This document discusses single sign-on (SSO) authentication. It begins by explaining the problems that SSO aims to solve, such as having multiple usernames and passwords across different applications. It then covers common SSO protocols like OpenID, SAML, and WS-Federation that enable centralized authentication across domains. Microsoft's Geneva framework is presented as a library for federated authentication with ASP.NET applications. Risks of SSO like becoming an attractive target for attacks are also outlined. The document aims to provide an overview of SSO concepts, protocols, and issues to consider.
2. Dominick Baier. Support and consulting for software developers and architects in the Windows and .NET environment: developer coaching and mentoring; architecture consulting and prototyping; architecture and code reviews. Focus on distributed applications, service orientation, workflows, cloud computing, interoperability, security, end-to-end solutions. Windows Server, .NET, WCF, WF, MSMQ, .NET Services, Windows Azure. http://www.thinktecture.com http://www.leastprivilege.com dominick.baier@thinktecture.com
3. Agenda. What's Single Sign-On? How does HTTP-based authentication work? ASP.NET Forms Authentication. Protocols for third-party authentication. Microsoft "Geneva" Framework for ASP.NET. Dangers of Single Sign-On.
4. Single Sign-On. The problem: many (historical) applications, each with username/password authentication and different account stores. The desire: no need for separate accounts; at least the same credential for all apps; only sign in once (a day).
5. Single Sign-On v0.5. Unified user account data store: a prerequisite for moving on, but still separate sign-on processes.
10. Forms Authentication drawbacks. ASP.NET encrypts and signs authentication cookies using a random key by default, so a shared key must be set in all applications. Authentication logic must be duplicated. Forms Authentication does not support redirects outside of the current application. Cookie domains are limited: applications in different domains cannot "federate".
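The "shared key in all applications" point in practice means every application that should accept the same Forms Authentication cookie carries an identical machineKey section. The web.config fragment below is an added illustration, not from the slides; the key values are placeholders (generate your own random hex strings of the documented length) and the cookie name and domain are assumed:

```xml
<configuration>
  <system.web>
    <!-- Same validationKey/decryptionKey in every application that shares the cookie.
         Placeholder values: replace with randomly generated keys, never commit real ones. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_DECRYPTION_KEY"
                validation="SHA1"
                decryption="AES" />
    <authentication mode="Forms">
      <!-- Assumed cookie name and parent domain; cookies cannot cross to a different domain,
           which is the limit the slide refers to. -->
      <forms name=".SharedAuth"
             domain="example.org"
             loginUrl="~/Login.aspx"
             requireSSL="true"
             timeout="30" />
    </authentication>
  </system.web>
</configuration>
```

A mismatch in any one key means that application silently rejects cookies issued by the others, so the shared key should be managed centrally rather than copied by hand.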
20. Identity provider. A normal ASP.NET application. Token issuance logic is implemented in a SecurityTokenService-derived class. The token service is hosted on an .aspx page using a web control: issue.aspx contains <idfx:FederatedPassiveTokenService />, which wraps the SecurityTokenService. The relying party redirects the browser to issue.aspx?wa=wsignin1.0…, and the token is returned via an HTTP form POST.
21. SecurityTokenService

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.SecurityTokenService.Configuration;

public class MyTokenService : SecurityTokenService
{
    public MyTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // parse request.AppliesTo (the relying party the token is for)
        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
        Scope scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);

        // and return the encryption cert registered for that relying party
        // (LookupEncryptionCertificate is an application-specific lookup, not part of Geneva)
        X509Certificate2 cert = LookupEncryptionCertificate(appliesTo);
        scope.EncryptingCredentials = new X509EncryptingCredentials(cert);
        return scope;
    }

    public override IClaimsIdentity GetOutputClaimsIdentity(
        Scope scope, IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // retrieve claims from store and return them as IClaimsIdentity
        IClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }

    private X509Certificate2 LookupEncryptionCertificate(string appliesTo)
    {
        // application-specific: load the relying party's certificate from configuration
        throw new System.NotImplementedException();
    }
}
```
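The two slides above leave implicit what the relying party sends and what the identity provider should check before it issues. The following is an added, framework-free example (not Geneva code and not from the deck): the relying party builds the wa=wsignin1.0 redirect, and the identity provider resolves the requested realm against a registered list so that tokens are only issued for, and posted back to, known relying parties. The realm list, the helper names and the sample URLs are constructed for illustration:

```csharp
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility.UrlEncode

// Hypothetical helper for the WS-Federation passive profile; added illustration, not Geneva API.
public static class PassiveFederation
{
    // Relying-party side: redirect the browser to the issuer page.
    // wa selects the action, wtrealm identifies the relying party, wctx carries state
    // (for example the originally requested URL) that the STS echoes back unchanged.
    public static string BuildSignInUrl(string issuerUrl, string realm, string context)
    {
        return issuerUrl
            + "?wa=wsignin1.0"
            + "&wtrealm=" + HttpUtility.UrlEncode(realm)
            + "&wctx=" + HttpUtility.UrlEncode(context);
    }

    // Identity-provider side: registered relying parties and the only address a token may be posted to.
    // Constructed sample data.
    private static readonly Dictionary<string, string> RegisteredRealms =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://app1.example.org/", "https://app1.example.org/Default.aspx" },
            { "https://app2.example.org/", "https://app2.example.org/Default.aspx" },
        };

    // Returns false for any realm that was not registered; the caller then refuses to issue.
    // Deriving the reply address from the registry rather than from a wreply query parameter
    // keeps an attacker from steering a freshly issued token to an address they control.
    public static bool TryResolveReplyTo(string wtrealm, out string replyTo)
    {
        replyTo = null;
        if (string.IsNullOrEmpty(wtrealm))
        {
            return false;
        }
        Uri realmUri;
        if (!Uri.TryCreate(wtrealm, UriKind.Absolute, out realmUri) || realmUri.Scheme != "https")
        {
            return false; // slide 22: use SSL; tokens are never posted to plain http
        }
        return RegisteredRealms.TryGetValue(realmUri.AbsoluteUri, out replyTo);
    }

    public static void Main()
    {
        string url = BuildSignInUrl("https://idp.example.org/issue.aspx",
                                    "https://app1.example.org/", "/orders/42");
        Console.WriteLine(url);

        string replyTo;
        Console.WriteLine(TryResolveReplyTo("https://app1.example.org/", out replyTo)
            ? "issue, post to " + replyTo
            : "refuse");
        Console.WriteLine(TryResolveReplyTo("https://evil.example.net/", out replyTo)
            ? "issue, post to " + replyTo
            : "refuse");
    }
}
```

Running it prints the sign-in URL, "issue, post to https://app1.example.org/Default.aspx" for the registered realm and "refuse" for the unknown one. In Geneva the equivalent check belongs in GetScope, where request.AppliesTo carries the realm and Scope.ReplyToAddress is set from the registry.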
22. Dangers of Single Sign-On. The identity provider becomes an attractive target for attacks (phishing, spoofing): use SSL (and token-level encryption). Users get access to several applications with a single credential, so this credential must be secured. Cross-site request forgery becomes a big issue.
23. Summary. Single Sign-On can simplify the user experience: the fewer credentials a human has to manage, the better. ASP.NET has limited built-in support; special protocols are needed to enable advanced scenarios. Geneva is Microsoft's library for federation with ASP.NET. Single Sign-On also has some issues.