La présentation est en train de télécharger. S'il vous plaît, attendez

La présentation est en train de télécharger. S'il vous plaît, attendez

IdP Shibboleth RP Sharepoint, OWA, .Net

Présentations similaires


Présentation au sujet: "IdP Shibboleth RP Sharepoint, OWA, .Net"— Transcription de la présentation:

1 IdP Shibboleth RP Sharepoint, OWA, .Net
Bonjour, Présentation… Contexte : Interaction, intégration d’IDP shibboleth avec Microsoft Sharepoint ou plus généralement avec .Net en tant que SP ou Relaying Party Jean Marie THIA

2 Pourquoi les choses évoluent…
Mise en situation des claims - > octobre 2008 annonce de Geneva + Geneva Framework qui devient WIF Windows Identity Foundation + ADFS v2 en novembre 2009 This is one of the facts that leads to the claims based story.

3 As an application designer or developer, imagine a world where you don't have to worry about authentication. Imagine instead that all requests to your application already include the information you need to make access control decisions and to personalize the application for the user. Preface of : A guide to claims-based Identity and Access Control (http://msdn.microsoft.com/en-us/library/ff359103(lightweight).aspx) Deux petites phrases qui font rêver … Autant la première ne pose aucun problème, autant la seconde n’est pas toujours facile à mettre en oeuvre`.

4 Agenda Intégration sans revendications Les revendications
ADFS v1x shib4Net / shib4moss Les revendications Revendication (Claim) WIF / STS / ADFS Interopérabilité ADFS WIF Conclusion Questions Un agenda en 3 points Avant : pour l’existant 2 mots sur les claims L’interopérabilité avec les claims Agenda

5 Intégration sans claims

6 ADFS v1 Patch nécessaire pour IdP 1.3
Patch non préconisé par la fédération. Ne pas utiliser Pas de commentaire avec ADFS 1 ADFS v1

7 shib4net / shib4moss Couche de mapping entre SP et .Net
SP shibboleth pour IIS Sourcesup.cru.fr/shib4net Il vaut mieux utiliser le SP shibboleth. Pour les applications .Net on récuperer les attributs dans l’entête de la requête et les travailler ou Utiliser shib4Net ou shib4moss Shib4moss : transfert authentification, membership provider, role provider shib4net / shib4moss

8 Shib4net - expérience Non utilisé à l’UPMC
Des questions de la part de Novell et SWITCH Projet d’utilisation pour EDUGAIN Création de l’utilisateur dans MOSS Creation de l’utilisateur dans AD EDUGAIN le problème est l’affectation des personnes dans les groupes Sharepoint. Ou du moins comment générer le groupe. Ce point est intéressant et complexe. La difficulté principale est bien l’affectaion d’une personne à un role ou un groupe. Je dois travailler sur le sujet Il existe aussi un produit payant de 9star Research : ActiveShareFS 2007 SSO Cloud Solution Shib4net - expérience

9 Windows Identity Foundation
aka WIF le titre devrait plutôt être Claim Based Identity, par abus de langage En fait WIF, est un modèle de développement, api pour les claims. le runtime contient principalement un modèle objet Microsoft.IdentityModel le sdk contient en autre - fedutil, qui permet la configuration et la gestion des metadonnés - c2WTS transformation de claim en jeton kerberos WIF est compatible WS-FED passive, WS trust

10 Revendication Un ensemble d’informations Dans un jeton de sécurité
Signé par un émetteur L’équivalent des attributs Shibboleth UPN : Roles : GivenName : LastName : isOver21 : thia PM, developper, sysAdmin Jean Marie Thia True Web App/Service A claim is a set of information that the user present to the relaying party. the relaying party is the web application or the web service the user wants to access. It is MS words to designate attribute. The distinction comes from the fact that attributes are information retrieved from the enterprise directory and claims are attributes presented by the user on behalf of an issuer trusted by the Relaying Party. So we don’t fully trust claims. Claims may also contains information about the issuer, the issuer chaining, etc. Revendication

11 Revendications : modèle objet
Toutes les propriétés sont transmises sous forme de chaîne de caratctères Le type de la valeur est défini par la proprité ValueType Microsoft.IdentityModel.ClaimValueTypes est une énumération de ces valeurs (date, datetime, boolean, integer, etc.) IClaimsPrincipal IClaimsIdentity IClaimsIdentity public class Claim { // some members omitted for brevity public virtual string ClaimType { get; } public virtual string Value { get; } public virtual string ValueType { get; } public virtual IDictionnary<string, string> Properties; public virtual string Issuer { get; } public virtual string OriginalIssuer { get; } public virtual string IClaimIdentity Subject { get; } } Claim ClaimType = “Name” Value = “Bob” Issuer = “WLID” Subject Claim ClaimType = “Name” Value = “Bob” Issuer = “WLID” Subject Claim ClaimType = “Name” Value = “Bob” Issuer = “WLID” Subject For simplicity all properties are represented as string. The valueType comes in to helps you determine the format of the value. So we have a Claims principal with a collection of ClaimsIdentity that contains a collection of Claim. Revendications : modèle objet

