOutlook,148MicrosoftSilverlight,147MicrosoftVisualStudio,6defaultauthenticationmode,6WindowsAzuretemplates,187–213

MicrosoftWindowsCommunicationFoundation,7

MicrosoftWord,148multipleidentityproviders,96multipleRPapplications,113multitenantapplications,137

Nnamed<microsoft.identityModel/Service>

sections,199NASCARproblem,232networkloadbalanced(NLB)environments,191networkloadbalancing(NLB)–friendlysessions,

125nonrepudiation,150

OOASISIdentityMetasystemInteroperability

TechnicalCommittee,228OAuth2.0protocol,233AuthorizationServerrole,234Clientrole,234implementationforWIF,238profiles,235ProtectedResourcerole,234ResourceServerrole,234WS-Trustintegration,237

OAuthWRAP,204,234OnBehalfOf,174OpenIDimplementinginWIF,232OpenIDmoniker,232OpenIDprovider(OP),232

outsourcingFPfunctions,204

PPage_PreRenderhandler,106passiveclients,56,147HTTPSsecurityoption,150

PassiveRequestorEndpoint,70,72passivesystemsvs.active,146–184pass-throughclaims,134personallyidentifiableinformation,122PFX(PersonalInformationExchange)format,189PII.Seepersonallyidentifiableinformationpolicies,13PostAuthenticateRequestevent,76primitivetokens,65Principal,42processingpipelineinASP.NET,58proofofpossession,153prooftoken,153protocoltransitionSTS,204

RRBAC.SeeRole-BasedAccessSecurity

IsInRole

245

ReadToken,93redirect-basedprotectionvs.loginpage,80RedirectingToIdentityProviderevent,139relyingparty,12endpointidentity,192load-balancedenvironments,124

RelyingPartyTrust,98remoteservices,148RequestforSecurityTokenResponse(RSTR),149RequestforSecurityToken(RST),149RequestSecurityToken,183RequestSecurityToken.Claimscollection,111RequestSecurityTokenResponse,183Resourcecollection,42REST,55,230restrictingresourcesandactions,33RESTservice,205RESTWebservices,204richclients,148richstacks,147Role-BasedAccessControl,142Role-BasedAccessSecurity,35role-basedauthorization,36RoleDescriptor,70,72roles,35RP.SeerelyingpartyRST.SeeRequestforSecurityTokenRSTR.SeeRequestforSecurityTokenResponseR-STS,111

SSAM.SeeSessionAuthenticationModuleSAML2.0protocol,229–230WIFintegration,229

Saml2SecurityTokenHandler,93Saml2TokenHandler,93Saml11SecurityTokenHandler,93Saml11TokenHandler,93SAMLtokens,66SecureSocketsLayer(SSL)certificates,7securingMicrosoft.NETapplications,3SecurityAssertionMarkupLanguageprotocol,55SecurityTokenCacheKeyclass,191SecurityTokenHandlerclass,93,168securitytokens,13,62authenticationlevelverification,64bearer,65claims,64descriptor,66deserializing,62digitalsignatures,63

duplication,63encryptionanddecryption,63expiration,63format,62,64holderofkey,65integrity,63intendedaudience,63issued,64Kerberos,65primitive,65SAMLformat,64structure,64subelements,66trustedsource,63Username,65validityperiod,63verifying,62WS-*specificationdefinition,64X.509,65

SecurityTokenService,107,108SecurityTokenServiceEndpointelement,72SecurityTokenServiceType,72SecurityTokenVisualizerControlsampleASP.NET

control,68serializinganddeserializingtokens,93SessionAuthenticationModule,72,91sessions,122,191keepingalive,116lifetimeproperty,122networkloadbalancers,124sessiontokens,122singlesign-in,112singlesign-out,115sliding,122state,116sticky,124

SessionSecurityTokenCookieSerializer,191SessionSecurityTokenHandler,93,192SessionSecurityTokens,93,122SharePoint2010,97sign-in,57WF-Federationsequence,58WS-Federationsequence,58

sign-inflowinWIF,74signingin.SeeSingleSign-insigninginacrossmultipleWebsites,230signingout.SeeSingleSign-outSignInRequestMessage,107Silverlight,223

DisplayToken,228makingclaimsavailabletoapplications,227WIFintegration,224

Silverlight

246

SimpleObjectAccessProtocol(SOAP)Webservices,55

SimpleWebTokens(SWTs),204,236SingleSign-in,113SingleSign-out,115cleanup,117multipleRPs,117oneRP,116WIFSTStemplate,121

slidingsessions,122smartcards,152sqlMembershipProvider,7SSO.SeeSingleSign-onSSOut,115.SeeSingleSign-outstep-upauthentication,140STSactiveendpoints,209addingreferences,32ADFS2.0,103ASP.NETWebsitelinkage,26autogenerated,32availability,102buildingviable,103classesandmethodsinApp_Code,108configurationsettings,108criteriafor"good",102custom,103difficultyofrunning,103generatingatestSTS,28hostedendpoints,103hostinginWindowsAzure,205multipleendpointscenarios,98nonauditing,99off-the-shelfproducts,103performance,102projectstructure,105protocoltransition,204R-STS,106security,102selecting,28separationfromauthenticationmechanism,106template,102usernameandpasswordauthenticationforaWebservice,164

