Transcript Document

Designing and implementing a claims-based architecture

Claim type                                                       Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name       Alex Thissen
http://schemas.microsoft.com/ws/2008/06/identity/claims/email    [email protected]
http://schemas.microsoft.com/ws/2008/06/identity/claims/role     Architect Microsoft CC
Alex Thissen | Achmea

About me: Alex Thissen
– Architect with a focus on Microsoft technologies and products
  • Security
  • Competencies and learning
– Works at insurance company Achmea
– Trainer/coach in software development
– Most Valuable Professional for Visual C#
– Regional Director for The Netherlands
www.devreach.com
About The Netherlands
The real Netherlands
Agenda
• Overview of claims-based security
• Design and architecture
• Claims-based security at Achmea
• Lessons learned
• Questions and answers
Getting into the basics
OVERVIEW OF
CLAIMS-BASED SECURITY
The need for claims-based security
[Diagram: three places users come from. A corporate domain with managed users, where security comes from the OS or platform; a partner domain, potentially on another platform; and the Internet, with unmanaged users. Users appear in all three.]
Leverage existing identities
• Users already have identities: web identities, corporate identities, application identities, issued identities
• Reputation of provider
• Capabilities
Claims, issuers, subjects and tokens
• A claim is an attribute of an identity
• A security token holds claim sets
• Cryptographically signed
  – Optionally encrypted
[Diagram: Issuer, Claimset, Subject, Token and Claims, and how they relate.]
Tokens and claims
[Diagram: a Token containing Claim 1, Claim 2, Claim 3, ..., Claim n and a Signature. The signature indicates who created the token and guards against changes.]
Example claims
• Name
• Group
• Older than 18

<saml:Attribute AttributeName="givenname"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml:AttributeValue>Gordon</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="privatepersonalidentifier"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml:AttributeValue>
    wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=
  </saml:AttributeValue>
</saml:Attribute>
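The fragment above, parsed into claims, as an added example that is not code from the deck. It wraps the two saml:Attribute elements in a SAML 1.1 AttributeStatement (an assumption, so the fragment is one well-formed document) and flattens AttributeNamespace and AttributeName into the flat claim type URIs of the first slide, which is how WIF names claims. Parse attributes only after the token's signature has been verified; until then the claims are just text.

```python
"""Mapping SAML attributes to (claim type, value) pairs.

Added example, not code from the slides. The AttributeStatement wrapper
and the SAML 1.1 namespace URI are assumptions; the two attributes are the
ones shown on the slide.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed input: the slide's two attributes inside one AttributeStatement.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML1_NS}">
  <saml:Attribute AttributeName="givenname"
      AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>Gordon</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="privatepersonalidentifier"
      AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
    <saml:AttributeValue>
      wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def claim_type(namespace: str, name: str) -> str:
    """Flatten namespace and name into one claim type URI (namespace/name)."""
    return namespace.rstrip("/") + "/" + name


def parse_claims(xml_text: str) -> list[tuple[str, str]]:
    """Return (claim type, value) pairs in document order.

    A multi-valued attribute yields one pair per AttributeValue. Attributes
    without a namespace, a name or a value are rejected rather than guessed:
    a claim type you cannot name is one you cannot write policy for.
    Values are whitespace-trimmed, as the identifier above spans lines.
    For XML received from another party use defusedxml instead of the
    stock ElementTree parser.
    """
    root = ET.fromstring(xml_text)
    claims: list[tuple[str, str]] = []
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        namespace = attr.get("AttributeNamespace")
        name = attr.get("AttributeName")
        if not namespace or not name:
            raise ValueError("saml:Attribute without AttributeNamespace/AttributeName")
        values = attr.findall(f"{{{SAML1_NS}}}AttributeValue")
        if not values:
            raise ValueError(f"attribute {name!r} carries no AttributeValue")
        for value in values:
            claims.append((claim_type(namespace, name), (value.text or "").strip()))
    return claims


if __name__ == "__main__":
    for ctype, value in parse_claims(SAMPLE_ATTRIBUTE_STATEMENT):
        print(f"{ctype}\n    = {value}")
```

The privatepersonalidentifier value is an opaque, per-relying-party identifier: it is the "Identifier" layer of the claims model later in the deck, not a name the application should display or correlate across partners.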
Standards to make it all work
Communication
• WS-Trust
• WS-Security
• WS-SecureConversation
• WS-SecurityPolicy
Federation
• WS-Federation
  – Passive requestor profile
  – Active requestor profile
Claims
• SAML
• XACML
Elements of claims-based architecture
• Identity Provider
  – Identity store
  – Security Token Service
• Relying Party (RP)
  – Application using claims
• Subject
  – User
  – Entity with identity
• Security token
[Diagram: a Trust Domain containing the Identity Provider (account or attribute store, STS) and its identities; a User and an RP; the token flow between them is numbered 1 to 5.]
Federation and trust
[Diagram: Trust Domain 1 and Trust Domain 2, each with its own STS; a User's request crosses both domains in five numbered steps.]
Federation as an alternative when identity centralization is not an option
Benefits of identity federation
• Allows claims-based security
• Reduces IT pain and risk related to provisioning and de-provisioning users
• Extends trust to users across domain, corporate and Internet boundaries
• Supports Single Sign-On (SSO)
• Applications can ask for exactly the claims they need
A shift in architecture
DESIGN AND ARCHITECTURE
Design of a claims model
• Identifier
  – Unique identifier of identity
  – Per domain uniqueness
  – E.g. samAccountName, SSN, certificate ID
• Credentials
  – Username/password
  – X509 certificate
  – Kerberos ticket
  – Other security token
• Main profile
  – Common attributes
  – E.g. email address, user name, company name
• Context-based profile
  – Application attributes
  – E.g. roles in application, identity-bound information relevant to the application
Source: Microsoft Architecture Journal #16
Separation of concerns
• Provisioning of identities and claims issuance by the authoritative source
• Different issuers
  – Main profile and identifier: IP-STS
  – Context-based profile: Resource-STS (aka Federation-STS)
Federation pattern primitives
Transformation
Augmentation
Can be combined
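The two primitives combined in one Resource-STS, as an added example that is not the deck's or Achmea's code. It follows the separation of concerns above: the IP-STS is authoritative for the identifier and main profile; the Resource-STS transforms the IP-STS identifier into an application identifier (and drops the original, so the relying party never sees it) and augments the set with context-profile claims from an application attribute store. Claim type URIs, issuer names and the store contents are constructed for illustration.

```python
"""Resource-STS: transformation and augmentation of incoming claims.

Added example, not code from the slides. Issuer names, the application
identifier claim type and the attribute store are assumptions.
"""
from dataclasses import dataclass

IP_STS = "https://ipsts.example/"          # assumed issuer names
RESOURCE_STS = "https://rsts.example/"
TRUSTED_IP_STS = {IP_STS}

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
NAME = CLAIMS_NS + "name"
PPID = CLAIMS_NS + "privatepersonalidentifier"   # identifier issued by the IP-STS
EMAIL = CLAIMS_NS + "emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CUSTOMER_ID = "urn:example:claims/customerid"    # assumed application identifier type


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str   # kept on every claim so the RP can tell who asserted it


# Constructed context-profile store, keyed by the IP-STS identifier.
ATTRIBUTE_STORE = {
    "wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=": {
        "customerid": "148281337",
        "roles": ["Insured"],
        "email": "gordon@example.net",
    },
}


def transform(claims, entry):
    """Replace the IP-STS identifier with the application identifier.
    Every other claim passes through unchanged, including its issuer."""
    out = []
    for c in claims:
        if c.type == PPID:
            out.append(Claim(CUSTOMER_ID, entry["customerid"], RESOURCE_STS))
        else:
            out.append(c)
    return out


def augment(claims, entry):
    """Add context-profile claims; these are asserted by the Resource-STS."""
    added = [Claim(ROLE, role, RESOURCE_STS) for role in entry["roles"]]
    added.append(Claim(EMAIL, entry["email"], RESOURCE_STS))
    return claims + added


def issue(incoming):
    """Combine both primitives. Fails closed: a claim from an issuer this
    Resource-STS does not trust, or a subject missing from the store,
    is an error rather than a partially augmented token."""
    for c in incoming:
        if c.issuer not in TRUSTED_IP_STS:
            raise ValueError(f"claim {c.type} from untrusted issuer {c.issuer}")
    ppid = next((c.value for c in incoming if c.type == PPID), None)
    if ppid is None:
        raise ValueError("no identifier claim from the IP-STS")
    entry = ATTRIBUTE_STORE.get(ppid)
    if entry is None:
        raise ValueError("subject unknown to the application attribute store")
    return augment(transform(incoming, entry), entry)


if __name__ == "__main__":
    incoming = [Claim(NAME, "Gordon", IP_STS),
                Claim(PPID, "wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=", IP_STS)]
    for c in issue(incoming):
        print(f"{c.type:<75} {c.value:<20} issued by {c.issuer}")
```

Keeping the issuer on each outgoing claim is deliberate: the relying party can then require that a role comes from the Resource-STS and a name from the IP-STS, rather than accepting any claim of that type from any token.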
Migrating to claims
Security model
• Claims-based access control
• Less emphasis on traditional role-based security
Authentication
• Brokered authentication
• Generate claims and token
Authorization
• Use claims instead of other data
• No longer dependent on authentication mechanism
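What "use claims instead of other data" looks like on the relying party, as an added example that is not the deck's code. Authorization consults the claims in the token and never the authentication mechanism that produced them; each claim carries its issuer, and a requirement names the issuers that are authoritative for that claim type, so a role from the wrong STS, or an "older than 18" claim the user could have asserted themselves, does not satisfy the policy. A role check becomes just one requirement among others, which is the shift away from role-based security the slide describes. Claim types, issuer names and the sample principals are constructed.

```python
"""Claims-based access control on the relying party.

Added example, not code from the slides. Claim types, issuers, the
"view policy documents" action and the sample principals are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


@dataclass(frozen=True)
class Requirement:
    type: str
    issuers: frozenset                  # issuers authoritative for this claim type
    values: Optional[frozenset] = None  # None: any value is acceptable

    def satisfied_by(self, claims) -> bool:
        """True if some claim has the right type, an authoritative issuer
        and (when the requirement names values) an acceptable value."""
        return any(
            c.type == self.type
            and c.issuer in self.issuers
            and (self.values is None or c.value in self.values)
            for c in claims
        )


def authorize(claims, policy) -> bool:
    """All requirements must hold. An empty policy is an error, not 'allow'."""
    if not policy:
        raise ValueError("empty policy")
    return all(req.satisfied_by(claims) for req in policy)


# Constructed claim types and issuers.
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
OLDER_THAN_18 = "urn:example:claims/olderthan18"
IP_STS = "https://ipsts.example/"
RESOURCE_STS = "https://rsts.example/"

# Policy for a hypothetical "view policy documents" action: an application
# role that only the Resource-STS issues, and an age claim that only the
# IP-STS (which verified the identity) may assert.
VIEW_POLICY = [
    Requirement(ROLE, frozenset({RESOURCE_STS}), frozenset({"Insured"})),
    Requirement(OLDER_THAN_18, frozenset({IP_STS}), frozenset({"true"})),
]


def sample_principals() -> dict:
    """Constructed claim sets: one that satisfies the policy, one where the
    age claim comes from a non-authoritative issuer, one with the role only."""
    return {
        "ok": [Claim(ROLE, "Insured", RESOURCE_STS), Claim(OLDER_THAN_18, "true", IP_STS)],
        "wrong_issuer": [Claim(ROLE, "Insured", RESOURCE_STS),
                         Claim(OLDER_THAN_18, "true", RESOURCE_STS)],
        "role_only": [Claim(ROLE, "Insured", RESOURCE_STS)],
    }


if __name__ == "__main__":
    for label, claims in sample_principals().items():
        print(f"{label:<13} -> {'allow' if authorize(claims, VIEW_POLICY) else 'deny'}")
```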
Shift in architecture
• Decoupling
  – Security model from mode of authentication
  – Security implementation from application code
• Centralization of identities
• Federation with other parties (trust)
[Diagram, before: each application carries its own authentication logic and separate identity and attribute stores.]
[Diagram, after: a centralized identity store and shared authentication logic serve the user across multiple web applications.]
Identity and access management
Microsoft platform, products and frameworks
Infrastructure
• Active Directory Domain Services
• Active Directory Lightweight Directory Services
• Active Directory Federation Services 2.0 (AD FS 2.0)
• Active Directory Certificate Services
• Unified Access Gateway
• Identity Manager 2010 (formerly ILM)
Software
• Windows Identity Foundation (WIF)
• Windows Communication Foundation
• ASP.NET 3.5
• WIF integration
Implementing claims-based security
1. Acquire or build issuer
2. Configure application to
trust issuer
3. Configure issuer to know
about application
4. Add logic to your application
to support claims
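The four steps above and the "Tokens and claims" slide (a signed token whose signature says who created it and guards against changes), as one added example that is not the deck's, WIF's or ADFS's code. It uses a minimal JSON token signed with HMAC-SHA256 over a key shared between issuer and relying party; that is a simplification of the X.509 signatures ADFS and WIF use, where the RP holds only the issuer's certificate. The token layout, field names, issuer and realm URIs and keys are all constructed. The issuer is built (step 1), the RP is configured with the issuers it trusts and its own realm (step 2), the issuer is told which realms it issues for (step 3), and the RP hands validated claims to the application (step 4); a token with one claim changed, from an unknown issuer, for another realm, or past its lifetime is rejected before any claim is used.

```python
"""Issuer, relying-party trust and token validation, end to end.

Added example, not code from the slides. Token format, names, keys and
realms are assumptions; HMAC over a shared key stands in for the X.509
signature a real STS would produce.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(payload: dict) -> str:
    # Canonical form, so the RP hashes exactly the bytes the issuer signed.
    return _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


class Issuer:
    """Step 1: the issuer. Step 3: it knows the realms it issues tokens for."""

    def __init__(self, name: str, key: bytes, realms):
        self.name, self.key, self.realms = name, key, set(realms)

    def issue(self, realm: str, claims: dict, lifetime: int = 300,
              now: Optional[float] = None) -> str:
        if realm not in self.realms:
            raise ValueError(f"{self.name} is not configured for realm {realm}")
        now = time.time() if now is None else now
        body = _serialize({"iss": self.name, "aud": realm, "iat": now,
                           "exp": now + lifetime, "claims": claims})
        sig = _b64u(hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest())
        return body + "." + sig


class RelyingParty:
    """Step 2: the RP trusts named issuers (name -> key) and only its own realm."""

    def __init__(self, realm: str, trusted_issuers: dict):
        self.realm, self.trusted_issuers = realm, dict(trusted_issuers)

    def validate(self, token: str, now: Optional[float] = None) -> dict:
        body, _, sig = token.partition(".")
        payload = json.loads(_unb64u(body))
        if not isinstance(payload, dict):
            raise ValueError("malformed token body")
        # The issuer name is read before verification only to select the key;
        # nothing else in the payload is trusted until the signature checks.
        key = self.trusted_issuers.get(payload.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(sig)):
            raise ValueError("signature does not verify")
        if payload.get("aud") != self.realm:
            raise ValueError("token is for another relying party")
        now = time.time() if now is None else now
        if not now < float(payload.get("exp", 0)):
            raise ValueError("token expired")
        # Step 4: hand the application its claims, tagged with who asserted them.
        return {"issuer": payload["iss"], "claims": dict(payload["claims"])}

    def try_validate(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """validate(), but None on any failure (what the application sees as 401)."""
        try:
            return self.validate(token, now)
        except (ValueError, TypeError, KeyError):
            return None


def tamper(token: str, **changed_claims) -> str:
    """Re-encode the body with altered claims but keep the original signature."""
    body, _, sig = token.partition(".")
    payload = json.loads(_unb64u(body))
    payload["claims"].update(changed_claims)
    return _serialize(payload) + "." + sig


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed setup: one trusted issuer, one rogue issuer, one RP."""
    realm, other_realm = "https://app.example/", "https://other.example/"
    ipsts = Issuer("https://ipsts.example/", b"constructed-shared-key", {realm, other_realm})
    rogue = Issuer("https://rogue.example/", b"someone-elses-key", {realm})
    rp = RelyingParty(realm, {ipsts.name: ipsts.key})
    claims = {"name": "Gordon", "role": "Insured"}
    good = ipsts.issue(realm, claims, now=now)
    return {
        "valid": rp.try_validate(good, now=now),
        "tampered": rp.try_validate(tamper(good, role="Administrator"), now=now),
        "unknown_issuer": rp.try_validate(rogue.issue(realm, claims, now=now), now=now),
        "wrong_audience": rp.try_validate(ipsts.issue(other_realm, claims, now=now), now=now),
        "expired": rp.try_validate(good, now=now + 301),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:<15} -> {'accepted' if result else 'rejected'}")
```

The audience check is what step 3 buys you: an issuer that only mints tokens for realms it knows, combined with an RP that only accepts tokens naming its own realm, stops a token issued for one application from being replayed at another.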
A real-world example
IDENTITY & ACCESS
MANAGEMENT AT ACHMEA
Achmea target architecture
• Based on Achmea IT vision
  – "Inleven, vernieuwen, waarmaken" (empathize, innovate, deliver)
• Rationalize existing application landscape
• Leverage products out of the box (OOB)
• Minimize custom implementations
Business case
Divisions and labels
• Adapt to modern internet usage
• Reduced effort on creating and provisioning customer accounts
Achmea IT
• Centralizing and providing generic infrastructure
• Deliver more services at lower cost and higher SLA
Generic Internet-street Achmea
• Centralizing services for hosting and
securing internet portals
• Reduce costs by standardizing platform
• SharePoint 2010 for building Web Portals
Photo by Paul Keller
Identity and access management
[Diagram: customers of the Healthcare Division. A customer authenticates at DigiD, the government identity provider, which supplies the SSN attribute. The Customer Domain IP-STS issues an identity claim (Cn) with value 148281337 for it. An ADFS 2.0 Resource STS, with AD Lightweight Directory Services as its attribute store, augments the claim set, and the SharePoint 2010 application farm receives:]

Claim      Value
Identity   148281337
Role       Insured
Email      [email protected]
Identity and access management
[Diagram: three groups of subjects. Customers authenticate at DigiD and receive tokens from the Customer Domain ADFS IP-STS. Intermediaries and Internal Employees each have their own domain with AD Domain Services and an ADFS IP-STS; an Access Control Service is also shown. All tokens go to an ADFS 2.0 Resource STS that performs claim augmentation and transformation with AD Lightweight Directory Services as attribute store, and from there to the SharePoint 2010 applications of the Healthcare and Other Divisions.]
Lessons learned from a changing security architecture
SOFTER SIDE OF
CLAIMS-BASED SECURITY
IT environment
• Governance on identities and claims
  – Meta model for claims
• Availability of technology
  – E.g. currently the government IP-STS DigiD does not have an STS
• A specialized team for Identity & Access Management is advised
Human dynamics
• Encourage moving towards the target architecture
• Negotiations
  – Active vs. passive authentication
  – "Everything is an attribute"
Interaction challenges
• Design of attributes for claims
• Authorization model
What makes a good claim?
Volatile, main or context profile?
New technologies
• Relatively new technologies
  – Frameworks
  – Products
• Non-trivial standards
• Distributed teams
Almost there
WRAPPING UP
Summary
• Claims-based security as a new paradigm
• Needs a different security architecture
• Trust and federation are essential
• Start transitioning from role-based to claims-based security architecture!
Q&A and discussion
Go ahead and ask
your questions now!
Maybe later?
@alexthissen
@ [email protected]
Resources
• Ebook “A guide to Claims-based Identity
and Access Control”
• Microsoft Architecture Journal # 16
• OASIS Standards
• Microsoft resources:
– WIF
– Active Directory Server
Thank you!
@alexthissen
blog.alexthissen.nl
www.linkedin.com/in/alexthissen
@ [email protected]
Alex Thissen | Achmea