Essentials of developing applications with Windows Identity Foundation. ARC303. Pedro Félix, CCISEL, [email protected]


Page 1: Essentials of developing applications with Windows Identity Foundation

Essentials of developing applications with Windows Identity Foundation

ARC303

Pedro Félix, [email protected]

Page 2

• Motivation
• The claims based model
• Windows Identity Foundation
• Identity and claims representation
• Consumption pipeline
• ASP.NET and WCF Integration
• Issuance pipeline

try {

Page 3

Motivation

Diagram: CloudTrack issue-tracking application (create/view issues; view/manage issues)

Page 4

Identity and Authorization

Diagram: creds → Contoso::Alice → webapp::IssueView; Contoso::LeadDev → webapp::IssueMgr

Page 5

Centralized Solution

Diagram: webapp (IssueTracker) with its own MembershipProvider and RoleProvider (IPrincipal.IsInRole(...)); creds → Contoso::Alice → webapp::IssueView; Contoso::LeadDev → webapp::IssueMgr

Page 6

Decentralized Authority

Diagram: webapp (IssueTracker) relying on a separate Contoso Authority; creds → Contoso::Alice → webapp::IssueView; Contoso::LeadDev → webapp::IssueMgr

Page 7

The Claims Model

Diagram: Contoso, the Identity Provider (Issuer), issues a Security Token carrying Claims about Alice (creds → Contoso::Alice, Contoso::LeadDev); the webapp, the Identity Consumer (Relying Party), accepts the token and maps the claims to webapp::IssueView and webapp::IssueMgr

Page 8

The Claims Model

Diagram: Consumer/Provider. A Provider issues Security Tokens containing an Identity {Claims} about a Subject; the Consumer uses them.

Page 9

Demo

Diagram: Demo.RP (ASP.NET + WIF, the Identity Consumer) ← ADFS (WIF, the Identity Transformer) ← Demo.MIP (ASP.NET + WIF, the Identity Provider, authenticating username+password against a Membership Provider and a Role Provider)

Page 10

Not only for Federation

Diagram: webapp 1 and webapp 2 share one identity provider; users authenticate with a smart card or username+password, or with Windows authentication against AD

Page 11

Not only for Federation

Diagram: as on the previous page (webapp 1, webapp 2, IdP, Windows authentication against AD, smart card or username+password), plus an external app/service and a Partner federated with the IdP

Page 12

Protocols

Diagram: Web applications, passive protocol (WS-Federation): Browser, IdP and webapp; the token (tk) travels through browser redirects; WIF on both the IdP and the webapp.
Diagram: Services, active protocol (WS-Trust): the active client obtains the token (tk) from the IdP and presents it to the service; WIF on the client, the IdP and the service.

Page 13

SAML Tokens

• Security Assertion Markup Language
• Signed by the provider (issuer)
• (Optionally) encrypted to the consumer
• Subject confirmation
  • Bearer (passive protocols)
  • Holder-of-Key (active protocols)
• Audience restrictions (avoid reuse)
• Statements (claims)
  • Authentication, Authorization and Attributes

Certificate configuration

Page 14

Federation Metadata

• Purpose: automatic configuration
• Published by both consumers and providers
• Signed XML documents containing
  • Endpoint addresses
  • Claims and token types required and offered
  • Certificates
  • …

Page 15

Windows Identity Foundation

• Contents
  • .NET Class Library (Microsoft.IdentityModel.dll)
  • Visual Studio AddIns
• Purpose
  • Identity Consumers
  • Identity Providers
  • Client helpers – client channels for WCF

Unified model for both ASP.NET and WCF

Page 16

WIF Essentials

• Class model for identity representation
• Claims consumption pipeline
  • Token validation
  • Identity transformation
  • Authorization decisions
• Claims issuance pipeline

Page 17

Claims Class Model

Diagram: WIF claims class model

Page 18

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer

Page 19

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out); the Token Handler uses the Token Resolver to turn a token reference into the token

Page 20

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out), with the Token Resolver (token reference → token)

Configuring the token handlers:

<microsoft.identityModel>
  <service>
    <securityTokenHandlers>
      <remove type="…" />
      <add type="…" />
    </securityTokenHandlers>
  </service>
</microsoft.identityModel>

Page 21

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out); the Token Handler uses the Token Resolver (token reference → token) and the Issuer Name Registry (issuer token → issuer name)

Page 22

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out); the Token Handler uses the Token Resolver (token reference → token) and the Issuer Name Registry (issuer token → issuer name)

Configuring the trusted issuers by signing-certificate thumbprint:

<issuerNameRegistry type="…ConfigurationBasedIssuerNameRegistry…">
  <trustedIssuers>
    <add name="gaviao" thumbprint="a1…74" />
    <add name="gaviao.adfs" thumbprint="72…8e" />
  </trustedIssuers>
</issuerNameRegistry>
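The issuerNameRegistry above pins the issuers the consumer trusts by certificate thumbprint. The following custom IssuerNameRegistry is an added example written for this edit, not code from the presentation or from the demo projects. It does in C# (WIF 1.0, Microsoft.IdentityModel) what the configuration-based registry does and additionally refuses a pinned certificate outside its validity period. The class name, the thumbprint values and the validity check are assumptions; the issuer names match the configuration above.

```csharp
// Added example (not from the presentation): custom IssuerNameRegistry for
// WIF 1.0 (Microsoft.IdentityModel). Class name and thumbprints are assumed.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

public class IssueTrackerIssuerNameRegistry : IssuerNameRegistry
{
    // Pinned signing certificates: thumbprint -> issuer name. The thumbprints
    // are constructed placeholders (40 hex digits, the format that
    // X509Certificate2.Thumbprint returns).
    private static readonly IDictionary<string, string> TrustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "A100000000000000000000000000000000000074", "gaviao" },
            { "720000000000000000000000000000000000008E", "gaviao.adfs" },
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        // The token handler passes the key that signed the incoming assertion;
        // for an X.509 signature that is an X509SecurityToken.
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            // Not an X.509 signature: a null issuer name makes WIF reject the token.
            return null;
        }

        X509Certificate2 cert = x509Token.Certificate;
        string issuerName;
        if (!TrustedIssuers.TryGetValue(cert.Thumbprint, out issuerName))
        {
            // A certificate with a look-alike subject name but a different key
            // has a different thumbprint and is rejected here.
            return null;
        }

        // Pinning is by key; additionally refuse a pinned certificate that is
        // expired or not yet valid (assumed policy; the configuration-based
        // registry does not perform this check).
        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
        {
            return null;
        }

        return issuerName;
    }
}
```

To use it, the issuerNameRegistry element above is replaced by <issuerNameRegistry type="IssueTrackerIssuerNameRegistry, AssemblyName" /> (assembly name assumed); the trustedIssuers children are then no longer needed, since the table lives in code.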

Page 23

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out; uses the Token Resolver and the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out)

Example claims authentication manager (identity transformation):

public override IClaimsPrincipal Authenticate(
    string endpointUri, IClaimsPrincipal incomingPrincipal)
{
    if (incomingPrincipal.Identities[0].Claims.Any(c =>
            c.ClaimType.Equals(ClaimTypes.Role) &&
            c.Value.Equals("LeadDeveloper@http://gaviao/demo.mip/issue.aspx")))
    {
        incomingPrincipal.Identities[0].Claims.Add(
            new Claim(ClaimTypes.Role, "IssueMgr"));
    }
    return incomingPrincipal;
}

Page 24

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out; uses the Token Resolver and the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out) → Claims Authorization Manager (AuthorizationContext in, boolean out)

Example claims authorization manager:

public override bool CheckAccess(AuthorizationContext context)
{
    var resource = new Uri(context.Resource.First().Value);
    if (resource.AbsolutePath.Equals("/demo.rp/issues.aspx"))
    {
        return context.Principal.Identities[0].Claims.Any(c =>
            c.ClaimType.Equals(ClaimTypes.Role) && c.Value.Equals("IssueMgr"));
    }
    return true;
}

Explicit permission demand:

[ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Get", Resource = "ViewIssues")]
private void ViewIssues()
{
    …
}
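As an added example (not from the presentation or the demo projects), here is a stricter ClaimsAuthenticationManager in C# (WIF 1.0, Microsoft.IdentityModel) for the same LeadDeveloper → IssueMgr mapping. It honours role claims only when their Issuer is the name the issuer name registry assigned to the ADFS signing certificate, and it records application roles under a separate claim type so that a role claim arriving in a token can never be mistaken for one the application derived itself. The class name, the application role claim type URI, the Developer role value and the IssueTracker issuer label are assumptions.

```csharp
// Added example (not from the presentation): ClaimsAuthenticationManager that
// maps issuer roles to application roles. Class name, AppRoleClaimType, the
// "Developer@..." value and the "IssueTracker" issuer label are assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

public class IssueTrackerAuthenticationManager : ClaimsAuthenticationManager
{
    // Issuer name that the issuerNameRegistry assigns to the ADFS signing certificate.
    private const string TrustedIssuer = "gaviao.adfs";

    // Application roles live under their own claim type (assumed URI), so they
    // cannot collide with the role claims sent by the identity provider.
    public const string AppRoleClaimType = "http://schemas.example.invalid/issuetracker/role";

    // External mapping: issuer role value -> application roles.
    private static readonly IDictionary<string, string[]> RoleMap =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "LeadDeveloper@http://gaviao/demo.mip/issue.aspx", new[] { "IssueMgr", "IssueView" } },
            { "Developer@http://gaviao/demo.mip/issue.aspx",     new[] { "IssueView" } },  // assumed value
        };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests (no token yet) pass through unchanged.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        IClaimsIdentity identity = incomingPrincipal.Identities[0];

        // Strip any application-role claim that arrived on the wire: only this
        // manager is allowed to assert application roles.
        foreach (Claim stray in identity.Claims.Where(c => c.ClaimType == AppRoleClaimType).ToList())
        {
            identity.Claims.Remove(stray);
        }

        // Map issuer roles, but only those vouched for by the trusted issuer.
        IEnumerable<string> issuerRoles = identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.Role && c.Issuer == TrustedIssuer)
            .Select(c => c.Value);

        IEnumerable<string> appRoles = issuerRoles
            .Where(RoleMap.ContainsKey)
            .SelectMany(r => RoleMap[r])
            .Distinct();

        foreach (string appRole in appRoles)
        {
            // The derived claim names this application as its issuer, which
            // keeps the provenance visible when claims are later inspected or logged.
            identity.Claims.Add(new Claim(AppRoleClaimType, appRole, ClaimValueTypes.String, "IssueTracker"));
        }

        return incomingPrincipal;
    }
}
```

The manager is registered under <service> as <claimsAuthenticationManager type="IssueTrackerAuthenticationManager, AssemblyName" /> (assembly name assumed). An authorization manager that consults application roles should then look for AppRoleClaimType, not ClaimTypes.Role.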

Page 25

WIF Consumer Pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out; uses the Token Resolver and the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out) → Claims Authorization Manager (ClaimsPrincipal in, boolean out)

Page 26

WIF Consumer Pipeline (ASP.NET)

Diagram: ASP.NET host → Host Adaptation Layer → Token Handler (serialized token in, claims identities out; uses the Token Resolver and the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out) → Claims Authorization Manager (ClaimsPrincipal in, boolean out). The ASP.NET Host Adaptation Layer is made of HTTP modules: WSFederationPassiveAuthenticationModule, SessionAuthenticationModule, ClaimsPrincipalHttpModule and ClaimsAuthorizationModule.

<federatedAuthentication>
  <cookieHandler requireSsl="true" />
  <wsFederation issuer="https://gaviao/adfs/ls/"
                realm="http://gaviao/Demo.RP/default.aspx"
                requireHttps="true" />
</federatedAuthentication>

Page 27

ASP.NET Integration

• Using a legacy authentication mechanism
  • e.g. Forms authentication

Diagram: request pipeline events AuthenticateRequest, PostAuthenticateRequest, AuthorizeRequest and EndRequest, with the modules that hook into them: any authentication module, SessionAuthenticationModule, ClaimsPrincipalHttpModule and ClaimsAuthorizationModule

Page 28

ASP.NET Integration

• Using federated authentication
  • WS-Federation

Diagram: request pipeline events AuthenticateRequest, PostAuthenticateRequest, AuthorizeRequest and EndRequest, with the modules that hook into them: WSFedAuthenticationModule, SessionAuthenticationModule and ClaimsAuthorizationModule

Page 29

WS-Federation Authn Module (FAM)

Sequence diagram (browser, RP, IdP):
1. HTTP request to the RP; FAM Authenticate finds no token (?Authenticate) and the request fails authorization (?Authorize)
2. FAM EndRequest answers with an HTTP redirect with a fed. request message
3. HTTP request with the fed. request message reaches the IdP
4. The IdP answers with an HTTP redirect with a fed. response message carrying the Security Token
5. HTTP request with the fed. response message reaches the RP; FAM Authenticate hands the Security Token to the Security Token Handler and the request proceeds to ?Authorize

Page 30

Module Pipeline Events

• WSFederationAuthenticationModule
  • OnAuthorizationFailed
  • RedirectingToIdentityProvider
  • SecurityTokenReceived
  • SecurityTokenValidated
  • …
• SessionAuthenticationModule
  • SessionSecurityTokenCreated
  • SessionSecurityTokenReceived
  • …
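Added example, not from the presentation or the demo: a Global.asax.cs for a relying party on WIF 1.0 (Microsoft.IdentityModel.Web) that handles four of the events listed above. The handlers pin the wreply of the outgoing sign-in request to the application's own realm, apply an application-level acceptance rule after the token handler has validated the token, keep the session cookie non-persistent, and stop an authorization failure of an already signed-in user from redirecting the browser back to the identity provider. ASP.NET wires ModuleName_EventName methods automatically; the module name WSFederationAuthenticationModule, the required claim type and the realm value are assumptions about this application's web.config.

```csharp
// Added example (not from the presentation): Global.asax.cs event handlers for
// the WS-Federation authentication module. Realm and RequiredClaim are assumed;
// the "WSFederationAuthenticationModule_" prefix assumes the module is
// registered under that name in web.config.
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // Same value as the <wsFederation realm="..."/> attribute of the relying party.
    private const string Realm = "http://gaviao/Demo.RP/default.aspx";

    // Assumed rule: every accepted token must carry a non-empty name claim.
    private const string RequiredClaim = ClaimTypes.Name;

    // Sign-in request about to leave: pin wreply so the identity provider only
    // ever posts the token back to this application.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        e.SignInRequestMessage.Reply = Realm;
    }

    // Signature, issuer, audience and lifetime have already been checked by
    // the token handler; add the application's own acceptance rule on top.
    void WSFederationAuthenticationModule_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
    {
        IClaimsPrincipal principal = e.ClaimsPrincipal;
        bool hasRequiredClaim = principal.Identities.Any(id =>
            id.Claims.Any(c => c.ClaimType == RequiredClaim && !string.IsNullOrEmpty(c.Value)));

        if (!hasRequiredClaim)
        {
            // Failing here aborts the sign-in; no session cookie is written.
            throw new SecurityTokenValidationException(
                "Token validated by the handler but missing the required claim " + RequiredClaim);
        }
    }

    // Session cookie being created from the validated token: never persist it
    // across browser sessions, whatever persistentCookiesOnPassiveRedirects says.
    void WSFederationAuthenticationModule_SessionSecurityTokenCreated(object sender, SessionSecurityTokenCreatedEventArgs e)
    {
        e.SessionToken.IsPersistent = false;
    }

    // A 401 for a user who is already signed in is an authorization problem,
    // not an authentication one: surface it instead of redirecting to the
    // identity provider again (which would loop).
    void WSFederationAuthenticationModule_AuthorizationFailed(object sender, AuthorizationFailedEventArgs e)
    {
        if (Context.User != null && Context.User.Identity.IsAuthenticated)
        {
            e.RedirectToIdentityProvider = false;
        }
    }
}
```

The SessionSecurityTokenCreated handler is placed on the federation module because that module raises it when it creates the session from the validated token; the session module's own SessionSecurityTokenReceived event is the place for checks on later requests.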

Page 31

Controls

• FederatedPassiveSignIn
• FederatedPassiveSignInStatus

Page 32

WCF Integration

• WCF already supported federation and claims
  • System.IdentityModel.dll
  • e.g. WS2007FederationHttpBinding binding, Claims class
• WIF
  • Builds upon this previous support
  • Changes the token processing model
    • WCF and ASP.NET uniform model
  • Adds client-side features (e.g. explicit token requests)

Page 33

WCF Integration

• FederatedServiceCredentials
  • Derives from ServiceCredentials
  • Static method ConfigureServiceHost(ServiceHostBase) "installs" WIF (the Host Adaptation Layer)
• Overrides WCF behavior, namely
  • Configuration (e.g. username validation)
  • Authorization policies
  • Authentication manager

<extensions>
  <behaviorExtensions>
    <add name="federatedServiceHostConfiguration"
         type="…ConfigureServiceHostBehaviorExtensionElement, …" />
  </behaviorExtensions>
</extensions>

<behavior name="Demo.RP.statusBehavior">
  <federatedServiceHostConfiguration />
</behavior>

Page 34

WIF Consumer Pipeline (WCF)

Diagram: WCF host → Host Adaptation Layer → Token Handler (serialized token in, claims identities out; uses the Token Resolver and the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out) → Claims Authorization Manager (ClaimsPrincipal in, boolean out). The WCF Host Adaptation Layer is made of a ServiceAuthorizationManager and a SecurityTokenAuthenticator.

Page 35

Producer Model – host independence

Page 36

Producer Model – issue pipeline

Issue Pipeline: ValidateRequest → GetScope → CreateSecurityTokenDescriptor → GetSecurityTokenHandler → GetIssuerName → GetTokenLifetime → GetProofToken → GetOutputClaimsIdentity → CreateToken → GetDisplayToken → GetResponse

• GetScope
  • Creates the Scope
• Scope
  • Signing and encrypting credentials
  • Reply-to address
• GetOutputClaimsIdentity
  • Creates the issued claims identity
  • Defines the issued claims
• Other non-mandatory extensibility points
  • ValidateRequest, …
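Added example, not from the presentation or the Demo.MIP project: a SecurityTokenService subclass in C# (WIF 1.0, Microsoft.IdentityModel.SecurityTokenService) implementing the two mandatory extensibility points named above, GetScope and GetOutputClaimsIdentity. GetScope issues tokens only for relying parties in an explicit table and takes the reply-to address and the encryption certificate from that table rather than from the request; GetOutputClaimsIdentity copies the authenticated name and a role looked up on the issuer side. The class name, the relying-party table, LookupRoles and the role value returned for alice are assumptions.

```csharp
// Added example (not from the presentation): minimal SecurityTokenService
// for WIF 1.0. Class name, RelyingParties table and LookupRoles are assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class IssueTrackerSecurityTokenService : SecurityTokenService
{
    // Per relying party: where the token may be returned to, and which
    // certificate to encrypt it to (null = issue an unencrypted token).
    private class RelyingParty
    {
        public string ReplyTo;
        public X509Certificate2 EncryptionCertificate;
    }

    // Constructed table of the relying parties this STS serves (audience -> settings).
    private static readonly IDictionary<string, RelyingParty> RelyingParties =
        new Dictionary<string, RelyingParty>(StringComparer.OrdinalIgnoreCase)
        {
            {
                "http://gaviao/Demo.RP/default.aspx",
                new RelyingParty { ReplyTo = "http://gaviao/Demo.RP/default.aspx", EncryptionCertificate = null }
            },
        };

    public IssueTrackerSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    // Scope = audience (AppliesTo), signing credentials, optional encrypting
    // credentials and the address the token is returned to.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
        {
            throw new InvalidRequestException("The request must carry an AppliesTo (audience).");
        }

        string audience = request.AppliesTo.Uri.AbsoluteUri;
        RelyingParty rp;
        if (!RelyingParties.TryGetValue(audience, out rp))
        {
            // Refusing unknown audiences is what keeps a token minted for one
            // application from being obtained for presentation to another.
            throw new InvalidRequestException("Unknown relying party: " + audience);
        }

        // Sign with the certificate configured on the SecurityTokenServiceConfiguration.
        var scope = new Scope(audience, SecurityTokenServiceConfiguration.SigningCredentials);

        if (rp.EncryptionCertificate != null)
        {
            scope.EncryptingCredentials = new X509EncryptingCredentials(rp.EncryptionCertificate);
        }
        else
        {
            scope.TokenEncryptionRequired = false;
        }

        // The reply address comes from the table, not from the wreply/ReplyTo
        // value supplied by the requester.
        scope.ReplyToAddress = rp.ReplyTo;
        return scope;
    }

    // The claims placed in the issued token; 'principal' is the caller as
    // authenticated by the host (e.g. Forms authentication in ASP.NET).
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));

        // Roles are looked up on the issuer side, never copied from the request.
        foreach (string role in LookupRoles(principal.Identity.Name))
        {
            output.Claims.Add(new Claim(ClaimTypes.Role, role));
        }
        return output;
    }

    // Assumed stand-in for the issuer's role store (e.g. an ASP.NET RoleProvider).
    private static IEnumerable<string> LookupRoles(string userName)
    {
        return string.Equals(userName, "alice", StringComparison.OrdinalIgnoreCase)
            ? new[] { "LeadDeveloper@http://gaviao/demo.mip/issue.aspx" }
            : Enumerable.Empty<string>();
    }
}
```

The remaining pipeline steps (GetTokenLifetime, GetSecurityTokenHandler, CreateToken, …) keep their base-class behaviour, which is driven by the SecurityTokenServiceConfiguration passed to the constructor.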

Page 37

Producer Model – ASP.NET

protected void Page_Load(object sender, EventArgs e)
{
    FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
        Page.Request,
        Page.User,
        new SimpleSecurityTokenService(new SimpleSecurityTokenServiceConfiguration()),
        Page.Response);
}

Page 38

Producer Model – WCF

<%@ ServiceHost Language="C#" Debug="true"
    Factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory,…"
    Service="Demo.MIP.SimpleSecurityTokenServiceConfiguration" %>

<binding name="MessageIssueBinding">
  <security>
    <message clientCredentialType="UserName" … />
  </security>
</binding>

<services>
  <service behaviorConfiguration="…" name="Microsoft.IdentityModel….WSTrustServiceContract">
    <endpoint address="" … bindingConfiguration="MessageIssueBinding"
              contract="Microsoft.IdentityModel….IWSTrust13SyncContract" />
    …
  </service>
</services>

Page 39

Producer Model – WCF integration

Page 40

• Identity and Access Control Management
• Claims Model Relevance
• WIF
  • Class library for both identity providers and consumers
  • Multiple hosts: ASP.NET and WCF

} finally {

Page 41

Q & A


Page 45

ASP.NET integration

• ClaimsPrincipalHttpModule
  • Hooks on the PostAuthenticateRequest event
  • Translates, into the claims model, the authentication performed by another module
• ClaimsAuthorizationModule
  • Hooks on the AuthorizeRequest event
  • If the current user is authenticated, calls the authorization manager
    • Action = HTTP method, Resource = raw URL
  • If authorization is denied, completes the request with a 401 status code

Page 46

ASP.NET integration

• WSFederationAuthenticationModule
  • Hooks on the AuthenticateRequest event
    • If the request is a sign-in federation message, processes it
  • Hooks on the PostAuthenticateRequest event
    • Behavior similar to the ClaimsAuthorizationModule
  • Hooks on the EndRequest event
    • If the response status code is 401 and the request is not authenticated, redirects to the identity provider with a sign-in request message

Page 47

ASP.NET integration

• SessionAuthenticationModule
  • Hooks on the AuthenticateRequest event
  • Tries to read and validate the session token from a cookie
  • If successful, sets the current principal from the session token info
  • Uses a CookieHandler to read from and write to cookies

Page 48

Authorization Model - Enforcement

• Called automatically in the pipeline
  • ASP.NET – in an HTTP module (ClaimsAuthorizationModule)
  • WCF – in the service dispatcher
• Called explicitly via permission demand
  • Similar to PrincipalPermission and PrincipalPermissionAttribute
  • ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute

Page 49

WIF consumer pipeline

Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Handler (serialized token in, claims identities out; uses the Token Resolver and the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out) → Claims Authorization Manager (ClaimsPrincipal in, boolean out)

Page 50

A taxonomy of claims

• Primordial vs. Substantive claims
  • Primordial – proof (e.g. shared secret) presentable by only one subject
  • Substantive – produced by claims providers
• Claim types
  • Static – properties of the subject
    • National Identifier Number; Date-of-Birth
  • Derived – derived from other claims
    • Portuguese Citizen; Over-18
  • Membership – role or group membership, relation with another subject
    • Administrator; Lead Developer; Purchase Officer
  • Capability – authorization to do something
    • Can-emit-purchase-order; Can-admin-CI-server
  • Contextual – information about the context
    • Authentication method, location and time

Page 51

Security Token Analogies

• National Identity Card
  • Claims: Name, DoB, PoB, Address
  • Subject binding: picture and signature
  • Issuer binding: physical anti-tampering measures
  • Consumer binding: omni-directional identity
• Train Ticket
  • Claims: authorization to travel in a specific train/place
  • Subject binding: holder, claim
  • Issuer binding: physical anti-tampering measures, signature
  • Consumer binding: authorization details

Page 52

Authorization Model

• "Old" model (PrincipalPermission)
  • PrincipalPermission constructed with the required identity names and/or roles
  • Association between the permission and the users is hard-coded
• "New" model (ClaimsPrincipalPermission)
  • ClaimsPrincipalPermission constructed with the resource and action characterization
  • Association between the permission and the required identity is external
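Added example, not from the presentation or the demo: a ClaimsAuthorizationManager in C# (WIF 1.0, Microsoft.IdentityModel.Claims) that keeps the association between a (resource, action) pair and the required claim in a policy table outside the application code, which is the externalisation the "new" model above describes. The same manager answers both the automatic calls from ClaimsAuthorizationModule (Action = HTTP method, Resource = raw URL) and explicit ClaimsPrincipalPermission demands. The class name, the policy rows and the application role claim type URI are assumptions.

```csharp
// Added example (not from the presentation): policy-table driven
// ClaimsAuthorizationManager plus the two explicit demand forms. Class names,
// AppRoleClaimType and the policy rows are assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Permissions;
using Microsoft.IdentityModel.Claims;

public class IssueTrackerAuthorizationManager : ClaimsAuthorizationManager
{
    // Claim type under which the claims authentication manager records
    // application roles (assumed URI; deliberately not ClaimTypes.Role).
    private const string AppRoleClaimType = "http://schemas.example.invalid/issuetracker/role";

    // One policy row: which resources it covers, for which action, and the role needed.
    private class Rule
    {
        public Func<string, bool> ResourceMatches;
        public string Action;        // "*" matches any action
        public string RequiredRole;
    }

    // Constructed policy. Rows for pipeline calls use URL paths and HTTP
    // methods; rows for explicit demands use the logical resource names.
    private static readonly Rule[] Policy =
    {
        new Rule { ResourceMatches = r => PathOf(r) == "/demo.rp/issues.aspx", Action = "POST", RequiredRole = "IssueMgr" },
        new Rule { ResourceMatches = r => PathOf(r) == "/demo.rp/issues.aspx", Action = "GET",  RequiredRole = "IssueView" },
        new Rule { ResourceMatches = r => r == "ViewIssues",   Action = "Get", RequiredRole = "IssueView" },
        new Rule { ResourceMatches = r => r == "ManageIssues", Action = "*",   RequiredRole = "IssueMgr" },
    };

    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = context.Resource.First().Value;
        string action = context.Action.First().Value;

        List<Rule> applicable = Policy.Where(rule =>
            rule.ResourceMatches(resource) &&
            (rule.Action == "*" || string.Equals(rule.Action, action, StringComparison.OrdinalIgnoreCase))).ToList();

        // Resources the policy does not mention are open, as in the slide's
        // CheckAccess; for a closed application return false here instead.
        if (applicable.Count == 0)
        {
            return true;
        }

        // Every applicable row must be satisfied.
        return applicable.All(rule => HasAppRole(context.Principal, rule.RequiredRole));
    }

    private static bool HasAppRole(IClaimsPrincipal principal, string role)
    {
        return principal.Identities.Any(id =>
            id.Claims.Any(c => c.ClaimType == AppRoleClaimType && c.Value == role));
    }

    // Raw URLs arrive as absolute URIs; explicit demands arrive as plain names.
    private static string PathOf(string resource)
    {
        Uri uri;
        return Uri.TryCreate(resource, UriKind.Absolute, out uri)
            ? uri.AbsolutePath.ToLowerInvariant()
            : resource;
    }
}

// Explicit enforcement inside application code: both forms end up in CheckAccess above.
public class IssuePage
{
    [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Get", Resource = "ViewIssues")]
    public void ViewIssues()
    {
        // …
    }

    public void CloseIssue(int id)
    {
        // Imperative form; throws SecurityException when CheckAccess returns false.
        new ClaimsPrincipalPermission("ManageIssues", "Close").Demand();
        // …
    }
}
```

Because the roles and resources are only referenced by name in the protected code, changing who may close an issue is a change to the Policy table (or to whatever store it is loaded from), not to IssuePage.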