STSauthenticationpage,30STStemplate,102forWCF,158redirectexception,108SingleSign-out,121signingoutcode,117structure,104wsignout1.0,117

subclassing,54Subjectproperty,20subjects,12SunMetro,231SvcTraceViewer.exeutility,203SvcUtil,162SWTs.SeeSimpleWebTokens

TTargetScopes,70Thread.CurrentPrincipal,5Thread.CurrentPrincipal.IsInRole(“Administrators”),

5tokenhandlerclasses,93tokenhandlerscollection,89TokenResolvers,94tokens.See alsosecuritytokensauthenticationlevelverification,64authenticationtokensforservicecalls,180bearer,65bootstrap,172–184certificates,109claims,64deserializing,62destinations,109digitalsignatures,63duplication,63encryptionanddecryption,63,109expiration,63format,62,64holderofkey,65integrity,63intendedaudience,63issuanceprocessparameters,109issuedtokens,64,100Kerberos,65primitive,65processingusingFederationProviders,100proof,153requiredtypevalidation,109SAMLformat,64serializinganddeserializing,93signatures,190size,111structure,64subelements,66trustedsource,63Username,65validityperiod,63verifying,62wellformed,62

Simple Object Access Protocol (SOAP) Web services

247

tokens(continued)WS-*specificationdefinition,64X.509,65

TokenTypeproperty,93tokenvalidationsettings,89tokenvalidity,62tracelisteners,202transportsecurityvs.message-basedsecurity,150troubleshootingcodeexecutioninthecloud,201TrustChannel,238trustedIPs,63trustedsubsystems,170TurboTax,148Twitter,148

Uusernameandpasswordauthenticationscenario

usingWIFwithinWCF,167Usernametokens,65users.Seesubjects

VValidateRequestmethod,109ValidateToken,93validityperiodoftokens,63valueconstantsandClaimtypes,131Valueproperty,19verifyingsecuritytokens,62

Wwaparameter,59,61wauthparameter,61wauthparameterinWS-Federation,140WCF,145–184claims,162client-sidefeatures,170–184configuration,156,161configuringaservicetouseWIF,168cookiemode,196delegation,175–184findingclaiminformation,169RESTservice,205similiaritieswithASP.NET,146–184testingservicestool,159usernameandpasswordauthenticationwithWIF,164

WCFsecuritymodelvs.WIFmodel,167WIFSTStemplate,158

WCFroleinWindowsAzure,195–203

WCFServicetemplate,154WcfTestClient.exe,159wctparameter,60,61wctxparameter,61Webapplications,147Webauthenticationprotocols,232Webbrowsersign-in,57web.configfile,6,53,82,155WebIdentities,230Webprotocolsvs.WS-*,231

WebResourceAuthorizationProtocol,234WebRole.csfile,191Webroles,190WebserversASP.NETDevelopmentServer,105IISvs.VisualStudiobuilt-inWebserver,105

Webservices,146–184invoking,149securitypolicies,149

Webservicesinaload-balancedenvironment,196

Websiteauthentication,57whrparameter,61whrparameterinWS-Federation,136WIF.See alsoWindowsIdentityFoundationASP.NETMVCframework,216–223authenticationmethods,141<authorization>elements,37classes,90client-sidefeatureswithWCF,170–184configelements,40configuration,82delegation,175–184extending,216HttpModules,72IsInRoleintegration,36mainclasses,82OAuth2.0,238processingpipelineinASP.NET,58runtimeassemblies,188SAMLprotocolortokenformat,69servingevents,53sign-inflow,74signoutimplementation,117subclassing,54supportedprotocols,57usingtheSDKtools,53Webbrowsersign-in,57Websiteauthentication,57

WIFRuntime,24–47installing,24

WIF Runtime

248

WIFSDK,24differencesbetweenversions,25installing,25

WIFSDKSTStemplate.SeeSTStemplateWIFsign-inflow

AuthenticateRequestevent,75AuthorizeRequestevent,75EndRequestevent,75PostAuthenticateRequestevent,75

WIFSoftwareDevelopmentKit.SeeWIFSDKWIFSTStemplate,102WIFSTSTemplateforWCF,158

WIF-WCFpipelineintegration,168Windowsauthentication,6WindowsAzure,185–213AppFabricAccessControlService(ACS),204CSPKGfile,187–213DevFabric,187–213,192diagnostics,201environments,192FullTrustmode,188globalassemblycache(GAC),188hostinganSTS,205localsimulationenvironment,187–213ProductionEnvironment,192Roles,188sessions,191sessionsinaload-balancedenvironment,196StagingEnvironment,192tracelisteners,202tracing,201VisualStudiotemplates,187–213WCFrole,195Webrole,190WIFandpassivefederation,191WIFRuntimeAssembly,188X.509certificates,188

