
An Authorization Service using .NET Passport ™ as underlying Authentication Scheme

Technion – Israel Institute of Technology. An Authorization Service using .NET Passport™ as underlying Authentication Scheme. Bar-Hen Ron, Hochberger Daniel. Winter 2002.



Presentation Transcript


  1. Technion – Israel Institute of Technology. An Authorization Service using .NET Passport™ as underlying Authentication Scheme. Bar-Hen Ron, Hochberger Daniel. Winter 2002

  2. Motivations. Creating a generic authorization service for the Technion which takes advantage of the .NET Passport™ authentication scheme: • Building a generic administrator program for setting permissions • Finding an interesting real-world application and integrating it into the service: the Software Systems Lab, whose users are students, instructors, lecturers, secretaries, administrators and so on • Creating participating sites which support multiple levels of access: a "Grades" system in which students see their grades, instructors and lecturers set grades, and secretaries create new projects.

  3. Prerequisites • Learn Microsoft™ .NET environment • Learn the C# Programming Language • Be familiar with the concepts of ADO.NET • Study Microsoft™ Passport SDK • Learn how to configure a new participating site

  4. Authentication vs. Authorization • Authentication: are you who you claim to be? • performed by .NET Passport • Authorization: given that you are who you claim to be, are you allowed to access a given page? • performed locally by the participating site's own authorization scheme

  5. How does Microsoft Passport™ work? • Participating sites register their site URL and return URL with Microsoft and are assigned a Site ID and a secret encryption key shared only between the site and Microsoft. • Users need a Microsoft Passport account: one universal sign-in name and password used for accessing every participating site. • Each user is identified by a Passport Unique ID (PUID), which is the value participating sites key their own records on.

  6. How does Microsoft Passport™ work? (cont.) • When a user clicks the sign-in logo or tries to access a protected web page, a silent HTTP redirect takes the browser to the Passport sign-in page. If the user has previously signed in to a .NET Passport participating site (that is, the browser still holds valid Passport cookies), the whole process described below is silent. • On the sign-in page the user enters his sign-in name and password. If they match an entry in the Microsoft database, the user is authenticated and the Passport login server creates three .NET Passport cookies which include the user's PUID, a timestamp and other required information. • The browser is automatically redirected back to the participating site's return URL, and the encrypted ticket and profile data are passed to it as query-string parameters (the participating site then writes them as cookies in its own domain). The participating site decrypts them with the secret key it shares with Microsoft, obtains the PUID, and can run its own authorization scheme on that PUID. Two points matter for security here: the site trusts the PUID only because the data decrypts correctly under a key that nobody else holds, so that key must be protected like a credential; and the timestamp lets the site reject tickets older than its configured time window, forcing a fresh sign-in instead of accepting an old ticket indefinitely.
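The round trip on slide 6, modelled as an added example (this is not the project's C# code and not the Passport SDK): the login server binds a PUID and a timestamp to one participating site under the site's shared key, hands the result back through the browser as a query-string parameter, and the site accepts the PUID only if the ticket verifies under its key and is inside the time window. The Site ID, key, return URL, PUID and time-window value are constructed for the example, and the HMAC stands in for Passport's own encryption of the ticket, which is not reproduced.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed registration data for the example; real Site IDs and shared keys
# are issued by Microsoft when the site registers its URL and return URL.
SITE_ID = 12345
SITE_KEY = b"constructed-shared-secret-for-site-12345"
RETURN_URL = "https://lab.example/passport-return.aspx"   # assumed return URL

# Maximum accepted ticket age. Passport Manager enforces a configurable time
# window; the value here is an assumption for the example.
TIME_WINDOW_SECONDS = 1800
MAC_LEN = hashlib.sha256().digest_size


class TicketError(Exception):
    """Raised by the participating site when a ticket must not be trusted."""


def _mac(site_key: bytes, body: bytes) -> bytes:
    return hmac.new(site_key, body, hashlib.sha256).digest()


def issue_ticket(site_key: bytes, puid: str, issued_at: int) -> str:
    """Login-server side: bind the PUID and a timestamp to one participating site.

    The real ticket is encrypted with Passport's own scheme under the site's
    shared key; this stand-in authenticates the payload with an HMAC under the
    same shared key, which is the property the site actually relies on.
    """
    body = json.dumps({"puid": puid, "ts": issued_at}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _mac(site_key, body)).decode()


def build_return_url(return_url: str, ticket: str) -> str:
    """The login server redirects the browser back with the ticket in the query string."""
    return return_url + "?" + urlencode({"t": ticket})


def verify_ticket(site_key: bytes, query_string: str, now: int,
                  time_window: int = TIME_WINDOW_SECONDS) -> str:
    """Participating-site side: return the PUID only from a ticket that verifies and is fresh."""
    params = parse_qs(query_string)
    if "t" not in params:
        raise TicketError("no ticket in query string")
    try:
        token = base64.urlsafe_b64decode(params["t"][0].encode())
    except ValueError as exc:          # binascii.Error is a ValueError
        raise TicketError("ticket is not valid base64") from exc
    if len(token) <= MAC_LEN:
        raise TicketError("ticket too short")
    body, mac = token[:-MAC_LEN], token[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(site_key, body)):
        # Wrong key or tampered query string: the PUID inside is worthless.
        raise TicketError("ticket does not verify under this site's key")
    fields = json.loads(body)
    age = now - int(fields["ts"])
    if age < 0 or age > time_window:
        # The timestamp is what stops an old ticket from being replayed forever.
        raise TicketError("ticket is outside the time window")
    return str(fields["puid"])


if __name__ == "__main__":
    # Constructed PUID in the 16-hex-digit shape Passport uses.
    ticket = issue_ticket(SITE_KEY, "0006000012345678", issued_at=1_000_000)
    url = build_return_url(RETURN_URL, ticket)
    print(url)
    print("accepted PUID:", verify_ticket(SITE_KEY, url.split("?", 1)[1], now=1_000_100))
```

Everything the site later decides is keyed on the PUID returned by `verify_ticket`; a ticket issued under a different key, a ticket with a flipped byte, or a ticket older than the window all raise `TicketError` and never yield a PUID.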

  7. How Microsoft Passport ™ works? (cont.)

  8. Authentication and Authorization implementation • Each time a page is loaded, it performs silent authentication: • the authentication process is implemented in the base class of all the pages (frames) in the site, using .NET Passport function calls, so no individual page can omit it; • if the page is not restricted, it is opened even if no user is signed in; if it is restricted, the user is forced to sign in and the authorization process then takes place.

  9. Authentication and Authorization implementation (cont.) • A user who has no Passport account is denied access to restricted pages. • A new user who attempts to access a restricted page for the first time, and who has a legal Passport account but is not yet a registered user of the Lab, is redirected to a special web form asking him to enter his details. This user, referred to as a "Pending User", becomes a legal user only when an administrator approves him through the Administrator program. • A legal user of the Lab attempting to access a restricted page is checked against the Authorization Database to decide whether he is allowed to view it. If not, he is redirected to a "Permission denied" page; otherwise, the restricted page is opened. In both lookups the key is the PUID obtained from the verified Passport ticket, not anything the user typed into the registration form.
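The decision made by the base page on slides 8 and 9, as an added example in Python rather than the project's C# (this is a model of the flow described, not the project's code). It assumes the PUID has already been obtained from a verified Passport ticket (or is absent), that a page is restricted exactly when the authorization database has a permissions entry for it, and that the administrator program's approval is a flag plus a set of groups on the user record; the page names and groups are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Optional, Set


class Outcome(Enum):
    SERVE = "open the page"
    SIGN_IN = "force .NET Passport sign-in"
    REGISTER = "redirect to the registration form (user becomes pending)"
    PENDING = "registered but not yet approved by an administrator"
    DENIED = "redirect to the permission-denied page"


@dataclass
class LabUser:
    puid: str                                   # Passport Unique ID, the only key used
    name: str                                   # typed by the user; never used for decisions
    approved: bool = False                      # flipped by the administrator program
    groups: Set[str] = field(default_factory=set)


@dataclass
class AuthzDb:
    users: Dict[str, LabUser] = field(default_factory=dict)         # keyed by PUID
    page_groups: Dict[str, Set[str]] = field(default_factory=dict)  # restricted page -> groups

    def is_restricted(self, page: str) -> bool:
        # Assumption for the example: a page is restricted iff it has a permissions entry.
        return page in self.page_groups


def decide(db: AuthzDb, page: str, puid: Optional[str]) -> Outcome:
    """Base-page logic for one request; puid is the verified PUID or None if nobody is signed in."""
    if not db.is_restricted(page):
        return Outcome.SERVE                    # public page: no sign-in needed
    if puid is None:
        return Outcome.SIGN_IN                  # restricted: Passport sign-in first
    user = db.users.get(puid)
    if user is None:
        return Outcome.REGISTER                 # valid Passport, unknown to the Lab
    if not user.approved:
        return Outcome.PENDING                  # registered, waiting for an administrator
    if user.groups & db.page_groups[page]:
        return Outcome.SERVE                    # some group of the user is allowed on the page
    return Outcome.DENIED


def register_pending(db: AuthzDb, puid: str, name: str) -> None:
    """The registration form: creates the user as pending, with no groups."""
    if puid in db.users:
        raise ValueError(f"PUID {puid} is already registered")
    db.users[puid] = LabUser(puid=puid, name=name)


def approve(db: AuthzDb, puid: str, groups: Iterable[str]) -> None:
    """The administrator program: grant group membership and make the user legal."""
    user = db.users[puid]
    user.groups = set(groups)
    user.approved = True


if __name__ == "__main__":
    db = AuthzDb(page_groups={"grades.aspx": {"students", "instructors", "lecturers"},
                              "createproject.aspx": {"secretaries"}})
    puid = "0006000012345678"                   # constructed PUID
    for step in ("first visit", "after registration", "after approval"):
        if step == "after registration":
            register_pending(db, puid, "A. Student")
        if step == "after approval":
            approve(db, puid, {"students"})
        print(step, "->", decide(db, "grades.aspx", puid).value)
```

Note that `decide` never consults `LabUser.name`: the registration form only collects details for the administrator to review, and every allow or deny is keyed on the PUID that came out of the Passport ticket.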

  10. Data repository / Permissions repository / Involved entities

  11. Registration Form

  12. Administrator S/W GUI (users related)

  13. Administrator S/W GUI (groups related)

  14. Administrator S/W GUI (total permissions)

  15. The "Grades" System • A special restricted page, typically accessible to secretaries, allows creating new projects, fixing the two students, the instructor and the lecturer participating in each project. • A restricted page called "Grades" presents to the currently signed-in user all the grades he is allowed to view or to set, according to the Data Repository database and the group he belongs to as specified in the Authorization database. • Typically, a student should be able to see his grades, while an instructor and a lecturer should be able to set respectively 90% and 10% of the grade of each of their students. • The grade system is totally generic: an instructor can also be a student, a lecturer can also be an instructor and so on. In every case the currently signed-in user can view or set only what he is allowed to, and all of it appears in one single table.
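The grades table described on slide 15, as an added example in Python (a model of the described behaviour, not the project's C# pages). It assumes the instructor and lecturer components are combined with the 90%/10% weights from the slide, that roles are derived per project from the Data Repository (the two students, the instructor and the lecturer created by the secretaries' page), and that a user with no role in a project does not see its rows at all; project names and PUIDs are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

INSTRUCTOR_WEIGHT = 0.9   # the instructor sets 90% of each student's grade
LECTURER_WEIGHT = 0.1     # the lecturer sets the remaining 10%
COMPONENTS = ("instructor", "lecturer")


@dataclass
class Project:
    name: str
    students: Tuple[str, str]   # PUIDs of the two students
    instructor: str             # PUID
    lecturer: str               # PUID


@dataclass
class GradeBook:
    projects: Dict[str, Project] = field(default_factory=dict)
    # (project name, student PUID) -> component -> score, None until set
    grades: Dict[Tuple[str, str], Dict[str, Optional[float]]] = field(default_factory=dict)

    def create_project(self, name: str, students: Iterable[str],
                       instructor: str, lecturer: str) -> None:
        """The create-project page (secretaries): fixes the four participants."""
        if name in self.projects:
            raise ValueError(f"project {name!r} already exists")
        pair = tuple(students)
        self.projects[name] = Project(name, pair, instructor, lecturer)
        for s in pair:
            self.grades[(name, s)] = {c: None for c in COMPONENTS}

    def settable_by(self, puid: str, project: Project) -> Set[str]:
        """Which grade components this PUID may set on this project, from its roles."""
        comps = set()
        if puid == project.instructor:
            comps.add("instructor")
        if puid == project.lecturer:
            comps.add("lecturer")
        return comps

    @staticmethod
    def final(scores: Dict[str, Optional[float]]) -> Optional[float]:
        if any(scores[c] is None for c in COMPONENTS):
            return None
        return round(INSTRUCTOR_WEIGHT * scores["instructor"]
                     + LECTURER_WEIGHT * scores["lecturer"], 2)

    def table_for(self, puid: str) -> List[dict]:
        """The single grades table for the signed-in user: one row per grade he may view or set."""
        rows = []
        for p in self.projects.values():
            can_set = self.settable_by(puid, p)
            for s in p.students:
                if s != puid and not can_set:
                    continue   # no role in this project: the row is not shown at all
                scores = self.grades[(p.name, s)]
                rows.append({"project": p.name, "student": s,
                             "instructor": scores["instructor"], "lecturer": scores["lecturer"],
                             "final": self.final(scores), "can_set": sorted(can_set)})
        return rows

    def set_component(self, by_puid: str, project_name: str, student: str,
                      component: str, score: float) -> None:
        """Server-side check on every write: the caller's role decides, not the form that posted."""
        project = self.projects[project_name]
        if component not in self.settable_by(by_puid, project):
            raise PermissionError(f"{by_puid} may not set {component} on {project_name}")
        if student not in project.students:
            raise KeyError(f"{student} is not a student on {project_name}")
        self.grades[(project_name, student)][component] = float(score)


if __name__ == "__main__":
    gb = GradeBook()
    gb.create_project("ProjA", ("S1", "S2"), instructor="I1", lecturer="L1")
    gb.create_project("ProjB", ("I1", "S3"), instructor="I2", lecturer="L1")   # I1 is a student here
    gb.set_component("I1", "ProjA", "S1", "instructor", 80)
    gb.set_component("L1", "ProjA", "S1", "lecturer", 100)
    for row in gb.table_for("I1"):
        print(row)
```

The same `settable_by` check drives both what the table shows and what `set_component` accepts, so a user who is a student on one project and an instructor on another gets one table with both kinds of rows, and a forged request to set a component outside his role is refused on the server regardless of what the page rendered.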

  16. Create project page

  17. The grades page
