
Claims-based Security for Web Apps using WIF 4.5

The Microsoft platform has several products, services and frameworks that offer solutions for Identity & Access Management. In this session you will see how to use the cloud services Windows Azure Active Directory and Access Control Service, together with on-premises ADFS 2.0 servers, to realize single sign-on on the web (WebSSO). You will learn how to grow from your existing local AD to a solution that enables WebSSO for all your web applications, and also how to use web identities such as Google, Facebook and Office 365.


Alex Thissen

March 13, 2013


Transcript

  1. Agenda
     • Claims-based security primer: what are claims all about? Claim primitives, federation, protocols
     • Microsoft's Identity Platform: products, technologies, frameworks
     • Programming in WIF 4.5
     • Demos: consuming claims, creating Relying Party applications, building an STS
  2. Claims, issuers, subjects and tokens
     • A claim is an attribute of an identity
     • A security token holds claimsets
     • Cryptographically signed, optionally encrypted
     (Diagram: an Issuer issues a Security token that carries a Claimset of Claims)
  3. Passive profile federation
     (Diagram: the Identity Provider, the authoritative source of identities, runs a Security Token Service (STS) backed by an identity store; the Relying Party web app uses WIF and has a trust relationship with that STS. Steps 1 to 4: the user requests the Relying Party, is sent to the Identity Provider, presents credentials there, and returns with a security token. Federation across organizations: the STS can in turn trust another IP. The Relying Party can also be a mobile app in most cases.)
  4. Microsoft Identity Platform
     • Infrastructure (Windows Server roles): Domain Services, Lightweight Directory Services, Federation Server 2.0, Certificate Services
     • Software: Unified Access Gateway, Identity Manager 2010 (ILM)
     • Frameworks: .NET Framework 4.5, Windows Communication Foundation 4.5, ASP.NET 4.5 WIF integration
     • Cloud: Access Control Service, Azure Active Directory
     • Online services: SharePoint Online, Exchange Online, Lync Online, InTune
  5. About WIF 4.5
     • WIF 4.5 is a framework for building identity-aware applications
     • Evolution of WCF IdentityModel and WIF version 1.0
  6. WIF 4.5 overview
     • Scenarios supported: federation, identity delegation, step-up authentication
     • Capabilities: build claims-aware applications; build a custom STS; custom authorization, token handlers, et cetera; caching of tokens
     • Requirements: Windows Vista and above, Windows Server 2008 SP2 and above; .NET 4.5 (WIF 1.0 needs either .NET 3.5 or 4.0)
  7. Security principals in .NET 4.5
     • ClaimsPrincipal is now the base class of all principals
     • Claims collection property
     • Multiple identities!
     (Diagram: the principal reached through Thread.CurrentPrincipal (and its Identity) or HttpContext.Current.User derives from ClaimsPrincipal, carries Claims, and can hold multiple identities)
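As an added example (not from the deck), the following console program builds a ClaimsPrincipal with two ClaimsIdentity objects, the shape in which WIF hands a principal to an application, and queries it with the .NET 4.5 API from the slide above. The issuer URLs, claim values and the partner claim type are made up for illustration; in a web application the same object is reached through ClaimsPrincipal.Current, which wraps Thread.CurrentPrincipal.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example, not from the deck. Issuer names and claim values are made up.
public static class ClaimsPrincipalDemo
{
    const string CorpIssuer = "https://sts.example.com";         // assumed corporate STS
    const string PartnerIssuer = "https://sts.partner.example";  // assumed partner STS
    const string CostCenterClaim = "http://schemas.partner.example/claims/costcenter"; // assumed claim type

    // A principal carrying the identity issued by the corporate STS plus a second identity
    // issued by a partner STS: the "multiple identities" point of the slide.
    public static ClaimsPrincipal BuildSamplePrincipal()
    {
        var corp = new ClaimsIdentity(
            new[]
            {
                new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, CorpIssuer),
                new Claim(ClaimTypes.Email, "alice@example.com", ClaimValueTypes.String, CorpIssuer),
                new Claim(ClaimTypes.Role, "Employee", ClaimValueTypes.String, CorpIssuer),
                new Claim(ClaimTypes.Role, "Approver", ClaimValueTypes.String, CorpIssuer),
            },
            "Federation");   // a non-null authentication type makes IsAuthenticated true

        var partner = new ClaimsIdentity(
            new[] { new Claim(CostCenterClaim, "CC-42", ClaimValueTypes.String, PartnerIssuer) },
            "Federation");

        return new ClaimsPrincipal(new[] { corp, partner });
    }

    // All values of one claim type, looked up across every identity in the principal.
    public static IList<string> Values(ClaimsPrincipal p, string claimType)
    {
        return p.FindAll(claimType).Select(c => c.Value).ToList();
    }

    // Authorization decision that checks the role AND who issued it. FindAll, HasClaim and
    // IsInRole search all identities, so without the issuer test a role claim from the
    // partner STS would count just as much as one from the corporate STS.
    public static bool CanApprove(ClaimsPrincipal p, string trustedIssuer)
    {
        return p.HasClaim(c => c.Type == ClaimTypes.Role
                             && c.Value == "Approver"
                             && c.Issuer == trustedIssuer);
    }

    public static void Main()
    {
        ClaimsPrincipal p = BuildSamplePrincipal();

        Console.WriteLine("Name: {0}", p.Identity.Name);              // primary identity: alice
        Console.WriteLine("Identities: {0}", p.Identities.Count());  // 2
        Console.WriteLine("Roles: {0}", string.Join(",", Values(p, ClaimTypes.Role)));
        Console.WriteLine("IsInRole(Approver): {0}", p.IsInRole("Approver"));  // role claims drive IsInRole
        Console.WriteLine("Cost center: {0}", Values(p, CostCenterClaim).FirstOrDefault());
        Console.WriteLine("CanApprove via corporate STS: {0}", CanApprove(p, CorpIssuer));     // True
        Console.WriteLine("CanApprove via partner STS:   {0}", CanApprove(p, PartnerIssuer));  // False
    }
}
```

The issuer test in CanApprove is the security-relevant detail: once a principal can hold identities from more than one STS, a plain IsInRole check treats all issuers as equally trusted.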
  8. WIF in one minute
     • Essential claims programming model
       – Claims object model integrated with the .NET identity API
       – Single programming model for ASP.NET and WCF
       – Configuration driven
       – Single programming model for on-premise and cloud
     • Tools for metadata-driven automatic app configuration
       – Including the WS-Federation and WS-Trust protocols
     • Framework for custom STS development
  9. Programming WIF 4.5
     1. Configuration
     2. Event handling of key events
     3. Subclassing and overriding
     Most of WIF 1.0 is still applicable: namespaces and assemblies may have changed, the model has not
  10. Tooling of WIF
     • Identity and Access Tool (reached from the Project Properties context menu)
     • Local STS: a lightweight identity provider
  11. More tooling: Azure AD
     • Requires VS2012 and the ASP.NET Fall 2012 Update
     • Creates a Service Principal in the AD tenant
  12. Configuring WIF
     • Metadata driven
     • <system.identityModel.services>: passive federation; configures SAM and WS-FAM
     • <system.identityModel> (previously the <service> element): configures audiences, issuers, certificates
     Together these two sections replace the WIF 1.0 <microsoft.identityModel> section
  13. New in WIF 4.5
     • WIF is part of .NET 4.5
     • New claims model and Principal object, inside the System.Security.Claims namespace
     • Different assemblies and namespaces
     Changes:
     • Project templates for ASP.NET and STS are removed
     • Web controls not carried forward
     • Claims can now be used directly from ASP.NET and WCF
  14. WSFAM and SAM: a great couple
     Three specialized HTTP modules: WSFederationAuthenticationModule (WS-FAM), SessionAuthenticationModule (SAM), ClaimsAuthorizationModule
     Flow: unauthenticated user request → 401 Unauthorized → WS-FAM redirects to the STS → the STS POSTs the security token to the site → WS-FAM validates the token and SAM writes the FedAuth cookie → on subsequent requests SAM reads the cookie and sets the ClaimsPrincipal → claims-based or URL authorization → authenticated
  15. WSFAM and SAM: extensibility
     Three specialized HTTP modules: WSFederationAuthenticationModule, SessionAuthenticationModule, ClaimsAuthorizationModule
     Each module exposes interesting events to handle. Common extensibility point: the ASP.NET pipeline event the module hooks, for example WSFAM on AuthenticateRequest
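Added example, not part of the deck: Global.asax handlers for the WSFAM and SAM events described in the two slides above. ASP.NET wires a Global.asax method named moduleName_EventName to that module's event, using the module names registered under <system.webServer><modules>; the names used here are the defaults the Identity and Access Tool writes. The required claim type and the reply URL are assumptions for the example.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web;

// Added example, not from the deck. Assumes the modules are registered as
// "WSFederationAuthenticationModule" and "SessionAuthenticationModule" in web.config.
public class Global : HttpApplication
{
    // Assumed: the application insists on an e-mail claim in every token it accepts.
    const string RequiredClaimType = ClaimTypes.Email;

    // WSFAM: raised after signature, issuer, audience and lifetime of the incoming token have
    // been validated, but before a session is created. Last chance to reject the sign-in.
    void WSFederationAuthenticationModule_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
    {
        ClaimsPrincipal principal = e.ClaimsPrincipal;
        if (!principal.HasClaim(c => c.Type == RequiredClaimType))
        {
            // Throwing aborts the sign-in; WSFAM raises SignInError instead of SignedIn.
            throw new SecurityTokenException("Token does not carry the required claim type " + RequiredClaimType);
        }
    }

    // WSFAM: raised just before the browser is redirected to the STS. Pins wreply to this
    // application's own address instead of deriving it from the current request.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        e.SignInRequestMessage.Reply = "https://rp.example.com/";   // assumed application URL
    }

    // SAM: raised on every request that carries a FedAuth cookie, before the session token's
    // lifetime is validated. Sliding expiration: once more than half the lifetime has passed,
    // reissue the token (and cookie) for a fresh full lifetime.
    void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        DateTime now = DateTime.UtcNow;
        DateTime validFrom = e.SessionToken.ValidFrom;
        DateTime validTo = e.SessionToken.ValidTo;
        TimeSpan lifetime = validTo - validFrom;
        DateTime halfway = validFrom + TimeSpan.FromTicks(lifetime.Ticks / 2);

        if (now > halfway && now < validTo)
        {
            var sam = (SessionAuthenticationModule)sender;
            e.SessionToken = sam.CreateSessionSecurityToken(
                e.SessionToken.ClaimsPrincipal,
                e.SessionToken.Context,
                now,
                now + lifetime,
                e.SessionToken.IsPersistent);
            e.ReissueCookie = true;   // SAM writes the new FedAuth cookie in this response
        }
        // An already expired token (now >= validTo) is left untouched: SAM rejects it during
        // validation and the next request goes back through the STS redirect.
    }
}
```

The sliding-expiration handler only ever extends a session that is still valid; extending an expired one here would silently turn the session lifetime into an unbounded one.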
  16. Custom AuthN and AuthZ
     • ClaimsAuthenticationManager: transforms incoming claims (add, modify, delete claims); Authenticate method
     • ClaimsAuthorizationManager: authorizes or denies incoming requests; CheckAccess method
     • For both: derive from the base class, override the single method, register in the federation configuration (programmatically or in the config file)
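Added example, not from the deck, covering both the configuration items of slide 12 and the two managers of slide 16: a ClaimsAuthenticationManager that replaces issuer-supplied roles with locally derived ones, a ClaimsAuthorizationManager that decides per resource and action, and programmatic registration of audience, trusted issuer and passive-federation settings through FederatedAuthentication.FederationConfigurationCreated (the code equivalent of <system.identityModel> and <system.identityModel.services>). The URLs, certificate thumbprint, group SIDs and path rules are made up, and ClaimsAuthorizationModule is assumed to be registered so that CheckAccess also runs for every request.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Configuration;  // IdentityConfiguration
using System.IdentityModel.Services;       // FederatedAuthentication, WsFederationConfiguration
using System.IdentityModel.Tokens;         // ConfigurationBasedIssuerNameRegistry
using System.Linq;
using System.Security.Claims;              // ClaimsAuthenticationManager, ClaimsAuthorizationManager
using System.Web;

// Added example, not from the deck. Thumbprint, SIDs, URLs and path rules are made up.

// Runs once per incoming token, after validation and before the session is created.
public class RoleMappingAuthenticationManager : ClaimsAuthenticationManager
{
    static readonly Dictionary<string, string> GroupToRole = new Dictionary<string, string>
    {
        { "S-1-5-21-0000-1001", "Approver" },   // assumed group SID -> application role
        { "S-1-5-21-0000-1002", "Reader" },
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;   // anonymous request: nothing to transform

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;

        // Roles are an application decision: drop whatever the STS asserted and derive them here.
        foreach (Claim role in identity.FindAll(ClaimTypes.Role).ToList())
            identity.RemoveClaim(role);

        foreach (Claim group in identity.FindAll(ClaimTypes.GroupSid))
        {
            string role;
            if (GroupToRole.TryGetValue(group.Value, out role))
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, ClaimsIdentity.DefaultIssuer));
        }
        return incomingPrincipal;
    }
}

// Called by ClaimsAuthorizationModule for every request (resource = absolute request URL,
// action = HTTP verb) and by ClaimsPrincipalPermission.CheckAccess for explicit checks in code.
public class ApprovalAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = context.Resource.First().Value;
        string action = context.Action.First().Value;
        Uri uri;
        string path = Uri.TryCreate(resource, UriKind.Absolute, out uri) ? uri.AbsolutePath : resource;

        if (path.StartsWith("/approvals", StringComparison.OrdinalIgnoreCase))
        {
            bool approver = context.Principal.HasClaim(ClaimTypes.Role, "Approver");
            bool reader = context.Principal.HasClaim(ClaimTypes.Role, "Reader");
            return action == "GET" ? (approver || reader) : approver;   // writes need Approver
        }
        return context.Principal.Identity.IsAuthenticated;   // everything else: signed-in users only
    }
}

public class Global : HttpApplication
{
    protected void Application_Start()
    {
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
        {
            IdentityConfiguration id = e.FederationConfiguration.IdentityConfiguration;

            // Audience restriction: a token issued for a different relying party is rejected.
            id.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://rp.example.com/"));

            // Issuer pinning: only tokens signed by this certificate are trusted (thumbprint made up).
            var issuers = new ConfigurationBasedIssuerNameRegistry();
            issuers.AddTrustedIssuer("0123456789ABCDEF0123456789ABCDEF01234567", "https://sts.example.com/");
            id.IssuerNameRegistry = issuers;

            id.ClaimsAuthenticationManager = new RoleMappingAuthenticationManager();
            id.ClaimsAuthorizationManager = new ApprovalAuthorizationManager();

            // Passive federation: where to redirect, and session cookies only over TLS.
            WsFederationConfiguration ws = e.FederationConfiguration.WsFederationConfiguration;
            ws.Issuer = "https://sts.example.com/adfs/ls/";
            ws.Realm = "https://rp.example.com/";
            ws.RequireHttps = true;
            e.FederationConfiguration.CookieHandler.RequireSsl = true;
        };
    }
}

// Explicit check from application code, for example inside an MVC action:
//   ClaimsPrincipalPermission.CheckAccess("/approvals/42", "POST");  // throws SecurityException when denied
```

Audience restriction and issuer pinning are the two settings that turn "a validly signed token" into "a token meant for this application from the STS we trust"; everything the managers do afterwards rests on them.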
  17. To use and not to use
     Use:
     • Namespace System.Security.Claims
     • System.IdentityModel.dll
     • System.IdentityModel.Services.dll
     Do not use:
     • Microsoft.IdentityModel.dll
     • Microsoft.IdentityModel.Web.dll
     • Old WCF claim types inside the namespaces System.IdentityModel.Claims, System.IdentityModel.Policy, System.IdentityModel.Selectors
  18. WCF for active federation
     using System.IdentityModel.Protocols.WSTrust;  // RequestSecurityToken, EndpointReference, RequestTypes
     using System.IdentityModel.Tokens;             // SecurityToken
     using System.ServiceModel;                     // ChannelFactory<T>, CreateChannelWithIssuedToken
     using System.ServiceModel.Security;            // WSTrustChannelFactory, WSTrustChannel, TrustVersion

     // Acquire a security token from the STS via the active profile (WS-Trust).
     // stsBinding/stsAddress and serviceBinding/serviceAddress are configured elsewhere;
     // the service binding must be a federation binding such as WS2007FederationHttpBinding.
     var trustChannelFactory = new WSTrustChannelFactory(stsBinding, stsAddress);
     trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
     var channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
     var rst = new RequestSecurityToken(RequestTypes.Issue);
     rst.AppliesTo = new EndpointReference(serviceAddress);   // scope the token to the Relying Party service
     RequestSecurityTokenResponse rstr = null;
     SecurityToken token = channel.Issue(rst, out rstr);

     // Contact the Relying Party service with the token for authentication
     var serviceFactory = new ChannelFactory<IHelloService>(serviceBinding, serviceAddress);
     serviceFactory.ConfigureChannelFactory();   // installs FederatedClientCredentials so the issued token can be sent
     IHelloService serviceChannel = serviceFactory.CreateChannelWithIssuedToken(token);
     serviceChannel.Hello("Hi!");
  19. Summary
     • Security is moving towards claims
     • Strong industry and standards-based support
     • WIF helps build claims-aware applications and services
     • Fully integrated in the core of the .NET Framework
     • Don't hide or deny: make the shift today!
  20. Pop quiz
     What do the letters HRD mean in an MVC HrdController class created by the Identity and Access Tool?
     #Achmea  Prize for the first tweet with the correct answer
  21. Code sample
     # Growing arrays dynamically
     $arr = 2,3,5,7,11
     Write-Host "First time around..."
     for ($i = 0; $i -lt $arr.Length; $i++) {
         Write-Host $arr[$i]
     }
     $arr += 13,17,19,29
     Write-Host "Second time around..."
     for ($i = 0; $i -lt $arr.Length; $i++) {
         Write-Host $arr[$i]
     }
  22. Agenda
     (Diagram: on-premise, behind the firewall, Windows Server Active Directory and ADFS 2.0 with LoB apps; on the Internet, Windows Azure Active Directory with Azure apps, Internet apps and other apps)
     1. Web single sign-on: claims, trust, federation
     2. On-premise SSO: Active Directory
     3. Azure AD
     4. Migration scenarios: synchronization, federation
     5. Questions and answers