.NET Services Access Control Service Drilldown Justin Smith Sr. Program Manager Microsoft Corporation BB28

Page 1: Justin Smith Sr. Program Manager Microsoft Corporation BB28

.NET Services Access Control Service Drilldown

Justin Smith, Sr. Program Manager

Microsoft Corporation

BB28

Page 2:

Azure™ Services Platform

Microsoft SharePoint Services

Microsoft Dynamics CRM Services

Page 3:

PLACEHOLDER FOR ALL UP IDENTITY SLIDE

Page 4: Agenda

Motivation

.NET Access Control Service Guided Tour

Requesting and Processing Tokens

Architecture

Futures

Page 5: Pop Quiz

What are the first two questions an application has to answer?

Note: this is a bit of a trick question, and it has to do with security…

Page 6: What Were You Thinking?

The two questions are hard to answer, and virtually everyone has to answer them

Common ISV question: “How do I integrate with existing business assets?”

Customers need to work in a federated world with Live Identity Services, Active Directory, Tivoli, OpenID, Certs, …

Page 7: In A Nutshell – Diagram – Update

Diagram: your customers (Live ID users, XYZ domain users, <Any ID Provider>) reach your app (Web, Msg, WF, Data) through the .NET Access Control Service, which answers the two questions: Who is the caller? What can they do?

Page 8: In A Nutshell – Words

Automates federation for a wide range of identity providers and technologies

Factors the access control logic out of the application into a manageable collection of rules

Is an easy-to-use framework that ensures correct token processing

Works for web services and web applications

Page 9: Where Is It Currently Used?

SQL Server Data Services: accepts username & password and a token produced by Access Control Service

.NET Service Bus

.NET Workflow Service

The Portals

More to come

NOTE: The Service Bus and the Workflow Service share code for token processing

Page 10: Basic Anatomy

Portal: a UI for creating and managing collections of access control rules

Client API: provides a programmatic way to manage collections of access control rules

Service (STS): a hosted service that issues tokens; developers interact with the service via the “Geneva” Framework

Page 11: Access Control Service Interactions – Update

Parties: Requestor (your customer), your Access Control Service account (managed STS), Relying Party (your app)

0. Cert|Secret exchange between the relying party and the Access Control Service account; periodically refreshed

1. Define access control rules for a customer

2. Requestor sends claims to the Access Control Service

3. Map input claims to output claims based on access control rules

4. Send token to the requestor

5. Requestor sends message w/ token (output claims from 4) to the relying party

6. Claims checked in relying party
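The claim-mapping flow in steps 1 through 6 above, modelled as an added Python example (it is not Microsoft's code and not the real ACS rule format); the claim-type URIs, scopes, group names and actions are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed claim-type URIs; ACS has its own, these only serve the model.
GROUP = "http://example.test/claims/group"    # input claim from the identity provider
ACTION = "http://example.test/claims/action"  # output claim the relying party checks

@dataclass(frozen=True)
class Claim:
    type: str
    value: str

@dataclass(frozen=True)
class Rule:
    """Step 1: one rule in a scope. It fires when the requestor presents an
    input claim with exactly this type and value, and contributes the output claim."""
    scope: str
    input_type: str
    input_value: str
    output_type: str
    output_value: str

ORDERS = "http://app.example.test/orders"  # constructed scopes (relying-party URIs)
ADMIN = "http://app.example.test/admin"

RULES = [  # rules the app owner defines for one customer (constructed)
    Rule(ORDERS, GROUP, "sales", ACTION, "read"),
    Rule(ORDERS, GROUP, "finance", ACTION, "read"),
    Rule(ORDERS, GROUP, "finance", ACTION, "approve"),
    Rule(ADMIN, GROUP, "ops", ACTION, "restart"),
]

def map_claims(rules, scope, input_claims):
    """Step 3: map input claims to output claims for one scope.

    Only the requested scope's rules are consulted and only rule outputs are
    emitted: an input claim with no matching rule contributes nothing, so a
    requestor cannot pass an ACTION claim straight through to the relying party.
    """
    presented = {(c.type, c.value) for c in input_claims}
    return frozenset(Claim(r.output_type, r.output_value) for r in rules
                     if r.scope == scope and (r.input_type, r.input_value) in presented)

def relying_party_allows(token_claims, action):
    """Step 6: the relying party decides from the token's output claims alone."""
    return Claim(ACTION, action) in token_claims

if __name__ == "__main__":
    token = map_claims(RULES, ORDERS, [Claim(GROUP, "finance")])   # steps 2-4
    print(sorted(c.value for c in token))                          # ['approve', 'read']
    print(relying_party_allows(token, "approve"))                  # True
```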

Page 12: Demo – Access Control Service Guided Tour

Justin Smith

Page 13: About the Solution Name And Password

Assigned when you sign up

Access Control Service currently has a credential store: Solution Name/Solution Password, X509 Certificates, CardSpace v1 Self-Issued Cards

Access Control Service has no plans to become an Identity Provider

The Access Control Service plan of record is to use Live Identity Services as the credential store in future releases

Page 14: Developer Surface Area

Requesting and Processing Tokens: the “Geneva” Framework is the simplest way; WCF in .NET 3.5; any WS-Trust 1.3 stack (Sun Metro, etc.); the Service Bus and Workflow Service also have types in the SDK that request tokens

Managing Rules: a simple API for managing rules; use the Client API or the REST endpoints; you can also use the Access Control Service Portal

Examples in the .NET Services SDK

Page 15: Passive Federation And Access Control Service

Intended for any HTTP-redirect-aware client, e.g. browsers

For the web application: redirect to Access Control Service, process the returned token, then issue a session cookie

.NET Services Portals do this today

Access Control Service can federate with Live Identity Service and “Geneva” Server today

More 3rd-party WS-Federation support to come; 100% commitment from our team

Page 16: Passive Federation Endpoints

Host address + Solution Name + Fed Target; also requires query string parameters

Live ID federation endpoint: https://accesscontrol.windows.net/passivests/{solutionName}/LiveFederation.aspx

General federation endpoint: https://accesscontrol.windows.net/passivests/{solutionName}/Federation.aspx

The two will converge in future versions

Page 17: Passive Federation Query String

Describes the scope, the reply-to address, and the address of the identity provider

Example: wa=wsignin1.0&wtrealm={scope}&wreply={replyTo}&whr={identityProvider}

Automatically handled by the “Geneva” Framework
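Building and reading the passive sign-in URL from slides 16 and 17, as an added Python example (not code from the deck or the .NET Services SDK); the solution name `contoso`, the realm, reply-to and provider URLs are constructed, and the wreply-on-realm check is an added relying-party convention rather than something the slides state.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

PASSIVE_STS = "https://accesscontrol.windows.net/passivests/"  # host address from the deck
FED_TARGETS = {"live": "LiveFederation.aspx", "general": "Federation.aspx"}
REQUIRED = ("wa", "wtrealm", "wreply", "whr")

def signin_url(solution_name, scope, reply_to, identity_provider, target="general"):
    """Host address + solution name + fed target, with the slide-17 query string.
    The four values are caller-supplied and percent-encoded, so a URL-valued
    realm or reply address survives the round trip through the query string."""
    endpoint = f"{PASSIVE_STS}{solution_name}/{FED_TARGETS[target]}"
    query = urlencode({"wa": "wsignin1.0", "wtrealm": scope,
                       "wreply": reply_to, "whr": identity_provider})
    return f"{endpoint}?{query}"

def parse_signin_request(url):
    """Reverse: recover the four parameters and check them.

    Raises ValueError if a parameter is missing, wa is not the sign-in action,
    or wreply does not share the wtrealm origin. That last check is an added
    defensive convention for the relying party, not something the deck states.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    if params["wa"] != "wsignin1.0":
        raise ValueError(f"unexpected wa: {params['wa']}")
    realm, reply = urlsplit(params["wtrealm"]), urlsplit(params["wreply"])
    if (realm.scheme, realm.netloc) != (reply.scheme, reply.netloc):
        raise ValueError("wreply is not on the wtrealm origin")
    return params

if __name__ == "__main__":
    url = signin_url("contoso", "https://app.example.test/",
                     "https://app.example.test/signin", "https://idp.example.test/")
    print(url)
    print(parse_signin_request(url)["whr"])
```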

Page 18: Active Mode And Access Control Service

Intended for smart clients and web services, e.g. WPF and WCF apps

For the requesting application: send claims to Access Control Service in an RST, then send the RSTR to the relying party

Examples in the .NET Services SDK

Interaction is WS-Trust 1.3; supported by WCF in .NET 3.5 and several Java stacks

Page 19: Active Mode Endpoints

Endpoints for each credential type, plus one for tokens from other IPs

Host Name + Solution Name + Cred Type

Username / Password: http://accesscontrol.windows.net/sts/{solutionName}/username_for_certificate

X509 Certificate: http://accesscontrol.windows.net/sts/{solutionName}/certificate

Windows CardSpace: http://accesscontrol.windows.net/sts/{solutionName}/issued_for_certificate

Page 20: The “Geneva” Framework And The Access Control Service

The target developer experience for Access Control Service

Defines types that simplify requesting and processing tokens, including Access Control Service tokens, for both active and passive scenarios

Available as part of the “Geneva” Framework SDK; Microsoft.IdentityModel.dll defines most of the types you will want to use for Access Control Service interactions

NOTE: Access Control Service was built using this assembly

Page 21: WCF In .NET 3.5 And Access Control Service

WS2007FederationHttpBinding implements WS-Trust 1.3 for the WCF stack

Active case: send an RST to Access Control Service, then send Token + Payload to the relying party (your app)

When using the credential store in Access Control Service, the RST can contain your solution credentials

Examples in the .NET Services SDK for Solution Name / Password and CardSpace

VS Add Service Reference & svcutil work for CardSpace

Page 22: Demo – Requesting And Processing Access Control Service Tokens

Justin Smith

Page 23: Access Control Service Architecture

Consists of 4 services: STS for token issuance, Rule Management Service, a Rule Processing Engine, and Portal

STS and Rule Mgmt service have a public API

Diagram: Portal, STS and Rule Mgmt sit on Rule Processing and the Data Model, backed by Storage

Page 24: A View Into the STS

Diagram: SOAP and HTTP clients reach the Security Token Service over the Internet via WS-Trust and WS-Federation (Passive); the STS is built on the “Geneva” Framework (IDFX) with a WCF front-end and custom handlers, authenticators, policies …

Page 25: Access Control Service And Storage

Diagram: a Foo Account Container holds pointers to Scope 1 … Scope N; each scope has its own Foo Rule Container (Rule 1, Rule 2, …). These are Access Control Service controlled authorities in SQL Server Data Services.

Page 26: The Crystal Spheroid

REST RST / RSTR support: we are working out the details, but this is a common request to increase reach

Support for the Federation Gateway

Live ID as the credential store

Hosting in Windows Strata

Custom policy support

Page 27: Other Sessions

.NET Services Sessions

Other Identity Sessions

Page 28: Resources

.NET Services SDK

Marketing Portal

Dev Center Portal

Forums

Page 29: Evals & Recordings

Please fill out your evaluation for this session at:

This session will be available as a recording at: www.microsoftpdc.com

Page 30: Q&A

Please use the microphones provided

Page 31:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
