
Single SignOn with Federation using Claims


DESCRIPTION

This is a presentation that talks about SSO, claims-based authentication and the SAML2 protocol.


Page 1: Single SignOn with Federation using Claims

Federation, SSO, Claims

Volkan Uzun

Page 2: Single SignOn with Federation using Claims

About Me

Software Dev Staff Engineer @ Dell @ RD

Working on Identity Management Applications

Blog: http://volkanuzun.com/blog

Twitter: @volkanuzun

Email: [email protected]

Page 3: Single SignOn with Federation using Claims

Authentication/Authorization

Page 4: Single SignOn with Federation using Claims

Why Identity Federation?

• Decouple authentication mechanism from applications and services
• Go claims-based
• Reduce IT pain and risk related to provisioning and de-provisioning users
• Extend trust to users across domain, corporate and Internet boundaries
• Support Single Sign-On (SSO)

Page 5: Single SignOn with Federation using Claims

Decouple Authentication

• Windows/Kerberos
• Forms authentication
• HTTP basic authentication
• SSL Certificates
• WS-Fed
• WS-Trust
• SAML
• OAuth (authorization, people use it wrong!)
• OpenID (authentication)

Page 6: Single SignOn with Federation using Claims

Claims

Any information about a subject from a provider.

Identity providers typically issue claims based on the user's identity.

[Diagram: the user presents credentials to the identity provider; the "Authenticate" step turns them into issued claims.]

Credentials:
UserName=volkanuzun
Password=*******

Authenticate

Claims:
Name=volkan uzun
[email protected]
IsOver21=true
Role=Admin
Role=User

Page 7: Single SignOn with Federation using Claims

Claims

Applications may transform identity claims into application-specific claims.

Identity Provider claims:
Name=Volkan Uzun
[email protected]
IsOver21=true
Role=Admin
Role=User

Transform

Application Specific Claims:
LicenseKey=ABC12345
Permission=Create
Permission=Read
Permission=Update
Permission=Delete

Page 8: Single SignOn with Federation using Claims

Token

• Contains the claims
• The signature
• Information about the issuer
• May be encrypted
• In XML format
• Has an expiration date
• SAML 1.1/2.0, Simple Web Token, JSON Web Token

Page 9: Single SignOn with Federation using Claims

Token Types

• SAML: XML based, encryption and signature with asymmetric or symmetric keys, processing power
• Simple Web Token (SWT): URL/Form encoded, symmetric signature only
• JSON Web Token (JWT): the new cool guy, symmetric or asymmetric, JSON encoded

Page 10: Single SignOn with Federation using Claims

Claims-based Identity Pros

Before Claims-based:
• App authenticated the user or relies on a 3rd party to authenticate, such as AD
• App gets simple information from the user, such as user name.

After Claims-based:
• Authentication is outsourced to STS
• App gets any information it needs

Page 11: Single SignOn with Federation using Claims

STS

• Security Token Service
• Claims are issued by a provider (STS)
• A security token service (STS) is the service component that builds, signs, and issues security tokens
• Client applications trust STS
• The basic flow is: Client requests token, issuer issues token, resource consumes the token
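A minimal issue/consume round trip for the basic flow on this slide (issuer issues the token, resource consumes it), checking the token properties slide 8 lists: signature, issuer, audience and expiration. This is an added example, not code from the deck; it uses the System.IdentityModel.Tokens.Jwt NuGet package, and the key, issuer, audience and claim values are constructed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class TokenConsumerDemo
{
    // Constructed demo values. A shared HMAC key keeps the sample self-contained; a real STS
    // signs with a certificate's private key (slide 14) so the RP holds no signing secret.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-must-be-at-least-32-bytes-long!!"));
    const string Issuer = "https://sts.example.com";
    const string Audience = "https://rp.example.com";

    // STS side (slide 11): build, sign and issue a token carrying claims and an expiry (slide 8).
    static string Issue(TimeSpan lifetime)
    {
        var claims = new[] { new Claim(ClaimTypes.Name, "Volkan Uzun"), new Claim(ClaimTypes.Role, "Admin") };
        DateTime expires = DateTime.UtcNow.Add(lifetime);
        var token = new JwtSecurityToken(Issuer, Audience, claims, expires.AddMinutes(-1), expires,
            new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // RP side (slide 11: "resource consumes the token"). Everything slide 8 lists is checked
    // before any claim is trusted: signature, issuer, intended audience and expiration date.
    static ClaimsPrincipal Consume(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,   // library default is 5 minutes; zero keeps the demo deterministic
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    static void Main()
    {
        string good = Issue(TimeSpan.FromMinutes(5));
        ClaimsPrincipal principal = Consume(good);
        Console.WriteLine($"accepted: {principal.Identity.Name}, Admin={principal.IsInRole("Admin")}");
        // Alter two characters of the signature segment: claims intact, but no longer trustworthy.
        string tampered = good.Substring(0, good.Length - 2) + (good.EndsWith("xx") ? "yy" : "xx");
        try { Consume(tampered); }
        catch (SecurityTokenException e) { Console.WriteLine($"rejected: {e.GetType().Name}"); }
        try { Consume(Issue(TimeSpan.FromSeconds(-30))); }   // already past its expiration date
        catch (SecurityTokenExpiredException e) { Console.WriteLine($"rejected: {e.GetType().Name}"); }
    }
}
```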

Page 12: Single SignOn with Federation using Claims

Passive Federation

[Diagram: passive (browser-based) federation between the IdP Domain and the RP Domain. Participants: User (subject), Browser (requestor), Web Site (RP), Quest STS (IdP). Labelled arrows: SignIn (2), Login Page, POST Credentials, Authenticate / Issue Token (5), POST SignIn Response, Authorize Access (7).]

Page 13: Single SignOn with Federation using Claims

Active Federation

[Diagram: active (rich-client) federation between the RP Domain and the IdP Domain. Participants: Rich Client, Identity Provider (IdP), Application (Relying Party, RP). Labelled arrows: Credentials, Authenticate / Issue (2), Security Token / Claims, Authorize (5).]

Page 14: Single SignOn with Federation using Claims

Certificate

• Token is signed with certificate
• Same cert may be used for encrypting the message
• Same cert may be used for cookie encryption
• Cert Type

Page 15: Single SignOn with Federation using Claims

.NET help me please

RBAC (Since 2002)

IIdentity: IsAuthenticated; AuthenticationType; Name

IPrincipal: IIdentity; IsInRole(string roleName);

Thread.CurrentPrincipal

Page 16: Single SignOn with Federation using Claims

DEMO: Old style

Page 17: Single SignOn with Federation using Claims

First Attempt: WIF (Windows Identity Foundation)

• Hooks into ASP.NET pipeline
• Not a new solution: Claims
• Embedded into .NET 4.5

Page 18: Single SignOn with Federation using Claims

ClaimsIdentity, ClaimsPrincipal

ClaimsIdentity : IIdentity { IEnumerable<Claim> Claims }

ClaimsPrincipal : IPrincipal { ReadOnlyCollection<ClaimsIdentity> Identities }
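The claims transformation of slide 7 written against these two types, as an added example rather than code from the deck. The permission mapping (Admin gets Create/Read/Update/Delete, User gets Read), the claim-type URIs and the sample e-mail address are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class ClaimsTransformDemo
{
    // Application-defined claim types; the URIs are assumptions, not from the deck.
    const string PermissionType = "urn:example:permission";
    const string LicenseKeyType = "urn:example:licensekey";
    // Claims as the IdP issued them (slide 6); constructed sample data. The non-null
    // authentication type is what makes IIdentity.IsAuthenticated return true.
    static ClaimsIdentity IdpIdentity() => new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, "Volkan Uzun"),
        new Claim(ClaimTypes.Email, "volkan@example.com"),
        new Claim("IsOver21", "true"),
        new Claim(ClaimTypes.Role, "Admin"),
        new Claim(ClaimTypes.Role, "User"),
    }, "Federation");
    // Slide 7: identity claims -> application-specific claims. Only Role claims grant
    // permissions (assumed mapping); the IdP's claims are copied through unchanged.
    static ClaimsPrincipal Transform(ClaimsIdentity incoming)
    {
        var roleToPermissions = new Dictionary<string, string[]>
        {
            ["Admin"] = new[] { "Create", "Read", "Update", "Delete" },
            ["User"]  = new[] { "Read" },
        };
        var appIdentity = new ClaimsIdentity(incoming.Claims, incoming.AuthenticationType);
        appIdentity.AddClaim(new Claim(LicenseKeyType, "ABC12345"));
        var permissions = incoming.FindAll(ClaimTypes.Role)
            .Where(r => roleToPermissions.ContainsKey(r.Value))
            .SelectMany(r => roleToPermissions[r.Value])
            .Distinct();
        foreach (var permission in permissions)
            appIdentity.AddClaim(new Claim(PermissionType, permission));
        return new ClaimsPrincipal(appIdentity);
    }

    static void Main()
    {
        ClaimsPrincipal principal = Transform(IdpIdentity());
        // The RBAC interface from slide 15 still works: IsInRole is answered from Role claims.
        Console.WriteLine($"IsInRole(Admin): {principal.IsInRole("Admin")}");
        // Claims-aware checks go beyond roles (slide 10: the app gets any information it needs).
        Console.WriteLine($"Permission=Delete: {principal.HasClaim(PermissionType, "Delete")}");
        Console.WriteLine($"IsOver21: {principal.HasClaim("IsOver21", "true")}");
    }
}
```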

Page 19: Single SignOn with Federation using Claims

DEMO: Visual Studio 2010 Demo with WIF

Visual Studio 2012 Demo with .NET 4.5

Page 20: Single SignOn with Federation using Claims

SSO

• Client applications are responsible for authorization (cookie)
• STS is responsible for user authentication (cookie)
• STS can generate the session token from the cookie
• STS can reissue the session token from the cookie

Page 21: Single SignOn with Federation using Claims

Log Out

• More difficult than login
• STS has to delete its own cookie
• Each client application must be notified of a logout

Page 22: Single SignOn with Federation using Claims

Partner Federation

• Your STS acts as a client application for another STS
• When your STS doesn't have the user identity
• Client application still trusts only your STS
• Your STS does claims transformation

Page 23: Single SignOn with Federation using Claims

Home Realm Redirection

[Diagram: home realm redirection between the IdP Domain and the Application Domain. Participants: Browser, Web Site, Quest STS, IdP STS. Labelled arrows: Sign-In Request (5), POST Credentials, Set Cookie (7), IdP STS: Authenticate / Issue Token (6), Login Page, Sign-In Request, IdP SAML (9): Gather Attributes / Issue Assertion, Authorize Access (10), Keystone Assertion w/ Session Token.]

Page 24: Single SignOn with Federation using Claims

Warnings

• Caching SessionSecurityToken
• Cookie size may be an issue (even with chunking)
• Infinite loops (cookie issue)
• Load balancer issue (cookie issue)
• Use SSL
• QueryString length may be an issue