Liberating Identity using Windows Identity Foundation


DESCRIPTION

This presentation was delivered by Simon Evans to the London Connected Systems User Group on 7th December 2010


Liberating Identity with WIF

Simon Evans

London Connected Systems User Group

IDENTITY MATTERS
And we’ve broken it

[Diagram (shown on two consecutive slides): “My company website” and a “CRM System”, each built from Presentation Logic, Users and Roles, Application Logic and Data Access Logic, labelled Internet Facing and Intranet Facing; alongside them a Customer Service, a Product Service and Smart Phone Services, each with a Service Contract and a Service Implementation.]
Users are prisoners

The consequences

• Users have to remember lots of credentials
• Administrators have to manage user accounts in lots of systems
• User access cannot be traced
• The “trusted subsystem” anti-pattern
• Software blocks opportunity
  – Acquisition
  – Federation

LIBERATING IDENTITY
Free your users

Claims

Example Claims

• Firstname
• Surname
• Date of Birth
• Post Code
• Email Address
• Company Name
• Business Unit
• Roles

ACCESS CONTROL
Is RBACS dead?

Anatomy of a Security Token

Anatomy of a Security Token

• Collection of Claims
• Audience
• Valid Dates
• Issuer with digital signature
• Encryption
• Various formats (SAML 1.1, SAML 2.0, Custom…)

Issuing Security Tokens

Security Token Services (STS)

• All Security Token Services issue tokens
• Identity Provider Security Token Service (IP-STS)
  – Stores the identity information about a user
  – Somehow authenticates a user
• Resource Security Token Service (R-STS)
  – Transforms claims from one format to another
  – Relies on at least one IP-STS
• A Relying Party (RP) consumes security tokens issued from a trusted STS
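As an added illustration (not code from the deck or from WIF), the checks a relying party performs on the token anatomy listed above before it trusts any claim: issuer trust, signature, audience and validity window. The token format, issuer and audience URLs are constructed for the example, and a shared HMAC key stands in for the STS’s X.509 signature so the script runs with the standard library alone.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta

class TokenInvalid(Exception):
    pass

def _sign(payload: bytes, key: bytes) -> str:
    # Shared HMAC key stands in for the STS's X.509 signature (assumption).
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_token(issuer, key, audience, claims, not_before, lifetime):
    """IP-STS side: bundle claims with audience, validity and issuer, then sign."""
    body = {"issuer": issuer, "audience": audience, "claims": claims,
            "not_before": not_before.isoformat(),
            "expires": (not_before + lifetime).isoformat()}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(payload, key)

def validate_token(token, trusted_issuers, expected_audience, now):
    """Relying-party side: every check below must pass before a claim is used."""
    try:
        encoded, sig = token.rsplit(".", 1)
        payload = base64.b64decode(encoded, validate=True)
        body = json.loads(payload)
        issuer, audience, claims = body["issuer"], body["audience"], body["claims"]
        not_before = datetime.fromisoformat(body["not_before"])
        expires = datetime.fromisoformat(body["expires"])
    except (ValueError, KeyError, TypeError) as exc:
        raise TokenInvalid("malformed token") from exc
    # Issuer: only an STS the RP has established trust with may vouch for claims.
    key = trusted_issuers.get(issuer)
    if key is None:
        raise TokenInvalid("untrusted issuer")
    # Signature: proves the trusted issuer produced the token and nothing changed it.
    if not hmac.compare_digest(_sign(payload, key), sig):
        raise TokenInvalid("bad signature")
    # Audience: a token issued for a different relying party is not accepted here.
    if audience != expected_audience:
        raise TokenInvalid("audience mismatch")
    # Valid dates: reject tokens presented outside their validity window.
    if not not_before <= now < expires:
        raise TokenInvalid("outside validity window")
    return claims
```

An R-STS would sit between the two functions, validating an IP-STS token the same way and then issuing a fresh one for the RP with transformed claims.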

Security Token Services (STS)

[Diagram: an RP, an R-STS, IP-STS1 and IP-STS2 joined by three trust relationships.]

Security Token Services (STS)

[Diagram: a Website, ACS, ADFS 2.0 and OpenID joined by three trust relationships.]

ESTABLISHING TRUST
X.509

The Identity Protocols

• Browser based “Passive” clients
  – WS-Federation
  – SAML-P
• Non-Browser based “Active” clients
  – SOAP
    • WS-Trust 1.3
  – REST
    • OAuth WRAP
    • OAuth 2.0

Identity in the Microsoft Stack

• Windows Identity Foundation (WIF)
  – Build Relying Parties using WS-Federation and WS-Trust
  – Build custom Security Token Services
• StarterSTS
• ADFS 2.0
  – On premise IP-STS or R-STS
  – Supports WS-Federation, WS-Trust, SAML-P
• Windows Azure AppFabric Access Control Service (ACS)
  – R-STS in the cloud
  – Supports OAuth WRAP, WS-Federation, WS-Trust, OpenId, Google, Yahoo and Facebook

Platform support for consuming claims

• SharePoint 2010
• WF4 Security Activity Pack
• WIF provides support for:
  – WCF via custom bindings
  – ASP.NET via HTTP modules
• WCF Data Services

IDENTITY DELEGATION
Removing the “Trusted Subsystem” anti-pattern

WS-Trust 1.3 Delegation “Act-As”

[Diagram: an IP-STS, a Website RP and a Service RP, with two trust relationships and a delegation between them.]

Contact Us

• Simon Evans
  – simon.evans@emc.com
  – http://consultingblogs.emc.com/simonevans
  – http://twitter.com/simonevans

Copyright © 2009 EMC Corporation. All rights reserved.
