An introduction to Identity with WIF & AD FS 2.0 About Todd Anderson Principal Consultant, CAthreads.net Expertise in WF 4, AppFabric & WIF Co-Developed AppFabric Training Kit for MS & ISV Starter Kit Email me: Todd@CAthreads.NET About Zoiner Tejada President TejadaNET Software Consultant Author, Trainer & Speaker Microsoft Influencer & CSD Advisor 10+ years experience Architecture SIG CS Degree Stanford University Email me: ZoinerTejada@TejadaNET.com Windows Identity Foundation This presentation will focus on how WIF: Can be used with websites as well as web services. Makes life much easier for the developer. Opens up possibilities that normally have been prohibitively complex. Now to introduce the participants of this presentation: The Ultimate Surfboard... The WIFboard WIF (Windows Identity Foundation)– It’s not just about Federation, it’s about outsourcing security decisions Designed to integrate with ASP.NET and WCF applications. The Surf Spot Relying Party (RP) Replying parties are your applications: Web Sites WIF is used with a passive client, the browser. Web Services WIF is used in an Active manner. The Kahuna STS / Identity Provider Kahuna is the Hawaiian term for Authority The same goes for a Security Token Service. A Security Token Service is an authority on providing identity for the relying party. An STS is generally a web service. The Surf Spot expects to know how to talk with the Kahuna. Various standards at play to achieve this. The Shaka Security Tokens Security Tokens contain claims. These claims are information the RP needs to know about the user. For permission to surf at the spot, the surfer must go to that spot’s Kahuna and ask for a shaka, then present this shaka to the surf spot. The Surfer (user) In order to have authorization to surf at a surf spot (RP), the surfer must get shakas from the Kahuna (STS) and present them. Some surf spots require a closer look at the shakas (security token claims) from the Kahuna. This surfer’s claim indicates he’s ridden ten foot barrels! He can surf here. The Surf Mobile FedUtil.exe FedUtil.exe is a configuration wizard that’s run against your application (RP) It tells the surf spot to trust the Kahuna To use FedUtil.exe in Visual Studio Right-click your website or web service select "Add STS Reference...“ Provide information about The location of your RP What STS to use Certificate settings Demo Create a claims enabled web site that utilizes a simple STS Create a claims enabled web service that utilizes a simple STS All you need to go surf A standards compliant Kahuna (STS) A surf spot (RP) The Surf Mobile (FedUtil.exe) A trusty WIFboard Passive Federation WSFAM - WSFederationAuthenticationModule Enables passive authentication SAM - SessionAuthenticationModule Handles sessions. CAM - ClaimsAuthorizationModule (CAM) You configure your claims-based authorization here. DEMO Converting a membership/role provider based website to a claims based one Federating identity How would a surf spot trust the authority of Kahunas from other islands? When your RP wants to authorize users from multiple IP-STSs, you use an FP-STS as an intermediary between the IP-STSs and your RP. Federation Provider A Federation Provider is also an STS, but it passes thru or transforms claims The FP-STS accepts the tokens from the IP-STSs and if necessary, can transform the claims in these tokens before providing them to the RP. Where is my Kahuna Home Realm Discovery (HRD) When there is more than one Kahuna for a user to authenticate at.. Upon arriving at the RP, you need to be redirected to the correct IP-STS for authentication. Two approaches Indicate which Kahuna via URL Have user pick from list Delegation Without WIF, it is similar to needing a different surfboard for each condition you may encounter. Trusted Subsystem is a security risk When Johnny Utah logs into the web application, he is actually using Brodiliah’s admin account to be able to access the backend data. With some clever tricks, Johnny could be able to gain access to information he’s not supposed to be able to reach. The solution? Keep passing the original users credentials with delegation, tacking on other claims as needed downstream. Federating Non-Claims Aware Apps Claims to Windows Token Service (C2WTS) C2WTS enables use of legacy or 3rd party systems that rely on Windows Integrated Authorization and cannot be migrated to using claims. Claims presented are converted to an impersonated Windows identity on the local box and the target application works as before. e.g., SQL Server let’s look at AD FS 2.0... What is AD FS 2.0? LDAP MS SQL Website Web Service Claims Engine Federation Server Proxy Management Snap-in Other Claims Providers Federation Server CA IBM SUN WIF Other STS Windows Server 2003, 2008 SP2, 2008 R2 Windows 7, Vista SP2 WIF Windows Internal DB .NET 3.5 SP1 IIS 6/7 Relying Parties Active Directory AD FS 2.0 Major Components Attribute Stores AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web Browser Apps Smart Clients Web Services ADFS 2.0 Benefits Benefits of SSO reduce administrative overhead reduce security vulnerabilities as a result of lost or stolen passwords improve user productivity Intra-Enterprise: provide SSO for all your web sites and applications Pan-Enterprise: provide SSO experiences for your users to access apps in other organizations provide SSO experience for users from external organizations to access your apps Easily externalize authentication & authorization Rich claims rules processing engine Management & Configuration Tools Why even consider AD FS 2.0? Building a production-ready STS is hard. The Visual Studio STS templates are just starters for trivial dev scenarios. Lot's of config to manage, UI's to present in real world STS! Moving to ADFS Configure the RP to trust AD FS Configure AD FS to trust RP Configure Rules • Issuance Transform rules • Issuance Authorization rules DEMO Migrating from a development STS to AD FS 2.0 Other Scenarios Delegation Federating with another Claims Provider Leveraging Attribute Stores other than Active Directory Useful Links Blog: http://TheWorkflowElement.com WIF Dev Center - http://msdn.microsoft.com/en- us/security/aa570351.aspx For WIF SDK LABS link to Online STS (AD FS 2) https://ip-sts-01.federatedidentity.net/federationmetadata/200706/federationmetadata.xml There's a few links floating around that are wrong...this is the correct one. C2WTS - http://msdn.microsoft.com/en- us/library/ee517278.aspx ADFS How to Guides - http://technet.microsoft.com/enus/library/dd727938(WS.10).aspx ( ) Self-STS - http://code.msdn.microsoft.com/SelfSTS