ITCamp 2012 - Mihai Nadas - Tackling the single sign-on challenge
1. Tackling the Single Sign-On Challenge
Mihai Nadăș
Windows Azure MVP
Yonder CTO
@mihainadas
mihainadas.com
@ itcampro # itcamp12 Premium conference on Microsoft technologies
2. ITCamp 2012 sponsors Private &
Public Cloud
3. About myself
• mihainadas.com
• @mihainadas
• Passionate about technology, background in the .NET world
• Windows Azure MVP
• Driving Yonder’s appetite for innovation
4. On security and the future
• As the world becomes more interconnected, security becomes a more important topic
• Holland, 2012 – VCD’s SaaS solution publicly exposed information about its users’ medical history
“We spend our time searching for security and hate it when we get it.”
– John Steinbeck
5. Passwords and implementations
6. OWASP’s Top 5
1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery
8. Agenda
• Claims-Based Identity and Access Control
• The Single Sign-On Challenge and Benefits
• Windows Azure Access Control Service
• Q&A
9. The problem with Identity and Access Control in the Enterprise
ENOUGH TALKING,
LET’S DEMO!
10. What will you see?
• A fictitious case study of an enterprise called Adatum
• The whiteboard diagram showing the authentication/authorization problem before claims
• DEMO
12. The problem with Identity and Access Control in the Enterprise
DEMO
13. What’s the problem?
• Users of a-Expense need a user/password
• The IT staff have to sync roles between authentication systems
• a-Order can’t be accessed from the Internet
• No Single Sign-On, aka “Credentials Hell”
14. What’s the problem?
15. Be the consultant and please Adatum!
• Adatum’s requirements
– Single Sign-On (SSO) capabilities
– Enable Adatum employees to access corporate applications from the Internet (no VPN)
– Plan for the future (cloud, new apps)
• What is your solution?
16. Introducing Claims-Based Identity
• Control the digital experience based on things that are said about one party by another
• A party can be a web site, web service, person, government or organization
17. Claims are not new!
• Mainframes asked for user/password and passed “claims” about the user to applications
– uid, gid
– sudo su
• As systems became interconnected, we needed ways to identify parties across multiple computers
• Specialized services appeared
– NTLM, Kerberos (Windows Integrated Authentication)
– Public Key Infrastructure (PKI)
– Security Assertion Markup Language (SAML)
18. The Claims-Based ID Framework
• Two major components
1. A single, general notion of claims
2. Concept of issuer / authority
• Terminology
1. Application (Relying Party, Service Provider)
2. User (Subject, Principal)
3. Issuer (Security Token Service, Identity Provider)
4. Rich Client (Active Client)
5. Browser (Passive Client)
19. Claim-Based ID in Real World
Actors: Traveler, Check-In Counter, Airport Agents
1. Traveler shows ID or passport at the check-in counter
2. Check-in counter gives the traveler a boarding card
3. Traveler shows the boarding card to the airport agents to gain access
20. Claim-Based ID in Real World
Traveler = User; Check-In Counter = Issuer; Airport Agents = Application
1. Show ID or Passport = Authentication (Credentials)
2. Give Boarding Card = Claims
3. Show Boarding Card to Gain Access = Authorization
21. What are the benefits?
• Simplified authentication logic
• Decoupled authentication from authorization
• Eliminate redundancy
22. Implementing Claims-Based Identity
• What do you need?
– An App (Web Service, Web Site, Mobile App, etc.)
– An Issuer
– Claims-Based Identity magic
• What are the steps?
1. Set up an Issuer
2. Configure the Issuer to know about the App
3. Add logic to the App to support claims
4. Configure the App to trust the Issuer
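The four steps above, as an added Python example that is not from the deck, from WIF or from ACS: a minimal Issuer that mints a Simple Web Token (the HMAC-SHA256-signed, form-encoded token format named later in the deck) and a relying party (the App) that trusts it. The issuer name, the app realm and the shared key are constructed placeholders, and the token layout follows my reading of the SWT specification. The relying party accepts a token only if the MAC verifies under the key it was configured with (step 4), the Issuer and Audience fields match its configuration, and ExpiresOn has not passed; it then drives authorization from the Role claim alone, which is the decoupling of authentication from authorization that slides 20 and 21 describe.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# Names below are assumptions for the Adatum walk-through, not values from the deck.
ISSUER_NAME = "https://issuer.adatum.example/"     # the Issuer / STS (step 1)
APP_REALM = "https://a-expense.adatum.example/"    # the relying party's realm, used as token Audience
# Constructed demo key. A real issuer generates a random 256-bit key per relying
# party and hands it over out of band (steps 2 and 4); never embed one in source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse-0123456789"


class TokenError(Exception):
    """Raised by the relying party when a token must not be trusted."""


def _mac(body: str, key: bytes) -> str:
    return base64.b64encode(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()).decode("ascii")


def issue_swt(issuer: str, audience: str, claims: dict, key: bytes, lifetime: int = 300, now=None) -> str:
    """Issuer side: the STS authenticates the user elsewhere, then packs what it
    asserts about the user into a Simple Web Token signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    pairs = [("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + lifetime))]
    pairs += sorted(claims.items())
    body = urlencode(pairs)                 # form-encoded name/value pairs
    return body + "&HMACSHA256=" + quote(_mac(body, key), safe="")


def validate_swt(token: str, trusted_issuer: str, realm: str, key: bytes, now=None) -> dict:
    """Relying party side (steps 3 and 4): trust only tokens that carry a valid MAC under
    the issuer's key, name this issuer, are addressed to this app, and have not expired."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise TokenError("token is unsigned")
    body, presented = token[:idx], unquote(token[idx + len(marker):])
    # The MAC covers everything before the HMACSHA256 pair; compare in constant time.
    if not hmac.compare_digest(_mac(body, key).encode("utf-8"), presented.encode("utf-8")):
        raise TokenError("signature does not verify")
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if fields.get("Issuer") != trusted_issuer:
        raise TokenError("issuer is not trusted by this application")
    if fields.get("Audience") != realm:
        raise TokenError("token was issued for a different application")
    try:
        expires_on = int(fields["ExpiresOn"])
    except (KeyError, ValueError):
        raise TokenError("missing or malformed ExpiresOn") from None
    if expires_on <= now:
        raise TokenError("token has expired")
    # Everything that is not a transport field is a claim the issuer asserts about the user.
    return {k: v for k, v in fields.items() if k not in ("Issuer", "Audience", "ExpiresOn")}


def authorize(claims: dict, required_role: str) -> bool:
    """Authorization stays in the app and looks only at claims, never at passwords."""
    return required_role in claims.get("Role", "").split(",")


def _accepted(token: str, now: int) -> bool:
    try:
        validate_swt(token, ISSUER_NAME, APP_REALM, SHARED_KEY, now=now)
        return True
    except TokenError:
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Happy path plus the three rejections a relying party must get right."""
    claims = {"name": "alice@adatum.example", "Role": "Manager", "CostCenter": "42"}
    token = issue_swt(ISSUER_NAME, APP_REALM, claims, SHARED_KEY, now=now)
    got = validate_swt(token, ISSUER_NAME, APP_REALM, SHARED_KEY, now=now)
    for_a_order = issue_swt(ISSUER_NAME, "https://a-order.adatum.example/", claims, SHARED_KEY, now=now)
    return {
        "claims": got,
        "can_approve": authorize(got, "Manager"),
        # Editing a claim in transit invalidates the MAC.
        "tampered_accepted": _accepted(token.replace("Role=Manager", "Role=Administrator"), now),
        # A token minted for a-Order is not valid at a-Expense.
        "wrong_audience_accepted": _accepted(for_a_order, now),
        # A token presented after ExpiresOn is refused.
        "expired_accepted": _accepted(token, now + 301),
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped: without it, a token legitimately issued for a-Order is replayable against a-Expense, because both trust the same Issuer and key.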
24. What’s WIF?
• Windows Identity Foundation
• Framework for building identity-aware applications
• Provides APIs for building ASP.NET or WCF based security token services
• Tools for building claims-aware and federation-capable applications
• Now part of .NET Framework 4.5
25. Solving Adatum’s problem using Claims-Based Identity
ENOUGH TALKING,
LET’S DEMO!
26. Adatum Infrastructure Post-Claims
27. Technologies at work
• Windows Identity Foundation
• Active Directory Federation Services
28. Solving Adatum’s problem using Claims-Based Identity
DEMO
29. Going beyond Identity Providers
• Welcome Federated Providers!
• A powerful way to provide SSO across domains
30. Adatum meets Litware
31. Windows Azure Access Control Service
32. In short
• A feature of Windows Azure Active Directory
• Outsources authentication (no need to write code)
• Works with .NET, PHP, Python, Java and Ruby
• Out-of-the-box support for a variety of identity providers
• Integrates with on-premises Active Directory
33. Benefits
• Open industry standards
– Protocols: OAuth 2.0, WS-Trust, WS-Federation
– Token formats: SAML 1.1/2.0 and Simple Web Token (SWT)
• $1.99 per 100,000 transactions
34. Identity Providers
• Built-in support for
– Windows Live ID
– Facebook
– Google
– Yahoo!
– WS-Federation Identity Providers
• Programmatic configuration for
– WS-Trust based (AD FS 2.0)
– OpenID based
35. Relying Party Applications
• An application that relies on claims
• Implements federated authentication using ACS
• Trusts the ACS namespace
• Can be configured manually or programmatically through the ACS Management Service
36. ACS Architecture
37. ACS - Protocol Handling
• ACS does heavy lifting for handling protocols
– WS-Federation
– WS-Trust
– OpenID
– OAuth 2.0, OAuth WRAP
– Facebook Graph
• ACS issues normalized tokens
– SAML
– SWT
38. Windows Azure ACS
ENOUGH TALKING,
LET’S DEMO!
39. Goals
1. Configure your application to outsource authentication to ACS
2. Configure ACS to include the identity providers you want to leverage
3. Configure ACS to process incoming identities and add new claims
4. Modify your application to consume claims from ACS and drive authorization decisions
5. Customize the default authentication user experience provided by ACS
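Goals 3 and 4 above (process incoming identities, add new claims, consume them for authorization), as an added Python example that is not ACS code and not its Management Service API: a small rule engine modelled on ACS rule groups, where each rule matches an input claim by issuer, type and value and emits one output claim, and the only thing the relying party ever receives is rule output issued by the federation provider. The identity provider names and the namespace URL are assumptions; the claim type URIs are the standard WS-Federation ones. The security point the rules make concrete: a Role claim asserted by an issuer that is not trusted for roles matches no rule and is silently dropped, so the application's authorization data comes only from rules an Adatum administrator wrote.

```python
from dataclasses import dataclass
from typing import List, Optional

# Standard claim type URIs as emitted by WS-Federation / SAML identity providers.
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Issuer names are assumptions for this illustration (ACS registers each identity
# provider under its own name; the federation provider signs everything it emits).
GOOGLE = "Google"
ADFS = "https://adfs.adatum.example/"                          # Adatum's enterprise AD FS
FEDERATION_PROVIDER = "https://adatum.accesscontrol.example/"  # the ACS namespace (assumed)


@dataclass(frozen=True)
class Claim:
    issuer: str
    type: str
    value: str


@dataclass(frozen=True)
class Rule:
    """One rule in the style of an ACS rule group.

    input_type / input_value of None mean "any"; output_value of None means
    "copy the input value through" (a pass-through rule)."""
    input_issuer: str
    input_type: Optional[str]
    input_value: Optional[str]
    output_type: str
    output_value: Optional[str] = None

    def matches(self, c: Claim) -> bool:
        return (c.issuer == self.input_issuer
                and self.input_type in (None, c.type)
                and self.input_value in (None, c.value))

    def apply(self, c: Claim) -> Claim:
        value = c.value if self.output_value is None else self.output_value
        return Claim(FEDERATION_PROVIDER, self.output_type, value)


def transform(incoming: List[Claim], rules: List[Rule]) -> List[Claim]:
    """Run every rule over every incoming claim. Only rule output reaches the
    relying party; an incoming claim that matches no rule is dropped."""
    out: List[Claim] = []
    for c in incoming:
        for r in rules:
            if r.matches(c):
                o = r.apply(c)
                if o not in out:
                    out.append(o)
    return out


ADATUM_RULES = [
    # Social login: pass the e-mail address through, nothing else.
    Rule(GOOGLE, EMAIL, None, EMAIL),
    # Add a new claim: this particular Google account is a Manager in Adatum's apps.
    Rule(GOOGLE, EMAIL, "alice@adatum.example", ROLE, "Manager"),
    # Enterprise AD FS is trusted for names and for roles, so both pass through.
    Rule(ADFS, NAME, None, NAME),
    Rule(ADFS, ROLE, None, ROLE),
]


def demo() -> dict:
    # Constructed incoming identities. The Google identity also carries a role claim
    # this issuer is not trusted for; no rule matches it, so it never reaches the app.
    from_google = [
        Claim(GOOGLE, EMAIL, "alice@adatum.example"),
        Claim(GOOGLE, ROLE, "Administrator"),
    ]
    from_adfs = [
        Claim(ADFS, NAME, "ADATUM\\bob"),
        Claim(ADFS, ROLE, "Employee"),
    ]
    return {
        "google": [(c.type, c.value) for c in transform(from_google, ADATUM_RULES)],
        "adfs": [(c.type, c.value) for c in transform(from_adfs, ADATUM_RULES)],
    }


if __name__ == "__main__":
    print(demo())
```

Because every output claim is stamped with the federation provider as issuer, the relying party keeps a single trust relationship (goal 1) no matter how many identity providers are added behind it (goal 2).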
40. Requirements
• Windows Vista SP2, Windows Server 2008 SP2, Windows Server 2008 R2, or Windows 7 (32-bit or 64-bit)
• Internet Information Services (IIS) 7.0
• .NET Framework 4
• Visual Studio 2010
• Windows Identity Foundation Runtime
• Windows Identity Foundation SDK
41. Windows Azure ACS
DEMO
42. Summary
• A feature of Windows Azure Active Directory
• Outsources authentication and authorization (no need to write code)
• Works with .NET, PHP, Python, Java and Ruby
• Out-of-the-box support for identity providers like Windows Live ID, Google, Yahoo! and Facebook
• Integrates with on-premises Active Directory
43. Conclusions
• Claims get the job done
• Separate authentication from authorization
• Addresses OWASP’s 3rd-ranked vulnerability (Broken Authentication and Session Management)
• How can it work for you?
44. References
• Windows Azure Training Kit
• claimsid.codeplex.com
45. Check Out AzureWorks.ro
www.azureworks.ro