SAML Integration
Doug Bayer, Director, Windows Security, Microsoft Corporation ([email protected])
SAML, August 27, 2001

Agenda (slide 3)
• Overview of Microsoft authentication & authorization plans
• Problem space
• Our understanding of the scenarios
• Our current approach
• How could we use SAML?
• Migration? Integration?

Windows.NET (slide 4)
• Windows.NET Authentication Architecture
• Windows.NET Authorization: Extending the Windows Model
• Resource-Based Authorization: ACLs & Groups
• Application-Based Authorization: RBAC
• Making It All Secure

.NET Process Scenario (slides 5 to 9, one diagram shown in five builds)
Participants: MyHS.NET, MyNotifications.NET, and two myCalendar.NET instances, one per user (the users' e-mail addresses are redacted in the source; the second is at BigCo.com). Each side has its own Directory and KDC. AA = Authentication Authority.
Roles: Fred = Owner, Mary = Viewer.
Message flow between the two sides:
• (1) Request Meeting
• (2) Query & Request
• (3) SOAP Message
• (4) Accept
• (5) Signed Message; Accepted

Windows.NET Application Security Framework (slides 10 to 12, one diagram shown in three builds)
Zones: Internet, DMZ, Enterprise. Actors: Customer, Partner/Supplier, Employee. Components: AA = Authentication Authority; Store = Directory or Database; MMS; Kerberos inside the enterprise.
• Build 1: Direct Trust (XCerts, XKMS) between the organizations; Signed Messages (XMLDSIG, S/MIME, CAPICOM)
• Build 2: Trust Federation (Passport, Identrus); client authentication by Passport, Kerberos, Basic SSL, Digest, …
• Build 3: RBAC Policy at each tier; Threats from Inside & DMZ; Threats from Internet

Windows.NET Authentication (slide 13)
• Multiple credential types
  • Passwords, tokens, smartcards
  • Multifactor: Key + biometric
• Multiple Client to Server protocols:
  • Today: Basic, NTLM, Passport, Digest, SSL, Kerberos, …
  • Converge on Kerberos & Kerberos/TLS in the future
  • Message Signing and Signature verification
• Single Server to Server protocol: Kerberos w/constrained delegation
  • IETF standard, interoperable, scalable
  • Secure: mutual authentication
  • Extensible credentials support: Passwords, X.509 certificates, tokens, …
  • Directory independent authentication

Windows.NET Authentication (slide 14, diagram)
Users authenticate to the Front End Application with Passport, Basic, Digest, SSL, Cert, Kerberos, or Signed Messages (S/MIME/SMTP, XMLDSIG/HTTP). The Front End Application holds a Ticket from the KDC and presents a Ticket to the Back End Application; the KDC verifies policy (Allowed-To-Delegate-To). Trust arrows connect the KDC with the Front End and Back End Applications.

Application Classification For Authorization (slide 15)
• Resource Managers
  • Resources are well-defined with persistence
  • Access is controlled to operations on such objects
  • E.g. File system, database, Active Directory, …
• Gatekeepers: Special form of resource managers
  • Resources are other applications
  • Controls access to other applications
  • E.g. OS itself, Web Server, VPNs, Firewalls, …
• Business Processes
  • Resources aren't well defined; operations, processes & workflows are
  • Access is controlled to operations, processes, workflows
  • E.g. LOB applications, Transaction processing, ...

Authorization: Role Based Model (slide 16)
• Roles-based
  • LOB, B2B, B2C and workflow applications
• Characteristics
  • No real objects but operations & tasks are well-defined
  • Authorizations aren't simply yes/no on operation
  • Operation data & business rules matter
  • Typically have a state machine
  • Where do you 'hang' the ACL?
• Applications enforce access
  • Users authenticate to Authentication Authority
  • Application performs authorization
  • Application has full access to underlying objects

Roles-Based Authorization Manager (slide 17, diagram)
Three classes of application sit on the Windows Authorization API: Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …), Resource Manager Applications (Document Store, Mail Store, …), and Business Process Applications (E-Commerce, LOB Applications, …). Behind the API are the Authorization Administration Manager, a Common Roles Management UI, and a Policy Store held in Active Directory or XML (Files, SQL).

Roles-Based Authorization Manager: URL-Based Authorization (slide 18, diagram)
IIS and the Web-Based Application call the Windows Authorization API to authorize a URL; Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …) share the Common Roles Management UI. The policy elements:
• Scopes: VDirs, URL, Prefix
• Tasks: Basic: GET/POST; Dynamic by associating VBScript business rules
• Groups: Static; Computed; LDAP query
• Roles: Defined by administrators and applications
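The following is an added example, not Microsoft's code and not the Windows Authorization API: a URL-scoped, role-based access check shaped like the policy elements on slide 18 (scopes, tasks, groups, roles), including the business-rule evaluation over operation data that slide 16 says a pure yes/no check cannot express. Every user, group, URL and threshold in it is constructed; the computed group stands in for the slide's LDAP query.

```python
# Added example (not the Windows Authorization API, not Microsoft's code): a URL-scoped,
# role-based access check in the shape of slide 18 (scopes, tasks, groups, roles) with the
# business-rule evaluation slide 16 calls for. All names and values below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Task:
    name: str
    methods: Set[str]                              # basic task: HTTP verbs
    rule: Optional[Callable[[dict], bool]] = None  # dynamic task: business rule over operation data


@dataclass
class Role:
    name: str
    tasks: Set[str]                                # task names this role grants


@dataclass
class Scope:
    prefix: str                                    # VDir / URL prefix
    assignments: Dict[str, Set[str]]               # role name -> users or groups holding it here


@dataclass
class Policy:
    tasks: Dict[str, Task]
    roles: Dict[str, Role]
    scopes: List[Scope]
    static_groups: Dict[str, Set[str]]             # group -> members
    computed_groups: Dict[str, Callable[[dict], bool]]  # group -> predicate on user attributes (LDAP-query stand-in)

    def groups_of(self, user: str, attrs: dict) -> Set[str]:
        groups = {g for g, members in self.static_groups.items() if user in members}
        groups |= {g for g, pred in self.computed_groups.items() if pred(attrs)}
        return groups

    def match_scope(self, url: str) -> Optional[Scope]:
        # Longest matching prefix wins, so a deeper VDir can tighten (or replace) its parent's policy.
        matches = [s for s in self.scopes if url.startswith(s.prefix)]
        return max(matches, key=lambda s: len(s.prefix), default=None)

    def access_check(self, user: str, attrs: dict, url: str, method: str, op_data: Optional[dict] = None) -> bool:
        scope = self.match_scope(url)
        if scope is None:
            return False                            # default deny outside every scope
        principals = {user} | self.groups_of(user, attrs)
        for role_name, holders in scope.assignments.items():
            if not principals & holders:
                continue
            for task_name in self.roles[role_name].tasks:
                task = self.tasks[task_name]
                if method in task.methods and (task.rule is None or task.rule(op_data or {})):
                    return True
        return False


def build_policy() -> Policy:
    tasks = {
        "read": Task("read", {"GET"}),
        "submit_order": Task("submit_order", {"POST"}, rule=lambda d: d.get("amount", 0) <= 10_000),
        "approve_order": Task("approve_order", {"POST"}, rule=lambda d: d.get("status") == "pending"),
    }
    roles = {
        "Viewer": Role("Viewer", {"read"}),
        "Clerk": Role("Clerk", {"read", "submit_order"}),
        "Approver": Role("Approver", {"read", "approve_order"}),
    }
    scopes = [
        Scope("/", {"Viewer": {"Employees"}}),
        Scope("/orders/", {"Clerk": {"Sales"}}),
        Scope("/orders/approve/", {"Approver": {"Managers"}}),
    ]
    return Policy(tasks, roles, scopes,
                  static_groups={"Employees": {"fred", "mary", "ann"}, "Sales": {"fred"}},
                  computed_groups={"Managers": lambda a: a.get("title") == "Manager"})


def demo() -> Dict[str, bool]:
    p = build_policy()
    fred, ann = {"title": "Clerk"}, {"title": "Manager"}
    return {
        "mary_reads_home": p.access_check("mary", {}, "/home", "GET"),                                  # True
        "mary_posts_home": p.access_check("mary", {}, "/home", "POST"),                                 # False
        "mary_reads_approve": p.access_check("mary", {}, "/orders/approve/17", "GET"),                  # False: tighter scope
        "fred_small_order": p.access_check("fred", fred, "/orders/new", "POST", {"amount": 500}),       # True
        "fred_big_order": p.access_check("fred", fred, "/orders/new", "POST", {"amount": 50_000}),      # False: rule
        "fred_approves": p.access_check("fred", fred, "/orders/approve/17", "POST", {"status": "pending"}),  # False: not Manager
        "ann_approves": p.access_check("ann", ann, "/orders/approve/17", "POST", {"status": "pending"}),     # True
        "ann_approves_closed": p.access_check("ann", ann, "/orders/approve/17", "POST", {"status": "closed"}),  # False
    }
```

The design choice worth noticing is the default-deny outside any scope and the longest-prefix scope match: assigning a role at "/" does not leak into "/orders/approve/", which is why Mary's Viewer role does not let her read an approval page. The business rules run inside the task, so the same role grants a small order and refuses a large one without any change to the role or scope definitions.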

SAML/Kerberos – Protocol Overview (slide 19, diagram)
Components: a browser (Netscape on Mac), Web Servers (WebSphere on AIX; Windows.NET), WebAuth Server(s), and the KDC. The browser starts with a GET to a web server.

SAML/Kerberos Protocol Overview: initial login (slide 20, diagram)
• (1) The web server answers the GET with a Redirect to the WebAuth Server(s); the browser connects to WebAuth over SSL and submits User Name and Password
• (2) WebAuth does AS-Req and TGS-Req to the KDC and returns a Sess-Cookie holding the TGT
• (3) AP-Req to the web server

SAML/Kerberos Protocol Overview: subsequent requests (slide 21, diagram)
Browser GET carrying Sess-Cookie (TGT) and Sess-Cookie (AP-Req); the web server holds the AP-Req (cached) and returns Data.
Subsequent requests:
• Browser sends AP-REQ in cookie
• Web Server checks against saved AP-REQ, if OK, returns requested URL

Protocol Overview – Initial Request to Second Web Server (slide 22)
• Browser does GET to WebSphere
• WebSphere redirects to WebAuth
• Redirect contains TGT in cookie
• WebAuth does TGS-REQ, then proceeds as before
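An added example, not Microsoft's code and not the WebAuth implementation the slides describe: an in-process toy of the flow on slides 20 to 22. Tickets are HMAC tags over a JSON body rather than Kerberos ASN.1, the authenticator is a plain timestamp, and the user, password, server names and clock are constructed. What it keeps from the slides is the shape of the exchange: AS-Req plus TGS-Req at login, the TGT in a session cookie, the AP-REQ replayed in a cookie and matched against the server's saved copy, and a second web server that redirects to WebAuth, which then needs only a TGS-Req. One caveat the toy makes visible: the AP-REQ cookie is a bearer token for the ticket's lifetime, so the SSL step on slide 20 is what keeps it from being read in transit; the server-side checks here (freshness on first sight, expiry on every later sight, a redirect for any AP-REQ issued to a different server) are the parts the web server itself can enforce.

```python
# Added example (not Microsoft's code): an in-process toy of the WebAuth/Kerberos flow on
# slides 20 to 22. Tickets are HMAC tags over a JSON body, the authenticator is a timestamp,
# and every name ("fred", "websphere", "windows-net") and the clock value are constructed.
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 8 * 3600   # seconds; constructed
MAX_SKEW = 300               # a first-seen AP-REQ's authenticator must be within this window


def _tag(key: bytes, body: dict) -> str:
    """HMAC under the service key stands in for encrypting the ticket to that service."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def verify_ticket(key: bytes, ticket: dict, now: float) -> bool:
    return hmac.compare_digest(_tag(key, ticket["body"]), ticket["tag"]) and ticket["body"]["exp"] > now


class ToyKDC:
    def __init__(self):
        self.service_keys = {"krbtgt": secrets.token_bytes(32)}
        self.passwords = {}

    def add_user(self, user, password):
        self.passwords[user] = password

    def add_service(self, name) -> bytes:
        self.service_keys[name] = secrets.token_bytes(32)
        return self.service_keys[name]          # handed to the service, as a keytab would be

    def _issue(self, user, service, now):
        body = {"user": user, "service": service, "exp": now + TICKET_LIFETIME}
        return {"body": body, "tag": _tag(self.service_keys[service], body)}

    def as_req(self, user, password, now):     # AS-Req: password -> TGT
        return self._issue(user, "krbtgt", now) if self.passwords.get(user) == password else None

    def tgs_req(self, tgt, service, now):      # TGS-Req: valid TGT -> service ticket
        if service not in self.service_keys or not verify_ticket(self.service_keys["krbtgt"], tgt, now):
            return None
        return self._issue(tgt["body"]["user"], service, now)


class WebAuth:
    def __init__(self, kdc):
        self.kdc = kdc

    def login(self, cookies, user, password, service, now) -> bool:
        tgt = self.kdc.as_req(user, password, now)
        if tgt is None:
            return False
        cookies["tgt"] = json.dumps(tgt, sort_keys=True)      # Sess-Cookie carrying the TGT
        return self.redirect_with_tgt(cookies, service, now)

    def redirect_with_tgt(self, cookies, service, now) -> bool:
        # Slide 22: a redirect that already carries the TGT cookie needs no password, only TGS-Req.
        if "tgt" not in cookies:
            return False
        ticket = self.kdc.tgs_req(json.loads(cookies["tgt"]), service, now)
        if ticket is None:
            return False
        # AP-REQ = service ticket + authenticator, stored as a cookie the browser replays to that server
        cookies["ap-req-" + service] = json.dumps({"ticket": ticket, "auth_time": now}, sort_keys=True)
        return True


class WebServer:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.accepted = {}   # sha256(AP-REQ cookie) -> (user, ticket expiry): the "saved AP-REQ"

    def handle_get(self, cookies, now) -> str:
        ap_req = cookies.get("ap-req-" + self.name)
        if ap_req is None:
            return "redirect"                      # no AP-REQ for this server: send to WebAuth
        digest = hashlib.sha256(ap_req.encode()).hexdigest()
        if digest in self.accepted:                # slide 21: compare against the saved AP-REQ
            user, exp = self.accepted[digest]
            if exp > now:
                return "data:" + user
            del self.accepted[digest]              # ticket lifetime over: force a fresh login
            return "redirect"
        try:                                       # first sight of this AP-REQ: verify it fully
            parsed = json.loads(ap_req)
            body = parsed["ticket"]["body"]
            ok = (abs(now - parsed["auth_time"]) <= MAX_SKEW and body["service"] == self.name
                  and verify_ticket(self.key, parsed["ticket"], now))
        except (ValueError, KeyError, TypeError):
            ok = False
        if not ok:
            return "redirect"                      # bad, stale or foreign AP-REQ
        self.accepted[digest] = (body["user"], body["exp"])
        return "data:" + body["user"]


def demo():
    now = 1_000_000_000.0                          # constructed clock
    kdc = ToyKDC()
    kdc.add_user("fred", "correct horse")
    websphere = WebServer("websphere", kdc.add_service("websphere"))
    winnet = WebServer("windows-net", kdc.add_service("windows-net"))
    webauth, cookies = WebAuth(kdc), {}            # cookies is the browser's cookie jar
    steps = [
        websphere.handle_get(cookies, now),                                   # "redirect": no AP-REQ yet
        webauth.login(cookies, "fred", "wrong", "websphere", now),            # False: AS-Req fails
        webauth.login(cookies, "fred", "correct horse", "websphere", now),    # True: TGT + AP-REQ cookies set
        websphere.handle_get(cookies, now),                                   # "data:fred": verified and saved
        websphere.handle_get(cookies, now + 60),                              # "data:fred": matched saved copy
        winnet.handle_get(cookies, now + 60),                                 # "redirect": AP-REQ is websphere's
        webauth.redirect_with_tgt(cookies, "windows-net", now + 60),          # True: TGS-Req only
        winnet.handle_get(cookies, now + 61),                                 # "data:fred"
    ]
    tampered = {**cookies, "ap-req-websphere": cookies["ap-req-websphere"].replace("fred", "mary")}
    steps.append(websphere.handle_get(tampered, now + 62))                    # "redirect": tag no longer verifies
    steps.append(winnet.handle_get(cookies, now + TICKET_LIFETIME + 100))     # "redirect": ticket expired
    return steps
```

Running `demo()` walks the three slides in order and returns the server's answer at each step; the two redirects at the end show the checks that matter once the AP-REQ is reused as a cookie, namely that a modified cookie fails the service-key check and that a cached match still honours the ticket's expiry.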

SAML/Kerberos – Protocol Overview: Affiliate Site (slide 23, diagram)
The home site (Web Servers, WebAuth Server(s), KDC, Directory) and an Affiliate Site (Apache Web Servers, MIT-KDC, Directory). The browser, holding its Sess-Cookie (TGT), does a GET to an affiliate web server.

SAML/Kerberos Protocol Overview: Affiliate Site login (slide 24, diagram)
• (1) Redirect to the WebAuth Server(s) over SSL; the browser's Sess-Cookie carries its TGT
• (2) AS-Req; the diagram also shows AS-Req exchanges with the Affiliate Site's KDC
• (3) AP-Req to the affiliate web server; the browser keeps its Sess-Cookie (TGT)

SAML/Kerberos – Protocol Overview: Affiliate Site, subsequent requests (slide 25, diagram)
Browser GET to the affiliate web server with Sess-Cookie (TGT) and Sess-Cookie (AP-Req); the AP-Req is checked and Data is returned.