
Windows Identity Foundation


Page 1: Windows Identity Foundation

Are you .NET Developer? We are hiring! Call us at: 818-223-9008

Windows Identity Framework

Manu Sharma, BlackLine.com

Windows Identity Framework

An overview of digital identity and single sign on.

Page 2: Windows Identity Foundation


Agenda

• What problems are we trying to solve
• Claims
• Security Token Service (STS)
• Active Directory Federation Services (ADFS 2.0)
• Claims Aware Application
• Windows Identity Foundation (WIF)
• Passive Federation (Intranet Scenario)
• Partner Federation
• Demo

Page 3: Windows Identity Foundation


What problems are we trying to solve?

• One user store per application
• The number of identities users must relate to (roles, groups)
• Increasing cost of administering and maintaining user stores
• Lack of control over user identities, both by the user himself and by the organizations
• When someone quits, how many identities in how many systems must be deactivated?
• Single Sign-On

Page 4: Windows Identity Foundation


Claims

• Not limited in the same way as e.g. Windows tokens (Kerberos):
  - Username
  - Groups
• …or the ASP.NET membership provider:
  - User
  - Roles
  - Profiles

Page 5: Windows Identity Foundation


Claims (cont'd)

• Claims can carry more information about the user: roles, email, age… anything.
• Applications using claims share one common model.
• Anonymize users (e.g. an IsOver18 claim instead of a date of birth).
• Can be accessed over the internet as well as the intranet.
• Can work with browsers and web services.
• The Name claim and Role claim are something .NET understands today:
  - HttpContext.Current.User: IPrincipal (IsInRole)
  - HttpContext.Current.User.Identity: IIdentity (Name, IsAuthenticated)

Page 6: Windows Identity Foundation


Security Token Service (STS)

• A centralized service for authentication outside the application (separation of concerns)
• Talks to other STSs at partner organizations
• Issues and transforms claims

Page 7: Windows Identity Foundation


Active Directory Federation Services (ADFS 2.0)

• Microsoft's STS
• Integrated with Active Directory
• Supports both active and passive clients
• Can integrate with other WS-Trust and other STSs
• Supports SAML 1.1 and 2.0 tokens
• Supports WS-Federation (1 and 2) and the SAML 2.0 protocol (not 1.1)
• Two flavors: Service and Proxy

Page 8: Windows Identity Foundation


Claims Aware Application

• The application makes authorization decisions based on the claims contained in the security token
• No longer required to make authentication decisions
• Same authorization logic for the application
• Deployed on the intranet or as a cloud service
• Receives claims from its own organization's users or from users of trusted partners

Page 9: Windows Identity Foundation


Windows Identity Foundation (WIF)

• Provides a common programming model for claims.
• Validates the incoming security token and parses the claims inside it.
• Reduces the complexity and the amount of code needed to implement security in .NET apps (no need to be a security expert).
• Provides plumbing tools integrated into Visual Studio to configure .NET apps to use claims and STSs.
• Works with WCF and ASP.NET applications.
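The claims-aware checks described on pages 5, 8 and 9 (Name/Role claims behind IPrincipal, authorization decided from token claims, WIF as the common claims model), as an added C# example that is not from the slides. It assumes the System.Security.Claims API of .NET 4.5, into which WIF was folded; the STS issuer URL, the IsOver18 claim type URI and the sample identity are constructed for the example.

```csharp
// Added example, not from the slides: a claims-aware authorization check using
// the claims model WIF introduced (System.Security.Claims since .NET 4.5; WIF 1.0
// shipped it as Microsoft.IdentityModel.Claims). The WIF pipeline has already
// validated the token's signature; the app only reasons about the claims in it.
using System;
using System.Linq;
using System.Security.Claims;

static class ClaimsAwareAuthorization
{
    // Hypothetical STS issuer name and IsOver18 claim type used for this example.
    const string TrustedIssuer = "http://sts.example.com/adfs/services/trust";
    const string IsOver18ClaimType = "http://schemas.example.com/claims/isover18";

    // Only claims issued by the STS this app trusts count. IsInRole matches on
    // type and value alone, so a role claim from another issuer would satisfy it.
    public static bool HasTrustedClaim(ClaimsPrincipal user, string type, string value)
    {
        return user.Claims.Any(c =>
            c.Type == type &&
            c.Issuer == TrustedIssuer &&
            string.Equals(c.Value, value, StringComparison.OrdinalIgnoreCase));
    }

    // Authorization from claims only; the anonymized IsOver18 claim replaces a date of birth.
    public static bool CanViewAgeRestrictedContent(ClaimsPrincipal user)
    {
        return user.Identity.IsAuthenticated
            && HasTrustedClaim(user, ClaimTypes.Role, "Customer")
            && HasTrustedClaim(user, IsOver18ClaimType, "true");
    }

    static void Main()
    {
        // Constructed sample identity standing in for the token WIF would parse.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "Customer", ClaimValueTypes.String, TrustedIssuer),
            new Claim(IsOver18ClaimType, "true", ClaimValueTypes.Boolean, TrustedIssuer),
            // Same role claim type, but from an issuer the app does not trust.
            new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String, "http://other.example.com"),
        }, "Federation"); // a non-empty authentication type makes IsAuthenticated true
        var user = new ClaimsPrincipal(identity);
        Console.WriteLine("Name claim: " + user.Identity.Name);
        Console.WriteLine("IsInRole(Admin), type+value only: " + user.IsInRole("Admin"));
        Console.WriteLine("Trusted Admin role: " + HasTrustedClaim(user, ClaimTypes.Role, "Admin"));
        Console.WriteLine("Can view restricted content: " + CanViewAgeRestrictedContent(user));
    }
}
```

In a WIF-configured ASP.NET app, HttpContext.Current.User is already the ClaimsPrincipal built from the validated token, so the same checks run against it unchanged.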

Page 10: Windows Identity Foundation


Passive Client (Intranet scenario)

Sequence diagram, reconstructed from the slide's labels. Participants: User (browser), Claims-aware app, ADFS STS, Active Directory. The app trusts the STS.

1. User browses to the app.
2. App: not authenticated; the user is redirected to the STS.
3. User authenticates at the STS.
4. STS queries Active Directory for user attributes.
5. STS returns a security token (ST) to the user.
6. User sends the token to the app.
7. App returns the page and a cookie.

Page 11: Windows Identity Foundation


Partner Federation

Sequence diagram, reconstructed from the slide's labels. Participants: Partner user (browser), Your claims-aware app, Your ADFS STS, Partner ADFS STS & IP, Partner Active Directory.

1. Partner user browses to your app.
2. App: not authenticated; redirect to your STS.
3. Your STS: home realm discovery.
4. Redirected to the partner STS, requesting an ST for the partner user.
5. Partner user authenticates (partner STS against Partner Active Directory).
6. Partner STS returns an ST for consumption by your STS.
7. Redirected to your STS.
8. Your STS processes the token and returns a new ST.
9. User sends the token to your app.
10. App returns the page and a cookie.

Page 12: Windows Identity Foundation


DEMO

Page 13: Windows Identity Foundation


More Info

http://msdn.microsoft.com/en-us/security/aa570351

Q&A

Manu Sharma, Senior Software Developer

[email protected]

Page 14: Windows Identity Foundation


Thank You!