12 ADFS A Secure Token Service for AD Handles authentication,
Extracts, transforms claims With rule and policy engine Based on WIF ADFS 2 is a Secure Token Service for AD, it is the equivalent of Shibboleth IDP. It the federation service for Active Directory. Authentication is based on : Windows Authentication Form based authentication X509 certificates Cardspaces Adfs can read attributes from AD of course, AD LDS and I suppose any LDAP directory, SQL server Database. This list can be extended by writing a custom attribute store. It also comes with a rule engine to extract, transform, manipulate the attributes from different stores And of course there is a policy engine that finally deliver the claim Wif SDK comes with C2WTS : claims to windows token service ADFS

13 ADFS : Architecture Active Directory Federation Services (AD FS) 2.0
Account & Attribute Stores Configuration Database Active Directory Federation Services (AD FS) 2.0 Management APIs and UX WMI Provider Protocol Hosting (WS-*, SAML 2.0) Identity Store Interface Policy Store Interface Windows Identity Foundation (WIF) API Information Card Issuance Service Metadata/Policy Management Service Token/Claim Issuance Service ADSF is built on top of WIF ADFS : Architecture

14 Interopérabilité avec claims
Le modèle d’avenir

15 ADFS v2 Compatible SAML 2 Protocole SAML 2.0
Adaptateur de protocole pour WIF Protocole SAML 2.0 IdP / SP Lite GSA 1.5 Indispensable avec Shibboleth 2 Interopérabilité : Sun, Oracle, CA, Novell, Ping Identity STS pour AD gère les authentifications, l’extraction et la transformation des revendication avec un moteur de règle basé sur WIF Pas d’utilisation des métadata de la fédération -> One to one connection. Il existe un pendant pour windows AZURE qui aussi en compte OAUTH, OpenID. ADFS v2

16 ADFS v2 - Guides Sharepoint 2010 Outlook Web Access 2010 In Common
Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies guides%28WS.10%29.aspx Outlook Web Access 2010 Exposing OWA 2010 with AD FS 2.0 to other organizations In Common AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation ADFS v2 - Guides

17 .Net IsInRole fonctionne toujours
Un mapping à déclarer dans web.config Compatibilité avec l’existant From the programmer point of view the result is an extension to the Principal and Identity objects. And as you may guess, moving to claims does not mean a change in your application I you were already using Context.User.IsInRole ou Context.User.Identity.Name. The claims that represent the roles and the names are set, as usual, in the config.web files .Net

18 IClaimsIdentity id =((IClaimsPrincipal)Thread. CurrentPrincipal)
IClaimsIdentity id =((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0]; // you can use a simple foreach loop to find a claim... string users = null; foreach (Claim c in id.Claims) { if (c.ClaimType == System.IdentityModel.Claims.ClaimTypes. ) Users = c.Value; break; } // you can also use LINQ to find a claim string usersFirstName = (from c in id.Claims where c.ClaimType == System.IdentityModel.Claims.ClaimTypes.GivenName select c).First().Value; Thread.CurrentPrincipal is for WCF, for ASP.NET web app we usually use Http-Context.User.Identity or Page.User Linq is a very nice way to fetch for claim. I did not had the opportunity to use it, but I love it. .Net : Revendication

19 WIF : What is it ? A framework for identity aware applications
A unified programming model for ASP.NET and WCF A shield for the underlying protocol and cryptography WIF is the heart of MS’s Identity and Access Platform It is a set of .Net classes that is build on top of WCF’s plumbing that implement WS-Trust. It takes care of all the cryptographic heavy lifting for the security token, signature validation, etc. WIF is now released as a DSK, that comes with all the libraries and also a set of templates and wizard for Visual Studio. It is only avaible for C# projects. The framework allows any application to be claim aware. This is done very easily with a wizard. But there is no magic, the application should modified to take advantage of the claims. WIF : What is it ?

20 WIF : Authorization WIF can model the authorization data like
[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "Directory", Operation = "Browse")] private bytes[] GetVideoFile(string path) {} WIF can model the authorization data like A ressource the subject wants to access The actions the suject wants to realize on the ressource This is an AuthorizationContext This policy can be stored in the stored in the application’s web.config file. It can be consume by the ClaimsAuthorizationManager class, a WIF extension point. Hook for authorization logic Define your CheckAccess implementation Attributes for authorization Since ASP.NET2, Microsoft introduced Code Access Security also known as CAS. It is based on annotation to statically authorization access to a piece of code. I have not investigate this domain yet, but it is definitively where I want to go as it is a clean way to declare authorization instructions. Having thing statically written allows simple parsing of all authorization needs. This is highly interesting, if these values turn out to be action. I will talk more about that in the to-do list WIF : Authorization

21 Conclusion Plus d’écueil technique solution mature
WIF non SAML 2 Guides d’interopérabilité Principale difficulté Les autorisations I will attend the developer’s day and will show up in Marvin’s table to talk about The .Net Cas client. Conclusion

22 Patterns & Practices : A guide to claims-based to Identity and Access Control us/library/ff aspx MSDN WIF : IdM : Technet Microsoft connect https://connect.microsoft.com/site642 Blogs Geneva team - Dominick Baier - Vittorio Bertocci - Quelques liens

23 Contributions Cas4net Shib4net http://sourcesup.cru.fr/cas4net/
http module for ASP.NET IIS7 http module for CAS Shib4net Contributions

24 Questions ? Jean-Marie.THIA@upmc.fr
- Dire que a été cassifié par MS France.

25 Merci de votre attention


Télécharger ppt "IdP Shibboleth RP Sharepoint, OWA, .Net"

Présentations similaires


Annonces Google