This document discusses identity federation and claims-based authentication. It explains that identity federation allows decoupling authentication from applications/services and enables single sign-on. Claims contain information about a subject issued by an identity provider. Security token services issue and sign tokens containing claims. Common token types are SAML, JWT, and SWT. Claims-based identity provides applications with any user information needed from the identity provider via claims in tokens.
2. About Me
Software Dev Staff Engineer @ Dell @ RD
Working on Identity Management Applications
Blog: http://volkanuzun.com/blog
Twitter: @volkanuzun
Email: volkan.uzun@gmail.com
4. Why Identity Federation?
• Decouple authentication mechanism from applications and services
• Go claims-based
• Reduce IT pain and risk related to provisioning and de-provisioning users
• Extend trust to users across domain, corporate and Internet boundaries
• Support Single Sign-On (SSO)
5. Decouple Authentication
• Windows/Kerberos
• Forms authentication
• HTTP basic authentication
• SSL Certificates
• WS-Fed
• WS-Trust
• SAML
• OAuth (authorization, people use it wrong!)
• OpenID (authentication)
6. Claims
Any information about a subject from a provider.
Identity providers typically issue claims based on the user’s identity.
8. Token
• Contains the claims
• The signature
• Information about the issuer
• May be encrypted
• In XML format
• Has an expiration date
• SAML 1.1/2.0, Simple Web Token, JSON Web Token
9. Token Types
• SAML: XML based, encryption and signature with asymmetric or symmetric keys; needs more processing power
• Simple Web Token (SWT): URL/Form encoded, symmetric signature only
• JSON Web Token (JWT): the new cool guy, symmetric or asymmetric, JSON encoded
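As an added example (not from the slides, and not the code of the presenter, Quest, or any token library), the Python below mints and validates a JWT signed with a shared symmetric key (HS256), the case closest to an SWT, so that the token slide's parts are visible in one place: claims, issuer, expiry and signature. The key, issuer and audience values are constructed for the example. The relying-party side checks the signature before reading any claim, pins the algorithm rather than trusting the token's `alg` header, and only then checks issuer, audience and expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example. The symmetric key is what an SWT, or a JWT
# using HS256, is signed with; the STS and the relying party share it out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://sts.example.test"      # assumed identifier of the STS
AUDIENCE = "https://rp.example.test"     # assumed identifier of the relying party


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SHARED_KEY, lifetime: int = 300, now: int = None) -> str:
    """STS side: wrap the claims in a payload carrying issuer, audience and expiry,
    then sign header.payload with HMAC-SHA256 (JWT compact serialization)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + lifetime, **claims}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


class TokenError(Exception):
    """Raised for any reason the relying party must not accept the token."""


def validate_token(token: str, key: bytes = SHARED_KEY, now: int = None) -> dict:
    """Relying-party side: verify the signature before trusting any claim, then
    check issuer, audience and expiry. Returns the claims only if everything passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # the verifier fixes the algorithm; the token does not choose it
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("token issued for a different application")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


if __name__ == "__main__":
    token = issue_token({"name": "alice", "role": ["user"]})
    print(validate_token(token))
```

Because the signature covers the encoded header and payload exactly as transmitted, any change to a claim, or a token signed under a different key, fails at the signature step before the application ever reads the claims; the expiry check then limits how long a captured token stays usable.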
10. Claims-based Identity Pros
Before claims-based:
• App authenticates the user itself or relies on a 3rd party such as AD to authenticate
• App gets only simple information from the user, such as the user name
After claims-based:
• Authentication is outsourced to the STS
• App gets any information it needs
11. STS
• Security Token Service
• Claims are issued by a provider (STS)
• A security token service (STS) is the service component that builds, signs, and issues security tokens
• Client applications trust the STS
• The basic flow is: client requests token, issuer issues token, resource consumes the token
12. Passive Federation
[Diagram: passive federation sign-in flow. Participants: User (subject), Browser (requestor), Web Site (RP) in the RP Domain, and the Quest STS (IdP) with its Login Page in the IdP Domain. Labelled steps: 2 SignIn; 3 and 4 Login Page / POST Credentials; 5 Authenticate / Issue Token; 6 POST SignIn Response; 7 Authorize Access.]
14. Certificate
• Token is signed with a certificate
• Same cert may be used for encrypting the message
• Same cert may be used for cookie encryption
• Cert type
15. .NET help me please
RBAC (since 2002): IIdentity, IPrincipal
IIdentity: IsAuthenticated; AuthenticationType; Name
IPrincipal: IIdentity; IsInRole(string roleName);
Thread.CurrentPrincipal
20. SSO
• Client applications are responsible for authorization (cookie)
• STS is responsible for user authentication (cookie)
• STS can generate the session token from the cookie
• STS can reissue the session token from the cookie
21. Log Out
• More difficult than login
• STS has to delete its own cookie
• Each client application must be notified of a logout
22. Partner Federation
• Your STS acts as a client application for another STS
• When your STS doesn’t have the user identity
• Client application still trusts only your STS
• Your STS does claims transformation
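The claims transformation step is where the partner federation slide and the .NET RBAC slide meet: your STS receives the partner's claims, decides which of them become local claims under your own issuer name, and the client application's `IsInRole` check then works off the resulting role claims. The following Python is an added example (not the presenter's, Quest's, or any framework's code) of a per-partner rule set; the partner and STS identifiers, claim types and group-to-role table are constructed for the example. Partner-asserted role claims are deliberately not passed through: only your own mapping decides which roles a partner user gets in your applications.

```python
from dataclasses import dataclass

LOCAL_STS = "https://sts.example.test"   # assumed identifier of your own STS


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


# Constructed per-partner rules. Only listed partner STSs are trusted, only the
# listed claim types pass through, and partner group names map to local roles.
PARTNER_RULES = {
    "https://sts.partner.test": {
        "passthrough": {"email", "name"},
        "group_to_role": {"CN=Contractors": "Contractor", "CN=Auditors": "Auditor"},
    },
}


def transform_claims(incoming, partner_issuer):
    """Your STS side: turn a validated partner token's claims into the claims your
    own token will carry. Everything not covered by a rule is dropped."""
    rules = PARTNER_RULES.get(partner_issuer)
    if rules is None:
        raise ValueError(f"untrusted partner STS: {partner_issuer}")
    out = []
    for c in incoming:
        if c.issuer != partner_issuer:
            continue  # ignore claims not asserted by the partner STS whose token we validated
        if c.type in rules["passthrough"]:
            out.append(Claim(c.type, c.value, LOCAL_STS))
        elif c.type == "group":
            role = rules["group_to_role"].get(c.value)
            if role is not None:
                out.append(Claim("role", role, LOCAL_STS))
        # anything else, including a partner-asserted "role" claim, is dropped
    # Record where the identity originally came from so applications (and logs) can tell
    out.append(Claim("authenticating_authority", partner_issuer, LOCAL_STS))
    return out


def is_in_role(claims, role_name):
    """What IPrincipal.IsInRole boils down to in a claims-based app: does the token
    carry a role claim with this value, issued by the STS the app trusts?"""
    return any(c.type == "role" and c.value == role_name and c.issuer == LOCAL_STS for c in claims)


if __name__ == "__main__":
    partner = "https://sts.partner.test"
    sample = [  # constructed claims as they might arrive from the partner STS
        Claim("email", "bob@partner.test", partner),
        Claim("group", "CN=Contractors", partner),
        Claim("role", "Admin", partner),
    ]
    for claim in transform_claims(sample, partner):
        print(claim)
```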
24. Warnings
• Caching SessionSecurityToken
• Cookie size may be an issue (even with chunking)
• Infinite loops (cookie issue)
• Load balancer issue (cookie issue)
• Use SSL
• QueryString length may be an issue
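The cookie-size, infinite-loop and load-balancer warnings are connected: a session token that does not fit in one cookie gets chunked, and if any chunk is missing on the next request (a browser dropping an oversized cookie, or a second server behind the load balancer that cannot decrypt it) the application sees no valid session and redirects to the STS, which still has its own cookie and silently reissues, round and round. The Python below is an added example (not the presenter's, Quest's, or any framework's code) of chunking a session cookie with explicit limits and of reassembling it so that an incomplete set fails loudly instead of looping. The cookie name and the byte limits are assumptions; browsers differ, so treat the constants as a budget to tune, not as a standard.

```python
MAX_COOKIE_BYTES = 4000   # assumed per-cookie budget; most browsers cap a cookie around 4 KB
MAX_CHUNKS = 10           # assumed cap so the total stays well under per-domain cookie limits


def chunk_session_cookie(name: str, token: str) -> dict:
    """Split a serialized session token across numbered cookies (name, name1, name2, ...).
    The first cookie carries the chunk count so a missing chunk can be detected.
    Raises ValueError instead of emitting a cookie set the browser would drop."""
    # room for "name=" plus an index suffix and the "N|" count prefix on the first cookie
    value_budget = MAX_COOKIE_BYTES - len(name) - 8
    chunks = [token[i:i + value_budget] for i in range(0, len(token), value_budget)] or [""]
    if len(chunks) > MAX_CHUNKS:
        raise ValueError(f"session token needs {len(chunks)} cookies; too large to store client-side")
    cookies = {name: f"{len(chunks)}|{chunks[0]}"}
    for i, chunk in enumerate(chunks[1:], start=1):
        cookies[f"{name}{i}"] = chunk
    return cookies


def reassemble_session_cookie(name: str, cookies: dict) -> str:
    """Reverse of chunk_session_cookie. A missing chunk is an error the application
    should treat as 'signed out' (clear the cookies) rather than bounce to the STS."""
    head = cookies.get(name)
    if head is None:
        raise KeyError("no session cookie present")
    count_text, sep, first = head.partition("|")
    if not sep or not count_text.isdigit():
        raise ValueError("session cookie header is malformed")
    count = int(count_text)
    parts = [first]
    for i in range(1, count):
        part = cookies.get(f"{name}{i}")
        if part is None:
            raise ValueError(f"session cookie chunk {i} of {count} missing")
        parts.append(part)
    return "".join(parts)


if __name__ == "__main__":
    # constructed: a 10 000-character serialized token under the assumed cookie name
    serialized = "a" * 10000
    jar = chunk_session_cookie("FedAuth", serialized)
    print(sorted(jar), reassemble_session_cookie("FedAuth", jar) == serialized)
```

The same checks give you a detection hook: a request that arrives with the first cookie but not all of its chunks is exactly the condition that produces the redirect loop, so logging that branch (and clearing the cookies in the response) makes the problem visible instead of letting it show up as a load balancer mystery.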
Editor's notes
World was small. Authentication was easy (or was it?). Apps have/had their own directories. There weren't many outsiders.
IIdentity => IsAuthenticated, Name; IPrincipal => IsInRole, IIdentity. WCF model is different???