WindowsCardSpace,228WindowsCommunicationFoundation,52,

145–184integrationwithWIF,52

WindowsIdentityFoundationcompatibilitywith.NETFramework,24–47definition,15fourmainuses,52integrationwithASP.NETorWindowsCommunicationFoundation,52

IsInRoleintegration,36purpose,16WIFRuntime,24–47WIFSDK,24WS-Federationimplementation,72

WindowsPresentationFoundation,14extension,5

WindowsServerroles,15WRAP.SeeWebResourceAuthorizationProtocolwreplyparameter,61wresultparameter,60,61WriteToken,93WritingSecureCode,4WS-*,55vs.SAML-P,57vs.Webprotocols,231

WS-*capableclients,56WSFAM,72WSFAMevents,90WS-Federation,55,56audienceverification,193implementationinWIF,72metadatadocumentcompatibility,70parameters,59sign-insequence,58SingleSign-outprocess,119waparameter,59,61wauthparameter,61wctparameter,60,61wctxparameter,61whrparameter,61,136wreplyparameter,61wresultparameter,60,61wtrealmparameter,59,61

WS-Federation1.2specification,56WSFederationAuthenticationModule,72WS-<function>,55wsignin1.0,61wsignout1.0,61,117WS-Security,148signingandencryptingmechanisms,150

WS-Trust,148flowanduseofkeys,152intergratingwithOAuth2.0,237invokingWebservices,149

WSTrustChannel,180WSTrustServiceContractclass,159wtrealm,110wtrealmparameter,59,61

XX.509certificate,7,65,152,188tokens,65

X509CertificateValidatorclass,89X509SecurityTokenHandler,93XAPfiles,225

WIF SDK

Vittorio BertocciVittorioBertocciisaSeniorArchitectEvangelistinDeveloperandPlatformEvangelism(DPE)andakeymemberoftheextendedengineeringteamthatproducesMicrosoft’sclaims-basedplatformcomponents(forexample,WindowsIdentityFoundationandADFS2.0).Heisresponsibleforidentityevangelismforthe.NETdevelopercommunityanddroveinitiativessuchastheIdentityDeveloperTrainingKit(http://go.microsoft.com/fwlink/?LinkId=148795)andtheIdElementshow(http://channel9.msdn.com/shows/identity/ )onChannel9.

VittorioholdsamasterdegreeinComputerScience,andhebeganhiscareerdoingresearchoncomputationalgeometryandscientificvisualization.In2001,heJoinedMicrosoftItaly,whereheimmediatelyfocusedonthe.NET

platformandthenascentfieldofWebservicessecurity,becomingareferenceatthenationalandEuropeanlevel.

In2005,VittoriomovedtoRedmond,wherehehelpedtolaunchthe.NETFramework3.5byworkingwithFortune100andGlobal100companiesoncutting-edgeSOAprojectsbasedonWCF,WF,andCardSpace.Hebecamemoreandmorefocusedonidentitythemes,eventuallyundertakinghiscurrentmissionofevangelizingclaims-basedidentityintomainstreamuse.

Inthelastfiveyears,thismissionhasledhimtospeakaboutidentityin23countriesand4continents.VittorioisaregularspeakeratconferencessuchasMicrosoftPDC,TechEdUSA,TechEdEurope,TechEdAustralia,TechEdNewZealand,TechEdJapan,TechDaysBelux,GartnerSummit,EuropeanIdentityConference,IDWorld,OreDev,NDC,IASA,Bastaandmanyothers.

Vittorioisapublishedauthor,bothintheacademicandindustryworlds,andhaswrittenmanyarticlesandpapers.Heisco-authorofA Guide to Claims-Based Identity and Access Control(MicrosoftPress,2010)andUnderstanding Windows CardSpace(Addison-Wesley,2008).Heisaprominentauthority/bloggeronidentity,WindowsAzure,.NETdevelopment,andrelatedtopics,andheshareshisthoughtsatwww.CloudIdentity.net.

Vittoriolivesinthelush,greencityofRedmondwithhiswife,Iwona.Hedoesn’tmindthegrayskiestoomuch,buteverytimehehashalfachancehefliestosomebeachplace,beitHawaiiorCamogli,hishometowninItaly.

Stay in touch!TosubscribetotheMicrosoft Press® Book Connection Newsletter—fornewsonupcomingbooks,events,andspecialoffers—pleasevisit:

What do you think of this book?Wewanttohearfromyou!Toparticipateinabriefonlinesurvey,pleasevisit:

Tellushowwellthisbookmeetsyourneeds—whatworkseffectively,andwhatwecandobetter.Yourfeedbackwillhelpuscontinuallyimproveourbooksandlearningresourcesforyou.

Thankyouinadvanceforyourinput!

microsoft.com/learning/booksurvey

microsoft.com/learning/books/newsletter