ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge

itcampro @ itcamp12 # Premium conference on Microsoft technologies

Tackling the Single Sign-On Challenge

Mihai Nadăș

Windows Azure MVP

Yonder CTO

@mihainadas

mihainadas.com


Private &

Public Cloud ITCamp 2012 sponsors


Private &

Public Cloud

• mihainadas.com

• @mihainadas

• Passionate about technology, background in

the .NET World

• Windows Azure MVP

• Driving Yonder’s appetite for innovation

About myself


Private &

Public Cloud

• As the world becomes more interconnected, security becomes a more important topic

• Holland, 2012 – VCD’s SaaS solution exposed publically information about its user’s medical history

We spend our time searching for security and hate it when we get it.

-John Steinbeck

On security and the future


Private &

Public Cloud Passwords and implementations


Private &

Public Cloud

1. Injection

2. Cross Site Scripting (XSS)

3. Broken Authentication and Session

Management

4. Insecure Direct Object References

5. Cross Site Request Forgery

OWASP’s Top 5


Private &

Public Cloud

1. Injection

2. Cross Site Scripting (XSS)

3. Broken Authentication and Session

Management

4. Insecure Direct Object References

5. Cross Site Request Forgery

OWASP’s Top 5


Private &

Public Cloud

• Claims-Based Identity and Access Control

• The Single Sign-On Challenge and Benefits

• Windows Azure Access Control Service

• Q&A

Agenda


ENOUGH TALKING, LET’S DEMO!

The problem with Identity and Access Control in the Enterprise


Private &

Public Cloud

• A fictious case study of an enterprise called

Adatum

• The whiteboard diagram showing the

situation of the auth/auth problem pre-

claims

• DEMO

What you’ll see?


Private &

Public Cloud Adatum Infrastructure Pre-Claims


DEMO

The problem with Identity and Access Control in the Enterprise


Private &

Public Cloud

• Users of a-Expense need user/password

• The IT staff have to sync roles between

authentication systems

• a-Order can’t be accessed from the Internet

• No Single Sign-On aka „Credentials Hell”

What’s the problem?


Private &

Public Cloud What’s the problem?


Private &

Public Cloud

• Adatum’s requirements

– Single Sign-On (SSO) Capabilities

– Enable Adatum employees to access corporate

applications from the Internet (no VPN)

– Plan for the future (cloud, new apps)

• What is your solution?

Be the consultant and please Adatum!


Private &

Public Cloud

• Control the digital experience based on

things that are said about one party by the

other

• A party can be – web site, web service,

person, government, organization

Introducing Claims-Based Identiy


Private &

Public Cloud

• Mainframes asked about user/password and passed „claims” about them to applications

– uid, gid

– sudo su

• As systems became interconnected we needed ways to identify parties across multiple computers

• Specialized services appeared

– NTML, Kerberos (Windows Integrated Authentication)

– Public Key Infrastructure (PKI)

– Security Assertion Markup Lanaguage (SAML)

Claims are not new!


Private &

Public Cloud

• Two major components

1. A single, general notion of claims

2. Concept of issuer / authority

• Terminology

1. Application (Relying Party, Service Provider)

2. User (Subject, Principal)

3. Issuer (Security Token Service, Identity Provider)

4. Rich Client (Active Client)

5. Browser (Passive Client)

The Claims-Based ID Framework


Private &

Public Cloud Claim-Based ID in Real World Traveler Check-In Counter Airport Agents

1 Show ID or Passport

2 Give Boarding Card

3 Show Boarding Card to Gain

Access


Private &

Public Cloud Claim-Based ID in Real World Traveler Check-In Counter Airport Agents

1 Show ID or Passport

2 Give Boarding Card

3 Show Boarding Card to Gain

Access

Authentication Credentials

User

Claims

Issuer

Application

Authorization


Private &

Public Cloud

• Simplified authentication logic

• Decoupled authentication from authorization

• Eliminate redundancy

What are the benefits?


Private &

Public Cloud

• What you need?

– An App (Web Service, Web Site, Mobile App, etc.)

– An Issuer

– Claims-Based Identity Magic

• What are the steps?

