Federation, SSO, Claims
Volkan Uzun
About Me
Software Dev Staff Engineer @ Dell @ RD
Working on Identity Management Applications
Blog: http://volkanuzun.com/blog
Twitter: @volkanuzun
Email: volkan.uzun@gmail.com
Authentication/Authorization
Why Identity Federation?
• Decouple authentication mechanism from applications and services
• Go claims-based
• Reduce IT pain and risk related to provisioning and de-provisioning users
• Extend trust to users across domain, corporate and Internet boundaries
• Support Single Sign-On (SSO)
Decouple Authentication
• Windows/Kerberos
• Forms authentication
• HTTP basic authentication
• SSL Certificates
• WS-Fed
• WS-Trust
• SAML
• OAuth (authorization, people use it wrong!)
• OpenID (authentication)
Claims
Any information about a subject from a provider.
Identity providers typically issue claims based on the user’s identity. (Diagram: Authenticate)
Claims
Applications may transform identity claims into application-specific claims. (Diagram: Transform)
Token
• Contains the claims
• The signature
• Information about the issuer
• May be encrypted
• In XML format
• Has an expiration date
• SAML 1.1/2.0, Simple Web Token, JSON Web Token
Token Types
• SAML: XML based; encryption and signature with asymmetric or symmetric keys; costs processing power
• Simple Web Token (SWT): URL/form encoded; symmetric signature only
• JSON Web Token (JWT): the new cool guy; symmetric or asymmetric; JSON encoded
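What a relying party must check before it consumes the claims in a token (signature, issuer, audience, expiration), shown for the JWT/HS256 case the Token Types slide describes. This is an added example, not code from the deck or its demos; it assumes .NET 6 or later (System.Text.Json, CryptographicOperations) and a symmetric key shared with the STS. The key, issuer, audience and subject values are constructed, and the Issue() helper stands in for the STS only so that the sample runs stand-alone.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class JwtHs256
{
    // JWT segments are base64url (no padding, '-' and '_'), not plain base64.
    static string Encode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] Decode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    static byte[] Sign(byte[] key, string signingInput)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    // Issuing side (the STS). Present only so the example can run without one.
    public static string Issue(byte[] key, string iss, string aud, string sub, DateTimeOffset exp)
    {
        string header = Encode(JsonSerializer.SerializeToUtf8Bytes(
            new Dictionary<string, object> { { "alg", "HS256" }, { "typ", "JWT" } }));
        string payload = Encode(JsonSerializer.SerializeToUtf8Bytes(
            new Dictionary<string, object> { { "iss", iss }, { "aud", aud }, { "sub", sub }, { "exp", exp.ToUnixTimeSeconds() } }));
        string signingInput = header + "." + payload;
        return signingInput + "." + Encode(Sign(key, signingInput));
    }

    // Consuming side (the relying party). Returns the claims only after every
    // check passes; any failure throws instead of handing back partial claims.
    public static IReadOnlyDictionary<string, string> Validate(
        string token, byte[] key, string expectedIss, string expectedAud, DateTimeOffset now)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new SecurityException("malformed token");

        // 1. Pin the algorithm. Until the signature is verified the header is just
        //    sender-controlled bytes, so "alg" may only confirm what we already expect.
        using (var header = JsonDocument.Parse(Decode(parts[0])))
        {
            if (header.RootElement.GetProperty("alg").GetString() != "HS256")
                throw new SecurityException("unexpected alg");
        }

        // 2. Verify the signature over header.payload with a constant-time compare.
        byte[] expected = Sign(key, parts[0] + "." + parts[1]);
        if (!CryptographicOperations.FixedTimeEquals(expected, Decode(parts[2])))
            throw new SecurityException("signature mismatch");

        // 3. Only now read the payload, and check issuer, audience and expiry.
        var claims = new Dictionary<string, string>();
        using (var payload = JsonDocument.Parse(Decode(parts[1])))
        {
            foreach (JsonProperty p in payload.RootElement.EnumerateObject())
                claims[p.Name] = p.Value.ToString();
        }
        string v;
        if (!claims.TryGetValue("iss", out v) || v != expectedIss) throw new SecurityException("wrong issuer");
        if (!claims.TryGetValue("aud", out v) || v != expectedAud) throw new SecurityException("wrong audience");
        if (!claims.TryGetValue("exp", out v) || now >= DateTimeOffset.FromUnixTimeSeconds(long.Parse(v)))
            throw new SecurityException("token expired");
        return claims;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse-0123456789"); // constructed
        const string sts = "https://sts.example.com", app = "https://app.example.com";       // constructed
        DateTimeOffset now = DateTimeOffset.UtcNow;

        string token = Issue(key, sts, app, "alice", now.AddMinutes(10));
        var claims = Validate(token, key, sts, app, now);
        Console.WriteLine("accepted, sub = " + claims["sub"]);

        // A token presented after its exp is refused even though its signature is intact.
        try { Validate(token, key, sts, app, now.AddMinutes(11)); }
        catch (SecurityException e) { Console.WriteLine("refused: " + e.Message); }

        // A token meant for another relying party is refused by the audience check.
        try { Validate(token, key, sts, "https://other.example.com", now); }
        catch (SecurityException e) { Console.WriteLine("refused: " + e.Message); }
    }
}
```

The order of the checks is the point: the algorithm is pinned and the signature verified before any payload field is read, because until then the payload is bytes the sender chose. With an asymmetric key (SAML assertions or RS256 JWTs) the same order holds, with the STS's certificate taking the place of the shared secret.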
Claims-based Identity Pros
Before claims-based:
• App authenticated the user itself or relied on a 3rd party such as AD to authenticate
• App gets simple information from the user, such as the user name
After claims-based:
• Authentication is outsourced to the STS
• App gets any information it needs
STS
• Security Token Service
• Claims are issued by a provider (STS)
• A security token service (STS) is the
service component that builds, signs, and
issues security tokens
• Client applications trust STS
• The basic flow is: client requests token, issuer issues token, resource consumes the token
Passive Federation
[Diagram: Passive Federation, spanning RP Domain and IdP Domain. Actors: User (subject), Browser (requestor), Web Site (RP), Quest STS (IdP). Labelled steps recovered from the figure: 1 (label not recovered), 2 SignIn, 3 and 4 Login Page / POST Credentials, 5 Authenticate / Issue Token, 6 POST SignIn Response, 7 Authorize Access.]
Active Federation
[Diagram: Active Federation, spanning RP Domain and IdP Domain. Actors: Rich Client, Identity Provider (IdP), Application (Relying Party, RP). Labels: Credentials, Authenticate / Issue, Security Token / Claims, Authorize; steps numbered 1 to 5.]
Certificate
• Token is signed with a certificate
• Same cert may be used for encrypting the message
• Same cert may be used for cookie encryption
• Cert Type
.NET help me please
RBAC
(Since 2002)
IIdentity: IsAuthenticated; AuthenticationType; Name
IPrincipal: IIdentity; IsInRole(string roleName);
Thread.CurrentPrincipal
DEMO
Old style
First Attempt: WIF
Windows Identity Foundation
• Hooks into ASP.NET pipeline
• Not a new solution: Claims
• Embedded into the .NET 4.5
ClaimsIdentity, ClaimsPrincipal
ClaimsIdentity : IIdentity { IEnumerable<Claim> Claims }
ClaimsPrincipal : IPrincipal { ReadOnlyCollection<ClaimsIdentity> Identities }
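The claims transformation the Claims slides describe ("applications may transform identity claims into application-specific claims"), written as the WIF ClaimsAuthenticationManager hook, together with the IPrincipal/IsInRole compatibility the RBAC slide relies on. This is an added example, not code from the deck or the demos; it assumes .NET Framework 4.5 with a reference to System.IdentityModel (where ClaimsAuthenticationManager lives). The group claim type, the group-to-role mapping, the resource name and every claim value are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;

// WIF runs Authenticate() once per request, after the incoming token has been
// validated, and uses the principal it returns for the rest of the request.
public class AppClaimsTransformer : ClaimsAuthenticationManager
{
    // Claim type the STS is assumed to use for directory groups (ADFS's "Group"
    // claim type); another STS may issue groups under a different type.
    public const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group";

    // Constructed mapping from directory group to application role.
    static readonly Dictionary<string, string> GroupToRole = new Dictionary<string, string>
    {
        { "CN=IdM-Admins,OU=Groups,DC=example,DC=com", "Administrator" },
        { "CN=IdM-Users,OU=Groups,DC=example,DC=com",  "Reader" },
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Never upgrade an unauthenticated principal; hand it back untouched.
        if (incomingPrincipal == null || incomingPrincipal.Identity == null
            || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        ClaimsIdentity incoming = (ClaimsIdentity)incomingPrincipal.Identity;
        var appClaims = new List<Claim>();

        // Keep only the identity claims this application understands.
        foreach (string type in new[] { ClaimTypes.NameIdentifier, ClaimTypes.Name, ClaimTypes.Email })
        {
            Claim c = incoming.FindFirst(type);
            if (c != null) appClaims.Add(c);
        }

        // Turn directory groups into application roles; unmapped groups are dropped.
        foreach (Claim g in incoming.FindAll(GroupClaimType))
        {
            string role;
            if (GroupToRole.TryGetValue(g.Value, out role))
                appClaims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "AppClaimsTransformer"));
        }

        // Same authentication type, so IsAuthenticated stays true; the Name and
        // Role claim types are declared so IPrincipal.IsInRole keeps working.
        var appIdentity = new ClaimsIdentity(appClaims, incoming.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(appIdentity);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Old style (the RBAC slide): a fixed role list behind IPrincipal.
        IPrincipal legacy = new GenericPrincipal(new GenericIdentity("alice", "Forms"), new[] { "Reader" });
        Console.WriteLine("legacy Reader: " + legacy.IsInRole("Reader"));

        // Claims style: what WIF hands to the transformer after validating the
        // token. All claim values here are constructed.
        var fromSts = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "urn:example:user:1104"),
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Email, "alice@example.com"),
            new Claim(AppClaimsTransformer.GroupClaimType, "CN=IdM-Admins,OU=Groups,DC=example,DC=com"),
            new Claim(ClaimTypes.Surname, "Example"),   // not needed by the app
        }, "Federation"));

        ClaimsPrincipal app = new AppClaimsTransformer().Authenticate("/admin", fromSts);

        // The slot the RBAC slide points at still works: ClaimsPrincipal is an IPrincipal,
        // and IsInRole is now answered from the role claims the transform produced.
        Thread.CurrentPrincipal = app;
        Console.WriteLine("name: " + Thread.CurrentPrincipal.Identity.Name);
        Console.WriteLine("Administrator: " + Thread.CurrentPrincipal.IsInRole("Administrator"));
        Console.WriteLine("Reader: " + Thread.CurrentPrincipal.IsInRole("Reader"));
        // The surname claim was never copied, so the application cannot see it.
        Console.WriteLine("surname kept: " + app.HasClaim(ClaimTypes.Surname, "Example"));
    }
}
```

In a WIF-enabled ASP.NET application the transformer is registered in web.config under system.identityModel/identityConfiguration with a claimsAuthenticationManager element naming the type; WIF then calls Authenticate() for every request after token validation, so controller code only ever sees the application-specific claims and can keep using IsInRole.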
DEMO
Visual Studio 2010 Demo with WIF
Visual Studio 2012 Demo with .NET 4.5
SSO
• Client applications are responsible for authorization (cookie)
• STS is responsible for user authentication (cookie)
• STS can generate the session token from the cookie
• STS can reissue the session token from the cookie
Log Out
• More difficult than login
• STS has to delete its own cookie
• Each client application must be notified for a logout
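The sign-out pieces the Log Out slide lists (the STS deletes its own cookie; each client application is notified), as an added example that is not part of the deck. The wa=wsignout1.0 and wa=wsignoutcleanup1.0 parameter values are WS-Federation's; the relying-party registry, the cookie name and all URLs are constructed for this example, and the list of realms that received a token during the session is assumed to be something the STS records as it issues tokens.

```csharp
using System;
using System.Collections.Generic;

public static class FederatedSignOut
{
    // Relying parties this STS is configured to issue tokens to, keyed by realm
    // (constructed). Only these may be notified or used as a return address.
    static readonly Dictionary<string, Uri> RegisteredRelyingParties = new Dictionary<string, Uri>
    {
        { "https://portal.example.com/",  new Uri("https://portal.example.com/") },
        { "https://reports.example.com/", new Uri("https://reports.example.com/") },
    };

    // Step 1 on the slide: the STS deletes its own session cookie. Returning the
    // Set-Cookie value keeps this testable outside a web server. "FedAuth" is the
    // default WIF cookie name; an STS may use its own.
    public static string ExpireCookieHeader(string cookieName)
    {
        return cookieName + "=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly";
    }

    // Step 2: every client application holding a session must be told to drop it.
    // WS-Federation does this with wa=wsignoutcleanup1.0 requests that the browser
    // carries to each RP (the STS sign-out page embeds them, usually as image or
    // iframe URLs). Realms not in the registry are skipped, never echoed back.
    public static IList<Uri> CleanupUrls(IEnumerable<string> realmsWithSession)
    {
        var urls = new List<Uri>();
        foreach (string realm in realmsWithSession)
        {
            Uri rp;
            if (RegisteredRelyingParties.TryGetValue(realm, out rp))
                urls.Add(new Uri(rp, "?wa=wsignoutcleanup1.0"));
        }
        return urls;
    }

    // The wreply parameter of a wsignout1.0 request says where to send the browser
    // afterwards. Honouring arbitrary values would turn the STS into an open
    // redirector, so the value must be https and sit under a registered RP.
    public static Uri ValidateReplyUrl(string wreply)
    {
        Uri candidate;
        if (string.IsNullOrEmpty(wreply)
            || !Uri.TryCreate(wreply, UriKind.Absolute, out candidate)
            || candidate.Scheme != Uri.UriSchemeHttps)
            return null;
        foreach (Uri rp in RegisteredRelyingParties.Values)
            if (rp.IsBaseOf(candidate)) return candidate;
        return null;
    }

    public static void Main()
    {
        Console.WriteLine(ExpireCookieHeader("FedAuth"));

        // Realms the STS recorded while issuing tokens in this session (constructed);
        // the third one is not a registered RP and must not receive a request.
        string[] session = { "https://portal.example.com/", "https://reports.example.com/", "https://unknown.example.net/" };
        foreach (Uri u in CleanupUrls(session))
            Console.WriteLine("notify: " + u);

        Console.WriteLine("registered https reply accepted: " + (ValidateReplyUrl("https://portal.example.com/signedout") != null));
        Console.WriteLine("foreign host accepted: " + (ValidateReplyUrl("https://attacker.example.net/") != null));
        Console.WriteLine("plain http accepted: " + (ValidateReplyUrl("http://portal.example.com/") != null));
    }
}
```

The STS has to track which relying parties it issued tokens to during a session, because that list is the only way to know whom to notify; the slide's "more difficult than login" is exactly this bookkeeping plus the fact that cleanup requests travel through the user's browser and can fail silently for any one RP.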
Partner Federation
• Your STS acts as a client application for another STS
• When your STS doesn’t have the user identity
• Client application still trusts only your STS
• Your STS does claims transformation
Home Realm Redirection
[Diagram: Home Realm Redirection, spanning Application Domain and IdP Domain. Actors: Browser, Web Site, Quest STS, IdP STS. Labels recovered from the figure: Sign-In Request (appears twice), Login Page, POST Credentials, 6 Authenticate / Issue Token, 7 Set Cookie, Gather Attributes / Issue Assertion, IdP SAML, Keystone Assertion w/ Session Token, 10 Authorize Access; steps numbered 1 to 11.]
Warnings
• Caching SessionSecurityToken
• Cookie size may be an issue (even with
chunking)
• Infinite loops (cookie issue)
• Load balancer issue (cookie issue)
• Use SSL
• QueryString length may be an issue

Editor's Notes

  1. World was small. Authentication was easy (or was it?). Apps have/had their own directories. There weren't many outsiders.
  2. IIdentity => IsAuthenticated, Name; IPrincipal => IsInRole, IIdentity. WCF model is different???