SAML August 27, 2001 S10 Windows.NET


SAML Integration
Doug Bayer
Director, Windows Security
Microsoft Corporation
[email protected]
Agenda
 Overview of Microsoft authentication & authorization plans
 Problem space
   Our understanding of the scenarios
 Our current approach
 How could we use SAML?
   Migration?
   Integration?
SAML August 27, 2001 S2
Windows.NET
 Windows.NET Authentication Architecture
 Windows.NET Authorization: Extending the Windows Model
   Resource-Based Authorization: ACLs & Groups
   Application-Based Authorization: RBAC
 Making It All Secure
SAML August 27, 2001 S3
.NET Process Scenario (diagram, slides S4 to S8; only the text recoverable from the figure is kept)
Participants: Fred ([email protected], MyHS.NET), Mary ([email protected], myCalendar.NET), MyNotifications.NET; an Authentication Authority (AA = Authentication Authority) with Directory and KDC on each side; roles Owner and Viewer.
Steps shown, one per slide:
1. Request Meeting
2. Query & Request
3. SOAP Message (to myCalendar.NET)
4. Accept
5. Signed Message; Accepted
SAML August 27, 2001 S8
Windows.NET Application Security Framework (diagram, slides S9 to S11; only the text recoverable from the figure is kept)
Zones: Enterprise (Employee; Store = Directory or Database; AA = Authentication Authority; MMS), DMZ, Internet (Customer, Partner/Supplier).
Slide S9: Partner/Supplier via Direct Trust (XCerts, XKMS); Signed Messages across the Internet (XMLDSIG, S/MIME, CAPICOM); Kerberos inside the Enterprise.
Slide S10: Partner/Supplier via Trust Federation or Direct Trust (Passport, Identrus); Customer authentication via Passport, Kerberos, Basic SSL, Digest, …; Kerberos inside the Enterprise.
Slide S11: RBAC Policy enforced in the Enterprise, DMZ and Internet tiers, against Threats from Inside & DMZ and Threats from Internet.
SAML August 27, 2001 S11
Windows.NET Authentication
 Multiple credential types
   Passwords, tokens, smartcards
   Multifactor: Key + biometric
 Multiple Client to Server protocols:
   Today: Basic, NTLM, Passport, Digest, SSL, Kerberos, …
   Converge on Kerberos & Kerberos/TLS in the future
 Message Signing and Signature verification
 Single Server to Server protocol: Kerberos w/constrained delegation
   IETF standard, interoperable, scalable
   Secure: mutual authentication
   Extensible credentials support
     Passwords, X.509 certificates, tokens, …
   Directory independent authentication
SAML August 27, 2001 S12
Windows.NET Authentication
Windows.NET Authentication (diagram, slide S13; only the text recoverable from the figure is kept)
Users reach the Front End Application with Passport, Basic, Digest, SSL or Kerberos (Cert); Signed Messages arrive as S/MIME/SMTP or XMLDSIG/HTTP. The Front End Application obtains a Ticket from the KDC for the Back End Application; before issuing it the KDC verifies the policy Allowed-To-Delegate-To. Trust between the tiers is anchored in the KDC.
SAML August 27, 2001 S13
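The server-to-server step on the two slides above (front end obtains a ticket to the back end in the user's name, KDC checks Allowed-To-Delegate-To) as an added example; this is not code from the deck or from Windows. It is a toy Kerberos-style KDC: tickets are HMAC-authenticated JSON bodies under a per-service key, and the users, services, keys and policy table are constructed. The message formats are not the real Kerberos or MS-SFU ones.

```python
"""Added example (not from the deck): a toy Kerberos-style KDC that enforces an
Allowed-To-Delegate-To policy when a front-end application asks for a ticket to a
back-end application on a user's behalf. Tickets are HMAC-authenticated JSON bodies
under a per-service key; users, services, keys and the policy table are constructed
for illustration, and the message formats are not the real Kerberos/MS-SFU ones."""
import hashlib
import hmac
import json
import os
import time

USERS = {"fred": "correct horse", "mary": "battery staple"}          # constructed
SERVICE_KEYS = {name: os.urandom(32) for name in                      # constructed long-term keys
                ("krbtgt", "http/frontend", "sql/backend", "cifs/fileserver")}
# Constructed policy: targets each front end may obtain tickets to in a user's name.
ALLOWED_TO_DELEGATE_TO = {"http/frontend": {"sql/backend"}}


def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_ticket(client, service, lifetime=300):
    """KDC side: a ticket names client, target service and expiry, and is
    authenticated under the target service's key."""
    body = json.dumps({"client": client, "service": service,
                       "exp": time.time() + lifetime}, sort_keys=True)
    return {"body": body, "mac": _mac(SERVICE_KEYS[service], body)}


def verify_ticket(ticket, service):
    """Service side: MAC under this service's key, correct target, not expired."""
    if not hmac.compare_digest(ticket["mac"], _mac(SERVICE_KEYS[service], ticket["body"])):
        raise PermissionError("bad ticket MAC")
    t = json.loads(ticket["body"])
    if t["service"] != service:
        raise PermissionError("ticket is for another service")
    if t["exp"] < time.time():
        raise PermissionError("ticket expired")
    return t


def as_req(user, password):
    """AS exchange: password check, then a TGT (a ticket for krbtgt)."""
    if USERS.get(user) != password:
        raise PermissionError("AS-REQ rejected")
    return issue_ticket(user, "krbtgt")


def tgs_req(tgt, service):
    """Ordinary TGS exchange: a valid TGT buys a ticket to any service."""
    return issue_ticket(verify_ticket(tgt, "krbtgt")["client"], service)


def tgs_req_on_behalf(front_end, evidence, target):
    """Constrained delegation: the front end presents the user's ticket *to itself*
    as evidence and asks for a ticket to target in the user's name. The KDC accepts
    only if the evidence is genuine and target is in the front end's Allowed-To-Delegate-To."""
    user = verify_ticket(evidence, front_end)["client"]
    if target not in ALLOWED_TO_DELEGATE_TO.get(front_end, set()):
        raise PermissionError(f"{front_end} is not allowed to delegate to {target}")
    return issue_ticket(user, target)


def scenario(user, password, target):
    """User -> front end -> back end. Returns the identity each tier sees,
    or the KDC's refusal for the delegation step."""
    user_to_fe = tgs_req(as_req(user, password), "http/frontend")
    fe_sees = verify_ticket(user_to_fe, "http/frontend")["client"]
    try:
        delegated = tgs_req_on_behalf("http/frontend", user_to_fe, target)
    except PermissionError as err:
        return fe_sees, None, str(err)
    return fe_sees, verify_ticket(delegated, target)["client"], None
```

The back end sees the user's identity, not the front end's, yet the front end never holds the user's password or TGT: the only thing it can do with the user's ticket is ask for tickets to the targets an administrator listed. Presenting a TGT as evidence fails because it is keyed to krbtgt, not to the front end.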
Application Classification For Authorization
 Resource Managers
   Resources are well-defined with persistence
   Access is controlled to operations on such objects
   E.g. File system, database, Active Directory, …
 Gatekeepers: Special form of resource managers
   Resources are other applications
   Controls access to other applications
   E.g. OS itself, Web Server, VPNs, Firewalls, …
 Business Processes
   Resources aren't well defined; operations, processes & workflows are
   Access is controlled to operations, processes, workflows
   E.g. LOB applications, Transaction processing, ...
SAML August 27, 2001 S14
Authorization: Role Based Model
 Roles-based
   LOB, B2B, B2C and workflow applications
   No real objects but operations & tasks are well-defined
 Characteristics
   Authorizations aren't simply yes/no on operation
     Operation data & business rules matter
   Typically have a state machine
   Where do you 'hang' the ACL?
 Applications enforce access
   Users authenticate to Authentication Authority
   Application performs authorization
   Application has full access to underlying objects
SAML August 27, 2001 S15
Roles-Based Authorization Manager (diagram, slide S16; only the text recoverable from the figure is kept)
Three application classes sit on the Windows Authorization API: Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, …), Business Process Applications (E-Commerce, LOB Applications, …) and Resource Manager Applications (Document Store, Mail Store, …). The Authorization Administration Manager provides a Common Roles Management UI over a Policy Store held in Active Directory or XML (Files, SQL).

Roles-Based Authorization Manager (diagram, slide S17; only the text recoverable from the figure is kept)
Gatekeeper example: IIS enforces URL-Based Authorization through the Windows Authorization API; a Web-Based Application calls the same API; both share the Common Roles Management UI.
Policy elements:
• Scopes: VDirs, URL, Prefix
• Tasks: Basic: GET/POST; Dynamic by associating VBScript business rules
• Groups: Static; Computed; LDAP query
• Roles: Defined by administrators and applications
SAML August 27, 2001 S17
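The roles-based model of slides S15 to S17 (scopes, tasks with business rules, static and computed groups, roles assigned per scope, application-enforced access) as an added example; this is not code from the deck or from the Windows Authorization API. The policy data is constructed, and a computed group's predicate over user attributes stands in for the LDAP-query groups on the slide.

```python
"""Added example (not from the deck): a small evaluator for the roles-based model on
the RBAC slides. Scopes are URL prefixes, tasks bundle operations with an optional
business rule over the operation data, groups are static or computed, and roles map
groups to tasks. The policy data below is constructed; a computed group's predicate
stands in for an LDAP query over user attributes."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Task:
    name: str
    operations: set                                  # e.g. {"GET", "POST"}
    rule: Optional[Callable[[dict], bool]] = None    # business rule; None = operation alone suffices


@dataclass
class Policy:
    scope: str                          # URL prefix this policy covers
    roles: dict                         # role name -> list of Task
    assignments: dict                   # role name -> set of group names
    static_groups: dict = field(default_factory=dict)    # group -> set of users
    computed_groups: dict = field(default_factory=dict)  # group -> predicate(user attributes)


def member_of(policy, user, attrs):
    """Groups the user belongs to in this scope: static membership plus computed ones."""
    groups = {g for g, users in policy.static_groups.items() if user in users}
    groups |= {g for g, pred in policy.computed_groups.items() if pred(attrs)}
    return groups


def authorize(policies, user, attrs, url, op, data=None):
    """Return (allowed, reason). The longest matching scope wins; anything not
    granted by a role/task in that scope is denied (there is no object ACL to fall back on)."""
    matches = [p for p in policies if url.startswith(p.scope)]
    if not matches:
        return False, "no scope covers URL"
    policy = max(matches, key=lambda p: len(p.scope))
    groups = member_of(policy, user, attrs)
    for role, tasks in policy.roles.items():
        if not policy.assignments.get(role, set()) & groups:
            continue                                  # user is not in this role
        for task in tasks:
            if op in task.operations and (task.rule is None or task.rule(data or {})):
                return True, f"{role}/{task.name}"
    return False, f"no role in scope {policy.scope} grants {op}"


# Constructed policy for an order-processing application
view = Task("view-order", {"GET"})
approve = Task("approve-order", {"POST"}, rule=lambda d: d.get("amount", 0) <= 10_000)
POLICIES = [
    Policy("/orders/",
           roles={"Viewer": [view], "Approver": [view, approve]},
           assignments={"Viewer": {"staff"}, "Approver": {"managers"}},
           static_groups={"staff": {"fred", "mary"}},
           computed_groups={"managers": lambda a: a.get("title") == "manager"}),
    Policy("/", roles={}, assignments={}),             # default scope: nothing granted
]
```

The rule on the approve task is where the slide's "operation data & business rules matter" shows up: the same user with the same role is allowed to POST one order and refused another, which a yes/no ACL on a URL cannot express. Because the application calls `authorize` itself, it must be the only path to the underlying store, exactly as slide S15 notes.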
SAML/Kerberos – Protocol Overview (diagrams, slides S18 to S20; only the text recoverable from the figures is kept)
Components: a browser; Web Servers on several platforms (WebSphere on AIX, Windows.NET, Netscape on Mac); WebAuth Server(s); a KDC.
Initial request (slide S19):
(1) The browser does a GET to a Web Server and is redirected to WebAuth.
(2) WebAuth collects User Name and Password, sends AS-Req and then TGS-Req to the KDC, and keeps the TGT in a cookie (Sess-Cookie/TGT).
(3) The resulting AP-Req is returned to the browser over SSL in a session cookie and presented to the Web Server.
Subsequent requests (slide S20): the Web Server keeps the AP-Req (cached); the browser sends it in the session cookie with each GET and receives Data.
• Browser sends AP-REQ in cookie
• Web Server checks against saved AP-REQ; if OK, returns requested URL
SAML August 27, 2001 S20
Protocol Overview – Initial Request to Second Web Server
 Browser does GET to WebSphere
 WebSphere redirects to WebAuth
 Redirect contains TGT in cookie
 WebAuth does TGS-REQ, then proceeds as before
SAML August 27, 2001 S21
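The browser flow of slides S19 to S21 (redirect to WebAuth, AS-REQ with user name and password, TGT kept in a cookie, AP-REQ carried in a per-site session cookie and checked against the copy the site saved, and a second site served from the TGT cookie with a TGS-REQ only) as an added simulation; this is not code from the deck or from WebAuth. The KDC is a stub that hands out opaque tokens in place of real Kerberos messages, and the hostnames, user and password are constructed.

```python
"""Added example (not from the deck): a simulation of the WebAuth-style browser flow on
the SAML/Kerberos protocol slides. The KDC is a stub that hands out opaque tokens in
place of real Kerberos messages; the point is the web side: redirect to WebAuth, TGT
kept in a cookie, AP-REQ carried in a per-site session cookie and checked against the
copy the site saved, and a second site served from the TGT without a password.
Hostnames, the user and the password are constructed."""
import secrets
import time


class KDC:
    """Stub KDC: random tokens stand in for TGTs and AP-REQs."""
    def __init__(self, users):
        self.users, self.tgts, self.tickets, self.tgs_calls = users, {}, {}, 0

    def as_req(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError("AS-REQ rejected")
        tgt = secrets.token_hex(16)
        self.tgts[tgt] = user
        return tgt

    def tgs_req(self, tgt, service):
        self.tgs_calls += 1
        ap_req = secrets.token_hex(16)
        self.tickets[ap_req] = (self.tgts[tgt], service)   # KeyError: unknown TGT
        return ap_req


class Browser:
    def __init__(self):
        self.cookies = {}


class WebAuth:
    """Central login server: turns a password, or an existing TGT cookie, into an AP-REQ cookie for one site."""
    def __init__(self, kdc):
        self.kdc = kdc

    def login(self, browser, service, credentials=None):
        tgt = browser.cookies.get("tgt")
        if tgt is None:                                   # first site: AS-REQ with user name + password
            if credentials is None:
                raise PermissionError("credentials required")
            tgt = self.kdc.as_req(*credentials)
            browser.cookies["tgt"] = tgt                  # TGT lives in a cookie the browser returns to WebAuth
        ap_req = self.kdc.tgs_req(tgt, service)          # later sites: TGS-REQ only, no password prompt
        browser.cookies[f"sess-{service}"] = ap_req      # the AP-REQ becomes the site's session cookie
        return ap_req


class WebServer:
    def __init__(self, name, kdc, ttl=3600):
        self.name, self.kdc, self.ttl, self.sessions = name, kdc, ttl, {}

    def get(self, browser, url):
        ap_req = browser.cookies.get(f"sess-{self.name}")
        if ap_req in self.sessions and self.sessions[ap_req] > time.time():
            return "DATA", url                            # matches the saved AP-REQ: serve the URL
        if ap_req is not None and self._verify(ap_req):
            self.sessions[ap_req] = time.time() + self.ttl   # first presentation: save it
            return "DATA", url
        return "REDIRECT", "webauth"                      # no or invalid session: send to WebAuth

    def _verify(self, ap_req):
        # Stands in for decrypting the AP-REQ with this site's service key.
        return self.kdc.tickets.get(ap_req, (None, None))[1] == self.name


def fetch(browser, site, webauth, url, credentials=None):
    """Browser side: follow the redirect to WebAuth once, then retry the site. Returns the status."""
    status, _ = site.get(browser, url)
    if status == "REDIRECT":
        webauth.login(browser, site.name, credentials)
        status, _ = site.get(browser, url)
    return status


# Constructed environment
KDC_ = KDC({"fred": "hunter2"})
WEBAUTH = WebAuth(KDC_)
SITES = {name: WebServer(name, KDC_) for name in ("websphere.example", "dotnet.example")}
```

Two things the simulation makes visible: the password is entered once, at WebAuth, and every further site costs only a TGS-REQ; and the session cookie is a bearer credential, which is why the slides carry it over SSL and why the saved copy should expire with the ticket (the `ttl` here stands in for the ticket lifetime).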
SAML/Kerberos – Protocol Overview with an Affiliate Site (diagrams, slides S22 to S24; only the text recoverable from the figures is kept)
Components: the home site's Web Servers, KDC, Directory and WebAuth Server(s); an Affiliate Site with Apache Web Servers and an MIT KDC; the browser holding a Sess-Cookie and TGT.
Slide S22: the browser does a GET to the affiliate's Web Servers.
Slide S23: the same three steps as before, (1) Redirect, (2) AS-Req, (3) AP-Req over SSL; the figure shows AS-Req exchanges at both KDCs and the Sess-Cookie/TGT carried by the browser.
Slide S24: the browser presents the AP-Req in the session cookie to the affiliate's Web Servers with each GET and receives Data.
Questions?
SAML August 27, 2001 S25