Whiteboard discussion of WS-Fed and WS-Trust


WS-* Metasystem Protocol

Participants: Client Application, Identity Selector, Relying Party, Identity Provider

1. Client Application -> Relying Party: WS-MEX GetMetadata Request (asks for the RP policy)
2. Relying Party -> Client Application: WS-MEX GetMetadata Response (WS-Security Policy)
3. Client Application -> Identity Selector: GetToken(RP Policy)
4. Identity Selector: Select Identity
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request (the selected identity needs credentials)
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Client Application: Return security token
10. Client Application -> Relying Party: Access resource with security token (WS-Security)


Browser Metasystem Protocol

Participants: Client Browser, Identity Selector, Relying Party, Identity Provider

1a. Client Browser -> Relying Party: HTTP GET to protected page
1b. Relying Party -> Client Browser: HTTP redirect to login page
2a. Client Browser -> Relying Party: HTTPS GET to login page
2b. Relying Party -> Client Browser: HTTPS login page (carries the RP policy)
2c. Client Browser: Click
3. Client Browser -> Identity Selector: GetBrowserToken(RP Policy) (policy taken from the HTML information card tag)
4. Identity Selector: Select Identity
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request (the selected identity needs credentials)
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Client Browser: Return security token
10. Client Browser -> Relying Party: HTTPS POST with security token
11. Relying Party -> Client Browser: HTTP redirect with session cookie


Token Encrypted to RP

Participants: CardSpace, Identity Provider, Relying Party. The IP and RP may have established a relationship out-of-band, so the RP's key is known to the IP.

Relying Party (app.config): expresses the desire to convey the RP's identity to the IP:

  <tokenParameters>
    <xmlElement>
      <wsp:Policy>
        <ic:RequireAppliesTo />
      </wsp:Policy>
    </xmlElement>
    ...
  </tokenParameters>

CardSpace: generate a message; include the RP's identity in the request.

Identity Provider: decrypt the request; the RP's key is known to the IP; generate the response security token; the IP encrypts the token with the RP's key; generate a response message; encrypt it to the client.


Token not Encrypted to RP

Participants: CardSpace, Identity Provider, Relying Party. The RP's key is not known to the IP.

Relying Party: token requirements.

CardSpace: generate a message; request security token.

Identity Provider: decrypt the request; the RP's key is not known to the IP, so the IP cannot encrypt the token with the RP's key; the response security token is not encrypted; generate a response message; encrypt it to the client.


Proof Token: Symmetric Key

Participants: Relying Party, CardSpace, Identity Provider

Relying Party: token requirements (keyType: Symmetric, keySize: 128, tokenType: SAML1.1).

CardSpace: generate a message; request for security token.

Identity Provider: decrypt the request; generate a key; generate a token and include the key in the token; include the key as part of the proof token in the message; generate a response message; encrypt it to the client.

CardSpace: response with security token; sign with the proof key; send the message to the RP.

Relying Party: verify signature.


Proof Token: Asymmetric Key

Participants: Relying Party, CardSpace, Identity Provider

Relying Party: token requirements (keyType: Asymmetric, keySize: 2048, tokenType: SAML1.1).

CardSpace: generate a key-pair; generate a message; include the key in the request; request for security token.

Identity Provider: decrypt the request; generate a token (SAML) and include the key in the token; generate a response message; encrypt it to the client.

CardSpace: response with security token; sign with the other key; send the message to the RP.

Relying Party: verify signature.
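The two proof-token slides above show a holder-of-key token: the IP binds a key to the token, the client proves possession by signing its message with that key, and the RP verifies that signature. The following is an added example, not code from the slides or from CardSpace, that models the symmetric-key variant with the Python standard library only. Because the standard library has no XML encryption, the "encrypt to the RP" step is stood in for by an HMAC over a constructed IP-RP shared secret (enough for the RP to check the token came from the IP); the asymmetric slide follows the same shape with a key pair and is not modelled here. All names, claims and secrets are constructed sample values.

```python
"""
Added example (not from the slides): symmetric proof-key (holder-of-key) flow.
Encryption of the token to the RP is replaced by an HMAC under a constructed
IP-RP shared secret; the real protocol encrypts the token to the RP's key.
"""
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for "RP's key is known to IP".
IP_RP_SECRET = b"constructed-ip-rp-shared-secret"
KEY_SIZE_BITS = 128  # keySize from the slide's token requirements


def issue_token(claims, ip_rp_secret=IP_RP_SECRET):
    """Identity Provider: generate a proof key, put it in the token, protect the
    token for the RP, and return (token, proof_key). The proof key also travels
    to the client as the RSTR proof token, encrypted to the client."""
    proof_key = secrets.token_bytes(KEY_SIZE_BITS // 8)
    body = json.dumps({"claims": claims, "keyType": "Symmetric",
                       "proof_key": proof_key.hex()}, sort_keys=True)
    mac = hmac.new(ip_rp_secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}, proof_key


def sign_message(message, proof_key):
    """CardSpace/client: sign the application message with the proof key."""
    return hmac.new(proof_key, message.encode(), hashlib.sha256).hexdigest()


def rp_verify(token, message, message_sig, ip_rp_secret=IP_RP_SECRET):
    """Relying Party: check the token came from the IP, extract the proof key
    from it, then verify the message signature. Returns the claims on success,
    None on any failure (forged or altered token, or a sender who holds the
    token but not the proof key)."""
    expected = hmac.new(ip_rp_secret, token["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None
    body = json.loads(token["body"])
    proof_key = bytes.fromhex(body["proof_key"])
    if not hmac.compare_digest(sign_message(message, proof_key), message_sig):
        return None
    return body["claims"]


def demo():
    """Run the exchange once: a legitimate holder passes, a replayed token
    presented by a party without the proof key does not."""
    token, proof_key = issue_token({"name": "alice"})  # constructed claims
    message = "GET /resource"
    ok = rp_verify(token, message, sign_message(message, proof_key))
    replayed = rp_verify(token, message, sign_message(message, b"\x00" * 16))
    return ok, replayed


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the difference between a bearer token and a holder-of-key token: copying the token is not enough, since the RP also demands a signature under the key the IP placed inside it.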


ADFS WS-Fed

Participants: Browser Client, FS-A STS, Web Server, FS-R STS

1. Browser Client -> Web Server: GET appURL
2. Web Server -> Browser Client: 302 fs-rURL?wa=…&wreply=AppURL&wctx=appURL
3. FS-R STS: Detect user's home realm
4. FS-R STS -> Browser Client: 302 fs-aURL?wa=...&wtrealm=fs-rURI&wctx=AppURL/appURL
5. FS-A STS: Authenticate User
6. FS-A STS -> Browser Client: 200 <FORM ACTION=fs-rURL METHOD=POST> <INPUT … NAME=wresult VALUE=[fs-a token]> … (the browser posts the form to FS-R)
7. FS-R STS -> Browser Client: 200 <FORM ACTION=AppURL METHOD=POST> <INPUT … NAME=wresult VALUE=[fs-r token]> … (the browser posts the form to the web server)
8. Web Server -> Browser Client: 302 appURL [HttpResponseHeader=SetCookie]
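The ADFS slide above is a WS-Federation passive requestor exchange: redirects carrying wa, wtrealm, wreply and wctx, then self-submitting forms carrying wresult. The following is an added example, not code from the slides or from ADFS, that models the two STS-side pieces a practitioner cares about: validating an incoming sign-in request (in particular, only accepting a wreply whose origin is registered for the named realm) and emitting the auto-POST form with the token value escaped. The parameter names and the wa value wsignin1.0 are the real WS-Federation ones; the STS URL, realm identifier, origins and token strings are constructed sample values.

```python
"""
Added example (not from the slides or ADFS): a minimal model of the WS-Fed
passive requestor redirect and auto-POST steps. URLs, realms and tokens below
are constructed sample values.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed trust configuration for the resource STS (FS-R): each registered
# realm (wtrealm) maps to the HTTPS origins allowed to receive its tokens.
# Checking wreply against this list is what stops the STS from posting a token
# to whatever URL a request happens to name.
TRUSTED_REALMS = {
    "urn:example:app": ["https://app.example.test"],
}


def build_signin_redirect(sts_url, wtrealm, wreply, wctx):
    """The '302 fs-rURL?wa=...' step: the web server sends the browser to the STS."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": wtrealm,
                       "wreply": wreply, "wctx": wctx})
    return f"{sts_url}?{query}"


def parse_signin_request(url, trusted_realms=TRUSTED_REALMS):
    """STS side: validate the sign-in parameters and return them, or raise
    ValueError when the action, realm or reply URL is not acceptable."""
    qs = parse_qs(urlsplit(url).query)

    def single(name, required=True):
        values = qs.get(name, [])
        if len(values) != 1:
            if required:
                raise ValueError(f"missing or repeated parameter {name}")
            return None
        return values[0]

    wa = single("wa")
    if wa != "wsignin1.0":
        raise ValueError(f"unsupported wa action {wa!r}")
    wtrealm = single("wtrealm")
    if wtrealm not in trusted_realms:
        raise ValueError(f"unknown realm {wtrealm!r}")

    # Fall back to the realm's first registered origin when wreply is absent;
    # otherwise the reply URL must be HTTPS and sit on a registered origin.
    allowed = trusted_realms[wtrealm]
    wreply = single("wreply", required=False) or allowed[0]
    parts = urlsplit(wreply)
    origin = f"{parts.scheme}://{parts.netloc}"
    if parts.scheme != "https" or origin not in allowed:
        raise ValueError(f"wreply {wreply!r} is not registered for {wtrealm}")

    return {"wa": wa, "wtrealm": wtrealm, "wreply": wreply,
            "wctx": single("wctx", required=False)}


def build_auto_post_form(action_url, wresult, wctx):
    """The '200 <FORM ACTION=... METHOD=POST>' step: the STS returns the token to
    the browser in a form that posts to the registered reply URL. Every value is
    HTML-escaped so a token body cannot break out of its attribute."""
    fields = [("wa", "wsignin1.0"), ("wresult", wresult)]
    if wctx is not None:
        fields.append(("wctx", wctx))
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{escape(value, quote=True)}">'
        for name, value in fields)
    return (f'<form method="POST" action="{escape(action_url, quote=True)}">'
            f"{inputs}</form>")


if __name__ == "__main__":
    sts = "https://fs-r.example.test/adfs/ls/"  # constructed STS URL
    url = build_signin_redirect(sts, "urn:example:app",
                                "https://app.example.test/page", "/page")
    req = parse_signin_request(url)
    print(build_auto_post_form(req["wreply"], "[fs-r token]", req["wctx"]))
```

The form carries wctx back unchanged, which is how the application recovers the page the user originally asked for (the appURL on the slide) once the token has been accepted.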


WS Metasystem Protocol

Participants: Requestor Client, Identity Provider STS, Target Service, Relying Party STS

1. Requestor Client -> Target Service: HTTPS GET
2. Target Service -> Requestor Client: HTTPS 302, redirect to RP STS
3. Requestor Client -> Relying Party STS: HTTPS GET Home Realm Discovery page
4. Relying Party STS -> Requestor Client: HTTPS 200 (CardSpace icon)
5. Requestor Client: CardSpace selection
6. Requestor Client -> Identity Provider STS: WS-Trust RST
7. Identity Provider STS -> Requestor Client: WS-Trust RSTR
8. Requestor Client -> Relying Party STS: HTTPS POST security token (WS-Fed)
9. Relying Party STS: authenticate token, extract claims, create, encrypt and sign new token
10. Relying Party STS -> Requestor Client: HTTP 200 (JavaScript to send token to Target Service)
11. Requestor Client -> Target Service: HTTPS POST security token

