2. How to create a uniform login experience using Federated Identity
Roy Cornelissen, IT Architect, Info Support, @roycornelissen
Marcel de Vries, Technology Manager, @marcelv
Xamarin Evolve 2013
10. Problem statement
You want to secure your back end
Your app needs to authenticate before it can access services in your backend
How are you going to identify the user at the backend?
Roll your own username/password?
That’s so 1996….
You already have cloud identities on Facebook, Google, Microsoft, Yahoo!
Why not leverage those?
So what are our options to integrate with these identity providers?
12. What does an IdP do?
Authenticates against something you know or have
E.g. a password, a smart card, biometric information
It hands out tokens
Tokens contain claims
E.g. your name, email address, age or role
We can “chain” IdPs
Each IdP can augment the claim set and with that provide additional claims to the party that uses the token
13. What does your app need to do?
It needs to do something with the claims provided by the IdP
E.g. do a lookup on the “nameidentifier” claim and selectively provide access to application resources
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
So an IdP provides an authenticated identity and some claims about that identity
Your app needs to do smart things to authorize the user based on those claims
14. Possible solutions
Integrate your app with all the different providers out there
Requires a trust relationship with each (cloud) identity provider
Requires you to implement the integration with each provider, using their selected protocol
E.g. OAuth, WS-Federation, SAML/P, OpenID, etc.
Every time you want to support a new provider, you need to add that integration to your app
Use Windows Azure Active Directory
Use the Access Control Service (ACS)
15. Access Control Service (ACS)
You integrate with ACS
ACS handles integration with others: Facebook, Yahoo, Windows ID, Google ID, …
You can add any WS-Federation or OpenID compliant IdP such as a corporate ADFS
17. ACS Terminology
STS: Security Token Service
Any party that can issue an authentication token
Identity Provider (IdP)
Party that maintains the user identity, e.g. Windows Live, Google, Yahoo, etc.
Relying Party
This is the party relying on some IdP to hand over a set of claims about who that identity is, i.e. your app
Windows Live -> Unique id
Google -> Email address
18. SAML & cookie-based authentication versus Simple Web Tokens and HTTP header-based authentication
SAML or SWT?
You can use SAML or SWT
What are the tradeoffs?
It depends on your services
19. Call a service with SWT
When using a REST service, you can simply add a custom header to your request (HttpClient, WebClient)
When using WCF & SOAP, you need to add a custom header to the request

// REST: the SWT travels in the Authorization header using the WRAP scheme
// (the inner quotes must be escaped for this to compile)
string headerValue = string.Format("WRAP access_token=\"{0}\"", token);
client.Headers.Add("Authorization", headerValue);

// WCF/SOAP: set the Authorization header on the outgoing HTTP request of this call
using (var ctx = new OperationContextScope(proxy.InnerChannel))
{
    var httpRequestProperty = new HttpRequestMessageProperty();
    httpRequestProperty.Headers[HttpRequestHeader.Authorization] =
        string.Format("WRAP access_token=\"{0}\"", token);
    OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] =
        httpRequestProperty;
    // the service operation must be invoked inside this scope for the header to be sent
}
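Sending the SWT is the client's half; the relying party must verify the token before trusting a single claim in it. The following is an added example, not code from the deck, from ACS or from WIF: it checks the HMACSHA256 signature over the token with the symmetric key configured for the RP in ACS, then the Issuer, Audience and ExpiresOn fields. The class name SwtValidator and the caller-supplied key, issuer and audience values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: validating an ACS-issued Simple Web Token at the relying party.
// Assumes `token` is the value taken from the "WRAP access_token" Authorization header
// and `signingKey` is the 256-bit symmetric key ACS shares with this RP (caller-supplied).
public static class SwtValidator
{
    const string SigPrefix = "&HMACSHA256=";

    // Returns the claim set when the token is authentic, issued for this realm and not
    // expired; returns null in every other case so the caller denies access.
    public static IDictionary<string, string> Validate(string token, byte[] signingKey,
        string expectedIssuer, string expectedAudience, DateTime utcNow)
    {
        int sigAt = token.LastIndexOf(SigPrefix, StringComparison.Ordinal);
        if (sigAt < 0) return null;
        string signedPart = token.Substring(0, sigAt);
        byte[] provided;
        try { provided = Convert.FromBase64String(Uri.UnescapeDataString(token.Substring(sigAt + SigPrefix.Length))); }
        catch (FormatException) { return null; }

        // The HMAC covers everything before "&HMACSHA256="; compare in constant time.
        byte[] expected;
        using (var hmac = new HMACSHA256(signingKey)) expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPart));
        if (!FixedTimeEquals(expected, provided)) return null;

        // Only after the signature holds do we parse the form-encoded key=value pairs.
        var claims = new Dictionary<string, string>();
        foreach (string pair in signedPart.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) claims[Uri.UnescapeDataString(pair.Substring(0, eq))] = Uri.UnescapeDataString(pair.Substring(eq + 1));
        }

        // Issuer, Audience and ExpiresOn (Unix seconds) are mandatory SWT fields; all must match.
        string v; long expiresOn;
        if (!claims.TryGetValue("Issuer", out v) || v != expectedIssuer) return null;
        if (!claims.TryGetValue("Audience", out v) || v != expectedAudience) return null;
        if (!claims.TryGetValue("ExpiresOn", out v) || !long.TryParse(v, out expiresOn)) return null;
        if (new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(expiresOn) <= utcNow) return null;
        return claims;
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A token whose signature fails, whose Audience names another realm, or whose ExpiresOn has passed yields null, so the nameidentifier lookup from slide 13 only runs on claims ACS actually issued for this service.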
20. Call a service with SAML token (cookie based)
When using a REST service, you need to add the cookie to the cookie collection in the header of the request
For SOAP using the WCF stack, simply use CookieContainer

// REST: serialize the authentication cookies into a single Cookie header
CookieCollection coll = App.AuthenticationCookieContainer;
WebClient webrequest = new WebClient();
string cookiestring = "";
int count = 0;
foreach (Cookie cookie in coll)
{
    if (count++ > 0) { cookiestring += "; "; }
    cookiestring += cookie.Name + "=" + cookie.Value;
}
webrequest.Headers[HttpRequestHeader.Cookie] = cookiestring;

// SOAP: hand the cookie container to the generated proxy
EventsServices.EventsDomainServicesoapClient proxy = new EventsServices.EventsDomainServicesoapClient();
proxy.CookieContainer = App.AuthenticationCookieContainer;
21. Conceptual model
[Diagram: Identity Providers (IdP), ACS (STS) and your (web) services (RP, using WIF). The app gets the IdP list from ACS, authenticates at the IdP, is redirected back to get a token/cookie, and then accesses the service (<soap/> or { json }); the browser-based .aspx login ends in a cookie.]

25. Authentication flow
[Diagram: the Mobile App calls GetIdentityProviders() on ACS, requests the Identity Provider's login page and logs in; the IdP token is sent to ACS, which maps claims for the realm and issues an ACS token, returned as a cookie (containing the ACS token); the app then sends its request (with cookie) to Your Service. Depending on the ACS config for SWT or SAML you get a header or a cookie.]
30. I want that! NOW!
We’ll publish the code on CodePlex
And depending on demand: NuGet package and Xamarin Store
31. Wait, what about Windows Azure Toolkit?
It’s deprecated
Replacement does not provide the same experience
Our code is a fork of the original AND works on multiple platforms!