understanding claim based authentication
TRANSCRIPT
INTRODUCTION
This presentation will give you short and not very technical
overview about claims-based authentication.
The claims-based authentication will be the way to almost
all Microsoft web-based platforms around. It is more
complex than old username-password method but also
more secure and general.
CLAIMS TO THE RESCUEReuse across applications: Centralized Standards Conformant
Centralize “Who Am I” logic, allow applications to focus on What can I do” Consuming applications never know your password
Allows for B2B Collaboration w/o AD trust
Allows for B2C Collaboration without managing user identities
The cloud demands it
What are claims?
Claim is piece of information that describes given identity on some aspect. Take claim as name-value pair. Claims are held in authentication token that may have also signature so you can be sure that token is not tampered on its way from remote machine to your system. You can think of token as envelop that contains claims about user.
• Token may contain different claims:
• username or user ID in remote system,
• full name of user,
• e-mail address,
• membership in security groups,
• phone number,
• color of eyes.
EXAMPLES
Security Token Signed XML document containing claims
SAML Standard token language, popular in enterprise, self contained spec 1.1 and 2.0
OAuth Another claims standard, more popular on consumer applications
Open ID
JWT (JSON web Token) Open ID method of exchanging tokens
WS* WS-Trust, WS-Federation, WS-Security Policy
Claims-based authentication
Claims-based authentication is more general authentication mechanism that allows users to authenticate on external systems that provide asking system with
claims about user.
The Claims-based authentication flow• User makes request to some
application.
• System redirects user to authentication page of external system (it may also happen after system lets user to select external system where he or she wants to log in).
• After successful authentication external system redirects user back with some information.
• Application makes request to external system to validate user.
• If user is valid then user gets access to application.
Claims-based authentication in practice
Claims-based authentication can be found from many applications:
•Microsoft SharePoint 2010 and 2013,
•Windows Azure Access Control Services (ACS),
•Active Directory Federation Services (ADFS),
•Applications using Windows Identity Foundation (WIF)
What is an IP-STS and what is a RP-STS?There are two kinds of STS: an Identity Provider STS (IP-STS) and a Relying Party STS(RP-STS).
• An IP-STS authenticates a client using, for example, Windows integrated authentication. It creates a SAML token based on the claims provided by the client, and might add its own claims. A Relying Party application (RP) receives the SAML token and uses the claims inside to decide whether to grant the client access to the requested resource.
• An RP-STS does not authenticate the client, but relies on a SAML token provided by an IP-STS that is trusts. Typically, an IP-STS is found in the client’s domain, whereas an RP-STS is found in the RP’s domain. This is shown the following diagram.
NOTE #1
The STS is super important, because it offers the addressable endpoint through which I can interact
with the IP via the negotiation & encapsulation protocol, it is from where I can get the certificate that asserts the IP identity in a cryptographically
strong way; but the identity provider is more than that, it is the set of identities it knows about, its
reputation, its capability of issuing cards (which are NOT tokens, even if they are signed)
NOTE #2
• Sometimes the RP will accept only tokens from a special kind of STS, the authorization STS,
A relying party (RP) is a computer term used to refer to a server providing access to a secure software application.
WHAT IS RP?
What is RP
• Claims-based applications, where a claim is a statement an entity makes about itself in order to establish access, are also called relying party (RP) applications. RPs can also be called “claims aware applications” and “claims-based applications”, and web applications and services can both be RPs.
• With a Security Token Service (STS), the RP is redirected to an STS, which authenticates the RP and issues a security token granting access, instead of the application authenticating the RP directly. The claims are extracted from the tokens and used for identity related tasks.
LET’S MAKE IT COMPLICATED
what it you need to establish multiple identity sources within one application?• Configure your application to allow anonymous users to select their
authentication source (SharePoint does this method)
• Allow for a "Hub" approach where a core IP-STS is also a RP-STS with additional trusted claims provides (ADFS and ACS do this)