
SAML Integration

SAML Integration. Doug Bayer, Director, Windows Security, Microsoft Corporation, dbayer@microsoft.com. Agenda: overview of Microsoft authentication & authorization plans; problem space; our understanding of the scenarios; our current approach; how could we use SAML? Migration? Integration?


Presentation Transcript


  1. SAML Integration. Doug Bayer, Director, Windows Security, Microsoft Corporation, dbayer@microsoft.com

  2. Agenda • Overview of Microsoft authentication & authorization plans • Problem space • Our understanding of the scenarios • Our current approach • How could we use SAML? • Migration? • Integration?

  3. Windows.NET Authentication Architecture • Windows.NET Authorization: Extending the Windows Model • Resource-Based Authorization: ACLs & Groups • Application-Based Authorization: RBAC • Making It All Secure

  4. .NET Process Scenario, step 1: Request Meeting (animated diagram; roles shown: MyNotifications.NET, myCalendar.NET, MyHS.NET, Directory, KDC, AA = Authentication Authority; users Fred@TinyCo.com and Mary@BigCo.com)

  5. .NET Process Scenario, step 2: Query & Request (same diagram)

  6. .NET Process Scenario, step 3: SOAP Message (same diagram)

  7. .NET Process Scenario, step 4: Accept (same diagram)

  8. .NET Process Scenario, step 5: Signed Message; Accepted (same diagram)

  9. Windows.NET Application Security Framework (diagram). Zones: Internet, DMZ, Enterprise; actors: Customer, Partner/Supplier, Employee; Store = Directory or Database; AA = Authentication Authority. Trust mechanisms shown: Direct Trust (XCerts, XKMS), MMS, Signed Messages (XMLDSIG, S/MIME, CAPICOM), Kerberos.

  10. Windows.NET Application Security Framework (diagram, continued). Adds Trust Federation (Passport, Identrus) alongside Direct Trust, MMS and Kerberos; Internet-facing authentication options: Passport, Kerberos, Basic SSL, Digest, …

  11. Windows.NET Application Security Framework (diagram, continued). Threats from Internet and threats from inside & DMZ; an RBAC Policy is shown at each tier.

  12. Windows.NET Authentication • Multiple credential types • Passwords, tokens, smartcards • Multifactor: Key + biometric • Multiple Client to Server protocols: • Today: Basic, NTLM, Passport, Digest, SSL, Kerberos, … • Converge on Kerberos & Kerberos/TLS in the future • Message Signing and Signature verification • Single Server to Server protocol: Kerberos w/constrained delegation • IETF standard, interoperable, scalable • Secure: mutual authentication • Extensible credentials support • Passwords, X.509 certificates, tokens,… • Directory independent authentication

  13. Windows.NET Authentication (diagram). Labels: Users; Passport, Basic, Digest, SSL; Ticket; Front End Application; KDC Trust; Verify Policy: Allowed-To-Delegate-To; Ticket; Back End Application; Signed Messages, S/MIME/SMTP, Kerberos Cert, XMLDSIG/HTTP.

  14. Application Classification For Authorization • Resource Managers • Resources are well-defined with persistence • Access is controlled to operations on such objects • E.g. File system, database, Active Directory, … • Gatekeepers: Special form of resource managers • Resources are other applications • Controls access to other applications • E.g. OS itself, Web Server, VPNs, Firewalls, … • Business Processes • Resources aren’t well defined; operations, processes & workflows are • Access is controlled to operations, processes, workflows • E.g. LOB applications, Transaction processing, ...

  15. Authorization: Role Based Model • Roles-based • LOB, B2B, B2C and workflow applications • Characteristics • No real objects but operations & tasks are well-defined • Authorizations aren’t simply yes/no on operation • Operation data & business rules matter • Typically have a state machine • Where do you ‘hang’ the ACL? • Applications enforce access • Users authenticate to Authentication Authority • Application performs authorization • Application has full access to underlying objects

  16. Roles-Based Authorization Manager (diagram). Application classes: Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …), Business Process Applications (E-Commerce, LOB Applications, …), Resource Manager Applications (Document Store, Mail Store, …), each calling the Windows Authorization API; Authorization Administration Manager with a Policy Store in Active Directory or XML (Files, SQL); Common Roles Management UI.

  17. Roles-Based Authorization Manager • Scopes • VDirs, URL, Prefix • Tasks • Basic: GET/POST • Dynamic by associating VBScript business rules • Groups • Static • Computed • LDAP query • Roles • Defined by administrators and applications (Diagram: Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …); URL-Based Authorization; IIS Web-Based Application; Windows Authorization API; Common Roles Management UI.)

  18. SAML/Kerberos – Protocol Overview (diagram). Components: Web Servers (WebSphere on AIX, Windows.NET, Netscape on MAC), KDC, WebAuth Server(s); the browser issues a Get.

  19. SAML/Kerberos Protocol Overview (diagram): initial request. Labels: SSL Redirect (1), User Name / Password, AS-Req, TGS-Req (2), AP-Req (3), Sess-Cookie, TGT; components: Web Servers, KDC, WebAuth Server(s).

  20. SAML/Kerberos Protocol Overview (diagram): subsequent requests. Labels: Get, AP-Req, AP-Req (cached), Sess-Cookie, TGT, Data; components: Web Servers, KDC, WebAuth Server(s). • Subsequent requests: • Browser sends AP-REQ in cookie • Web Server checks against saved AP-REQ; if OK, returns requested URL

  21. Protocol Overview – Initial Request to Second Web Server • Browser does GET to WebSphere • WebSphere redirects to WebAuth • Redirect contains TGT in cookie • WebAuth does TGS-REQ, then proceeds as before
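The WebAuth exchange on slides 19 through 21, modelled in Python as an added example (not Microsoft's code and not a real Kerberos implementation): HMAC-tagged JSON stands in for encrypted tickets, and the KDC key, web server names, service keys and Fred's password are all constructed. It also covers the first visit to a second web server, where WebAuth uses the TGT it already holds for a fresh TGS-Req.

```python
import hmac, hashlib, json, time

def _sign(key, body):  # constructed stand-in for a Kerberos-encrypted ticket: body + HMAC tag
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def _verify(key, token):  # claims if the tag matches `key` and the ticket has not expired
    body, _, tag = (token or b"").rpartition(b".")
    good = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(good, tag):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > time.time() else None

class Kdc:
    def __init__(self, tgt_key, users, services):
        self.tgt_key, self.users, self.services = tgt_key, users, services
    def as_req(self, user, password):  # AS-Req: WebAuth sends user name/password, gets a TGT
        if self.users.get(user) != password:
            return None
        return _sign(self.tgt_key, json.dumps({"user": user, "exp": time.time() + 3600}).encode())
    def tgs_req(self, tgt, service):  # TGS-Req: a valid TGT buys a ticket for one named web server
        claims = _verify(self.tgt_key, tgt)
        if claims is None or service not in self.services:
            return None
        body = json.dumps({"user": claims["user"], "svc": service, "exp": time.time() + 600})
        return _sign(self.services[service], body.encode())

class WebServer:
    def __init__(self, name, key):
        self.name, self.key, self.accepted = name, key, set()
    def first_request(self, ap_req):  # AP-Req via the WebAuth redirect; on success it becomes the Sess-Cookie
        claims = _verify(self.key, ap_req)
        if claims is None or claims["svc"] != self.name:
            return None
        self.accepted.add(ap_req)
        return ap_req
    def get(self, cookie):  # later requests: cookie must match a saved AP-Req and still verify
        if cookie in self.accepted and _verify(self.key, cookie):
            return "200 " + self.name + " data"
        return "302 redirect to WebAuth"

def demo():  # Fred logs in once, then visits two web servers (all names and keys constructed)
    kdc = Kdc(b"kdc-key", {"Fred@TinyCo.com": "pw"}, {"ws-a": b"key-a", "ws-b": b"key-b"})
    ws_a, ws_b = WebServer("ws-a", b"key-a"), WebServer("ws-b", b"key-b")
    tgt = kdc.as_req("Fred@TinyCo.com", "pw")  # WebAuth keeps the TGT in its own cookie
    cookie_a = ws_a.first_request(kdc.tgs_req(tgt, "ws-a"))
    cookie_b = ws_b.first_request(kdc.tgs_req(tgt, "ws-b"))  # second server: TGS-Req, then as before
    return {"a": ws_a.get(cookie_a), "b": ws_b.get(cookie_b),
            "a_cookie_at_b": ws_b.get(cookie_a), "bad_pw": kdc.as_req("Fred@TinyCo.com", "nope")}
```

A cookie minted for one web server is refused by the other, and a tampered or expired ticket never enters the saved set.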

  22. SAML/Kerberos – Protocol Overview (diagram): affiliate site. Components: Web Servers, Apache Web Servers at the Affiliate Site, MIT-KDC, Directory, KDC, WebAuth Server(s); labels: Get, Sess-Cookie, TGT.

  23. SAML/Kerberos Protocol Overview (diagram): affiliate site, initial request. Labels: SSL Redirect (1), AS-Req, AS-Req (2), AP-Req (3), Sess-Cookie and TGT on both sides; components: Web Servers at both sites, KDC, Directory, KDC, Affiliate Site, WebAuth Server(s).

  24. SAML/Kerberos – Protocol Overview (diagram): affiliate site, subsequent requests. Labels: Get, AP-Req, Sess-Cookie, AP-Req, Data, TGT; components: Web Servers at both sites, KDC, Directory, KDC, Affiliate Site, WebAuth Server(s).

  25. Questions?
