ASP.NET Single Sign-On Protocols and Microsoft Geneva Framework

ASP.NET Single-Sign-On
Dominick Baier | thinktecture
http://www.thinktecture.com
dominick.baier@thinktecture.com
Dominick Baier
- Support and consulting for software developers and architects in the Windows and .NET space
- Developer coaching and mentoring
- Architecture consulting and prototyping
- Architecture and code reviews
- Focus on distributed applications, service orientation, workflows, cloud computing, interoperability, security, end-to-end solutions
- Windows Server, .NET, WCF, WF, MSMQ, .NET Services, Windows Azure
http://www.thinktecture.com
http://www.leastprivilege.com
dominick.baier@thinktecture.com
Agenda
- What's Single Sign-On?
- How does HTTP-based authentication work?
- ASP.NET Forms Authentication
- Protocols for third-party authentication
- Microsoft "Geneva" Framework for ASP.NET
- Dangers of Single Sign-On
Single Sign-On
The problem:
- many (historical) applications
- username/password authentication
- different account stores
The desire:
- no need for separate accounts
- at least the same credential for all apps
- only sign in once (a day)
Single Sign-On v0.5
- unified user account data store
- prerequisite for moving on
- still separate sign-on processes
Challenge/response-based authentication
GET /default.aspx
401 / WWW-Authenticate
GET / Authorization …
Redirect/cookie-based authentication
GET /default.aspx
302 -> login.aspx
POST /login.aspx
Set-Cookie
ASP.NET Forms Authentication
www.domain.com
.domain.com
Forms Authentication scenarios
- www.domain.com/app1 and www.domain.com/app2
- app1.domain.com and app2.domain.com
Forms Authentication drawbacks
- ASP.NET encrypts and signs authentication cookies
  - uses a random key by default
  - a shared key must be set in all applications
- Authentication logic must be duplicated
- Forms Authentication does not support redirects outside of the current application
- Cookie domains are limited
  - applications in different domains cannot "federate"
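The two settings the drawbacks slide refers to, shown as an added web.config example (not part of the deck): every application that should accept the same Forms Authentication cookie needs an identical <machineKey> (otherwise each app generates its own random key and rejects the others' cookies) and a cookie scoped to the parent domain so app1.domain.com and app2.domain.com both receive it. The key values are placeholders; generate your own and keep them out of source control.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Same name, domain and protection level in every application that shares the sign-on.
           domain=".domain.com" scopes the cookie to all hosts under domain.com; it cannot be
           widened to a different registrable domain, which is the "cannot federate" limit. -->
      <forms name=".DOMAINAUTH"
             loginUrl="~/login.aspx"
             domain=".domain.com"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="30" />
    </authentication>

    <!-- Explicit keys replace the per-application random key. The same pair must be
         deployed to every application; rotate them together. Placeholders below. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_SHARED_BY_ALL_APPS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_SHARED_BY_ALL_APPS"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

Setting requireSSL="true" marks the cookie Secure, which matters more once one cookie opens several applications; the shared machineKey is a secret of the same sensitivity as the user database, since whoever holds it can mint a valid ticket for any name.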
Forms Authentication non-scenarios
- www.domain1.com, www.domain2.com, www.login.com
"Third-party authentication" protocols
- Protocols with a focus on
  - factoring out and centralizing authentication logic
  - transmitting authentication tokens over domain boundaries
- Several popular standards
  - OpenID
  - SAML 2.0p
  - WS-Federation
General idea
Identity Provider <-- trust --> Relying Party
Client: data exchange (1) with the Identity Provider, (2) with the Relying Party
A look into a (SAML) token
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    Issuer="http://www.login.com">
      <saml:Conditions NotBefore="…" NotOnOrAfter="…">
        <!-- audience restriction: ApplicationName -->
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="name">
          <saml:AttributeValue>dominick</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="email">
          <saml:AttributeValue>dbaier@leastprivilege.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
    </saml:Assertion>
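What a relying party must actually check in the <saml:Conditions> block, as an added C# example that is not from the deck: the validity window (NotBefore / NotOnOrAfter) and that the token was issued for this application (the slide's "ApplicationName"; in SAML 1.x that is the AudienceRestrictionCondition/Audience element, which is my reading of the slide's abbreviation). The sample assertion and timestamps are constructed. Signature verification is a prerequisite and is not shown: an unverified assertion must never reach this code.

```csharp
using System;
using System.Xml;

public static class SamlConditionsCheck
{
    const string SamlNs = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Returns null when the conditions hold, otherwise the reason the token is rejected.
    // nowUtc is passed in so the check is deterministic and the clock source is explicit.
    public static string Validate(string assertionXml, string expectedAudience, DateTime nowUtc)
    {
        var doc = new XmlDocument();
        doc.LoadXml(assertionXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);

        var conditions = doc.SelectSingleNode("/saml:Assertion/saml:Conditions", ns) as XmlElement;
        if (conditions == null)
            return "no Conditions element; reject rather than assume unlimited validity";

        // Both time attributes are optional in SAML 1.x, so enforce each one that is present.
        if (conditions.HasAttribute("NotBefore"))
        {
            DateTime notBefore = XmlConvert.ToDateTime(conditions.GetAttribute("NotBefore"),
                                                       XmlDateTimeSerializationMode.Utc);
            if (nowUtc < notBefore) return "token not yet valid";
        }
        if (conditions.HasAttribute("NotOnOrAfter"))
        {
            DateTime notOnOrAfter = XmlConvert.ToDateTime(conditions.GetAttribute("NotOnOrAfter"),
                                                          XmlDateTimeSerializationMode.Utc);
            if (nowUtc >= notOnOrAfter) return "token expired";
        }

        // Audience: a token issued for another relying party must not be accepted here,
        // even though it is correctly signed by the same identity provider.
        XmlNodeList audiences = conditions.SelectNodes("saml:AudienceRestrictionCondition/saml:Audience", ns);
        if (audiences == null || audiences.Count == 0)
            return "no audience restriction";
        foreach (XmlNode audience in audiences)
            if (string.Equals(audience.InnerText.Trim(), expectedAudience, StringComparison.Ordinal))
                return null;
        return "token issued for a different application";
    }

    // Constructed sample assertion (the ds:Signature element is omitted here).
    public const string SampleAssertion =
@"<saml:Assertion xmlns:saml=""urn:oasis:names:tc:SAML:1.0:assertion"" Issuer=""http://www.login.com"">
  <saml:Conditions NotBefore=""2009-06-01T10:00:00Z"" NotOnOrAfter=""2009-06-01T10:10:00Z"">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://app/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName=""name"" AttributeNamespace=""http://schemas.xmlsoap.org/claims"">
      <saml:AttributeValue>dominick</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>";

    public static void Main()
    {
        var now = new DateTime(2009, 6, 1, 10, 5, 0, DateTimeKind.Utc);
        Console.WriteLine(Validate(SampleAssertion, "http://app/", now) ?? "accepted");
        Console.WriteLine(Validate(SampleAssertion, "http://other-app/", now) ?? "accepted");
        Console.WriteLine(Validate(SampleAssertion, "http://app/", now.AddHours(1)) ?? "accepted");
    }
}
```

The three calls in Main exercise the accepted case, the wrong-audience case and the expired case. Compare the audience with an ordinal comparison against the exact realm string the relying party registered at the identity provider; normalising or prefix-matching URLs here widens what the token is good for.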
WS-Federation
1: GET /default.aspx
2: GET /sts/auth.aspx
    <form method="POST" action="http://app/default.aspx">
      <input name="wresult" value="[token]" />
      …
      <script>
        window.setTimeout('document.forms[0].submit()', 0);
      </script>
    </form>
3: POST /default.aspx
"Geneva" project
- ADFS 2
  - Active Directory integrated identity provider
  - enterprise-level management features
- Windows Identity Foundation (WIF)
  - extensions to the .NET identity & authorization infrastructure
  - direct ASP.NET & WCF integration
  - supports writing relying parties & identity providers
  - token handling toolkit
http://www.microsoft.com/geneva
WS-Federation configuration
Geneva extensions to IPrincipal
    interface IIdentity
    {
        bool IsAuthenticated { get; }
        string AuthenticationType { get; }
        string Name { get; }
    }

    interface IPrincipal
    {
        IIdentity Identity { get; }
        bool IsInRole(string roleName);
    }

    interface IClaimsIdentity : IIdentity
    {
        ClaimCollection Claims { get; }
        string NameClaimType { get; }
        string RoleClaimType { get; }
    }

    interface IClaimsPrincipal : IPrincipal
    {
        ClaimsIdentityCollection Identities { get; }
    }
Claim
    public class Claim
    {
        public virtual string ClaimType { get; }
        public virtual string Value { get; }
        public virtual string Issuer { get; }
        // rest omitted
    }
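How a relying party uses the IClaimsPrincipal / Claim types from the two slides above for an authorization decision, as an added example (not the deck's code and not a Geneva SDK sample). It assumes the Microsoft.IdentityModel.Claims namespace of the released WIF assembly; the trusted issuer name and the sample principal are constructed. The point it makes is the Issuer property on the Claim slide: IsInRole matches on claim type and value only, so a decision that matters should also check who asserted the claim.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;   // WIF ("Geneva"): Claim, ClaimsIdentity, ClaimsPrincipal, ClaimTypes

public static class ClaimsAuthorization
{
    // The identity provider this application trusts (hypothetical name).
    public const string TrustedIssuer = "http://www.login.com";

    // True only if the principal carries a claim of the given type and value
    // that was asserted by the trusted issuer. Claim.Issuer is what separates a
    // claim the identity provider vouched for from one that came from anywhere else.
    public static bool HasTrustedClaim(IClaimsPrincipal principal, string claimType, string value)
    {
        foreach (IClaimsIdentity identity in principal.Identities)
            foreach (Claim claim in identity.Claims)
                if (claim.ClaimType == claimType
                    && claim.Value == value
                    && claim.Issuer == TrustedIssuer)
                    return true;
        return false;
    }

    public static bool CanApprove(IClaimsPrincipal principal)
    {
        return HasTrustedClaim(principal, ClaimTypes.Role, "Approver");
    }

    // Constructed sample: name and e-mail from the trusted issuer (the two attributes
    // on the SAML slide) plus one role claim that did not come from it.
    public static IClaimsPrincipal SamplePrincipal()
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name,  "dominick",                  ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Email, "dbaier@leastprivilege.com", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role,  "Approver",                  ClaimValueTypes.String, "http://untrusted.example/"),
        };
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    public static void Main()
    {
        IClaimsPrincipal p = SamplePrincipal();
        // IsInRole looks only at RoleClaimType and the value, so the untrusted role claim satisfies it.
        Console.WriteLine("IsInRole(\"Approver\"): " + p.IsInRole("Approver"));
        // The issuer-aware check does not accept it.
        Console.WriteLine("CanApprove: " + CanApprove(p));
    }
}
```

In a deployed relying party the token handlers stamp every claim with the issuer of the token it came from, so the issuer check is what ties an authorization decision to a specific identity provider rather than to "any token the handler could parse".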
Identity provider
- Normal ASP.NET application
- Token issuance logic implemented in a SecurityTokenService-derived class
- Token service hosted on an .aspx page using a web control
    <idfx:FederatedPassiveTokenService />
- Flow: issue.aspx?wa=wsignin1.0… -> SecurityTokenService -> HTTP form POST of the token back to the application
SecurityTokenService
    public class MyTokenService : SecurityTokenService
    {
        protected override Scope GetScope(
            IClaimsPrincipal principal, RequestSecurityToken request)
        {
            // parse request.AppliesTo (and return encryption cert)
        }

        public override IClaimsIdentity GetOutputClaimsIdentity(
            Scope scope, IClaimsPrincipal principal,
            RequestSecurityToken request)
        {
            // retrieve claims from store and return them as IClaimsIdentity
        }
    }
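A filled-in version of the SecurityTokenService skeleton above, as an added example: it is neither the deck's code nor the Geneva SDK template. It assumes the released WIF API (Microsoft.IdentityModel.*), in which GetOutputClaimsIdentity is declared protected with the parameter order (principal, request, scope) rather than the pre-release order the slide shows; the relying-party registry, certificate thumbprint and account store are constructed placeholders. This is the class the <idfx:FederatedPassiveTokenService /> control on the previous slide would host. The defensive point is in GetScope: the STS issues tokens only for realms it has registered and posts them back to the registered address, so a manipulated wtrealm or wreply in the issue.aspx?wa=wsignin1.0 request cannot obtain a token for, or deliver one to, an arbitrary site.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Stand-in for the account store the slide refers to; contents are constructed for this example.
static class AccountStore
{
    static readonly Dictionary<string, string> Emails = new Dictionary<string, string>
    {
        { "dominick", "dbaier@leastprivilege.com" },
    };
    static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>
    {
        { "dominick", new[] { "User", "Admin" } },
    };

    public static string LookupEmail(string user) { string e; return Emails.TryGetValue(user, out e) ? e : null; }
    public static string[] LookupRoles(string user) { string[] r; return Roles.TryGetValue(user, out r) ? r : new string[0]; }
}

public class MyTokenService : SecurityTokenService
{
    // Registered relying parties: realm (wtrealm / AppliesTo) -> thumbprint of the certificate
    // the token is encrypted for. The thumbprint is a placeholder; register the real ones here.
    static readonly Dictionary<string, string> RelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "http://app/", "REPLACE_WITH_RELYING_PARTY_CERT_THUMBPRINT" },
        };

    public MyTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is missing");

        // Only realms registered with this STS get a token; anything else is refused.
        string realm = request.AppliesTo.Uri.AbsoluteUri;
        string thumbprint;
        if (!RelyingParties.TryGetValue(realm, out thumbprint))
            throw new InvalidRequestException("Unknown relying party: " + realm);

        var scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.EncryptingCredentials = new X509EncryptingCredentials(FindCertificate(thumbprint));
        // Post the token back to the registered address, never to a caller-supplied one.
        scope.ReplyToAddress = realm;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
                                                              RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("The caller is not authenticated");

        // The caller was authenticated by the hosting ASP.NET application (e.g. Forms Authentication);
        // the STS turns that identity into claims the relying party understands.
        string user = principal.Identity.Name;
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, user) };

        string email = AccountStore.LookupEmail(user);
        if (email != null)
            claims.Add(new Claim(ClaimTypes.Email, email));
        foreach (string role in AccountStore.LookupRoles(user))
            claims.Add(new Claim(ClaimTypes.Role, role));

        return new ClaimsIdentity(claims);
    }

    // Looks the relying party's encryption certificate up in the machine store by thumbprint.
    static X509Certificate2 FindCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException("Relying party certificate not found: " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Keep the realm lookup exact (the realm string is the audience the relying party later checks) and resist adding a "default" relying party: an STS that issues a token for any AppliesTo turns every token it signs into a credential usable wherever that issuer is trusted.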
Dangers of Single Sign-On
- The Identity Provider becomes an attractive target for attacks
  - phishing, spoofing
  - use SSL (and token-level encryption)
- Users get access to several applications with a single credential
  - this credential must be secured
- Cross-Site Request Forgery becomes a big issue
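Why CSRF grows with SSO: one ambient cookie now authenticates the browser to every federated application, so a forged request to any of them rides on it. The standard mitigation the slide's resources (AntiCSRF, the OWASP page) describe is a synchronizer token: a secret the browser can only supply if the page itself was rendered by the application. The following is an added example, not the deck's code and not the AntiCSRF project; the session key name and page class are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AntiForgery
{
    // Generates an unguessable token to store in the server-side session and emit as a hidden field.
    // It must not be derivable from the SSO cookie, which is exactly what the attacker's request carries.
    public static string NewToken()
    {
        var bytes = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Compares the token posted with the form to the one in the session, in constant time
    // so that timing differences do not leak how many leading bytes matched.
    public static bool IsValid(string sessionToken, string formToken)
    {
        if (string.IsNullOrEmpty(sessionToken) || string.IsNullOrEmpty(formToken))
            return false;
        byte[] a = Encoding.UTF8.GetBytes(sessionToken);
        byte[] b = Encoding.UTF8.GetBytes(formToken);
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Hypothetical state-changing page: issues the token on GET, enforces it on every POST.
public class TransferPage : System.Web.UI.Page
{
    const string SessionKey = "csrf-token";

    protected string CsrfToken
    {
        get { return (string)Session[SessionKey]; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (Session[SessionKey] == null)
                Session[SessionKey] = AntiForgery.NewToken();
            return;
        }

        // A cross-site form post carries the SSO cookie but not this field.
        if (!AntiForgery.IsValid(CsrfToken, Request.Form["csrf"]))
        {
            Response.StatusCode = 403;
            Response.End();
        }
        // ... perform the state change only after this point
    }
}
```

In the .aspx markup the token goes into the form as a hidden field (for example <input type="hidden" name="csrf" value="<%= HttpUtility.HtmlAttributeEncode(CsrfToken) %>" />), so the check above fails closed for any request that did not originate from a page this application rendered.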
Summary
- Single Sign-On can simplify the user experience
  - the fewer credentials a human has to manage, the better
- ASP.NET has limited built-in support
  - special protocols needed to enable advanced scenarios
- Geneva is Microsoft's library for federation with ASP.NET
- Single Sign-On also has some issues
Resources
- "Developing more-secure ASP.NET Applications": http://tinyurl.com/AspNetSecurity
- OpenID for .NET: http://code.google.com/p/dotnetopenid/
- Thinktecture Starter STS: StarterSTS.codeplex.com
- Geneva Framework Whitepaper: http://tinyurl.com/GenevaWhitepaper
- Cross Site Request Forgery (CSRF): http://www.owasp.org/index.php/Cross-Site_Request_Forgery
- AntiCSRF: http://AntiCSRF.codeplex.com/
Contact me…
dominick.baier@thinktecture.com
http://www.leastprivilege.com
