wif and sl4 (en)

Upload: nuno-godinho

Posted on 14-Dec-2014


Page 1: Wif and sl4 (en)
Page 2: Wif and sl4 (en)

WIF and Silverlight 4 – Claims Aware, Identity Federation (Passive and Active)

Nuno Godinho – Independent Consultant

Page 3: Wif and sl4 (en)
Page 4: Wif and sl4 (en)

Nuno Filipe Godinho

Independent Consultant

Mail: [email protected]@sapo.pt

MSN: [email protected]

Blogs:

– http://pontonetpt.com/blogs/nunogodinho
– http://xamlpt.com/blogs/nunogodinho
– http://weblogs.asp.net/nunogodinho
– http://msmvps.org/blogs/nunogodinho

Twitter: NunoGodinho

About Me

Page 5: Wif and sl4 (en)

Agenda

Page 6: Wif and sl4 (en)

• Introduction to Claims-Based Identity

• WIF – Windows Identity Foundation
– Introduction
– Building Claims-Aware Silverlight Applications

• Identity Federation in Silverlight
– Passive Federation
– Active Federation

• Summary

Agenda

Page 7: Wif and sl4 (en)

Introduction to Claims-based Identity

Page 8: Wif and sl4 (en)

• Your Applications are prisoners of Identity Silos

Introduction to Claims-Based Identity

[Diagram: every application carries its own Login.aspx and Page1.aspx, its own credential types / APIs, its own credential stores and its own user attribute stores]

Page 9: Wif and sl4 (en)

• Identification in Real Life Works Pretty Well… How Do We Do That?

Introduction to Claims-Based Identity

– Externalizes authentication
– Gets user info from a document

Page 10: Wif and sl4 (en)

• Claims Can Set Your Application Free

Introduction to Claims-Based Identity

[Diagram: the Identity Provider's STS (e.g. Active Directory Federation Services 2.0) issues a Security Token carrying Claims, which the Relying Party consumes]

Page 11: Wif and sl4 (en)

WIF – Windows Identity Foundation

Page 12: Wif and sl4 (en)

• Programming Model
– Essential claims programming model
• Claims Object Model integrated with the .NET identity API
• Single programming model for ASP.NET & WCF
• Single programming model for on-premises & cloud
• Configuration driven

– Tools for metadata-driven automatic application configuration
• WS-Federation, WS-Trust

– Framework for custom STS development
– And more…

WIF – Windows Identity Foundation

Page 13: Wif and sl4 (en)

• Object Model

– IPrincipal: IsInRole, Identity
– IIdentity: AuthenticationType, IsAuthenticated, Name
– IClaimsPrincipal: exposes its IClaimsIdentity
– IClaimsIdentity: Claims, Delegate
– Claim: Subject, Issuer, OriginalIssuer, ClaimType, Value, ValueType

WIF – Windows Identity Foundation

// Requires Microsoft.IdentityModel.Claims, System.Linq and System.Threading
void Page_Load(object sender, EventArgs e)
{
    // WIF has already replaced the thread principal with a claims-aware one
    IClaimsPrincipal icp = (IClaimsPrincipal)Thread.CurrentPrincipal;
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

    // Select the single age claim by its claim type URI
    string ageClaimValue = (from c in claimsIdentity.Claims
                            where c.ClaimType == "http://MyNS/AgeClaim"
                            select c.Value).Single();
}
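Reading the same age claim defensively, as an added example that is not from the deck: the lookup below does what the slide's LINQ query does, but filters on the trusted issuer and fails closed on a missing or duplicated claim instead of letting .Single() throw. It assumes the WIF 1.0 namespace Microsoft.IdentityModel.Claims; the issuer URIs are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;   // WIF 1.0 object model shown on the slides

public static class ClaimReader
{
    // Assumed placeholder issuer; a real RP takes this from its trusted-issuer config.
    public const string TrustedIssuer = "http://sts.example.test/";
    public const string AgeClaimType  = "http://MyNS/AgeClaim";

    // Returns the one value of claimType issued by trustedIssuer, or null.
    // Unlike .Single(), this never throws: a missing claim, a duplicate claim or a
    // claim from another issuer all yield null, so callers fail closed.
    public static string TryGetTrustedClaim(IClaimsPrincipal principal,
                                            string claimType, string trustedIssuer)
    {
        var identity = principal == null ? null : principal.Identity as IClaimsIdentity;
        if (identity == null) return null;

        var values = identity.Claims
            .Where(c => c.ClaimType == claimType && c.Issuer == trustedIssuer)
            .Select(c => c.Value)
            .ToList();
        return values.Count == 1 ? values[0] : null;
    }

    // Age gate: true only for a well-formed, trusted integer age >= minimumAge.
    public static bool IsAtLeast(IClaimsPrincipal principal, int minimumAge)
    {
        string raw = TryGetTrustedClaim(principal, AgeClaimType, TrustedIssuer);
        int age;
        return raw != null && int.TryParse(raw, out age) && age >= minimumAge;
    }

    static void Main()
    {
        // Constructed sample identity: one age claim from the trusted STS plus a
        // duplicate of the same type from another issuer that must be ignored.
        var claims = new List<Claim>
        {
            new Claim(AgeClaimType, "17", ClaimValueTypes.Integer, TrustedIssuer),
            new Claim(AgeClaimType, "42", ClaimValueTypes.Integer, "http://other.example.test/")
        };
        IClaimsPrincipal icp = ClaimsPrincipal.CreateFromIdentity(new ClaimsIdentity(claims));
        Console.WriteLine("trusted age claim: " + TryGetTrustedClaim(icp, AgeClaimType, TrustedIssuer));
        Console.WriteLine("18 or older: " + IsAtLeast(icp, 18));
    }
}
```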

Page 14: Wif and sl4 (en)

• How it works
– HTTPModule(s) in the ASP.NET pipeline of the application
• They take care of exposing policy, manage protocol redirects, establish sessions…

– WSFederationAuthenticationModule
• Implements the WS-Federation redirects protocol

– SessionAuthenticationModule
• Takes care of handling sessions (regardless of the sign-in protocol)

– ClaimsPrincipalHttpModule
• Provides a hook for injecting claims in the current principal

WIF – Windows Identity Foundation

Page 15: Wif and sl4 (en)

• WIF ASP.NET Processing Pipeline

WIF – Windows Identity Foundation

WSFAM → SecurityTokenHandler → ClaimsAuthenticationManager → SessionAuthenticationModule → ClaimsAuthorizationManager

Page 16: Wif and sl4 (en)

• Bindings
– UserNameWSTrustBinding
– CertificateWSTrustBinding
– WindowsWSTrustBinding
– KerberosWSTrustBinding
– IssuedTokenWSTrustBinding

WIF – Windows Identity Foundation

Page 17: Wif and sl4 (en)

Identity Federation In Silverlight

Page 18: Wif and sl4 (en)

• What is Identity Federation?
“A user's authentication process across multiple IT systems or even organizations” – via Wikipedia

• What Is the Goal of Identity Federation?
“The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration” – via Wikipedia, http://en.wikipedia.org/wiki/Federated_identity

Identity Federation in Silverlight

Page 19: Wif and sl4 (en)

• What is Passive Federation?

Identity Federation in Silverlight

Participants: Client, Relying Party, Identity Provider (Trust Relationship between the RP and the IdP)

1. End-user browses to the RP
2. RP redirects the user to the IdP
3. End-user logs in
4. Authenticated
5. IdP issues a Security Token
6. IdP Security Token is presented to the RP

End-User Authenticated

Page 20: Wif and sl4 (en)

DEMO: Identity Federation in Silverlight (Passive)

Page 21: Wif and sl4 (en)

• What is Active Federation?

Identity Federation in Silverlight

Participants: Requestor, Relying Party, Identity Provider w/ STS (Trust Relationship between the RP and the IdP)

1. End-User requests Security Token
2. Authenticated
3. IdP issues a Security Token
4. IdP Security Token is presented to the RP

End-User Authenticated

Page 22: Wif and sl4 (en)

DEMO: Identity Federation in Silverlight (Active)

Page 23: Wif and sl4 (en)

Summary

Page 24: Wif and sl4 (en)

• Claims-based Identity allows us to free our Applications from Identity Silos

• WIF allows us to easily implement Claims-based Identity in our Applications

• Identity Federation allows us to authenticate Users across IT systems and Organizations

Summary

Page 25: Wif and sl4 (en)

• Two Types of Identity Federation
– Passive – Redirection Based
– Active – Actively Authenticated against the IdP’s STS

Summary

Free your applications…

Page 26: Wif and sl4 (en)

Nuno Godinho Partner @ [email protected]

Page 27: Wif and sl4 (en)