
Essential aspects of developing applications with Windows Identity Foundation


Presentation Transcript


  1. ARC303 Pedro Félix CCISEL pedrofelix@cc.isel.ipl.pt Essential aspects of developing applications with Windows Identity Foundation

  2. try { • Motivation • The claims-based model • Windows Identity Foundation • Identity and claims representation • Consumption pipeline • ASP.NET and WCF Integration • Issuance pipeline

  3. Motivation: CloudTrack (an issue tracker). Users view/manage issues and create/view issues.

  4. Identity and Authorization. Diagram: creds; Contoso::Alice; Contoso::LeadDev; webapp::IssueMgr; webapp::IssueView.

  5. Centralized Solution. Diagram: webapp (IssueTracker) with creds, Contoso::Alice, Contoso::LeadDev, webapp::IssueMgr, webapp::IssueView; Membership Provider, Role Provider; IPrincipal.IsInRole(...).

  6. Decentralized Authority. Diagram: webapp (IssueTracker) with creds, Contoso::Alice, Contoso::LeadDev, webapp::IssueMgr, webapp::IssueView; Contoso Authority.

  7. The Claims Model. Diagram: Contoso is the Identity Provider (Issuer) and issues a Security Token with claims about Alice (Contoso::Alice, Contoso::LeadDev) from her creds; the webapp is the Identity Consumer (Relying Party), accepts the token and maps it onto webapp::IssueMgr and webapp::IssueView.

  8. The Claims Model. Diagram: a Provider issues Security Tokens that carry an Identity ({Claims}) about a Subject; a Consumer uses them; a party can be Consumer/Provider at once (use a token, issue another).

  9. Demo. Identity Provider: Demo.MIP (ASP.NET, WIF) built on a Membership Provider, a Role Provider and an Identity Transformer, with username+password authentication; ADFS as a second provider. Identity Consumer: Demo.RP (ASP.NET, WIF).

  10. Not only for Federation. Diagram: AD; webapp 1 (smart card or username+password); webapp 2 (Windows authn).

  11. Not only for Federation. Diagram: AD; IdP; external app/service; Partner; webapp 1 (smart card or username+password); webapp 2 (Windows authn).

  12. Protocols. Web applications: passive protocol (WS-Federation); the browser is redirected by the webapp (WIF) to the IdP (WIF) and comes back with a token (tk) that the webapp consumes (steps 1 to 4 in the diagram). Services: active protocol (WS-Trust); the active client (WIF) requests a token (tk) from the IdP and presents it to the service (WIF) (steps 1 to 4 in the diagram).

  13. SAML Tokens (Certificate configuration) • Security Assertion Markup Language • Signed by the provider (issuer) • (Optionally) encrypted to the consumer • Subject confirmation: Bearer (passive protocols), Holder-of-Key (active protocols) • Audience restrictions, so a token issued for one consumer cannot be replayed at another • Statements (claims): Authentication, Authorization and Attributes

  14. Federation Metadata • Purpose: automatic configuration • Published by both consumers and providers • Signed XML documents containing • Endpoint addresses • Claims and token types required and offered • Certificates • …

  15. Windows Identity Foundation Unified model for both ASP.NET and WCF • Contents • .NET Class Library (Microsoft.IdentityModel.dll) • Visual Studio AddIns • Purpose • Identity Consumers • Identity Providers • Client helpers – client channels for WCF

  16. WIF Essentials • Class model for identity representation • Claims consumption pipeline • Token validation • Identity transformation • Authorization decisions • Claims issuance pipeline

  17. Claims Class Model

  18. WIF Consumer Pipeline. Diagram: the Host Adaptation Layer sits on the host (e.g. ASP.NET, WCF).

  19. WIF Consumer Pipeline. Diagram: the Host Adaptation Layer hands the serialized token to the Token Handler; the Token Resolver turns a token reference into a token; the Token Handler produces the claims identities.

  20. WIF Consumer Pipeline (token handler configuration)
    <microsoft.identityModel>
      <service>
        <securityTokenHandlers>
          <remove type="…" />
          <add type="…" />
        </securityTokenHandlers>
      </service>
    </microsoft.identityModel>

  21. WIF Consumer Pipeline. Diagram adds the Issuer Name Registry: the Token Handler resolves the issuer token (signing certificate) to an issuer name before producing the claims identities.

  22. WIF Consumer Pipeline (issuer name registry configuration)
    <issuerNameRegistry type="…ConfigurationBasedIssuerNameRegistry…">
      <trustedIssuers>
        <add name="gaviao" thumbprint="a1…74" />
        <add name="gaviao.adfs" thumbprint="72…8e" />
      </trustedIssuers>
    </issuerNameRegistry>

  23. WIF Consumer Pipeline (Claims Authentication Manager: claims principal in, transformed claims principal out)
    using System.Linq;
    using Microsoft.IdentityModel.Claims;

    // Identity transformation: map the Contoso role onto an application role.
    public class DemoClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal.Identities[0].Claims.Any(c =>
                    c.ClaimType.Equals(ClaimTypes.Role) &&
                    c.Value.Equals("LeadDeveloper@http://gaviao/demo.mip/issue.aspx")))
            {
                incomingPrincipal.Identities[0].Claims.Add(new Claim(ClaimTypes.Role, "IssueMgr"));
            }
            return incomingPrincipal;
        }
    }

  24. WIF Consumer Pipeline (Claims Authorization Manager: authorization context in, boolean out)
    using System;
    using System.Linq;
    using System.Security.Permissions;
    using Microsoft.IdentityModel.Claims;

    // Authorization decision: the issues page requires the IssueMgr role.
    public class DemoClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            var resource = new Uri(context.Resource.First().Value);
            if (resource.AbsolutePath.Equals("/demo.rp/issues.aspx"))
            {
                return context.Principal.Identities[0].Claims.Any(c =>
                    c.ClaimType.Equals(ClaimTypes.Role) && c.Value.Equals("IssueMgr"));
            }
            return true;
        }
    }

    // Explicit demand from application code; CheckAccess runs with Action = "Get", Resource = "ViewIssues".
    [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Get", Resource = "ViewIssues")]
    private void ViewIssues() { … }
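Two things a practitioner would tighten in the managers of slides 23 and 24. The transformation keys only on the role's value, while the issuer name registry of slide 22 trusts two issuers, so a LeadDeveloper role asserted by either of them is mapped, and an IssueMgr role arriving inside a token is honoured by CheckAccess as if the application had granted it. The example below is added here and is not code from the presentation or its demo; the class and assembly names, the issuer name "gaviao.adfs" (the name given to the IdP certificate in the issuer name registry), the role names and the HTTP-method rule are assumptions. It keys the mapping on Claim.Issuer, which the SAML token handler fills with the resolved issuer name, strips any incoming copy of the application role, and handles both ways CheckAccess is reached (HTTP module with a URL, or a ClaimsPrincipalPermission demand with a named operation and resource).

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Added example, not from the presentation or its demo. Registration in web.config
// (assembly name assumed) under <microsoft.identityModel><service>:
//   <claimsAuthenticationManager type="Demo.RP.Security.IssuerAwareAuthenticationManager, Demo.RP" />
//   <claimsAuthorizationManager type="Demo.RP.Security.IssueTrackerAuthorizationManager, Demo.RP" />
namespace Demo.RP.Security
{
    public class IssuerAwareAuthenticationManager : ClaimsAuthenticationManager
    {
        // Assumed names. ContosoIssuer is the name given to the IdP certificate in
        // <issuerNameRegistry>; the SAML token handler copies it into Claim.Issuer.
        private const string ContosoIssuer = "gaviao.adfs";
        private const string ContosoLeadDeveloper = "LeadDeveloper";
        private const string AppIssueManager = "IssueMgr";
        private const string LocalIssuer = "Demo.RP";

        public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || incomingPrincipal.Identities.Count == 0)
            {
                return incomingPrincipal;
            }
            IClaimsIdentity identity = incomingPrincipal.Identities[0];

            // An application role arriving inside the token is not the issuer's to grant:
            // only this relying party grants IssueMgr, so strip any incoming copy.
            foreach (Claim foreign in identity.Claims
                .Where(c => c.ClaimType == ClaimTypes.Role && c.Value == AppIssueManager)
                .ToList())
            {
                identity.Claims.Remove(foreign);
            }

            // Map the Contoso role onto the application role, but only when the trusted
            // Contoso issuer asserted it; the value alone is not enough once more than
            // one issuer is trusted.
            bool leadDeveloperFromContoso = identity.Claims.Any(c =>
                c.ClaimType == ClaimTypes.Role
                && c.Value == ContosoLeadDeveloper
                && string.Equals(c.Issuer, ContosoIssuer, StringComparison.OrdinalIgnoreCase));
            if (leadDeveloperFromContoso)
            {
                // Locally granted claim: record this RP as its issuer so it can be told apart later.
                identity.Claims.Add(new Claim(ClaimTypes.Role, AppIssueManager, ClaimValueTypes.String, LocalIssuer));
            }
            return incomingPrincipal;
        }
    }

    public class IssueTrackerAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            IClaimsPrincipal principal = context.Principal;
            if (principal == null || !principal.Identity.IsAuthenticated)
            {
                return false; // fail closed, also for explicit ClaimsPrincipalPermission demands
            }
            string action = context.Action.First().Value;
            string resourceValue = context.Resource.First().Value;

            Uri url;
            if (Uri.TryCreate(resourceValue, UriKind.Absolute, out url))
            {
                // Reached from the ClaimsAuthorizationModule: Action = HTTP method, Resource = raw URL.
                if (url.AbsolutePath.Equals("/demo.rp/issues.aspx", StringComparison.OrdinalIgnoreCase))
                {
                    // Reading is open to any authenticated user; changing issues needs IssueMgr.
                    return action.Equals("GET", StringComparison.OrdinalIgnoreCase)
                        || HasRole(principal, AppRole);
                }
                return true; // other pages only require authentication
            }

            // Reached through a ClaimsPrincipalPermission demand: Resource and Action are
            // application-defined names, e.g. Operation = "Get", Resource = "ViewIssues".
            if (resourceValue == "ViewIssues" && action == "Get")
            {
                return true;
            }
            return HasRole(principal, AppRole);
        }

        private const string AppRole = "IssueMgr";

        private static bool HasRole(IClaimsPrincipal principal, string role)
        {
            return principal.Identities.Any(id =>
                id.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == role));
        }
    }
}
```

Because the authentication manager runs before the authorization manager in the pipeline (slides 23 to 25), the stripped-and-reissued IssueMgr claim is the only one CheckAccess ever sees, whichever issuer signed the token.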

  25. WIF Consumer Pipeline. Diagram: the complete pipeline on the Host Adaptation Layer: serialized token → Token Handler (with Token Resolver and Issuer Name Registry) → claims identities → Claims Authentication Manager → claims principal → Claims Authorization Manager → boolean.

  26. WIF Consumer Pipeline (ASP.NET)
    <federatedAuthentication>
      <cookieHandler requireSsl="true" />
      <wsFederation issuer="https://gaviao/adfs/ls/"
                    realm="http://gaviao/Demo.RP/default.aspx"
                    requireHttps="true" />
    </federatedAuthentication>
    Diagram: in ASP.NET the Host Adaptation Layer is made of HTTP modules: the WSFederationAuthenticationModule, the SessionAuthenticationModule, the ClaimsPrincipalHttpModule and the ClaimsAuthorizationModule, in front of the same pipeline (Token Resolver, Issuer Name Registry, Token Handler, Claims Authentication Manager, Claims Authorization Manager).
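Slides 13, 20, 22 and 26 each show one fragment of the consumer configuration; the audience restriction that slide 13 relies on never appears. The following is an added, complete <microsoft.identityModel> section for the relying party of the demo, not configuration from the presentation. The audience URI, the assembly-qualified type names and the manager class names are assumptions; the thumbprints are left abbreviated as on the slides. The weak settings a practitioner should look for (audienceUris mode="Never", cookieHandler requireSsl="false") are shown commented out beside the corrected values.

```xml
<microsoft.identityModel>
  <service>
    <!-- Weak: mode="Never" skips the audience check, so a token the issuer signed for
         a different relying party is accepted here (the replay slide 13 warns about).
    <audienceUris mode="Never" />
    -->
    <!-- Corrected: only tokens addressed to this realm are accepted (assumed realm). -->
    <audienceUris>
      <add value="http://gaviao/Demo.RP/default.aspx" />
    </audienceUris>

    <!-- Signing certificates of the trusted issuers, by thumbprint; the name is what
         the token handler writes into Claim.Issuer. Thumbprints abbreviated as on the slides. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add name="gaviao" thumbprint="a1…74" />
        <add name="gaviao.adfs" thumbprint="72…8e" />
      </trustedIssuers>
    </issuerNameRegistry>

    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://gaviao/adfs/ls/"
                    realm="http://gaviao/Demo.RP/default.aspx"
                    requireHttps="true" />
      <!-- Weak: requireSsl="false" lets the session cookie travel over plain HTTP.
      <cookieHandler requireSsl="false" />
      -->
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>

    <!-- Extensibility points of slides 23 and 24; class and assembly names assumed. -->
    <claimsAuthenticationManager type="Demo.RP.Security.IssuerAwareAuthenticationManager, Demo.RP" />
    <claimsAuthorizationManager type="Demo.RP.Security.IssueTrackerAuthorizationManager, Demo.RP" />
  </service>
</microsoft.identityModel>
```

The realm in <wsFederation> and the value in <audienceUris> must match: the identity provider puts the requested realm into the token's audience restriction, and the token handler compares it against this list.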

  27. ASP.NET Integration. Diagram: pipeline events AuthenticateRequest, PostAuthenticateRequest, AuthorizeRequest, EndRequest. Using a legacy authentication mechanism (e.g. Forms authentication): any authentication module handles AuthenticateRequest, the ClaimsPrincipalHttpModule handles PostAuthenticateRequest, the ClaimsAuthorizationModule handles AuthorizeRequest; the SessionAuthenticationModule also takes part in the pipeline.

  28. ASP.NET Integration. Diagram, same events. Using federated authentication (WS-Federation): the WSFederationAuthenticationModule handles AuthenticateRequest, PostAuthenticateRequest and EndRequest, the ClaimsAuthorizationModule handles AuthorizeRequest, and the SessionAuthenticationModule handles AuthenticateRequest.

  29. WS-Federation Authn Module (FAM). Diagram, passive sign-in sequence: (1) the browser sends an HTTP request to the RP; (2) authorization fails for the anonymous request; (3) at EndRequest the FAM answers with an HTTP redirect carrying the federation sign-in request message; (4) the browser sends the request message to the IdP, which authenticates the user; (5) the IdP answers with an HTTP redirect carrying the federation sign-in response message, which contains the security token; (6) the browser sends the response message to the RP; (7) the FAM authenticates the request from the security token; (8) authorization is checked again and the handler runs.

  30. Module Pipeline Events • WSFederationAuthenticationModule • OnAuthorizationFailed • RedirectingToIdentityProvider • SecurityTokenReceived • SecurityTokenValidated • … • SessionAuthenticationModule • SessionSecurityTokenCreated • SessionSecurityTokenReceived • …
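The events of slide 30 are where relying-party policy goes that the token handler cannot know about. The following Global.asax is an added example, not code from the presentation; it assumes WIF 1.0 (the Microsoft.IdentityModel assembly), that the modules are registered in <httpModules> under the names "WSFederationAuthenticationModule" and "SessionAuthenticationModule" (ASP.NET wires Global.asax methods named <moduleName>_<eventName> automatically), and the two policy values (eight hours, twenty minutes) are chosen for the demo. SecurityTokenValidated rejects tokens whose authentication instant is older than the RP tolerates, whatever single sign-on lifetime the IdP uses; SessionSecurityTokenCreated re-issues the session token with a lifetime shorter than the token's.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Web;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

// Added example, not from the presentation. Handlers are auto-wired by ASP.NET from
// their names, assuming the modules are registered in web.config as
// "WSFederationAuthenticationModule" and "SessionAuthenticationModule".
public class Global : HttpApplication
{
    // Policy values chosen for the demo, not WIF defaults.
    private static readonly TimeSpan MaxAuthenticationAge = TimeSpan.FromHours(8);
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(20);

    protected void WSFederationAuthenticationModule_SecurityTokenValidated(
        object sender, SecurityTokenValidatedEventArgs e)
    {
        // Signature, trusted issuer, audience and token lifetime were already checked
        // by the token handler. Add a relying-party rule on top: the user must have
        // authenticated at the IdP recently, regardless of the IdP's SSO lifetime.
        IClaimsIdentity identity = e.ClaimsPrincipal.Identities[0];
        Claim instant = identity.Claims.FirstOrDefault(
            c => c.ClaimType == ClaimTypes.AuthenticationInstant);
        if (instant == null)
        {
            throw new SecurityTokenValidationException("token carries no authentication instant claim");
        }
        // The claim value is an XML dateTime, e.g. 2010-03-16T09:12:34.000Z.
        DateTime authenticatedAt = XmlConvert.ToDateTime(instant.Value, XmlDateTimeSerializationMode.Utc);
        if (DateTime.UtcNow - authenticatedAt > MaxAuthenticationAge)
        {
            throw new SecurityTokenValidationException("authentication at the identity provider is too old");
        }
    }

    protected void SessionAuthenticationModule_SessionSecurityTokenCreated(
        object sender, SessionSecurityTokenCreatedEventArgs e)
    {
        // By default the session cookie lives as long as the incoming token. Replace the
        // session token with one that has a shorter, application-chosen lifetime, so a
        // stolen cookie is useful for less time.
        e.SessionToken = new SessionSecurityToken(e.SessionToken.ClaimsPrincipal, SessionLifetime);
        e.WriteSessionCookie = true;
    }
}
```

Throwing from SecurityTokenValidated fails closed: the module does not create a session and the request ends in an error rather than an authenticated principal.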

  31. Controls: FederatedPassiveSignIn, FederatedPassiveSignInStatus

  32. WCF Integration • WCF already supported federation and claims • System.IdentityModel.dll • e.g. WS2007FederationHttpBinding binding, Claims class • WIF • Builds upon this previous support • Changes the token processing model • WCF and ASP.NET uniform model • Adds client-side features (e.g. explicit token requests)

  33. WCF Integration
    <extensions>
      <behaviorExtensions>
        <add name="federatedServiceHostConfiguration"
             type="…ConfigureServiceHostBehaviorExtensionElement, …" />
      </behaviorExtensions>
    </extensions>
    <behavior name="Demo.RP.statusBehavior">
      <federatedServiceHostConfiguration />
    </behavior>
    • FederatedServiceCredentials • Derives from ServiceCredentials • Static method ConfigureServiceHost(ServiceHostBase) "installs" WIF (the Host Adaptation Layer) • Overrides WCF behavior, namely • Configuration (e.g. username validation) • Authorization policies • Authentication manager

  34. WIF Consumer Pipeline (WCF). Diagram: in WCF the Host Adaptation Layer is made of a SecurityTokenAuthenticator and a ServiceAuthorizationManager, in front of the same pipeline (Token Resolver, Issuer Name Registry, Token Handler, Claims Authentication Manager, Claims Authorization Manager).

  35. Producer Model – host independence

  36. Producer Model – issue pipeline • GetScope • Creates the Scope • Scope • Signing and encrypting creds. • reply to address • GetOutputClaimsIdentity • Creates the issued claims identity • Defines the issued claims • Other non-mandatory extensibility points • ValidateRequest, …

  37. Producer Model – ASP.NET
    using System;
    using Microsoft.IdentityModel.Web;

    // The page hosting the passive STS endpoint hands the request to WIF.
    protected void Page_Load(object sender, EventArgs e)
    {
        FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
            Page.Request,
            Page.User,
            new SimpleSecurityTokenService(new SimpleSecurityTokenServiceConfiguration()),
            Page.Response);
    }

  38. Producer Model – WCF
    <binding name="MessageIssueBinding">
      <security>
        <message clientCredentialType="UserName" … />
      </security>
    </binding>
    <services>
      <service behaviorConfiguration="…"
               name="Microsoft.IdentityModel….WSTrustServiceContract">
        <endpoint address=""
                  …
                  bindingConfiguration="MessageIssueBinding"
                  contract="Microsoft.IdentityModel….IWSTrust13SyncContract" />
        …
      </service>
    </services>

    <%@ ServiceHost Language="C#" Debug="true"
        Factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory,…"
        Service="Demo.MIP.SimpleSecurityTokenServiceConfiguration" %>
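Slides 36 to 38 name the two mandatory extensibility points of the issuance pipeline, GetScope and GetOutputClaimsIdentity, and host the STS through a SimpleSecurityTokenService and SimpleSecurityTokenServiceConfiguration whose bodies are not shown. The following is an added example of what those two classes can look like, not the presentation's Demo.MIP code; the issuer name, the certificate subjects, the relying-party table and the role table are assumptions (the role table stands in for the membership and role providers of slide 9). GetScope refuses any AppliesTo that is not a known relying party and takes the reply address from that table rather than from the request, which keeps the STS from minting tokens for, or redirecting to, arbitrary parties. The configuration's constructor matches the two usages shown on slides 37 and 38.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Added example, not the presentation's Demo.MIP code. Issuer name, certificate
// subjects, relying-party table and role table are assumptions.
namespace Demo.MIP
{
    public class SimpleSecurityTokenServiceConfiguration : SecurityTokenServiceConfiguration
    {
        public SimpleSecurityTokenServiceConfiguration()
            : base("http://gaviao/demo.mip/", new X509SigningCredentials(Certificates.Load("CN=gaviao")))
        {
            SecurityTokenService = typeof(SimpleSecurityTokenService);
        }
    }

    public class SimpleSecurityTokenService : SecurityTokenService
    {
        // Relying parties this STS issues for, keyed by AppliesTo, with the subject of
        // the certificate the token is encrypted to. Anything else is refused in GetScope.
        private static readonly Dictionary<string, string> RelyingParties =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "http://gaviao/Demo.RP/", "CN=gaviao.rp" },
            };

        // Constructed role table standing in for the membership/role providers of the demo.
        private static readonly Dictionary<string, string[]> Roles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice", new[] { "LeadDeveloper" } },
            };

        public SimpleSecurityTokenService(SecurityTokenServiceConfiguration configuration)
            : base(configuration)
        {
        }

        // Scope: who the token is for, how it is signed and encrypted, where to reply.
        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            {
                throw new InvalidRequestException("the request must name the relying party (AppliesTo)");
            }
            string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
            string rpCertificateSubject;
            if (!RelyingParties.TryGetValue(appliesTo, out rpCertificateSubject))
            {
                throw new InvalidRequestException("unknown relying party: " + appliesTo);
            }
            var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
            scope.EncryptingCredentials = new X509EncryptingCredentials(Certificates.Load(rpCertificateSubject));
            // Reply address comes from the table, never from the request's wreply.
            scope.ReplyToAddress = appliesTo;
            return scope;
        }

        // Output identity: the claims that go into the issued token.
        protected override IClaimsIdentity GetOutputClaimsIdentity(
            IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            string user = principal.Identity.Name; // authenticated by the host (e.g. Forms, UserName)
            var output = new ClaimsIdentity();
            output.Claims.Add(new Claim(ClaimTypes.Name, user));
            string[] roles;
            if (Roles.TryGetValue(user, out roles))
            {
                foreach (string role in roles)
                {
                    output.Claims.Add(new Claim(ClaimTypes.Role, role)); // membership claims
                }
            }
            // Contextual claim: how the user authenticated to this STS.
            output.Claims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password));
            return output;
        }
    }

    internal static class Certificates
    {
        // Looks the certificate up by full subject DN in the machine store; validOnly is
        // false so self-signed development certificates are found as well.
        internal static X509Certificate2 Load(string subjectDistinguishedName)
        {
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                X509Certificate2Collection found = store.Certificates.Find(
                    X509FindType.FindBySubjectDistinguishedName, subjectDistinguishedName, false);
                if (found.Count == 0)
                {
                    throw new InvalidOperationException("certificate not found: " + subjectDistinguishedName);
                }
                return found[0];
            }
            finally
            {
                store.Close();
            }
        }
    }
}
```

The same two classes serve both hosts of slides 37 and 38: the ASP.NET page passes an instance to FederatedPassiveSecurityTokenServiceOperations.ProcessRequest, and the WCF .svc names the configuration type so WSTrustServiceHostFactory can instantiate the STS from its SecurityTokenService property.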

  39. Producer Model – WCF integration

  40. } finally { • Identity and Access Control Management • Claims Model Relevance • WIF • Class library for both identity providers and consumers • Multiple hosts: ASP.NET and WCF

  41. ASP.NET integration • ClaimsPrincipalHttpModule • Hooks on the PostAuthenticateRequest event • Translates the authentication performed by another module into the claims model • ClaimsAuthorizationModule • Hooks on the AuthorizeRequest event • If the current user is authenticated, calls the authorization manager • Action = HTTP method, Resource = raw URL • If authorization is denied, completes the request with a 401 status code

  42. ASP.NET integration • WSFederationAuthenticationModule • Hooks on the AuthenticateRequest event • If the request is a sign-in federation message, processes it • Hooks on the PostAuthenticateRequest event • Behavior similar to the ClaimsPrincipalHttpModule (ensures the current principal is a claims principal) • Hooks on the EndRequest event • If the response status code is 401 and the request is not authenticated, redirects to the identity provider with a sign-in request message

  43. ASP.NET integration • SessionAuthenticationModule • Hooks on the AuthenticateRequest event • Tries to read and validate the session token from a cookie • If successful, sets the current principal from the session token • Uses a CookieHandler to read and write cookies

  44. Authorization Model - Enforcement • Called automatically in the pipeline • ASP.NET – in an HTTP module (ClaimsAuthorizationModule) • WCF – in the service dispatcher • Called explicitly via a permission demand • Similar to PrincipalPermission and PrincipalPermissionAttribute • ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute

  45. WIF consumer pipeline. Diagram, recap: serialized token → Token Handler (with Token Resolver and Issuer Name Registry) → claims identities → Claims Authentication Manager → claims principal → Claims Authorization Manager → boolean, all on the Host Adaptation Layer of the host (e.g. ASP.NET, WCF).

  46. A taxonomy of claims • Primordial vs. substantive claims • Primordial: a proof (e.g. a shared secret) that only one subject can present • Substantive: produced by claims providers • Claim types • Static: properties of the subject (National Identifier Number, Date-of-Birth) • Derived: derived from other claims (Portuguese Citizen, Over-18) • Membership: role or group membership, or a relation to another subject (Administrator, Lead Developer, Purchase Officer) • Capability: authorization to do something (Can-emit-purchase-order, Can-admin-CI-server) • Contextual: information about the context (authentication method, location and time)
