1. Welcome!

2. How to create a
uniform login
experience using
Federated Identity Roy
Cornelissen
IT Architect,
Info Support
Marcel
de Vries
TechnologyManager
@marcelv
Xamarin
Evolve
2013
Roy
Cornelissen
ITArchitect
@roycornelissen

9. Your app Demo’s
Problem Solutions

10. Problem statement
You want to secure your back end
Your app needs to authenticate before it can access services in your
backend
How are you going to identify the user at the backend?
Roll your own username/password
That’s so 1996….
You already have cloud identities on Facebook, Google, Microsoft, Yahoo!
Why not leverage on those?
So what are our options to integrate with these identity providers?

11. Enterprise IdP’s
Microsoft Active Directory
&
Active Directory Federation
Services
(ADFS)
Social IdP’s
Identity Providers (IdP)

12. What does an IdP do?
Authenticate against something you know or have
E.g. a password, a smart card, Biometric information
It hands out tokens
Tokens contain claims
E.g. your name, email address, age or role
We can “chain” IdP’s
Each IdP can augment the claim set and with that provide
additional claims to the party that uses the token

13. What does your app need to do?
It needs to do something with the claims
provided by the IdP
E.g. do a lookup on “nameidentifier” claim and
selectively provide access to application resources
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
So an IdP provides an authenticated identity and
some claims about that identity
Your app needs to do smart things to authorize
the user based on those claims

14. Possible solutions
Integrate your app with all different providers out there
Requires trust relationship with each (cloud) identity provider
Requires you to implement the integration with each provider,
using their selected protocol
E.g. OAuth, WS Federation, SAML/P, OpenID, etc.
Every time you want to support a new provider, you need to
add that integration to your app
Use Windows Azure Active Directory
Use the Access Control Service (ACS)

15. You can add any WS-Federation or Open ID
compliant IdP such as a corporate ADFS
Access Control Service (ACS)
You integrate with ACS
ACS handles integration with others:
Facebook, Yahoo, Windows ID, Google ID, …

17. ACS Terminology
STS
Security Token Service
Any party that can issue an authentication token
Identity Provider (IdP)
Party that maintains the user identity, e.g. Windows Live,
Google, Yahoo, etc.
Relying Party
This is the party relying on some IdP to hand over a set of
claims about who that identity is, i.e. your app
Windows live -> Unique id
Google -> Email Address

18. SAML & Cookie based authentication versus Simple
Web Tokens and HTTP header based authentication
SAML or SWT?
You can use SAML or SWT
What are the tradeoffs?
It depends on your services

19. Call a service with SWT
When using rest service, you can simply add a custom
header to your request (HttpClient, WebClient)
When using WCF & SOAP, you need to add a custom
header to the request
string headerValue = string.Format("WRAP access_token="{0}"", token);
client.Headers.Add("Authorization", headerValue);
using (var ctx = new OperationContextScope(proxy.InnerChannel))
{
HttpRequestMessageProperty httpRequestProperty = new HttpRequestMessageProperty();
httpRequestProperty.Headers[HttpRequestHeader.Authorization] =
String.Format("WRAP access_token="{0}"", token);
OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] =
httpRequestProperty;
}

20. Call a service with SAML Token
(cookie based)
When using rest service, you need to add the cookie to
the cookie collection in the header of request
For SOAP using WCF stack simply use CookieContainer
CookieCollection coll = App.AuthenticationCookieContainer;
WebClient webrequest = new WebClient();
String cookiestring ="" ;
foreach (Cookie cookie in coll){ if (count++ > 0){cookiestring += "; ";}
cookiestring += cookie.Name + "=" + cookie.Value;
}
webrequest.Headers[HttpRequestHeader.Cookie] = cookiestring;
EventsServices.EventsDomainServicesoapClient proxy = new
EventsServices.EventsDomainServicesoapClient();
proxy.CookieContainer = App.AuthenticationCookieContainer;

21. Your (web) services (RP)
Identity Providers (IdP)
redirect
ACS (STS)
Authenticate
Get IdP list
Access the service
redirect
Get token/cookie
WIF
< soap/> { json }
Conceptual model
.aspx
Cookie

24. ISKE Events App

25. Mobile App ACS
GetIdentityProviders()
Identity Provider
Request to login page
Map claims
Realm
page
ACS Token
Cookie
(containing
ACS token)
Request (with cookie)
IDP Token
Login
Your
Service
Depending on ACS
config for SWT or SAML
you get a header or a
cookie
Authentication flow

27. SignInWebView
Delegate
SignIn
ViewController
SignInController ACS
JSON
IdentityProvider
DiscoveryClient
Relying Party
ACS namespace
Realm
HttpCookieContainer
Identity
Provider

28. LoginView
WebView
WebBrowser
AccessControlService
SignIn control
ACS
JSON
IdentityProvider
DiscoveryClient
Relying Party
ACS namespace
Realm
HttpCookieContainer
Identity
Provider

29. SignInActivity
SignInWebView
IdentityProvider
ListActivity
SignInController ACS
JSON
IdentityProvider
DiscoveryClient
Relying Party
[navigate]
ACS namespace
Realm
HttpCookieContainer
Identity
Provider

30. I want that! NOW!
We’ll publish the code on CodePlex
And depending on demand:
Nuget package and Xamarin Store

31. Wait, what about
Windows Azure Toolkit?
It’s deprecated
Replacement does not provide the
same experience
Our code is a fork of the original
AND works on multiple platforms!

32. @roycornelissen
roycornelissen.wordpress.com
Thank you!
@marcelv
blogs.infosupport.com/marcelv
Come see us again,
tomorrow at 1.30 PM