Essential aspects of developing applications with Windows Identity Foundation

Post on 23-Feb-2016


Transcript of: Essential aspects of developing applications with Windows Identity Foundation

Essential aspects of developing applications with Windows Identity Foundation

ARC303

Pedro Félix, CCISEL, pedrofelix@cc.isel.ipl.pt

Slide 4

• Motivation
• The claims based model
• Windows Identity Foundation
• Identity and claims representation
• Consumption pipeline
• ASP.NET and WCF Integration
• Issuance pipeline

try {

Slide 5: Motivation

(Diagram: CloudTrack, an issue-tracking web application. Some users create and view issues; others view and manage them.)

Slide 6: Identity and Authorization

(Diagram: Alice presents credentials (creds) to the webapp (IssueTracker). Her identity is Contoso::Alice and her organisational role is Contoso::LeadDev; the application defines its own permissions, webapp::IssueView and webapp::IssueMgr.)

Slide 7: Centralized Solution

(Diagram: the same scenario with everything inside the webapp (IssueTracker): a MembershipProvider validates the credentials of Contoso::Alice and a RoleProvider answers IPrincipal.IsInRole(...), mapping Contoso::LeadDev onto webapp::IssueView and webapp::IssueMgr.)

Slide 8: Decentralized Authority

(Diagram: a Contoso Authority, separate from the webapp (IssueTracker), now vouches for Contoso::Alice and Contoso::LeadDev; the webapp keeps only the mapping to its own webapp::IssueView and webapp::IssueMgr.)

Slide 9: The Claims Model

(Diagram: the Identity Provider (Issuer) at Contoso issues a Security Token containing Claims about Alice (Contoso::Alice, Contoso::LeadDev); the Identity Consumer (Relying Party), the webapp, accepts the token and derives webapp::IssueView and webapp::IssueMgr from those claims.)

Slide 10: The Claims Model

(Diagram: Consumer/Provider roles. A Provider issues Security Tokens about a Subject; each token carries an Identity, that is, a set of {Claims}; a Consumer uses the tokens it receives.)

Slide 11: Demo

(Diagram: Demo.RP, an ASP.NET application using WIF, is the identity consumer. Demo.MIP, also ASP.NET with WIF, is the identity provider; it authenticates users with username+password against a membership provider (Memb.Prov.) and a role provider (RoleProv.). ADFS sits between the two as an identity transformer.)

Slide 12: Not only for Federation

(Diagram: inside one organisation, webapp 1 and webapp 2 authenticate users against AD, using Windows authentication, a smart card or username+password.)

Slide 13: Not only for Federation

(Diagram: the same two web applications, now with an IdP in front of AD; an external app/service belonging to a Partner also obtains tokens from that IdP.)

Slide 14: Protocols

(Diagram: two flows, with WIF at every party. Passive: the browser contacts the webapp, is redirected to the IdP, obtains a token (tk) and delivers it to the webapp. Active: the active client requests a token (tk) from the IdP directly and then presents it to the service.)

• Web applications: passive protocol, WS-Federation
• Services: active protocol, WS-Trust

Slide 15: SAML Tokens

• Security Assertion Markup Language
• Signed by provider (issuer)
• (Optionally) Encrypted to consumer
• Subject confirmation
  • Bearer (passive protocols)
  • Holder-of-Key (active protocols)
• Audience restrictions (avoid reuse)
• Statements (claims)
  • Authentication, Authorization and Attributes
• Certificate configuration

Slide 16: Federation Metadata

• Purpose: automatic configuration
• Published by both consumers and providers
• Signed XML documents containing
  • Endpoint addresses
  • Claims and token types required and offered
  • Certificates
  • …

Slide 17: Windows Identity Foundation

• Contents
  • .NET Class Library (Microsoft.IdentityModel.dll)
  • Visual Studio AddIns
• Purpose
  • Identity Consumers
  • Identity Providers
  • Client helpers: client channels for WCF
• Unified model for both ASP.NET and WCF

Slide 18: WIF Essentials

• Class model for identity representation
• Claims consumption pipeline
  • Token validation
  • Identity transformation
  • Authorization decisions
• Claims issuance pipeline

Slide 19: Claims Class Model

(Diagram only; the class model is not reproduced in the transcript.)

Slide 20: WIF Consumer Pipeline

(Diagram: the Host (e.g. ASP.NET, WCF) hands requests to WIF through the Host Adaptation Layer.)

Slide 21: WIF Consumer Pipeline

(Diagram: the Host Adaptation Layer passes the Serialized Token to a Token Handler, which produces Claims Identities; when the token only carries a reference (ref), the Token Resolver turns that reference into the actual Token.)

Slide 22: WIF Consumer Pipeline

(Diagram: Serialized Token → Token Handler → Claims Identities, with the Token Resolver resolving token references; which token handlers run is chosen in configuration.)

    <microsoft.identityModel>
      <service>
        <securityTokenHandlers>
          <remove type="…" />
          <add type="…" />
        </securityTokenHandlers>
      </service>
    </microsoft.identityModel>

Slide 23: WIF Consumer Pipeline

(Diagram: the pipeline gains an Issuer Name Registry: the Token Handler passes the Issuer Token (the signing credential) to it and receives back an Issuer Name identifying who issued the token; the Token Resolver still resolves token references.)

Slide 24: WIF Consumer Pipeline

(Diagram: the same pipeline, with the Issuer Name Registry configured declaratively: trusted issuers are listed by the thumbprint of their signing certificate.)

    <issuerNameRegistry type="…ConfigurationBasedIssuerNameRegistry…">
      <trustedIssuers>
        <add name="gaviao" thumbprint="a1…74"/>
        <add name="gaviao.adfs" thumbprint="72…8e"/>
      </trustedIssuers>
    </issuerNameRegistry>
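The same trust decision as the ConfigurationBasedIssuerNameRegistry above, written as a custom registry so the thumbprint lookup and its fail-closed behaviour are visible. This is an added example, not code from the talk or from WIF itself; it assumes WIF 1.0 (Microsoft.IdentityModel.dll), and the class name, assembly name and thumbprint values are placeholders of ours.

```csharp
// Added example, not code from the talk: a custom IssuerNameRegistry that maps the
// token-signing certificate to an issuer name by thumbprint and fails closed.
// WIF 1.0 assumed; class name and thumbprint values are ours (placeholders).
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;                   // SecurityToken, X509SecurityToken
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;                // IssuerNameRegistry

namespace Demo.RP
{
    public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
    {
        // Allow list of signing certificates keyed by thumbprint (hex, no spaces).
        // The talk's config abbreviates its real thumbprints as "a1…74" and "72…8e".
        private static readonly Dictionary<string, string> Trusted =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "A1PLACEHOLDERTHUMBPRINT74", "gaviao" },
                { "72PLACEHOLDERTHUMBPRINT8E", "gaviao.adfs" }
            };

        // The token handler calls this with the issuer's signing token. A null result
        // makes WIF reject the incoming token, so unknown issuers fail closed.
        public override string GetIssuerName(SecurityToken securityToken)
        {
            var x509 = securityToken as X509SecurityToken;
            if (x509 == null)
                return null;                  // only certificate-signed tokens are trusted

            X509Certificate2 cert = x509.Certificate;
            string name;
            if (Trusted.TryGetValue(cert.Thumbprint, out name))
                return name;

            // Not on the list: do not fall back to the certificate subject, since any
            // party can obtain a certificate carrying an arbitrary subject name.
            return null;
        }
    }
}
```

It replaces the configuration-based registry with `<issuerNameRegistry type="Demo.RP.ThumbprintIssuerNameRegistry, Demo.RP" />` (assembly name assumed).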

Slide 25: WIF Consumer Pipeline

(Diagram: the Claims Identities are wrapped in a ClaimsPrincipal and handed to the Claims Authentication Manager, which returns the (possibly transformed) ClaimsPrincipal used for the rest of the request.)

    public override IClaimsPrincipal Authenticate(
        string endpointUri, IClaimsPrincipal incomingPrincipal)
    {
        // Identity transformation: if the issuer asserted the LeadDeveloper role,
        // add the application's own IssueMgr role claim.
        if (incomingPrincipal.Identities[0].Claims.Any(c =>
                c.ClaimType.Equals(ClaimTypes.Role) &&
                c.Value.Equals("LeadDeveloper@http://gaviao/demo.mip/issue.aspx")))
        {
            incomingPrincipal.Identities[0].Claims.Add(
                new Claim(ClaimTypes.Role, "IssueMgr"));
        }
        return incomingPrincipal;
    }

Slide 26: WIF Consumer Pipeline

(Diagram: after authentication the ClaimsPrincipal reaches the Claims Authorization Manager, which receives an AuthorizationContext and answers with a boolean.)

    public override bool CheckAccess(AuthorizationContext context)
    {
        var resource = new Uri(context.Resource.First().Value);
        if (resource.AbsolutePath.Equals("/demo.rp/issues.aspx"))
        {
            // Only principals holding the IssueMgr role claim may reach the issues page
            return context.Principal.Identities[0].Claims.Any(c =>
                c.ClaimType.Equals(ClaimTypes.Role) && c.Value.Equals("IssueMgr"));
        }
        return true;
    }

    [ClaimsPrincipalPermission(SecurityAction.Demand,
        Operation = "Get", Resource = "ViewIssues")]
    private void ViewIssues()
    {
        …
    }

Slide 27: WIF Consumer Pipeline

(Diagram: the complete consumer pipeline. Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Resolver and Token Handler (Serialized Token to Claims Identities; Issuer Token resolved to an Issuer Name by the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out) → Claims Authorization Manager (ClaimsPrincipal in, boolean out).)

Slide 28: WIF Consumer Pipeline (ASP.NET)

(Diagram: the same pipeline hosted in ASP.NET. The Host Adaptation Layer consists of HTTP modules: WSFederationPassiveAuthenticationModule, SessionAuthenticationModule, ClaimsPrincipalHttpModule and ClaimsAuthorizationModule.)

    <federatedAuthentication>
      <cookieHandler requireSsl="true" />
      <wsFederation issuer="https://gaviao/adfs/ls/"
                    realm="http://gaviao/Demo.RP/default.aspx"
                    requireHttps="true" />
    </federatedAuthentication>

Slide 29: ASP.NET Integration

• Using a legacy authentication mechanism
  • e.g. Forms authentication

(Diagram: request pipeline events and the modules hooked on each. AuthenticateRequest: any authentication module, plus the SessionAuthenticationModule. PostAuthenticateRequest: ClaimsPrincipalHttpModule. AuthorizeRequest: ClaimsAuthorizationModule. EndRequest: any authentication module.)

Slide 30: ASP.NET Integration

• Using federated authentication
  • WS-Federation

(Diagram: AuthenticateRequest: SessionAuthenticationModule and WSFedAuthenticationModule. PostAuthenticateRequest: WSFedAuthenticationModule. AuthorizeRequest: ClaimsAuthorizationModule. EndRequest: WSFedAuthenticationModule and SessionAuthenticationModule.)

Slide 31: WS-Federation Authn Module (FAM)

(Sequence diagram between the browser, the RP and the IdP. First, the browser sends an HTTP request to the RP; FAM Authenticate finds no token, authorization fails (?Authorize), and FAM EndRequest answers with an HTTP redirect carrying a federation sign-in request message. Second, the browser sends that HTTP request with the federation request message to the IdP, which authenticates the user (?Authenticate) and responds with an HTTP redirect carrying the federation response message. Third, the browser sends the HTTP request with the federation response message to the RP; FAM Authenticate hands the enclosed Security Token to the Security Token Handler, and authorization (?Authorize) runs again.)

Slide 32: Module Pipeline Events

• WSFederationAuthenticationModule
  • OnAuthorizationFailed
  • RedirectingToIdentityProvider
  • SecurityTokenReceived
  • SecurityTokenValidated
  • …
• SessionAuthenticationModule
  • SessionSecurityTokenCreated
  • SessionSecurityTokenReceived
  • …

Slide 33: Controls

• FederatedPassiveSignIn
• FederatedPassiveSignInStatus

Slide 34: WCF Integration

• WCF already supported federation and claims
  • System.IdentityModel.dll
  • e.g. WS2007FederationHttpBinding binding, Claims class
• WIF
  • Builds upon this previous support
  • Changes the token processing model
  • WCF and ASP.NET uniform model
  • Adds client-side features (e.g. explicit token requests)

Slide 35: WCF Integration

• FederatedServiceCredentials
  • Derives from ServiceCredentials
  • Static method ConfigureServiceHost(ServiceHostBase) "installs" WIF (the Host Adaptation Layer)
  • Overrides WCF behavior, namely
    • Configuration (e.g. username validation)
    • Authorization policies
    • Authentication manager

    <extensions>
      <behaviorExtensions>
        <add name="federatedServiceHostConfiguration"
             type="…ConfigureServiceHostBehaviorExtensionElement, …"/>
      </behaviorExtensions>
    </extensions>

    <behavior name="Demo.RP.statusBehavior">
      <federatedServiceHostConfiguration/>
    </behavior>

Slide 36: WIF Consumer Pipeline (WCF)

(Diagram: the same pipeline hosted in WCF. The Host Adaptation Layer plugs in as a SecurityTokenAuthenticator, which drives the Token Handler, Token Resolver and Issuer Name Registry, and as a ServiceAuthorizationManager, which drives the Claims Authentication Manager and the Claims Authorization Manager.)

Slide 37: Producer Model: host independence

(Diagram only; not reproduced in the transcript.)

Slide 38: Producer Model: issue pipeline

Issue Pipeline: ValidateRequest → GetScope → CreateSecurityTokenDescriptor → GetSecurityTokenHandler → GetIssuerName → GetTokenLifetime → GetProofToken → GetOutputClaimsIdentity → CreateToken → GetDisplayToken → GetResponse

• GetScope
  • Creates the Scope
  • Scope
    • Signing and encrypting creds.
    • reply to address
• GetOutputClaimsIdentity
  • Creates the issued claims identity
  • Defines the issued claims
• Other non-mandatory extensibility points
  • ValidateRequest, …
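The two mandatory extensibility points of the issue pipeline, GetScope and GetOutputClaimsIdentity, as an added example written for this transcript rather than the talk's own Demo.MIP code. It assumes WIF 1.0 (Microsoft.IdentityModel.dll); the relying-party allow list, the certificate file path and the choice of issued claims are ours, and the realm reused as the AppliesTo address is the one from the wsFederation configuration above.

```csharp
// Added example, not the talk's Demo.MIP code: an STS implementing the two mandatory
// extensibility points and issuing only for registered relying parties (WIF 1.0 assumed;
// the allow list and the certificate path are ours).
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

namespace Demo.MIP
{
    public class SimpleSecurityTokenService : SecurityTokenService
    {
        // Relying parties we issue for: AppliesTo address -> the RP's encryption certificate.
        // Realm taken from the talk's wsFederation config; the file path is a placeholder.
        private static readonly Dictionary<string, X509Certificate2> RelyingParties =
            new Dictionary<string, X509Certificate2>
            {
                { "http://gaviao/Demo.RP/default.aspx", new X509Certificate2(@"C:\certs\demo-rp.cer") }
            };

        public SimpleSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

        // GetScope: decide whether to issue at all, and with which credentials and reply address.
        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            if (request.AppliesTo == null || request.AppliesTo.Uri == null)
                throw new InvalidRequestException("AppliesTo is required");
            string rp = request.AppliesTo.Uri.AbsoluteUri;
            X509Certificate2 rpCert;
            if (!RelyingParties.TryGetValue(rp, out rpCert))
                throw new InvalidRequestException("Unknown relying party: " + rp);

            var scope = new Scope(rp, SecurityTokenServiceConfiguration.SigningCredentials);
            scope.EncryptingCredentials = new X509EncryptingCredentials(rpCert);
            // Reply only to the registered address; never echo a caller-supplied ReplyTo.
            scope.ReplyToAddress = rp;
            return scope;
        }

        // GetOutputClaimsIdentity: define the issued claims; here only the name and the roles.
        protected override IClaimsIdentity GetOutputClaimsIdentity(
            IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            var issued = new ClaimsIdentity();
            issued.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
            foreach (Claim c in principal.Identities[0].Claims)
                if (c.ClaimType == ClaimTypes.Role)
                    issued.Claims.Add(new Claim(ClaimTypes.Role, c.Value));
            return issued;
        }
    }
}
```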

Slide 39: Producer Model: ASP.NET

    protected void Page_Load(object sender, EventArgs e)
    {
        // Passive (WS-Federation) STS: WIF parses the sign-in request from the page
        // request and writes the sign-in response to the page response.
        FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
            Page.Request,
            Page.User,
            new SimpleSecurityTokenService(
                new SimpleSecurityTokenServiceConfiguration()),
            Page.Response);
    }

Slide 40: Producer Model: WCF

    <%@ ServiceHost Language="C#" Debug="true"
        Factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory,…"
        Service="Demo.MIP.SimpleSecurityTokenServiceConfiguration" %>

    <binding name="MessageIssueBinding">
      <security>
        <message clientCredentialType="UserName" …/>
      </security>
    </binding>

    <services>
      <service behaviorConfiguration="…"
               name="Microsoft.IdentityModel….WSTrustServiceContract">
        <endpoint address="" …
                  bindingConfiguration="MessageIssueBinding"
                  contract="Microsoft.IdentityModel….IWSTrust13SyncContract" />
        …
    </services>

Slide 41: Producer Model: WCF integration

(Diagram only; not reproduced in the transcript.)

Slide 42

• Identity and Access Control Management
• Claims Model Relevance
• WIF
  • Class library for both identity providers and consumers
  • Multiple hosts: ASP.NET and WCF

} finally {

Slide 43: Q & A

Slide 47: ASP.NET integration

• ClaimsPrincipalHttpModule
  • Hooks on the PostAuthenticateRequest event
  • Translates, into the claims model, the authentication performed by another module
• ClaimsAuthorizationModule
  • Hooks on the AuthorizeRequest event
  • If the current user is authenticated, then calls the authorization manager
    • Action = HTTP method, Resource = raw URL
  • If authorization is denied, completes the request with a 401 status code

Slide 48: ASP.NET integration

• WSFederationAuthenticationModule
  • Hooks on the AuthenticateRequest event
    • If the request is a sign-in federation message, processes it
  • Hooks on the PostAuthenticateRequest event
    • Behavior similar to the ClaimsAuthorizationModule
  • Hooks on the EndRequest event
    • If the response status code is 401 and the request is not authenticated, then redirects to the identity provider with a sign-in request message

Slide 49: ASP.NET integration

• SessionAuthenticationModule
  • Hooks on the AuthenticateRequest event
  • Tries to read and validate the session token from a cookie
  • If successful, then sets the current principal from the session token info
  • Uses a CookieHandler to read and write cookies

Slide 50: Authorization Model: Enforcement

• Called automatically in the pipeline
  • ASP.NET: in an HTTP Module (ClaimsAuthorizationModule)
  • WCF: in the service dispatcher
• Called explicitly via permission demand
  • Similar to PrincipalPermission and PrincipalPermissionAttribute
  • ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute
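An authorization manager for the automatic enforcement path described on the ASP.NET integration and Authorization Model slides above, where the ClaimsAuthorizationModule passes Action = HTTP method and Resource = raw URL: it adds a deny-by-default policy table to the CheckAccess idea shown earlier. This is an added example, not code from the talk; it assumes WIF 1.0, and the class name, the policy entries and the IssueView role are ours. Like the talk's own CheckAccess it parses the resource as an absolute URI.

```csharp
// Added example, not code from the talk: an authorization manager for the ASP.NET
// ClaimsAuthorizationModule, where Action is the HTTP method and Resource the raw URL,
// with a deny-by-default policy table (WIF 1.0 assumed; class name and table are ours).
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace Demo.RP
{
    public class IssueTrackerAuthorizationManager : ClaimsAuthorizationManager
    {
        // "METHOD /path" -> role claim value required; "" = any authenticated user.
        // IssueMgr is the role the talk's ClaimsAuthenticationManager adds for lead developers.
        private static readonly Dictionary<string, string> Policy =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "GET /demo.rp/default.aspx", "" },
                { "GET /demo.rp/issues.aspx",  "IssueView" },
                { "POST /demo.rp/issues.aspx", "IssueMgr" }
            };

        public override bool CheckAccess(AuthorizationContext context)
        {
            IClaimsPrincipal principal = context.Principal;
            if (principal == null || !principal.Identity.IsAuthenticated)
                return false;

            Claim action = context.Action.FirstOrDefault();
            Claim resource = context.Resource.FirstOrDefault();
            if (action == null || resource == null)
                return false;

            // Compare on the path only, so a query string cannot change which
            // policy entry applies (the resource is parsed as an absolute URI, as on slide 26).
            Uri url;
            if (!Uri.TryCreate(resource.Value, UriKind.Absolute, out url))
                return false;
            string key = action.Value + " " + url.AbsolutePath;

            string requiredRole;
            if (!Policy.TryGetValue(key, out requiredRole))
                return false;                  // unlisted resource/method: deny
            if (requiredRole.Length == 0)
                return true;
            return principal.Identities[0].Claims.Any(c =>
                c.ClaimType == ClaimTypes.Role && c.Value == requiredRole);
        }
    }
}
```

It is registered under `<microsoft.identityModel><service>` as `<claimsAuthorizationManager type="Demo.RP.IssueTrackerAuthorizationManager, Demo.RP" />` (assembly name assumed).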

Slide 51: WIF consumer pipeline

(Diagram: the complete consumer pipeline again. Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → Token Resolver and Token Handler (Serialized Token to Claims Identities; Issuer Token resolved to an Issuer Name by the Issuer Name Registry) → Claims Authentication Manager (ClaimsPrincipal in, ClaimsPrincipal out) → Claims Authorization Manager (ClaimsPrincipal in, boolean out).)

Slide 52: A taxonomy of claims

• Primordial vs. Substantive claims
  • Primordial: proof (e.g. shared secret) presentable by only one subject
  • Substantive: produced by claims providers
• Claim types
  • Static: properties of the subject
    • National Identifier Number; Date-of-Birth
  • Derived: derived from other claims
    • Portuguese Citizen; Over-18
  • Membership: role or group membership, relation with another subject
    • Administrator; Lead Developer; Purchase Officer
  • Capability: authorization to do something
    • Can-emit-purchase-order; Can-admin-CI-server
  • Contextual: information about the context
    • Authentication method, location and time

Slide 53: Security Token Analogies

• National Identity Card
  • Claims: Name, DoB, PoB, Address
  • Subject binding: picture and signature
  • Issuer binding: physical anti-tampering measures
  • Consumer binding: omni-directional identity
• Train Ticket
  • Claims: authorization to travel in a specific train/place
  • Subject binding: holder, claim
  • Issuer binding: physical anti-tampering measures, signature
  • Consumer binding: authorization details

Slide 54: Authorization Model

• "Old" model (PrincipalPermission)
  • PrincipalPermission constructed with the required identity names and/or roles
  • Association between the permission and the users is hard-coded
• "New" model (ClaimsPrincipalPermission)
  • ClaimsPrincipalPermission constructed with the resource and action characterization
  • Association between the permission and the required identity is external