How to Tackle the Single Sign-On Challenge in 2012

Tackling the
Single Sign-On Challenge
Mihai Nadăș
Windows Azure MVP
Yonder CTO

@mihainadas
mihainadas.com

@ itcampro # itcamp12 Premium conference on Microsoft technologies

Private &
ITCamp 2012 sponsors Public Cloud


Private &
About myself Public Cloud

• mihainadas.com
• @mihainadas

• Passionate about technology, background in
the .NET World
• Windows Azure MVP

• Driving Yonder’s appetite for innovation


Private &
On security and the future Public Cloud

• As the world becomes more interconnected, security
becomes a more important topic

• Holland, 2012 – VCD’s SaaS solution exposed publically
information about its user’s medical history

We spend our time searching for security
and hate it when we get it.

-John Steinbeck


Private &
Passwords and implementations Public Cloud


Private &
OWASP’s Top 5 Public Cloud

1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session
Management
4. Insecure Direct Object References
5. Cross Site Request Forgery


Private &
Agenda Public Cloud

• Claims-Based Identity and Access Control

• The Single Sign-On Challenge and Benefits

• Windows Azure Access Control Service

• Q&A


The problem with Identity and Access Control in the Enterprise

ENOUGH TALKING,
LET’S DEMO!


Private &
What you’ll see? Public Cloud

• A fictious case study of an enterprise called
Adatum

• The whiteboard diagram showing the
situation of the auth/auth problem pre-
claims

• DEMO


Private &
Adatum Infrastructure Pre-Claims Public Cloud


The problem with Identity and Access Control in the Enterprise

DEMO


Private &
What’s the problem? Public Cloud

• Users of a-Expense need user/password

• The IT staff have to sync roles between
authentication systems

• a-Order can’t be accessed from the Internet

• No Single Sign-On aka „Credentials Hell”


Private &
What’s the problem? Public Cloud


Private &
Be the consultant and please Adatum! Public Cloud

• Adatum’s requirements
– Single Sign-On (SSO) Capabilities
– Enable Adatum employees to access corporate
applications from the Internet (no VPN)
– Plan for the future (cloud, new apps)

• What is your solution?


Private &
Introducing Claims-Based Identiy Public Cloud

• Control the digital experience based on
things that are said about one party by the
other

• A party can be – web site, web service,
person, government, organization


Private &
Claims are not new! Public Cloud

• Mainframes asked about user/password and passed
„claims” about them to applications
– uid, gid
– sudo su

• As systems became interconnected we needed ways
to identify parties across multiple computers

• Specialized services appeared
– NTML, Kerberos (Windows Integrated Authentication)
– Public Key Infrastructure (PKI)
– Security Assertion Markup Lanaguage (SAML)


Private &
The Claims-Based ID Framework Public Cloud

• Two major components
1. A single, general notion of claims
2. Concept of issuer / authority

• Terminology
1. Application (Relying Party, Service Provider)
2. User (Subject, Principal)
3. Issuer (Security Token Service, Identity Provider)
4. Rich Client (Active Client)
5. Browser (Passive Client)


Private &
Claim-Based ID in Real World Public Cloud

Traveler Check-In Counter Airport Agents

1 Show ID or Passport

Give Boarding Card 2

Show Boarding Card to Gain
3 Access


Private &
Claim-Based ID in Real World Public Cloud

Traveler Check-In Counter Airport Agents

User Issuer

Application

1 Show ID or Passport

Authentication
Credentials

Give Boarding Card 2

Claims
Authorization

Show Boarding Card to Gain
3 Access


Private &
What are the benefits? Public Cloud

• Simplified authentication logic

• Decoupled authentication from authorization

• Eliminate redundancy


Private &
Implementing Claims-Based Identity Public Cloud

• What you need?
– An App (Web Service, Web Site, Mobile App, etc.)
– An Issuer
– Claims-Based Identity Magic

• What are the steps?
1. Setup an Issuer
2. Configure the Issuer to know abou the App
3. Add logic to the App to support claims
4. Configure the App to trust the Issuer


Private &
Claims-Based Identity Lifecycle Public Cloud


Private &
What’s WIF? Public Cloud

• Windows Identity Foundation

• Framework for building identity-aware applications

• Provides APIs for building ASP.NET or WCF based
security token services

• Tools for building claims-aware and federation
capable applications

• Now part of .NET Framework 4.5


Solving Adatum’s problem using Claims-Based Identity

ENOUGH TALKING,
LET’S DEMO!


Private &
Adatum Infrastructure Post-Claims Public Cloud


Private &
Technologies at work Public Cloud

• Windows Identity Foundation

• Active Directory Federation Services


Solving Adatum’s problem using Claims-Based Identity

DEMO


Private &
What about Smart Clients? Public Cloud


Private &
Going beyond Identity Providers Public Cloud

• Welcome Federated Providers!
• Powerful way to provide SSO cross-domains


Private &
Adatum meets Litware Public Cloud


Windows Azure

ACCESS CONTROL SERVICE


Private &
Shortly Public Cloud

• A feature of Windows Azure Active Directory

• Outsourcing Authentication (no need to write
code)

• Works with .NET, PHP, Python, Java and Ruby

• Out-of-the-box support for a variety of identify
providers

• Integrates with on-premises Active Directory


Private &
Benefits Public Cloud

• Open industry standards
– Protocols: OAuth 2.0, WS-Trust, WS-Federation
– Token formats: SAML 1.1/2.0 and Simple Web
Token

• $1,99 / 100.000 transactions


Private &
Identity Providers Public Cloud

• Built-in support for
– Windows Live ID
– Facebook
– Google
– Yahoo!
– WS-Federation Identity Providers

• Programatic configuration for
– WS-Trust based (AD FS 2.0)
– OpenID based


Private &
Relying Party Applications Public Cloud

• An application that relies on claims

• Implements federated authentication using
ACS

• Trusts the ACS namespace

• Can be configured manually or
programatically through ACS Management
Service


Private &
ACS Architecture Public Cloud


Private &
ACS - Protocol Handling Public Cloud

• ACS does heavy lifting for handling protocols
– WS-Federation
– WS-Trust
– OpenID
– OAuth 2.0, OAuth WRAP
– Facebook Graph

• ACS issues normalized tokens
– SAML
– SWT


Windows Azure ACS

ENOUGH TALKING,
LET’S DEMO!


Private &
Goals Public Cloud

1. Configure your application to outsource authentication
to ACS

2. Configure ACS to include the identity providers you want
to leverage

3. Configure ACS to process incoming identities and add
new claims

4. Modify your application to consume claims from ACS
and drive authorization decisions

5. Customize the default authentication user experience
provided by ACS


Private &
Requirements Public Cloud

• Windows Vista SP2, Windows Server 2008
SP2, Windows Server 2008 R2, or Windows 7
(32-bits or 64-bits)
• Internet Information Services (IIS) 7.0
• .NET Framework 4
• Visual Studio 2010
• Windows Identity Foundation Runtime
• Windows Identity Foundation SDK


Windows Azure ACS

DEMO


Private &
Summary Public Cloud

• A feature of Windows Azure Active Directory

• Outsourcing Auth and Auth (no need to write code)

• Works with .NET, PHP, Python, Java and Ruby

• Out-of-the-box support for identify providers like
Windows Live ID, Google, Yahoo! and Facebook

• Integrates with on-premises Active Directory


Private &
References Public Cloud

• Windows Azure
Training Kit

• claimsid.codeplex.com


Private &
Check Out AzureWorks.ro Public Cloud

www.azureworks.ro

meetwindowsazure.com


Q&A


How to Tackle the Single Sign-On Challenge in 2012

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (13)

Andere mochten auch

Andere mochten auch (8)

Ähnlich wie How to Tackle the Single Sign-On Challenge in 2012

Ähnlich wie How to Tackle the Single Sign-On Challenge in 2012 (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

How to Tackle the Single Sign-On Challenge in 2012