Essential aspects of developing applications with Windows Identity Foundation

try {
• Motivation
• The claims-based model
• Windows Identity Foundation
  • Identity and claims representation
  • Consumption pipeline
  • ASP.NET and WCF integration
  • Issuance pipeline

Slide 4: Motivation
[Diagram: CloudTrack issue tracker; users view/manage issues and create/view issues]

Slide 5: Identity and Authorization
[Diagram: credentials; Contoso::Alice; Contoso::LeadDev; webapp::IssueMgr; webapp::IssueView]

Slide 6: Centralized Solution
[Diagram: webapp (IssueTracker) with a Membership Provider (credentials, Contoso::Alice) and a Role Provider (Contoso::LeadDev, webapp::IssueMgr, webapp::IssueView); authorization via IPrincipal.IsInRole(...)]

Slide 7: Decentralized Authority
[Diagram: as slide 6, but Contoso::Alice and Contoso::LeadDev are established by an external Contoso Authority, while webapp::IssueMgr and webapp::IssueView stay in the webapp (IssueTracker)]

Slide 8: The Claims Model
[Diagram: Contoso, the Identity Provider (Issuer), issues a Security Token carrying claims (Contoso::Alice, Contoso::LeadDev) to the webapp, the Identity Consumer (Relying Party), which accepts it and maps the claims to webapp::IssueMgr and webapp::IssueView]

Slide 9: The Claims Model
• A Provider issues an Identity, i.e. {Claims} about a Subject, carried in Security Tokens
• A Consumer uses them; a Consumer/Provider can in turn issue to a further Consumer

Slide 10: Demo
[Diagram: Membership Provider and Role Provider behind the Identity Provider (ASP.NET Demo.MIP, WIF, username+password); Identity Transformer (ADFS); Identity Consumer (ASP.NET Demo.RP, WIF)]

Slide 11: Not only for Federation
[Diagram: AD; webapp 1 with smart card or username+password; webapp 2 with Windows authentication]

Slide 12: Not only for Federation
[Diagram: as slide 11, plus an IdP serving an external app/service and a Partner]

Slide 13: Protocols
• Web applications: passive protocol, WS-Federation
  [Diagram: Browser, webapp (WIF) and IdP (WIF); steps 1 to 4; the token (tk) is relayed through the browser]
• Services: active protocol, WS-Trust
  [Diagram: Active client (WIF), IdP (WIF) and service (WIF); steps 1 to 3; the client obtains the token (tk) and presents it to the service]

Slide 14: SAML Tokens
• Security Assertion Markup Language
• Signed by provider (issuer)
• (Optionally) encrypted to consumer
• Subject confirmation
  • Bearer (passive protocols)
  • Holder-of-Key (active protocols)
• Certificate configuration
• Audience restrictions (avoid reuse at another consumer)
• Statements (claims)
  • Authentication, Authorization and Attributes

Slide 15: Federation Metadata
• Purpose: automatic configuration
• Published by both consumers and providers
• Signed XML documents containing
  • Endpoint addresses
  • Claims and token types required and offered
  • Certificates
  • …

Slide 16: Windows Identity Foundation
• Contents
  • .NET class library (Microsoft.IdentityModel.dll)
  • Visual Studio add-ins
• Purpose
  • Identity consumers: unified model for both ASP.NET and WCF
  • Identity providers
  • Client helpers: client channels for WCF

Slide 17: WIF Essentials
• Class model for identity representation
• Claims consumption pipeline
  • Token validation
  • Identity transformation
  • Authorization decisions
• Claims issuance pipeline

Slide 18: Claims Class Model
[Diagram: class model]

Slide 19: WIF Consumer Pipeline
[Diagram: Host Adaptation Layer between WIF and the Host (e.g. ASP.NET, WCF)]

Slide 20: WIF Consumer Pipeline
[Diagram: Token Resolver (token reference to token); Token Handler (serialized token to claims identities); Host Adaptation Layer; Host (e.g. ASP.NET, WCF)]

Slide 21: WIF Consumer Pipeline
Token handlers are configured in the <microsoft.identityModel> section:

    <microsoft.identityModel>
      <service>
        <securityTokenHandlers>
          <remove type="…" />
          <add type="…" />
        </securityTokenHandlers>
      </service>
    </microsoft.identityModel>

Slide 22: WIF Consumer Pipeline
[Diagram: adds the Issuer Name Registry (issuer token to issuer name), used by the Token Handler]

Slide 23: WIF Consumer Pipeline
Issuer name registry configuration (thumbprints abbreviated on the slide):

    <issuerNameRegistry type="…ConfigurationBasedIssuerNameRegistry…">
      <trustedIssuers>
        <add name="gaviao" thumbprint="a1…74"/>
        <add name="gaviao.adfs" thumbprint="72…8e"/>
      </trustedIssuers>
    </issuerNameRegistry>

Slide 24: WIF Consumer Pipeline
[Diagram: adds the Claims Authentication Manager (claims identities to claims principal)]
Identity transformation in a ClaimsAuthenticationManager:

    public override IClaimsPrincipal Authenticate(
        string endpointUri, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal.Identities[0].Claims.Any(c =>
            c.ClaimType.Equals(ClaimTypes.Role) &&
            c.Value.Equals("LeadDeveloper@http://gaviao/demo.mip/issue.aspx")))
        {
            incomingPrincipal.Identities[0].Claims.Add(
                new Claim(ClaimTypes.Role, "IssueMgr"));
        }
        return incomingPrincipal;
    }

Slide 25: WIF Consumer Pipeline
[Diagram: adds the Claims Authorization Manager (claims principal and authorization context to boolean)]
Authorization decision in a ClaimsAuthorizationManager, and the equivalent explicit demand:

    public override bool CheckAccess(AuthorizationContext context)
    {
        var resource = new Uri(context.Resource.First().Value);
        if (resource.AbsolutePath.Equals("/demo.rp/issues.aspx"))
        {
            return context.Principal.Identities[0].Claims.Any(c =>
                c.ClaimType.Equals(ClaimTypes.Role) &&
                c.Value.Equals("IssueMgr"));
        }
        return true;
    }

    [ClaimsPrincipalPermission(SecurityAction.Demand,
        Operation = "Get", Resource = "ViewIssues")]
    private void ViewIssues() { … }

Slide 26: WIF Consumer Pipeline
[Diagram: complete pipeline: Token Resolver, Token Handler with Issuer Name Registry, Claims Identities, Claims Authentication Manager, Claims Principal, Claims Authorization Manager, boolean; Host Adaptation Layer; Host (e.g. ASP.NET, WCF)]

Slide 27: WIF Consumer Pipeline (ASP.NET)
[Diagram: the ASP.NET host adaptation layer consists of the WSFederationAuthenticationModule, SessionAuthenticationModule, ClaimsPrincipalHttpModule and ClaimsAuthorizationModule]

    <federatedAuthentication>
      <cookieHandler requireSsl="true" />
      <wsFederation issuer="https://gaviao/adfs/ls/"
                    realm="http://gaviao/Demo.RP/default.aspx"
                    requireHttps="true" />
    </federatedAuthentication>

Slide 28: ASP.NET Integration
• Using a legacy authentication mechanism, e.g. Forms authentication
[Diagram: pipeline events AuthenticateRequest, PostAuthenticateRequest, AuthorizeRequest and EndRequest with the modules hooked on them: any authentication module, ClaimsPrincipalHttpModule, ClaimsAuthorizationModule, SessionAuthenticationModule]

Slide 29: ASP.NET Integration
• Using federated authentication: WS-Federation
[Diagram: AuthenticateRequest: WSFederationAuthenticationModule and SessionAuthenticationModule; PostAuthenticateRequest: WSFederationAuthenticationModule; AuthorizeRequest: ClaimsAuthorizationModule; EndRequest: WSFederationAuthenticationModule and SessionAuthenticationModule]

Slide 30: WS-Federation Authentication Module (FAM)
[Diagram, three round trips:
1. Browser sends an HTTP request to the RP; the FAM finds no token (Authenticate?), authorization fails, and at EndRequest the RP answers with an HTTP redirect carrying the federation request message
2. Browser sends the federation request message to the IdP; the IdP authenticates the user and answers with an HTTP redirect carrying the federation response message with the Security Token
3. Browser sends the federation response message (Security Token) to the RP; the FAM authenticates it, the Authorize step runs, and the page Handler executes]

Slide 31: Module Pipeline Events
• WSFederationAuthenticationModule
  • OnAuthorizationFailed
  • RedirectingToIdentityProvider
  • SecurityTokenReceived
  • SecurityTokenValidated
  • …
• SessionAuthenticationModule
  • SessionSecurityTokenCreated
  • SessionSecurityTokenReceived
  • …

Slide 32: Controls
• FederatedPassiveSignIn
• FederatedPassiveSignInStatus

Slide 33: WCF Integration
• WCF already supported federation and claims
  • System.IdentityModel.dll
  • e.g. WS2007FederationHttpBinding binding, Claims class
• WIF
  • Builds upon this previous support
  • Changes the token processing model
  • WCF and ASP.NET uniform model
  • Adds client-side features (e.g. explicit token requests)

Slide 34: WCF Integration
• FederatedServiceCredentials
  • Derives from ServiceCredentials
  • Static method ConfigureServiceHost(ServiceHostBase) "installs" WIF (the Host Adaptation Layer)
  • Overrides WCF behavior, namely
    • Configuration (e.g. username validation)
    • Authorization policies
    • Authentication manager
Configuration: the behavior extension and the service behavior that applies it:

    <extensions>
      <behaviorExtensions>
        <add name="federatedServiceHostConfiguration"
             type="…ConfigureServiceHostBehaviorExtensionElement, …"/>
      </behaviorExtensions>
    </extensions>

    <behavior name="Demo.RP.statusBehavior">
      <federatedServiceHostConfiguration/>
    </behavior>

Slide 35: WIF Consumer Pipeline (WCF)
[Diagram: the WCF host adaptation layer consists of a SecurityTokenAuthenticator (token side) and a ServiceAuthorizationManager (authorization side) in front of the same Token Resolver, Token Handler, Issuer Name Registry, Claims Authentication Manager and Claims Authorization Manager pipeline]

Slide 36: Producer Model, host independence
[Diagram]

Slide 37: Producer Model, issue pipeline
• GetScope
  • Creates the Scope
  • Scope: signing and encrypting credentials, reply-to address
• GetOutputClaimsIdentity
  • Creates the issued claims identity
  • Defines the issued claims
• Other non-mandatory extensibility points
  • ValidateRequest, …
Issue pipeline: ValidateRequest, GetScope, CreateSecurityTokenDescriptor, GetSecurityTokenHandler, GetIssuerName, GetTokenLifetime, GetProofToken, GetOutputClaimsIdentity, CreateToken, GetDisplayToken, GetResponse

Slide 38: Producer Model, ASP.NET

    protected void Page_Load(object sender, EventArgs e)
    {
        FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
            Page.Request,
            Page.User,
            new SimpleSecurityTokenService(
                new SimpleSecurityTokenServiceConfiguration()),
            Page.Response);
    }

Slide 39: Producer Model, WCF

    <%@ ServiceHost Language="C#" Debug="true"
        Factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory,…"
        Service="Demo.MIP.SimpleSecurityTokenServiceConfiguration" %>

    <binding name="MessageIssueBinding">
      <security>
        <message clientCredentialType="UserName" …/>
      </security>
    </binding>

    <services>
      <service behaviorConfiguration="…"
               name="Microsoft.IdentityModel….WSTrustServiceContract">
        <endpoint address="" …
                  bindingConfiguration="MessageIssueBinding"
                  contract="Microsoft.IdentityModel….IWSTrust13SyncContract" />
        …
      </service>
    </services>

Slide 40: Producer Model, WCF integration
[Diagram]

} finally {
• Identity and access control management
• Claims model relevance
• WIF
  • Class library for both identity providers and consumers
  • Multiple hosts: ASP.NET and WCF

Slide 42: Q&A

Slide 43: Your opinion matters! Please complete the evaluation questionnaire and hand it in on your way out.

Slide 46: ASP.NET integration
• ClaimsPrincipalHttpModule
  • Hooks on the PostAuthenticateRequest event
  • Translates, into the claims model, the authentication performed by another module
• ClaimsAuthorizationModule
  • Hooks on the AuthorizeRequest event
  • If the current user is authenticated, calls the authorization manager
    • Action = HTTP method, Resource = raw URL
  • If authorization is denied, completes the request with a 401 status code

Slide 47: ASP.NET integration
• WSFederationAuthenticationModule
  • Hooks on AuthenticateRequest
    • If the request is a sign-in federation message, processes it
  • Hooks on PostAuthenticateRequest
    • Behavior similar to the ClaimsAuthorizationModule
  • Hooks on EndRequest
    • If the response status code is 401 and the request is not authenticated, redirects to the identity provider with a sign-in request message

Slide 48: ASP.NET integration
• SessionAuthenticationModule
  • Hooks on the AuthenticateRequest event
  • Tries to read and validate the session token from a cookie
  • If successful, sets the current principal from the session token contents
  • Uses a CookieHandler to read and write cookies

Slide 49: Authorization Model, Enforcement
• Called automatically in the pipeline
  • ASP.NET: in an HTTP module (ClaimsAuthorizationModule)
  • WCF: in the service dispatcher
• Called explicitly via permission demand
  • Similar to PrincipalPermission and PrincipalPermissionAttribute
  • ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute

Slide 50: WIF consumer pipeline
[Diagram: same complete pipeline as slide 26: Token Resolver, Token Handler with Issuer Name Registry, Claims Identities, Claims Authentication Manager, Claims Principal, Claims Authorization Manager, boolean; Host Adaptation Layer; Host (e.g. ASP.NET, WCF)]

Slide 51: A taxonomy of claims
• Primordial vs. Substantive claims
  • Primordial: proof (e.g. shared secret) presentable by only one subject
  • Substantive: produced by claims providers
• Claim types
  • Static: properties of the subject (e.g. National Identifier Number; Date-of-Birth)
  • Derived: derived from other claims (e.g. Portuguese Citizen; Over-18)
  • Membership: role or group membership, relation with another subject (e.g. Administrator; Lead Developer; Purchase Officer)
  • Capability: authorization to do something (e.g. Can-emit-purchase-order; Can-admin-CI-server)
  • Contextual: information about the context (e.g. authentication method, location and time)

Slide 52: Security Token Analogies
• National Identity Card
  • Claims: Name, DoB, PoB, Address
  • Subject binding: picture and signature
  • Issuer binding: physical anti-tampering measures
  • Consumer binding: omni-directional identity
• Train Ticket
  • Claims: authorization to travel in a specific train/place
  • Subject binding: holder, claim
  • Issuer binding: physical anti-tampering measures, signature
  • Consumer binding: authorization details

Slide 53: Authorization Model
• "Old" model (PrincipalPermission)
  • PrincipalPermission constructed with the required identity names and/or roles
  • Association between the permission and the users is hard-coded
• "New" model (ClaimsPrincipalPermission)
  • ClaimsPrincipalPermission constructed with the resource and action characterization
  • Association between the permission and the required identity is external
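The consumer-side managers from slides 24, 25 and 53, reworked as an added example (not code from the slides or the demo project): the role used for identity transformation is accepted only when the trusted ADFS issuer asserted it, and the authorization manager keeps its policy in one table that defaults to deny, so the same CheckAccess serves both the ClaimsAuthorizationModule (Resource = raw URL, Action = HTTP method) and the ClaimsPrincipalPermission demand. WIF 1.0 is assumed; the Demo.RP paths, the "gaviao.adfs" issuer name and the role values come from the slides, the policy entries are constructed.

```csharp
// Added example, not from the slides: issuer-aware identity transformation and a default-deny
// authorization manager for Demo.RP (WIF 1.0). Paths, issuer name and roles come from the slides.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

public class DemoAuthenticationManager : ClaimsAuthenticationManager
{
    const string TrustedIssuer = "gaviao.adfs"; // name from the issuerNameRegistry (slide 23)
    const string LeadDevRole = "LeadDeveloper@http://gaviao/demo.mip/issue.aspx";

    public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incoming)
    {
        if (incoming == null || !incoming.Identity.IsAuthenticated)
            return incoming; // nothing to transform; CheckAccess decides what anonymous users get
        IClaimsIdentity id = incoming.Identities[0];
        // The token handler sets Claim.Issuer from the registry name, so a role asserted by any
        // token other than the trusted ADFS instance's does not grant IssueMgr.
        bool isLeadDev = id.Claims.Any(c => c.ClaimType == ClaimTypes.Role &&
                                        c.Value == LeadDevRole && c.Issuer == TrustedIssuer);
        if (isLeadDev)
            id.Claims.Add(new Claim(ClaimTypes.Role, "IssueMgr", ClaimValueTypes.String, "Demo.RP"));
        return incoming;
    }
}

public class DemoAuthorizationManager : ClaimsAuthorizationManager
{
    // Policy kept outside page code: "resource|action" -> roles allowed. Unlisted means denied.
    static readonly Dictionary<string, string[]> Policy =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
    {
        { "/demo.rp/issues.aspx|GET",  new[] { "IssueView", "IssueMgr" } },
        { "/demo.rp/issues.aspx|POST", new[] { "IssueMgr" } },
        { "ViewIssues|GET",            new[] { "IssueView", "IssueMgr" } }, // demand on slide 25
    };

    public override bool CheckAccess(AuthorizationContext context)
    {
        string res = context.Resource.First().Value;
        Uri uri; // raw URL from the module: keep the path only; a demand passes a plain name
        string path = Uri.TryCreate(res, UriKind.Absolute, out uri) ? uri.AbsolutePath : res;
        string key = path + "|" + context.Action.First().Value.ToUpperInvariant();
        string[] allowed;
        if (!Policy.TryGetValue(key, out allowed))
            return false; // default deny instead of a "return true" fall-through
        return context.Principal.Identities[0].Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role && allowed.Contains(c.Value));
    }
}
```

Both classes are registered under <microsoft.identityModel><service> with the claimsAuthenticationManager and claimsAuthorizationManager elements, replacing the defaults.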
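The issuance side (slide 37's GetScope and GetOutputClaimsIdentity), as an added example that is not code from the slides or the demo project, simplified to a single hop in which the Demo.MIP issuer hands tokens straight to Demo.RP: tokens are issued only to allowlisted relying parties, are encrypted to that party's certificate, use a reply-to address fixed per party rather than taken from the request, and carry only the name and the roles the party uses. WIF 1.0 is assumed; the realm and role names come from the slides, the certificate path is a placeholder.

```csharp
// Added example, not from the slides: a WIF 1.0 SecurityTokenService for the Demo.MIP issuer
// that issues only to allowlisted relying parties and emits only the claims they need.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class DemoSecurityTokenService : SecurityTokenService
{
    // Relying-party allowlist: AppliesTo -> certificate the token is encrypted to.
    // The realm is Demo.RP's from slide 27; the certificate path is a PLACEHOLDER, in a
    // deployment it would come from the RP's federation metadata (slide 15).
    static readonly Dictionary<string, X509Certificate2> RelyingParties =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
    {
        { "http://gaviao/Demo.RP/default.aspx", new X509Certificate2(@"C:\PLACEHOLDER\demo.rp.cer") },
    };

    public DemoSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");
        string rp = request.AppliesTo.Uri.AbsoluteUri;
        X509Certificate2 rpCert;
        if (!RelyingParties.TryGetValue(rp, out rpCert)) // unknown audience: refuse to issue
            throw new InvalidRequestException("Unknown relying party: " + rp);
        var scope = new Scope(rp, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.EncryptingCredentials = new X509EncryptingCredentials(rpCert); // readable by this RP only
        scope.TokenEncryptionRequired = true;
        scope.ReplyToAddress = rp; // fixed per RP, never copied from the request
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Minimal disclosure: name plus the roles Demo.RP uses (slide 5), nothing else.
        var output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        foreach (string role in new[] { "IssueMgr", "IssueView" })
            if (principal.IsInRole(role))
                output.Claims.Add(new Claim(ClaimTypes.Role, role));
        return output;
    }
}
```

The class plugs into the slide 38 Page_Load in place of SimpleSecurityTokenService, or is named by the configuration class that the slide 39 ServiceHost directive references.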