SAML Integration
Doug Bayer, Director, Windows Security, Microsoft Corporation, [email protected]


Page 1: SAML Integration

SAML Integration

Doug Bayer
Director, Windows Security
Microsoft Corporation
[email protected]

Page 2: SAML Integration

SAML, August 27, 2001

Agenda
• Overview of Microsoft authentication & authorization plans
• Problem space
• Our understanding of the scenarios
• Our current approach
• How could we use SAML? Migration? Integration?

Page 3: SAML Integration

Windows.NET
• Windows.NET Authentication Architecture
• Windows.NET Authorization: Extending the Windows Model
  • Resource-Based Authorization: ACLs & Groups
  • Application-Based Authorization: RBAC
• Making It All Secure

Page 4: SAML Integration

.NET Process Scenario (diagram; slides 4–8 show the same figure with one numbered step highlighted on each)
Figure labels: MyHS.NET; MyNotifications.NET; myCalendar.NET; Directory; KDC; AA = Authentication Authority; Roles: Fred (Owner), Mary (Viewer); users [email protected] and [email protected] (BigCo.com)
Step 1: Request Meeting

Page 5: SAML Integration

.NET Process Scenario, step 2: Query & Request

Page 6: SAML Integration

.NET Process Scenario, step 3: SOAP Message

Page 7: SAML Integration

.NET Process Scenario, step 4: Accept

Page 8: SAML Integration

.NET Process Scenario, step 5: Signed Message; Accepted

Page 9: SAML Integration

Windows.NET Application Security Framework (diagram; slides 9–11 show the same figure with different overlays)
Figure labels: Enterprise, DMZ, Internet; Employee, Customer, Partner/Supplier; AA = Authentication Authority; Store = Directory or Database; Direct Trust; MMS; Kerberos
Slide 9 overlay: Direct Trust (XCerts, XKMS); Signed Messages (XMLDSIG, S/MIME, CAPICOM)

Page 10: SAML Integration

Windows.NET Application Security Framework, slide 10 overlay: Trust Federation (Passport, Identrus); client protocols: Passport, Kerberos, Basic SSL, Digest, …

Page 11: SAML Integration

Windows.NET Application Security Framework, slide 11 overlay: RBAC Policy at each tier; Threats from Inside & DMZ; Threats from Internet

Page 12: SAML Integration

Windows.NET Authentication
• Multiple credential types
  • Passwords, tokens, smartcards
  • Multifactor: Key + biometric
• Multiple Client to Server protocols:
  • Today: Basic, NTLM, Passport, Digest, SSL, Kerberos, …
  • Converge on Kerberos & Kerberos/TLS in the future
  • Message Signing and Signature verification
• Single Server to Server protocol: Kerberos w/constrained delegation
  • IETF standard, interoperable, scalable
  • Secure: mutual authentication
  • Extensible credentials support: Passwords, X.509 certificates, tokens, …
  • Directory independent authentication

Page 13: SAML Integration

Windows.NET Authentication (diagram)
Figure labels: Users; Front End Application; Back End Application; KDC; Ticket; Trust; Verify Policy: Allowed-To-Delegate-To; client-side protocols: Passport, Basic, Digest, SSL, Kerberos, Cert, Signed Messages (S/MIME/SMTP, XMLDSIG/HTTP)

Page 14: SAML Integration

Application Classification For Authorization
• Resource Managers
  • Resources are well-defined with persistence
  • Access is controlled to operations on such objects
  • E.g. File system, database, Active Directory, …
• Gatekeepers: Special form of resource managers
  • Resources are other applications
  • Controls access to other applications
  • E.g. OS itself, Web Server, VPNs, Firewalls, …
• Business Processes
  • Resources aren't well defined; operations, processes & workflows are
  • Access is controlled to operations, processes, workflows
  • E.g. LOB applications, Transaction processing, …

Page 15: SAML Integration

Authorization: Role Based Model
• Roles-based
  • LOB, B2B, B2C and workflow applications
• Characteristics
  • No real objects, but operations & tasks are well-defined
  • Authorizations aren't simply yes/no on an operation
  • Operation data & business rules matter
  • Typically have a state machine
  • Where do you 'hang' the ACL?
• Applications enforce access
  • Users authenticate to the Authentication Authority
  • Application performs authorization
  • Application has full access to underlying objects

Page 16: SAML Integration

Roles-Based Authorization Manager (diagram)
Figure labels: Windows Authorization API, called by Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …), Resource Manager Applications (Document Store, Mail Store, …) and Business Process Applications (E-Commerce, LOB Applications, …); Authorization Administration Manager; Common Roles Management UI; Policy Store: Active Directory or XML (Files, SQL)

Page 17: SAML Integration

Roles-Based Authorization Manager: URL-Based Authorization (diagram)
Figure labels: IIS; URL; Web-Based Application; Windows Authorization API; Common Roles Management UI; Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …)
• Scopes: VDirs, URL, Prefix
• Tasks
  • Basic: GET/POST
  • Dynamic by associating VBscript business rules
• Groups: Static, Computed, LDAP query
• Roles: Defined by administrators and applications
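The scope/task/group/role model on this slide, worked through as an added example in Python; this is not Microsoft's Windows Authorization API or any code from the deck. The policy, the user attributes and the request data are constructed sample values, the dynamic task rule is a Python callable standing in for the slide's VBScript business rule, and the longest-prefix scope matching and deny-by-default behaviour are assumptions of this example.

```python
"""Toy URL-based authorization check: scopes keyed by URL prefix, tasks that are
basic (HTTP method) or dynamic (a business rule over request data), groups that
are static or computed from user attributes, and roles defined by an
administrator. Added example, not Microsoft code; the rule callable stands in
for the slide's VBScript business rule (assumption)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Rule = Callable[[dict], bool]          # dynamic business rule over request data


@dataclass
class Task:
    name: str
    methods: Set[str]                   # basic part: HTTP methods the task covers
    rule: Optional[Rule] = None         # dynamic part: must also hold, if set


@dataclass
class Scope:
    prefix: str                         # VDir / URL prefix this policy applies to
    roles: Dict[str, Set[str]] = field(default_factory=dict)  # role -> task names


@dataclass
class Policy:
    tasks: Dict[str, Task]
    scopes: List[Scope]
    static_groups: Dict[str, Set[str]]                  # group -> member users
    computed_groups: Dict[str, Callable[[dict], bool]]  # group -> predicate on attrs
    role_members: Dict[str, Set[str]]                   # role -> users or groups

    def groups_for(self, user: str, attrs: dict) -> Set[str]:
        groups = {g for g, members in self.static_groups.items() if user in members}
        groups |= {g for g, pred in self.computed_groups.items() if pred(attrs)}
        return groups

    def roles_for(self, user: str, attrs: dict) -> Set[str]:
        principals = {user} | self.groups_for(user, attrs)
        return {r for r, members in self.role_members.items() if principals & members}

    def scope_for(self, url: str) -> Optional[Scope]:
        # Longest matching prefix wins, so /orders/approve can be tighter than /orders.
        matches = [s for s in self.scopes if url.startswith(s.prefix)]
        return max(matches, key=lambda s: len(s.prefix), default=None)

    def access_check(self, user: str, attrs: dict, method: str, url: str,
                     data: Optional[dict] = None) -> bool:
        scope = self.scope_for(url)
        if scope is None:
            return False                # no policy for this URL: deny by default
        allowed: Set[str] = set()
        for role in self.roles_for(user, attrs):
            allowed |= scope.roles.get(role, set())
        for name in allowed:
            task = self.tasks[name]
            if method in task.methods and (task.rule is None or task.rule(data or {})):
                return True
        return False


def build_sample_policy() -> Policy:
    """Constructed sample policy: an orders application behind a web server."""
    tasks = {
        "read": Task("read", {"GET"}),
        "submit_order": Task("submit_order", {"POST"},
                             rule=lambda d: d.get("amount", 0) <= 1000),  # business rule
        "approve": Task("approve", {"POST"}),
    }
    scopes = [
        Scope("/home", {"Viewer": {"read"}}),
        Scope("/orders", {"Clerk": {"read", "submit_order"},
                          "Manager": {"read", "submit_order"}}),
        Scope("/orders/approve", {"Manager": {"approve"}}),
    ]
    return Policy(
        tasks=tasks,
        scopes=scopes,
        static_groups={"clerks": {"fred"}},                             # static group
        computed_groups={"managers": lambda a: a.get("title") == "Manager"},  # computed
        role_members={"Viewer": {"clerks", "managers"},
                      "Clerk": {"clerks"},
                      "Manager": {"managers"}},
    )


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.access_check("fred", {}, "POST", "/orders", {"amount": 500}))   # True
    print(p.access_check("fred", {}, "POST", "/orders", {"amount": 5000}))  # False
```

Two points the slide's bullets leave implicit are made explicit here: a URL with no matching scope is denied rather than falling through, and a dynamic task is only granted when both its method and its business rule hold, so a clerk's over-limit order fails even though the clerk holds a role that includes the task.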

Page 18: SAML Integration

SAML/Kerberos – Protocol Overview (diagram)
Figure labels: Web Servers (Netscape MAC; WebSphere AIX; Windows.NET); KDC; WebAuth Server(s); Get

Page 19: SAML Integration

SAML/Kerberos Protocol Overview (diagram)
Figure labels: Web Servers; KDC; WebAuth Server(s)
(1) Redirect (the browser's Get is redirected to WebAuth); SSL; User Name, Password
(2) AS-Req, TGS-Req (WebAuth to KDC); Sess-Cookie: TGT
(3) AP-Req (to the web server)

Page 20: SAML Integration

SAML/Kerberos Protocol Overview (diagram)
Figure labels: Web Servers; KDC; WebAuth Server(s); Get; Sess-Cookie: TGT; AP-Req; Sess-Cookie: AP-Req; AP-Req (cached); Data
Subsequent requests:
• Browser sends AP-REQ in cookie
• Web Server checks against saved AP-REQ; if OK, returns requested URL

Page 21: SAML Integration

Protocol Overview – Initial Request to Second Web Server
• Browser does GET to WebSphere
• WebSphere redirects to WebAuth
• Redirect contains TGT in cookie
• WebAuth does TGS-REQ, then proceeds as before
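The flow on slides 19–21 (first request, subsequent requests checked against the cached AP-REQ, and the first request to a second web server that reuses the TGT cookie) as an added example in Python with all parties simulated in one process. This is not Microsoft's or any WebAuth implementation's code: the KDC, tickets and cookies are HMAC-tagged JSON stand-ins for Kerberos AS/TGS/AP messages, the host names and the credential are constructed, and the ticket-lifetime check and the per-server service key are assumptions added here.

```python
"""Single-process simulation of the WebAuth cookie-based SSO flow: browser, two
web servers, WebAuth server and a toy KDC. Added example, not Microsoft or
WebAuth code. Tickets are (payload, MAC) pairs over JSON standing in for
Kerberos messages (assumption); login() stands in for the SSL leg."""
import hashlib
import hmac
import json
import time
from typing import Optional

LIFETIME = 600   # seconds; a ticket lifetime is an assumption, the slides give none


def _tag(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _valid(key: bytes, ticket) -> Optional[dict]:
    """Return the ticket body if its MAC verifies under key and it has not expired."""
    payload, mac = ticket
    if not hmac.compare_digest(mac, _tag(key, payload)):
        return None
    body = json.loads(payload)
    return body if body["exp"] > time.time() else None


class ToyKDC:
    def __init__(self, users: dict):
        self.users = users                      # user -> password (constructed)
        self.tgt_key = b"kdc-tgt-key"           # known only to the KDC
        self.svc_keys = {}                      # service principal -> shared key

    def register_service(self, spn: str) -> bytes:
        self.svc_keys[spn] = hashlib.sha256(spn.encode()).digest()
        return self.svc_keys[spn]

    def as_req(self, user: str, password: str):        # AS-REQ: password -> TGT
        if self.users.get(user) != password:
            return None
        payload = json.dumps({"user": user, "exp": time.time() + LIFETIME}).encode()
        return (payload, _tag(self.tgt_key, payload))

    def tgs_req(self, tgt, spn: str):                   # TGS-REQ: TGT -> service ticket
        body = _valid(self.tgt_key, tgt)
        if body is None:
            return None
        st = json.dumps({"user": body["user"], "spn": spn,
                         "exp": time.time() + LIFETIME}).encode()
        return (st, _tag(self.svc_keys[spn], st))


class WebAuthServer:
    """Keeps the TGT in the user's session cookie and mints an AP-REQ per web server."""
    def __init__(self, kdc: ToyKDC):
        self.kdc = kdc

    def login(self, user: str, password: str):          # over SSL; step (2)
        tgt = self.kdc.as_req(user, password)
        return None if tgt is None else {"tgt": tgt}

    def ap_req_for(self, session: dict, spn: str):      # TGS-REQ, then AP-REQ; step (3)
        st = self.kdc.tgs_req(session["tgt"], spn)
        return None if st is None else {"ap_req": st}


class WebServer:
    def __init__(self, spn: str, kdc: ToyKDC):
        self.spn = spn
        self.key = kdc.register_service(spn)
        self.cached = {}                         # user -> AP-REQ accepted at first request

    def get(self, url: str, cookie):
        ap = cookie.get("ap_req") if cookie else None
        if ap is None:
            return ("redirect", "webauth")       # step (1): no cookie, send to WebAuth
        body = _valid(self.key, ap)
        if body is None or body["spn"] != self.spn:
            return ("forbidden", None)           # bad MAC, other server's ticket, or expired
        user = body["user"]
        # Subsequent requests are checked against the AP-REQ saved at first acceptance.
        if self.cached.setdefault(user, ap) != ap:
            return ("forbidden", None)
        return ("200", f"{url} for {user}")


def run_scenario() -> dict:
    kdc = ToyKDC({"fred": "correct horse"})      # constructed credential
    webauth = WebAuthServer(kdc)
    iis = WebServer("HTTP/iis.example", kdc)
    websphere = WebServer("HTTP/websphere.example", kdc)
    jar, log = {}, {}                            # browser cookie jar keyed by host
    log["first_get"] = iis.get("/home", jar.get("iis"))[0]
    log["bad_password"] = webauth.login("fred", "wrong") is None
    jar["webauth"] = webauth.login("fred", "correct horse")        # TGT in Sess-Cookie
    jar["iis"] = webauth.ap_req_for(jar["webauth"], iis.spn)       # AP-REQ in cookie
    log["after_login"] = iis.get("/home", jar["iis"])
    log["subsequent"] = iis.get("/data", jar["iis"])[0]            # cached AP-REQ check
    # Second web server: redirect again, but the TGT cookie means no new password prompt.
    log["second_first_get"] = websphere.get("/app", None)[0]
    jar["websphere"] = webauth.ap_req_for(jar["webauth"], websphere.spn)
    log["second_server"] = websphere.get("/app", jar["websphere"])[0]
    log["wrong_server"] = websphere.get("/app", jar["iis"])[0]     # ticket is for iis only
    payload, mac = jar["iis"]["ap_req"]                            # edited user name
    log["tampered"] = iis.get("/data", {"ap_req": (payload.replace(b"fred", b"mary"), mac)})[0]
    return log
```

The web server here never sees the password: it trusts only a ticket it can verify under its own service key, rejects a ticket issued for a different server, and compares later requests with the AP-REQ it saved on first acceptance, which is the check the slide describes. In the real protocol an AP-REQ also carries an authenticator with a timestamp, which the MAC-only stand-in does not model.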

Page 22: SAML Integration

SAML/Kerberos – Protocol Overview, Affiliate Site (diagram; slides 22–24 show the same figure with different steps)
Figure labels: Web Servers; KDC; Directory; Affiliate Site with MIT-KDC and Apache Web Servers; WebAuth Server(s); Get; Sess-Cookie: TGT

Page 23: SAML Integration

SAML/Kerberos Protocol Overview, Affiliate Site: (1) Redirect; SSL; (2) AS-Req; Sess-Cookie: TGT; (3) AP-Req

Page 24: SAML Integration

SAML/Kerberos – Protocol Overview, Affiliate Site: Get; Sess-Cookie: TGT; AP-Req; Sess-Cookie: AP-Req; Data

Page 25: SAML Integration

Questions?