1. Setup an Issuer

2. Configure the Issuer to know about the App

3. Add logic to the App to support claims

4. Configure the App to trust the Issuer

Implementing Claims-Based Identity


Private &

Public Cloud Claims-Based Identity Lifecycle


Private &

Public Cloud

• Windows Identity Foundation

• Framework for building identity-aware applications

• Provides APIs for building ASP.NET or WCF based security token services

• Tools for building claims-aware and federation capable applications

• Now part of .NET Framework 4.5

What’s WIF?



Solving Adatum’s problem using Claims-Based Identity


Private &

Public Cloud

Adatum Infrastructure Post-Claims


Private &

Public Cloud

• Windows Identity Foundation

• Active Directory Federation Services

Technologies at work


DEMO

Solving Adatum’s problem using Claims-Based Identity


Private &

Public Cloud

• Welcome Federated Providers!

• Powerful way to provide SSO cross-domains

Going beyond Identity Providers


Private &

Public Cloud Adatum meets Litware


ACCESS CONTROL SERVICE

Windows Azure


Private &

Public Cloud

• A feature of Windows Azure Active Directory

• Outsourcing Authentication (no need to write code)

• Works with .NET, PHP, Python, Java and Ruby

• Out-of-the-box support for a variety of identify providers

• Integrates with on-premises Active Directory

Shortly


Private &

Public Cloud

• Open industry standards

– Protocols: OAuth 2.0, WS-Trust, WS-Federation

– Token formats: SAML 1.1/2.0 and Simple Web

Token

• $1,99 / 100.000 transactions

Benefits


Private &

Public Cloud

• Built-in support for

– Windows Live ID

– Facebook

– Google

– Yahoo!

– WS-Federation Identity Providers

• Programatic configuration for

– WS-Trust based (AD FS 2.0)

– OpenID based

Identity Providers


Private &

Public Cloud

• An application that relies on claims

• Implements federated authentication using ACS

• Trusts the ACS namespace

• Can be configured manually or programatically through ACS Management Service

Relying Party Applications


Private &

Public Cloud ACS Architecture


Private &

Public Cloud

• ACS does heavy lifting for handling protocols

–WS-Federation

–WS-Trust

–OpenID

–OAuth 2.0, OAuth WRAP

– Facebook Graph

• ACS issues normalized tokens

–SAML

–SWT

ACS - Protocol Handling



Windows Azure ACS


Private &

Public Cloud

1. Configure your application to outsource authentication to ACS

2. Configure ACS to include the identity providers you want to leverage

3. Configure ACS to process incoming identities and add new claims

4. Modify your application to consume claims from ACS and drive authorization decisions

5. Customize the default authentication user experience provided by ACS

Goals


Private &

Public Cloud

• Windows Vista SP2, Windows Server 2008

SP2, Windows Server 2008 R2, or Windows 7

(32-bits or 64-bits)

• Internet Information Services (IIS) 7.0

• .NET Framework 4

• Visual Studio 2010

• Windows Identity Foundation Runtime

• Windows Identity Foundation SDK

Requirements

http://go.microsoft.com/fwlink/?linkid=186916

http://go.microsoft.com/fwlink/?linkid=186916

http://www.microsoft.com/visualstudio/en-us/products/2010-editions

http://www.microsoft.com/visualstudio/en-us/products/2010-editions

http://support.microsoft.com/kb/974405

http://support.microsoft.com/kb/974405

http://www.microsoft.com/downloads/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504




DEMO

Windows Azure ACS


Private &

Public Cloud

• A feature of Windows Azure Active Directory

• Outsourcing Auth and Auth (no need to write code)

• Works with .NET, PHP, Python, Java and Ruby

• Out-of-the-box support for identify providers like Windows Live ID, Google, Yahoo! and Facebook

• Integrates with on-premises Active Directory

Summary


Private &

Public Cloud

• Claims get the job done

• Separate authentication from authorization

• Solves OWASP’s 3rd vulnerability

• How can it work for you?

Conclusions


Private &

Public Cloud

• Windows Azure

Training Kit

• claimsid.codeplex.com

References


Private &

Public Cloud Check Out AzureWorks.ro

www.azureworks.ro


meetwindowsazure.com


Q & A


Private &

Public Cloud What about Smart Clients?

Technology

ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge