itcamp 2012 - mihai nadas - tackling the single sign-on challenge
TRANSCRIPT
![Page 1: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/1.jpg)
itcampro @ itcamp12 # Premium conference on Microsoft technologies
Tackling the Single Sign-On Challenge
Mihai Nadăș
Windows Azure MVP
Yonder CTO
@mihainadas
mihainadas.com
![Page 2: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/2.jpg)
Private & Public Cloud
ITCamp 2012 sponsors
![Page 3: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/3.jpg)
About myself
• mihainadas.com
• @mihainadas
• Passionate about technology, background in the .NET world
• Windows Azure MVP
• Driving Yonder’s appetite for innovation
![Page 4: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/4.jpg)
On security and the future
• As the world becomes more interconnected, security becomes a more important topic
• Holland, 2012 – VCD’s SaaS solution publicly exposed information about its users’ medical history
We spend our time searching for security and hate it when we get it.
– John Steinbeck
![Page 5: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/5.jpg)
Passwords and implementations
![Page 6: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/6.jpg)
OWASP’s Top 5
1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery
![Page 8: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/8.jpg)
Agenda
• Claims-Based Identity and Access Control
• The Single Sign-On Challenge and Benefits
• Windows Azure Access Control Service
• Q&A
![Page 9: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/9.jpg)
ENOUGH TALKING, LET’S DEMO!
The problem with Identity and Access Control in the Enterprise
![Page 10: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/10.jpg)
What you’ll see
• A fictitious case study of an enterprise called Adatum
• The whiteboard diagram showing the authentication/authorization (auth/auth) problem before claims
• DEMO
![Page 11: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/11.jpg)
Adatum Infrastructure Pre-Claims
![Page 12: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/12.jpg)
DEMO
The problem with Identity and Access Control in the Enterprise
![Page 13: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/13.jpg)
What’s the problem?
• Users of a-Expense need a user/password
• The IT staff have to sync roles between authentication systems
• a-Order can’t be accessed from the Internet
• No Single Sign-On, aka “Credentials Hell”
![Page 14: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/14.jpg)
What’s the problem?
![Page 15: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/15.jpg)
Be the consultant and please Adatum!
• Adatum’s requirements
– Single Sign-On (SSO) capabilities
– Enable Adatum employees to access corporate applications from the Internet (no VPN)
– Plan for the future (cloud, new apps)
• What is your solution?
![Page 16: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/16.jpg)
Introducing Claims-Based Identity
• Control the digital experience based on things that are said about one party by the other
• A party can be a web site, web service, person, government or organization
![Page 17: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/17.jpg)
Claims are not new!
• Mainframes asked for user/password and passed “claims” about them to applications
– uid, gid
– sudo su
• As systems became interconnected we needed ways to identify parties across multiple computers
• Specialized services appeared
– NTLM, Kerberos (Windows Integrated Authentication)
– Public Key Infrastructure (PKI)
– Security Assertion Markup Language (SAML)
![Page 18: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/18.jpg)
The Claims-Based ID Framework
• Two major components
1. A single, general notion of claims
2. Concept of issuer / authority
• Terminology
1. Application (Relying Party, Service Provider)
2. User (Subject, Principal)
3. Issuer (Security Token Service, Identity Provider)
4. Rich Client (Active Client)
5. Browser (Passive Client)
![Page 19: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/19.jpg)
Claims-Based ID in the Real World
Traveler – Check-In Counter – Airport Agents
1. Show ID or Passport
2. Give Boarding Card
3. Show Boarding Card to Gain Access
![Page 20: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/20.jpg)
Claims-Based ID in the Real World (mapped to claims terms)
Traveler = User, Check-In Counter = Issuer, Airport Agents = Application
1. Show ID or Passport = Authentication Credentials
2. Give Boarding Card = Claims
3. Show Boarding Card to Gain Access = Authorization
![Page 21: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/21.jpg)
What are the benefits?
• Simplified authentication logic
• Decoupled authentication from authorization
• Eliminated redundancy
![Page 22: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/22.jpg)
Implementing Claims-Based Identity
• What do you need?
– An App (Web Service, Web Site, Mobile App, etc.)
– An Issuer
– Claims-Based Identity Magic
• What are the steps?
1. Set up an Issuer
2. Configure the Issuer to know about the App
3. Add logic to the App to support claims
4. Configure the App to trust the Issuer
![Page 23: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/23.jpg)
Claims-Based Identity Lifecycle
![Page 24: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/24.jpg)
What’s WIF?
• Windows Identity Foundation
• Framework for building identity-aware applications
• Provides APIs for building ASP.NET or WCF based security token services
• Tools for building claims-aware and federation-capable applications
• Now part of .NET Framework 4.5
![Page 25: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/25.jpg)
ENOUGH TALKING, LET’S DEMO!
Solving Adatum’s problem using Claims-Based Identity
![Page 26: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/26.jpg)
Adatum Infrastructure Post-Claims
![Page 27: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/27.jpg)
Technologies at work
• Windows Identity Foundation
• Active Directory Federation Services
![Page 28: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/28.jpg)
DEMO
Solving Adatum’s problem using Claims-Based Identity
![Page 29: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/29.jpg)
Going beyond Identity Providers
• Welcome Federated Providers!
• A powerful way to provide cross-domain SSO
![Page 30: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/30.jpg)
Adatum meets Litware
![Page 31: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/31.jpg)
ACCESS CONTROL SERVICE
Windows Azure
![Page 32: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/32.jpg)
In short
• A feature of Windows Azure Active Directory
• Outsources authentication (no need to write code)
• Works with .NET, PHP, Python, Java and Ruby
• Out-of-the-box support for a variety of identity providers
• Integrates with on-premises Active Directory
![Page 33: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/33.jpg)
Benefits
• Open industry standards
– Protocols: OAuth 2.0, WS-Trust, WS-Federation
– Token formats: SAML 1.1/2.0 and Simple Web Token (SWT)
• $1.99 per 100,000 transactions
![Page 34: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/34.jpg)
Identity Providers
• Built-in support for
– Windows Live ID
– Yahoo!
– WS-Federation identity providers
• Programmatic configuration for
– WS-Trust based (AD FS 2.0)
– OpenID based
![Page 35: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/35.jpg)
Relying Party Applications
• An application that relies on claims
• Implements federated authentication using ACS
• Trusts the ACS namespace
• Can be configured manually or programmatically through the ACS Management Service
![Page 36: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/36.jpg)
ACS Architecture
![Page 37: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/37.jpg)
ACS – Protocol Handling
• ACS does the heavy lifting for handling protocols
– WS-Federation
– WS-Trust
– OpenID
– OAuth 2.0, OAuth WRAP
– Facebook Graph
• ACS issues normalized tokens
– SAML
– SWT
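The deck names the four steps of implementing claims-based identity (set up an issuer, make the app trust it) and lists SWT as one of the normalized token formats an issuer hands back. The following is an added example, not code from the talk or from ACS, that walks both sides of that trust in one place: an issuer that emits a Simple Web Token (form-encoded claims plus an HMAC-SHA256 over them, the shape ACS used for SWT) and a relying party that checks signature, issuer, audience and expiry before it reads a single claim. The key, issuer URI and audience URI are constructed placeholders; the fixed clock in `demo()` exists only to make the run deterministic.

```python
import base64
import binascii
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed demo key. A real issuer (ACS, AD FS, your own STS) and the
# relying party share a 256-bit symmetric key out of band; never hard-code one.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse-0123456789"

# Placeholder identifiers: the issuer URI the app trusts and the app's own
# realm (audience) URI, as configured on both sides.
ISSUER = "https://issuer.adatum.example/"
AUDIENCE = "https://a-expense.adatum.example/"

RESERVED = ("Issuer", "Audience", "ExpiresOn")


def issue_token(key, claims, issuer, audience, lifetime_seconds=600, now=None):
    """Issuer side: serialize the claims plus Issuer/Audience/ExpiresOn as
    form-encoded pairs and append an HMAC-SHA256 over exactly that string."""
    now = int(time.time()) if now is None else now
    fields = list(claims.items()) + [
        ("Issuer", issuer),
        ("Audience", audience),
        ("ExpiresOn", str(now + lifetime_seconds)),
    ]
    body = urlencode(fields)
    signature = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(signature).decode("ascii"), safe="")


def validate_token(token, key, expected_issuer, expected_audience, now=None):
    """Relying-party side: verify the signature first, then issuer, audience
    and expiry; only then hand the claims on to authorization logic."""
    now = int(time.time()) if now is None else now
    body, separator, encoded_signature = token.rpartition("&HMACSHA256=")
    if not separator:
        raise ValueError("token is not signed")
    try:
        presented = base64.b64decode(unquote(encoded_signature), validate=True)
    except binascii.Error:
        raise ValueError("bad signature") from None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        raise ValueError("bad signature")
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if fields.get("Issuer") != expected_issuer:
        raise ValueError("untrusted issuer")
    if fields.get("Audience") != expected_audience:
        raise ValueError("token not for this application")
    if int(fields.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return {k: v for k, v in fields.items() if k not in RESERVED}


def demo():
    """Issue one token and show which relying-party checks reject each of the
    usual failure modes (constructed inputs, fixed clock)."""
    issued_at = 1_000_000
    claims = {"name": "alice", "role": "Manager"}
    token = issue_token(SIGNING_KEY, claims, ISSUER, AUDIENCE, now=issued_at)
    results = {"accepted": validate_token(token, SIGNING_KEY, ISSUER, AUDIENCE, now=issued_at + 60)}
    attempts = {
        "tampered": (token.replace("Manager", "Admin"), SIGNING_KEY, ISSUER, AUDIENCE, issued_at + 60),
        "wrong_key": (token, b"some-other-key", ISSUER, AUDIENCE, issued_at + 60),
        "wrong_audience": (token, SIGNING_KEY, ISSUER, "https://a-order.adatum.example/", issued_at + 60),
        "expired": (token, SIGNING_KEY, ISSUER, AUDIENCE, issued_at + 601),
    }
    for name, (tok, key, iss, aud, now) in attempts.items():
        try:
            validate_token(tok, key, iss, aud, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for outcome, detail in demo().items():
        print(f"{outcome}: {detail}")
```

The order of checks is the point: the signature is verified before any field is parsed, so nothing an unauthenticated party wrote is ever interpreted, and a token minted for a-Order is refused by a-Expense even though the same key signed it. With SAML the mechanics differ (XML signature, certificate instead of shared key) but the relying party's checklist is the same.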
![Page 38: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/38.jpg)
ENOUGH TALKING, LET’S DEMO!
Windows Azure ACS
![Page 39: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/39.jpg)
Goals
1. Configure your application to outsource authentication to ACS
2. Configure ACS to include the identity providers you want to leverage
3. Configure ACS to process incoming identities and add new claims
4. Modify your application to consume claims from ACS and drive authorization decisions
5. Customize the default authentication user experience provided by ACS
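Goals 3 and 4 above are where the security decisions live: ACS rewrites whatever each identity provider said into the claims the application expects, and the application authorizes on those claims alone. The block below is an added example, not code from the deck or from ACS, that models the rule-group behaviour in plain Python: a rule matches on issuer, claim type and value (with a wildcard for pass-through), emits an output claim under the ACS namespace, and the app checks for a Manager role that ACS itself issued. Issuer names, the namespace, the group name and the users are constructed; the claim type URIs are the standard ones WIF and ACS use.

```python
from dataclasses import dataclass
from typing import Optional

# Standard claim type URIs used by WIF and ACS.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

ANY = "*"  # wildcard on input type or value, like an ACS pass-through rule

# Placeholder issuer identifiers, constructed for the example.
ADATUM_ADFS = "https://adfs.adatum.example/"
GOOGLE = "Google"
ACS_NAMESPACE = "https://adatum-demo.accesscontrol.example/"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


@dataclass(frozen=True)
class Rule:
    input_issuer: str
    input_type: str = ANY
    input_value: str = ANY
    output_type: Optional[str] = None   # None keeps the input claim type
    output_value: Optional[str] = None  # None keeps the input claim value


def apply_rules(rules, incoming):
    """Goal 3: map an identity provider's claims to the claims the app expects.
    Output claims are re-issued under the ACS namespace; claims from issuers
    that no rule names are dropped rather than forwarded."""
    issued = []
    for claim in incoming:
        for rule in rules:
            if rule.input_issuer != claim.issuer:
                continue
            if rule.input_type != ANY and rule.input_type != claim.type:
                continue
            if rule.input_value != ANY and rule.input_value != claim.value:
                continue
            out = Claim(rule.output_type or claim.type, rule.output_value or claim.value, ACS_NAMESPACE)
            if out not in issued:
                issued.append(out)
    return issued


def can_approve_expenses(claims):
    """Goal 4: authorize on the normalized role claim, and only when ACS
    issued it, so a role asserted by some other party carries no weight."""
    return any(c.type == ROLE and c.value == "Manager" and c.issuer == ACS_NAMESPACE for c in claims)


# Constructed rule group for the a-Expense relying party.
RULES = [
    Rule(ADATUM_ADFS),                                                # pass every AD FS claim through
    Rule(ADATUM_ADFS, GROUP, "Expense Approvers", ROLE, "Manager"),   # AD group -> application role
    Rule(GOOGLE, EMAIL),                                              # from Google keep only the e-mail
]


def demo():
    employee = [Claim(NAME, "alice", ADATUM_ADFS), Claim(GROUP, "Expense Approvers", ADATUM_ADFS)]
    visitor = [Claim(EMAIL, "bob@example.com", GOOGLE), Claim(ROLE, "Manager", GOOGLE)]
    spoofed = [Claim(ROLE, "Manager", "https://rogue.example/")]
    return {
        "employee_claims": len(apply_rules(RULES, employee)),
        "employee_can_approve": can_approve_expenses(apply_rules(RULES, employee)),
        "visitor_can_approve": can_approve_expenses(apply_rules(RULES, visitor)),
        "spoofed_claims": len(apply_rules(RULES, spoofed)),
        "raw_role_honoured": can_approve_expenses(visitor),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The employee ends up with three ACS-issued claims (name and group passed through, plus the derived Manager role) and is authorized; the Google visitor keeps only an e-mail claim, and the role they asserted themselves is neither forwarded by the rules nor honoured by the app if it is presented raw. This is the concrete form of "separate authentication from authorization": the app never sees an AD group or a Google account, only the claims its own rule group chose to issue.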
![Page 40: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/40.jpg)
Requirements
• Windows Vista SP2, Windows Server 2008 SP2, Windows Server 2008 R2, or Windows 7 (32-bit or 64-bit)
• Internet Information Services (IIS) 7.0
• .NET Framework 4
• Visual Studio 2010
• Windows Identity Foundation Runtime
• Windows Identity Foundation SDK
![Page 41: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/41.jpg)
DEMO
Windows Azure ACS
![Page 42: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/42.jpg)
Summary
• A feature of Windows Azure Active Directory
• Outsources authentication and authorization (no need to write code)
• Works with .NET, PHP, Python, Java and Ruby
• Out-of-the-box support for identity providers like Windows Live ID, Google, Yahoo! and Facebook
• Integrates with on-premises Active Directory
![Page 43: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/43.jpg)
Conclusions
• Claims get the job done
• Separate authentication from authorization
• Solves OWASP’s 3rd vulnerability (Broken Authentication and Session Management)
• How can it work for you?
![Page 44: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/44.jpg)
References
• Windows Azure Training Kit
• claimsid.codeplex.com
![Page 45: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/45.jpg)
Check Out AzureWorks.ro
www.azureworks.ro
![Page 46: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/46.jpg)
meetwindowsazure.com
![Page 47: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/47.jpg)
Q & A
![Page 48: ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge](https://reader035.vdocuments.mx/reader035/viewer/2022062703/555266d0b4c9052e1f8b4f98/html5/thumbnails/48.jpg)
What about Smart Clients?