Liberating Identity using Windows Identity Foundation
DESCRIPTION
This presentation was delivered by Simon Evans to the London Connected Systems User Group on 7th December 2010.
TRANSCRIPT
![Page 1: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/1.jpg)
Liberating Identity with WIF
Simon Evans
London Connected Systems User Group
![Page 2: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/2.jpg)
IDENTITY MATTERS
And we’ve broken it
![Page 3: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/3.jpg)
Diagram: Internet Facing and Intranet Facing systems, each carrying its own Users and Roles
• My company website
– Presentation Logic
– Users and Roles
– Application Logic
– Data Access Logic
• Customer Service
– Service Contract
– Service Implementation
• Product Service
– Service Contract
– Service Implementation
• CRM System
– Presentation Logic
– Users and Roles
– Application Logic
– Data Access Logic
• Smart Phone Services
– Service Contract
– Service Implementation
![Page 4: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/4.jpg)
(Same diagram as the previous slide, with the per-system Users and Roles highlighted.)
![Page 5: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/5.jpg)
Users are prisoners
![Page 6: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/6.jpg)
The consequences
• Users have to remember lots of credentials
• Administrators have to manage user accounts in lots of systems
• User access cannot be traced
• The “trusted subsystem” anti-pattern
• Software blocks opportunity
– Acquisition
– Federation
![Page 7: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/7.jpg)
LIBERATING IDENTITY
Free your users
![Page 8: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/8.jpg)
Claims
![Page 9: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/9.jpg)
Example Claims
• Firstname
• Surname
• Date of Birth
• Post Code
• Email Address
• Company Name
• Business Unit
• Roles
![Page 10: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/10.jpg)
ACCESS CONTROL
Is RBAC dead?
![Page 11: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/11.jpg)
Anatomy of a Security Token
![Page 12: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/12.jpg)
Anatomy of a Security Token
• Collection of Claims
• Audience
• Valid Dates
• Issuer with digital signature
• Encryption
• Various formats (SAML 1.1, SAML 2.0, Custom…)
![Page 13: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/13.jpg)
Issuing Security Tokens
![Page 14: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/14.jpg)
Security Token Services (STS)
• All Security Token Services issue tokens
• Identity Provider Security Token Service (IP-STS)
– Stores the identity information about a user
– Somehow authenticates a user
• Resource Security Token Service (R-STS)
– Transforms claims from one format to another
– Relies on at least one IP-STS
• A Relying Party (RP) consumes security tokens issued from a trusted STS
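The token anatomy from slide 12 and the IP-STS / R-STS / Relying Party chain from slide 14, worked through as an added example that is not part of the talk. HMAC-SHA256 with a per-issuer key stands in for the X.509 signature a real STS applies, the token body is a constructed JSON structure rather than SAML, and every issuer name, audience URI, key and claim is made up for the example.

```python
"""Added example, not from the talk: a toy security token and the
IP-STS -> R-STS -> Relying Party chain from the slides.

HMAC-SHA256 with a per-issuer key stands in for the X.509 signature a real
STS applies; the token body is a constructed JSON structure, not SAML.
Issuer names, audiences, keys and claims are all made up for the example.
"""
import hashlib
import hmac
import json
import time

# Constructed issuer keys. With X.509 the issuer holds the private key and the
# RP is configured with only the issuer certificate (or its thumbprint).
KEYS = {
    "ip-sts1": b"ip-sts1-secret",
    "r-sts": b"r-sts-secret",
    "rogue-sts": b"rogue-secret",   # nobody is configured to trust this one
}
SHOP = "https://shop.example.invalid/"   # the RP's audience URI (constructed)


def issue(issuer, audience, claims, lifetime=300, now=None):
    """Anatomy of a token: claims, audience, validity window, issuer signature."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "audience": audience,
            "not_before": now, "not_after": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def validate(token, expected_audience, trusted_issuers, now=None):
    """The checks a relying party must make, in order: trusted issuer,
    signature, audience, validity window. Only then are the claims usable."""
    now = time.time() if now is None else now
    body = json.loads(token["payload"])
    issuer = body["issuer"]
    key = KEYS.get(issuer)
    if issuer not in trusted_issuers or key is None:
        raise ValueError("untrusted issuer: %s" % issuer)
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise ValueError("bad signature")
    if body["audience"] != expected_audience:
        raise ValueError("token is for %s, not %s" % (body["audience"], expected_audience))
    if not body["not_before"] <= now < body["not_after"]:
        raise ValueError("token outside its validity window")
    return body["claims"]


def r_sts_transform(ip_token, now=None):
    """R-STS: accept a token from a trusted IP-STS, transform the claims,
    re-issue a token whose audience is the RP."""
    claims = validate(ip_token, "r-sts", {"ip-sts1", "ip-sts2"}, now)
    role_map = {"CN=Sales,OU=Groups": "order-entry"}   # directory group -> app role
    out = {"name": claims["name"], "company": "Contoso",
           "roles": [role_map[g] for g in claims.get("groups", []) if g in role_map]}
    return issue("r-sts", SHOP, out, now=now)


def relying_party(token, now=None):
    """The RP trusts only the R-STS and authorises on the transformed roles."""
    claims = validate(token, SHOP, {"r-sts"}, now)
    return "order-entry" in claims["roles"]


def demo(now=1_000_000.0):
    """Run the happy path and the rejections an RP must get right."""
    def rejected(fn):
        try:
            fn()
            return False
        except ValueError:
            return True

    user = {"name": "alice", "groups": ["CN=Sales,OU=Groups", "CN=All,OU=Groups"]}
    ip_token = issue("ip-sts1", "r-sts", user, now=now)
    rp_token = r_sts_transform(ip_token, now=now)
    out = {"chain_ok": relying_party(rp_token, now=now),
           "rp_claims": validate(rp_token, SHOP, {"r-sts"}, now)}
    # IP-STS token shown straight to the RP: wrong issuer and wrong audience.
    out["ip_token_at_rp_rejected"] = rejected(lambda: relying_party(ip_token, now=now))
    # Well-formed token from an issuer the RP was never configured to trust.
    rogue = issue("rogue-sts", SHOP, {"name": "mallory", "roles": ["order-entry"]}, now=now)
    out["rogue_rejected"] = rejected(lambda: relying_party(rogue, now=now))
    # Edited claims break the signature.
    forged = dict(rp_token, payload=rp_token["payload"].replace(b'"alice"', b'"admin"'))
    out["tampered_rejected"] = rejected(lambda: relying_party(forged, now=now))
    # Replay after the validity window has closed.
    out["expired_rejected"] = rejected(lambda: relying_party(rp_token, now=now + 600))
    return out
```

Two things to note from the example. The RP needs only two pieces of configuration to establish trust: the issuer's certificate (here a key) and its own audience URI; a token that is perfectly valid for a different audience, or from an issuer not in that list, is rejected before its claims are ever read. And the R-STS drops the raw directory groups when it transforms claims, so the RP sees only the roles it needs rather than the whole of the user's directory membership. In production, allow a small clock skew on the validity check, since STS and RP clocks will not agree to the second.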
![Page 15: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/15.jpg)
Security Token Services (STS)
Diagram: the RP trusts the R-STS; the R-STS in turn trusts IP-STS1 and IP-STS2.
![Page 16: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/16.jpg)
Security Token Services (STS)
Diagram: the website trusts ACS; ACS in turn trusts ADFS 2.0 and OpenID.
![Page 17: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/17.jpg)
ESTABLISHING TRUST
X.509
![Page 18: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/18.jpg)
The Identity Protocols
• Browser based “Passive” clients
– WS-Federation
– SAML-P
• Non-Browser based “Active” clients
– SOAP
• WS-Trust 1.3
– REST
• OAuth WRAP
• OAuth 2.0
![Page 19: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/19.jpg)
Identity in the Microsoft Stack
• Windows Identity Foundation (WIF)
– Build Relying Parties using WS-Federation and WS-Trust
– Build custom Security Token Services
• StarterSTS
• ADFS 2.0
– On premise IP-STS or R-STS
– Supports WS-Federation, WS-Trust, SAML-P
• Windows Azure AppFabric Access Control Service (ACS)
– R-STS in the cloud
– Supports OAuth WRAP, WS-Federation, WS-Trust, OpenId, Google, Yahoo and
![Page 20: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/20.jpg)
Platform support for consuming claims
• SharePoint 2010
• WF4 Security Activity Pack
• WIF provides support for:
– WCF via custom bindings
– ASP.NET via HTTP modules
• WCF Data Services
![Page 21: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/21.jpg)
IDENTITY DELEGATION
Removing the “Trusted Subsystem” anti-pattern
![Page 22: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/22.jpg)
WS-Trust 1.3 Delegation “Act-As”
Diagram: the IP-STS is trusted by both the Website RP and the Service RP; the Website RP calls the Service RP by delegation, acting as the signed-in user.
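The Act-As flow in the diagram above, beside the trusted-subsystem call it replaces, as an added example that is not part of the talk. A single toy IP-STS signs tokens with HMAC-SHA256 (standing in for the STS signing certificate), the Website RP calls the Service RP first as itself and then with an Act-As token, and every name, secret, claim and the token layout is constructed for the example.

```python
"""Added example, not from the talk: WS-Trust Act-As delegation in miniature,
beside the "trusted subsystem" call it replaces.

One toy IP-STS signs tokens with HMAC-SHA256 (standing in for an X.509
signature); a Website RP calls a Service RP first as itself and then with an
Act-As token. Names, secrets, claims and the token layout are constructed.
"""
import hashlib
import hmac
import json

STS_KEY = b"ip-sts-signing-key"   # constructed; really the STS signing certificate's key
# How the IP-STS authenticates requesters, users and RPs alike (constructed credentials).
CREDENTIALS = {"alice": "alice-pw", "website-rp": "website-svc-secret"}
USER_CLAIMS = {
    "alice": {"name": "alice", "roles": ["order-entry"]},
    # A service account with broad rights is what the trusted-subsystem pattern relies on.
    "website-rp": {"name": "website-rp", "roles": ["order-entry"]},
}
# Which RPs the STS lets act as a user, and towards which downstream audience.
ACT_AS_ALLOWED = {"website-rp": {"service-rp"}}


def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(STS_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def _verify(token, audience):
    """Signature and audience check (validity dates left out to keep this short)."""
    sig = hmac.new(STS_KEY, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, token["sig"]):
        raise ValueError("bad signature")
    body = json.loads(token["payload"])
    if body["audience"] != audience:
        raise ValueError("token is for %s, not %s" % (body["audience"], audience))
    return body


def sts_issue(requester, secret, audience, act_as=None):
    """Toy RST/RSTR. Without act_as the requester is the subject; with act_as
    the subject is the user in the inner token and the requester becomes the actor."""
    if CREDENTIALS.get(requester) != secret:
        raise ValueError("authentication failed for %s" % requester)
    if act_as is None:
        return _sign({"audience": audience, "subject": requester,
                      "claims": USER_CLAIMS[requester], "actor": None})
    if audience not in ACT_AS_ALLOWED.get(requester, set()):
        raise ValueError("%s may not act as others towards %s" % (requester, audience))
    # The inner token must be one this STS issued *to the requester*; a token
    # captured from another RP is rejected on audience.
    inner = _verify(act_as, audience=requester)
    return _sign({"audience": audience, "subject": inner["subject"],
                  "claims": inner["claims"], "actor": requester})


def service_rp(token):
    """Service RP: authorise on the subject's claims; for delegated calls also
    require a known actor. Returns the audit record the service can now write."""
    body = _verify(token, "service-rp")
    if "order-entry" not in body["claims"].get("roles", []):
        raise PermissionError("%s lacks order-entry" % body["subject"])
    if body["actor"] is not None and body["actor"] not in ACT_AS_ALLOWED:
        raise PermissionError("unknown actor %s" % body["actor"])
    return {"user": body["subject"], "via": body["actor"]}


def trusted_subsystem_call():
    """Anti-pattern: the website calls as itself, so the service never learns who the user was."""
    svc_token = sts_issue("website-rp", "website-svc-secret", "service-rp")
    return service_rp(svc_token)


def act_as_call():
    """Delegation: alice signs in to the website; the website then acts as alice."""
    alice_token = sts_issue("alice", "alice-pw", "website-rp")
    delegated = sts_issue("website-rp", "website-svc-secret", "service-rp", act_as=alice_token)
    return service_rp(delegated)


def replayed_token_rejected():
    """A token alice obtained for some other RP cannot be used by the website as Act-As."""
    other = sts_issue("alice", "alice-pw", "crm-rp")
    try:
        sts_issue("website-rp", "website-svc-secret", "service-rp", act_as=other)
    except ValueError:
        return True
    return False
```

The difference between the two calls is the audit record the service can write: the trusted-subsystem call yields only the website's service account, which is the "user access cannot be traced" consequence from the earlier slide, while the Act-As call yields the real user plus the intermediary that acted for them. The STS, not the service, decides who may act as whom, and it only accepts an inner token it issued to the requester itself. In WIF the actor appears on the resulting claims identity as its Actor property, so the service can apply both checks shown here.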
![Page 23: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/23.jpg)
Contact Us
• Simon Evans
– [email protected]
– http://consultingblogs.emc.com/simonevans
– http://twitter.com/simonevans
![Page 24: Liberating Identity using Windows Identity Foundation](https://reader033.vdocuments.mx/reader033/viewer/2022061206/54825a0e5806b5ed048b4676/html5/thumbnails/24.jpg)
Copyright © 2009 EMC Corporation. All rights reserved.