
Single sign on and authorization - PowerPoint Presentation

liane-varnes (@liane-varnes)
342 views, uploaded on 2019-11-24

Single sign on and authorization: unifying security for the SCT product set. Sections: Introduction; Theory (Real life example, Terminology, Profiles, Standards); SCT (Applications, Network Topology, The why slide, Proof of Concepts). ID: 767747




Presentation Transcript

Single sign on and authorization
Unifying security for the SCT product set

Agenda
- Introduction
- Theory
  - Real life example
  - Terminology
  - Profiles
  - Standards
- SCT
  - Applications
  - Network Topology
  - The why slide
  - Proof of Concepts
- Prototype
  - Introduction
  - User Stories
  - Proof of Concepts
- Experience
  - ADFS
  - Apache STS (not tested)
  - .NET positives and negatives
  - Java positives and negatives
- Future
  - Remaining Work
  - Impact for existing products
- Team Members

Theory

Real Life Example
- You need resources, so off to the supermarket to buy some good beer, e.g.
- The policy of the supermarket is not to sell to minors, hence the photo id required.
- Your token is your identity card; it was issued before by the state, a trusted identity provider.
- After verification of your age claim, part of your token, you are authorized to buy beer.

Terminology
- Identity: security principal used to configure security policy (Person)
- Identity Provider (IdP): producer of assertions (Government)
- Security Token: a set of claims digitally signed by the issuing authority (for example, Windows security tokens or SAML tokens) (Identity Card)
- Security Token Service (STS) / Issuing Authority: the authentication provider; builds, signs and issues security tokens (for example, ADFS, PingFederate) (Town hall, DMV)
- Claim: assertion / attribute of an identity (Login name, AD Group, etc.) (Age)
- Relying Party (RP): application that makes authorization decisions based on claims (Liquor Store)
- Service Provider (SP): consumer of assertions (Liquor Store)

Terminology
- Authentication is the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given principal (person, computer, process, etc.). (Check Identity Card)
- Authorization involves verifying that an authenticated subject has permission to perform certain operations or access specific resources. (Check Age)
- Single Sign-On (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. (Use the same Identity Card everywhere)
- Federation describes a scenario in which no one group or organization manages all users and resources in a distributed application environment. Instead, administrators in diverse domains must manage local security policies. (Passport and Identity Papers across different countries)

Terminology - Claim
A claim consists of:
- ClaimType
- Issuer
- Value
- Value Type

Example of claim types: First name, Gender, Age or IsAdult, City

Example of a claim set / security token:
- First name = Alex
- Gender = Male
- Age = 33 or IsAdult = true
- City = Mechelen
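The supermarket example in code, as an added illustration that is not part of the presentation: a token is a claim set signed by its issuer, the store (relying party) trusts exactly one issuer, checks the signature, and then authorizes from the Age or IsAdult claim. The issuer names and the HMAC key are constructed stand-ins for the certificate signature a real SAML token would carry.

```python
import hmac, hashlib, json
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    claim_type: str             # ClaimType, e.g. "Age"
    value: str                  # Value, e.g. "33"
    value_type: str = "string"  # Value Type
    issuer: str = ""            # Issuer, stamped by the STS when it signs

# Constructed: the one identity provider (the state) the store trusts, with a
# shared secret standing in for its signing certificate.
TRUSTED_ISSUERS = {"urn:state:idp": b"state-signing-key-demo"}

def _signing_input(issuer, claims):
    body = [(c.claim_type, c.value, c.value_type) for c in claims]
    return json.dumps({"iss": issuer, "claims": body}, sort_keys=True).encode()

def issue_token(issuer, key, claims):
    """STS side: stamp the issuer on every claim and sign the whole set."""
    stamped = [Claim(c.claim_type, c.value, c.value_type, issuer) for c in claims]
    sig = hmac.new(key, _signing_input(issuer, stamped), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": stamped, "sig": sig}

def validate_token(token):
    """RP side: only claims from a trusted issuer with an intact signature count."""
    key = TRUSTED_ISSUERS.get(token["issuer"])
    if key is None:
        return None                                   # unknown identity provider
    expected = hmac.new(key, _signing_input(token["issuer"], token["claims"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                                   # claim set was altered
    return token["claims"]

def may_buy_beer(token, minimum_age=18):
    """The store's authorization decision, made only from a validated Age claim."""
    claims = validate_token(token)
    if claims is None:
        return False
    for c in claims:
        if c.claim_type == "Age" and c.value_type == "int":
            return int(c.value) >= minimum_age
        if c.claim_type == "IsAdult":
            return c.value.lower() == "true"
    return False                                      # no usable age claim

# Constructed sample tokens matching the claim set on the slide.
STATE_KEY = TRUSTED_ISSUERS["urn:state:idp"]
ALEX = issue_token("urn:state:idp", STATE_KEY, [
    Claim("First name", "Alex"), Claim("Gender", "Male"),
    Claim("Age", "33", "int"), Claim("City", "Mechelen")])
MINOR = issue_token("urn:state:idp", STATE_KEY, [Claim("Age", "16", "int")])
```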

Profile – Active
The relying party exposes policy that describes its addresses, bindings, and contracts (using WS-Policy). But the policy also includes a list of claims that the relying party needs, for example user name, email address, and role memberships. The policy also tells the smart client the address of the STS (another Web service in the system) where it should retrieve these claims.

After retrieving this policy (1), the client now knows where to go to authenticate: the STS. The smart client makes a Web service request (2) to the STS, requesting the claims that the relying party asked for through its policy. The job of the STS is to authenticate the user and return a security token that gives the relying party all of the claims it needs. The smart client then makes its request to the relying party (3), sending the security token along in the security SOAP header.

Smart clients are referred to as "active" because they have plumbing (WCF, for example) that can parse policy and implement WS-Trust directly. Web browsers are referred to as "passive" because they can't typically be modified to do these things directly, so cookies, redirection, and JavaScript are used to mimic the WS-Trust protocol in a browser-friendly way.

Profile – Passive (WS-Federation)
1. The user points her browser at a claims-aware Web application (relying party).
2. The Web application redirects the browser to the STS so the user can be authenticated.
3. The STS is wrapped by a simple Web application that reads the incoming request, authenticates the user via standard HTTP mechanisms, and then creates a SAML token and emits a bit of JavaScript.
4. This JavaScript causes the browser to initiate an HTTP POST that sends the SAML token back to the relying party.
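The passive profile as an exchange between both sides, added here as an illustration rather than code from the presentation: the relying party redirects an unauthenticated browser to the STS with the WS-Federation sign-in parameters (wa, wtrealm, wctx), the STS authenticates and hands back the fields of the form its JavaScript would auto-POST, and the relying party checks signature, audience and lifetime before starting a session. The realm, STS address, demo user and the one-line HMAC "sig" (standing in for the SAML token's XML signature) are constructed assumptions.

```python
import hmac, json, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed names and secret for the demo.
RP_REALM = "https://agency.example.test/Agency/"
STS_URL = "https://sts.example.test/wsfed"
STS_KEY = b"sts-demo-signing-key"
USERS = {"alex": "s3cret"}

def sign(body):
    return hmac.new(STS_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

# --- relying party (claims-aware web application) ------------------------
def rp_get(path, session):
    """Leg 1: no session yet -> 302 to the STS. wctx remembers the target page."""
    if "user" in session:
        return {"status": 200, "body": f"Browse page for {session['user']}"}
    query = urlencode({"wa": "wsignin1.0", "wtrealm": RP_REALM, "wctx": path})
    return {"status": 302, "location": f"{STS_URL}?{query}"}

def rp_post(form, session, now=None):
    """Leg 3: the auto-posted token arrives; verify signature, audience and
    lifetime before it becomes a session, then resume at the wctx page."""
    now = time.time() if now is None else now
    token = json.loads(form["wresult"])
    body = {k: v for k, v in token.items() if k != "sig"}
    if not hmac.compare_digest(sign(body), token.get("sig", "")):
        return {"status": 401, "body": "token signature invalid"}
    if body["audience"] != RP_REALM:
        return {"status": 401, "body": "token issued for another realm"}
    if body["exp"] < now:
        return {"status": 401, "body": "token expired"}
    session["user"] = body["claims"]["upn"]
    return {"status": 302, "location": form["wctx"]}

# --- security token service ------------------------------------------------
def sts_signin(location, username, password, now=None):
    """Leg 2: the thin web app around the STS authenticates the user, mints a
    token for the requesting realm and returns the form fields that the emitted
    JavaScript would POST back to that realm (None when sign-in fails)."""
    params = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    if params.get("wa") != "wsignin1.0" or USERS.get(username) != password:
        return None
    now = time.time() if now is None else now
    body = {"issuer": STS_URL, "audience": params["wtrealm"], "exp": now + 300,
            "claims": {"upn": f"{username}@example.test"}}
    token = dict(body, sig=sign(body))
    return {"action": params["wtrealm"],
            "fields": {"wa": "wsignin1.0", "wresult": json.dumps(token),
                       "wctx": params.get("wctx", "/")}}

def browser_flow(path, username, password, now=None):
    """Drive the three legs the way the browser would; return the final reply."""
    session = {}
    redirect = rp_get(path, session)
    form = sts_signin(redirect["location"], username, password, now)
    if form is None:
        return {"status": 401, "body": "STS rejected the credentials"}
    back = rp_post(form["fields"], session, now)
    return rp_get(back["location"], session) if back["status"] == 302 else back
```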

Standards - Overview
Many standards, each compiled out of different tokens, protocols and bindings and backed by organizations:
- Liberty Alliance Project contributed their ID-FF 1.2 into SAML 2.0
- OASIS SAML 2.0: successor of 1.1, includes Liberty and Shibboleth 1.2 contributions
- Internet2 networking consortium: Shibboleth 1.2 was merged; their 2.0 is derived from SAML 2.0
- WS-Federation: backed by Microsoft and IBM; the 1.2 version became an OASIS standard

Questions?

SCT (Structured Content Technologies)

Applications
- Live Content (LC): Web application for dynamic content publishing. Can search inside the structure of the content. Supports the DITA 1.2 standard.
- Trisoft (TS): DITA repository and publisher. Client tools for editing and management (in process). Web tools for … (browser).
- XOPUS (XS): XML editor (browser). Content source from Trisoft and Live Content.
- Global Authoring Management System (GAMS): client component integrates with authoring environments to check grammar, style, translation memory and terminology; server component acts as shared profile repository.
- XPP: automated XML publishing engine. Publishes technical documentation for the financial, government, high tech, aerospace and defense industries.

Topology – Current (diagram)
Components shown: XO-Client, XO-Web, TS-CT, TS-WS, TS-Web, TS-CMS, GAMS-CT, GAMS-Lib WS, GAMS-Profile, LC-Web, XPP, TMS, TMS-CC, Trados, MT, SDLX, STS/IdP, browsers.
Layers: Thick Client, Web Client, Web Sites, Services, App/Data layer.
Legend: domains/XSS, data flow (protocols/arrows), firewalls; arrows with preconfigured or hardcoded authentication; trusted subsystem.

Topology - Desired (diagram)
Components shown: LC-JS-Client, LC-.NET-Client, GAMS-JS-Client, XO-JS-Client, XO-Web, TS-CT, TS-WS, TS-Web, TS-CMS, GAMS-CT, GAMS-WCF WS, GAMS-Web, LC-Web, Dash-Web, XPP, TMS, TMS-CC, Trados, MT, SDLX, IdP, STS, browsers.
Layers: Thick Client, Web Client, Web Sites, Services, App/Data layer.
Legend: arrows with identity delegation.

The why Slide!!
- Unify authentication across SCT products
- Provide a Single Sign On experience to users
- Leverage any Identity Provider a customer has
- Stop being a trusted subsystem
- Stop using preconfigured or hardcoded authentication on arrows
- Provide more security on the platform
- Stop being responsible for every kind of Identity Provider
- Not responsible for security information
- Not responsible for customer individual policies, e.g. password policy
- Adopt industry standards for protocols and tokens
- Open suite for future trust with other products
- Provide infrastructure for new applications in the suite (Dashboard)
- Future compatibility: everything points in this direction
- Cloud compatibility

Proof of Concepts
- Passive Profile
  - Browser logon
  - Cross domain display of content and transparent JavaScript execution
- Active Profile
  - In-process application makes requests to web service
- Identity Delegation
  - Application makes requests to other application
  - Background task executes on behalf of user

Questions?

Prototype

Introduction - Story
- Travel Agency: profile based vacation browsing; book vacation; display booking details; custom users
- Airline: electronic check-in; display flight status; custom users

Introduction - Enhancements
- Authentication: Single Sign On
- Travel Agency
  - Books also the flight when booking a vacation
  - Shows also flight status with booking details
  - Shows also whether electronic check-in has been made, with booking details
  - Sends emails based on booking details
- Airline
  - Informs Travel Agency when the customer made electronic check-in
  - Provides live information about flight status

Introduction – Domains
- Travel Agency: .NET (red) (Trisoft)
  - Agency: MVC web application
  - BookingService: WCF web services
  - Agent: desktop application
  - EmailService: console application
- Airline: Java (green) (Live Content)
  - Web application
  - SVC RESTful API
- Identity Providers: Active Directory, OpenLDAP
- STS: ADFS 2.0, PingFederate

Prototype Relation with SCT Suite

User Stories
- Profile based vacation browsing
- Book vacation
- Display booking details
- E-CheckIn
- Email (not yet implemented)
- Display claims

Demo Servers
- MECDEVAPP02@Global, located in Mechelen, hosting Agency and BookingService
- WKENSV0306@Global, located in Wakefield, hosting Airline
- strts01@ams.dev, located in Amsterdam, hosting ADFS
Demo
- Agency: https://mecdevapp02.global.sdl.corp/Agency/
- eCheckin: https://wkensv0306.global.sdl.corp:8443/Airline/code/Welcome.jsp
- Agent: \\mecdevapp02\C$\WebSites\TravelAgency\Agent\Desktop.exe

Topology (diagram)
Client side: Agent (rich client), Browser (Agency), Browser (Airline). Web apps: Agency, Airline. Services: Booking Service, Airline Web Svc. Background services: E-Mail Service. Shared: STS. Some elements are marked "Not Yet Implemented".

User Story – Profile Based Vacation Browsing
Browser:
- User enters the Agency application through his web browser.
- If the user is not authenticated, the user is redirected to the proper STS and after a successful sign on he is returned to the travel agency's application.
- The user navigates among available vacations that are optimized for his profile ("Browse" page).
Application:
- User starts the Agent from his desktop.
- User enters credentials and the application silently authenticates him on the STS.
- The user makes a "Browse" request to Agency and navigates among available vacations that are optimized for his profile. (Not yet implemented)
Participants: Agent, Browser (Agency), Agency

User Story – Book Vacation
Browser:
- Signed-on user books a vacation from the browser.
- Agency Web Application sends a "Book" request to Booking Service with identity delegation.
- Booking Service executes its internal business flow (issue of persisting the user's token).
- Booking Service sends a "Book" request to Airline REST Service with identity delegation.
Application:
- Signed-on user books a vacation from the Agent.
- Application sends a "Book" request to Booking Service with the user's token.
- Booking Service executes its internal business flow (issue of persisting the user's token).
- Booking Service sends a "Book" request to Airline REST Service with identity delegation.
Participants: Agent, Browser (Agency), Agency, Airline Web Svc, Booking Service

User Story – Display Booking Details
Browser:
- Signed-on user requests details for his travel plans from the browser.
- Browser enters the "BookingDetails" page.
- Browser requests data from Agency, which makes a "Detail" request to Booking Service with identity delegation.
- Browser makes a "FlightStatus" data request to Airline REST Service using Single Sign On. (Not yet implemented)
Application:
- Signed-on user requests details for his travel plans from the Agent.
- Application makes a "Detail" request to Booking Service.
- Application requests a token for Airline REST Service from the STS.
- Application makes a "FlightStatus" request to Airline REST Service passing the proper token.
Participants: Agent, Agency, Airline Web Svc, Booking Service, Browser, Web

User Story – eCheckIn
Browser (Web Browser SSO Profile, SP initiated: Redirect -> POST binding):
- User tries to access the Airline application's resources through the web browser.
- If the user is not authenticated, he is redirected to the STS and challenged for credentials.
- After the user enters his credentials, the STS sends the browser a SAMLResponse token.
- Browser sends the SAMLResponse token to the Airline application through HTTP POST.
- Airline application validates the token and allows the user access to the e-checkin service.
- Airline Web Application executes the request and handles its internal business flow.
- Airline Web Application makes a "CheckIn" request to Booking Service with identity delegation. (Not yet implemented)
Participants: Browser (Airline), Airline Web Svc, Booking Service

User Story – Email (Not yet implemented)
- Periodic event: the service gets activated.
- Service polls for pending emails. If no pending e-mails are found, the service is deactivated for a specific period.
- Service acquires the related user's authorization token (persist strategy needs to be defined).
- Service executes a "Detail" request to Booking Service using this token.
- Service executes a "FlightStatus" request to Airline REST Service using this token.
- Service sends the e-mail.
Participants: Airline Web Svc, Booking Service, E-Mail Service

User Story – Display Claims
Browser:
- Signed-on user clicks Claims from the browser.
- Agency calculates the claim set for the Agency domain.
- Agency Web Application sends a "TransformClaimsPrincipalToModel" request to Booking Service with identity delegation.
- Booking Service calculates its claim set and returns the data.
- User sees a report for the two claim sets.
Participants: Browser (Agency), Agency, Booking Service

Claim Types
Common:
- e-Mail (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
- Username
Travel Agency:
- Username (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)
- DisplayName (http://TravelAgency/identity/claims/DisplayName)
- Country (http://TravelAgency/identity/claims/Country) (transformation on Service Provider using the Group claim type)
Airline:
- Username (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier)
- Title (http://schemas.microsoft.com/ws/2008/06/identity/claims/role)
- Department (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department)
Claims transformations on STS.
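Claim transformation rules for the claim types listed above, both the STS-side mapping (directory attributes issued under the claim type URIs the Airline expects, Title under the role type) and the service-provider rule that derives Country from the Group claim. This is an added illustration in the spirit of ADFS issuance rules, not the presentation's own configuration; the "ad:" attribute names, the Group claim type URI and the "TravelAgency-XX" group naming scheme are constructed assumptions.

```python
import re

# Claim type URIs from the slide; the Group type is assumed (ADFS's
# http://schemas.xmlsoap.org/claims/Group).
WS_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MS_CLAIMS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/"
TA_CLAIMS = "http://TravelAgency/identity/claims/"
GROUP = "http://schemas.xmlsoap.org/claims/Group"

def rule(in_type, pattern, out_type, template):
    """A rule fires when an incoming claim has type in_type and a value matching
    the regex; it issues one claim of out_type built from the named groups."""
    return {"in": in_type, "re": re.compile(pattern), "out": out_type, "tpl": template}

# STS-side rules: constructed "ad:" attribute names become the expected types.
STS_RULES = [
    rule("ad:mail", r"^(?P<v>[^@\s]+@[^@\s]+)$", WS_CLAIMS + "emailaddress", "{v}"),
    rule("ad:upn", r"^(?P<v>\S+)$", WS_CLAIMS + "upn", "{v}"),
    rule("ad:title", r"^(?P<v>.+)$", MS_CLAIMS + "role", "{v}"),
    rule("ad:department", r"^(?P<v>.+)$", WS_CLAIMS + "department", "{v}"),
]
# Service-provider rule: a group like "TravelAgency-BE" yields Country = BE.
SP_RULES = [
    rule(GROUP, r"^TravelAgency-(?P<cc>[A-Z]{2})$", TA_CLAIMS + "Country", "{cc}"),
]

def apply_rules(claims, rules, passthrough):
    """Run every rule over every (type, value) claim. The STS issues only what
    its rules produce (passthrough=False); the service provider keeps the
    incoming set and adds the derived claims (passthrough=True). A claim that
    matches no rule, or whose value fails the regex, issues nothing."""
    issued = list(claims) if passthrough else []
    for ctype, value in claims:
        for r in rules:
            if ctype != r["in"]:
                continue
            m = r["re"].match(value)
            if m is None:
                continue
            new = (r["out"], r["tpl"].format(**m.groupdict()))
            if new not in issued:
                issued.append(new)
    return issued
```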

Proof of Concepts
- Passive Profile
  - Browser logon (Profile Based Vacation Browsing, eCheckIn)
  - Cross domain display of content and transparent JavaScript execution (Display Booking Details with FlightStatus). (Not yet implemented)
- Active Profile
  - In-process application makes requests to web service (Profile Based Vacation Browsing)
- Identity Delegation
  - .NET application makes requests to .NET application (Book Vacation, Booking Details, Claims)
  - .NET application makes requests to Java application (Book Vacation)
  - Java application makes requests to .NET WCF service (eCheckIn) (Not yet implemented)
  - Background task executes on behalf of user (Email Service) (Not yet implemented)

Questions?

Experience

ADFS
Positives:
- Free
- UI configuration of relying parties
- Support for WS-Federation and SAML 1.1 and SAML 2 tokens
- Powered by a .NET Windows service and a .NET web application, based on WIF
- Can interact with other federation services as federation partners that are WS-* and SAML 2.0 compliant
Negatives:
- Difficult syntax for custom claims transformation rules
- Only Active Directory Domain Services can be used as an identity provider
Still unknown:
- No hands-on experience with scaling out

.NET Positives and Negatives
Positives:
- Windows Identity Foundation (WIF)
- Windows Communication Foundation (WCF)
- The Federation Utility from the WIF SDK really helps with development and deployment
- Possible compatibility with Windows Workflow (WF)
- Active profile completely transparent; no dependency on WIF
- Easily implement identity delegation between .NET domains
Negatives:
- Mainly SAML 1 and WS-Federation
- WIF is lacking complete support of SAML 2; nothing official about a new release
- Active profile is mainly based on WS-Federation protocols
- Difficult to deploy because of the certificate dependency

Java Positives and Negatives
Positives:
- OpenSAML APIs available to build a SAML token consumer
- Flexible to work with different STSs
Negatives:
- Takes time to build; no suitable framework
- No clear industry directions available; needs lots of research and testing

Summary
Positives:
- Overcome the double-hop problem with identity delegation
- Applications do not use the Windows principal through the execution context; instead a claim set is available that describes the user's potential
- Specify/limit actors for identity delegation
- Authentication agnostic: no need to care for authentication; no need to maintain identity providers; not responsible for persisting security-sensitive information; not responsible for enforcing different password policies; just get claims through a token
- Token encryption through certificates
- Flexibility in authorization; customization with claim rule transformations
- Future trust and extension with third-party applications
Negatives:
- Steep learning curve: requires some theory and experience with certificates, and more theory and experience with security
- Special care for user provisioning needed
- Define the best scenario that minimizes how stale data is and how to securely persist tokens
- Requires certificate provisioning

Future

Remaining Work
- Passive Profile
  - Browser logon (Profile Based Vacation Browsing, eCheckIn)
  - Cross domain display of content and transparent JavaScript execution (Display Booking Details with FlightStatus). (Not yet implemented)
- Active Profile
  - In-process application makes requests to web service (Profile Based Vacation Browsing)
- Identity Delegation
  - .NET application makes requests to .NET application (Book Vacation, Booking Details, Claims)
  - .NET application makes requests to Java application (Book Vacation)
  - Java application makes requests to .NET WCF service (eCheckIn) (Not yet implemented)
  - Background task executes on behalf of user (Email Service). (Not yet implemented)

Remaining Work
- Finish the rest of the Proof of Concepts
- STS: check with an alternative STS (PingFederate)
- Identity Provider: check with OpenLDAP

Impact on products
- Trisoft
  - Find a solution that works for both technologies for the transition period, without compromising the WCF/Claims potential
  - Gradually migrate the VB6 stack to .NET; keep backwards compatibility
  - Verify that the active profile can work with .NET 3.5 for the client tools
  - Find a solution for user provisioning
- Live Content
  - Separate the authentication module and authorization module from existing code
  - Implement the authentication module using the newly developed library
  - Implement a claim-aware REST web service API for Trisoft using Java (using one end point and handling URL parameters is challenging)
  - Implement a claim-aware Java active call to the Trisoft .NET WCF Service
- XOPUS
  - Import Cross Site Scripting functionality
- GAMS
  - Implement new .NET based services with claims awareness

Trisoft 2011R2 – Current State
The Authentication Context only contains:
- an ApplicationName, which identifies your repository and configuration
- a UserId as a unique identifier within your repository
- a last modified Timestamp indicating your last successful action

App25.Login(appName, TrisoftUserName, TrisoftPassword, out authContext)
- Trisoft authentication
- Hidden behind security set up in IIS

App25.Authenticate(appName, out authContext)
- Windows authentication through IIS
- LDAP authentication through Trisoft.Security.dll as an IIS HttpModule
- Hidden behind security set up in IIS
- Based on IIdentity.Name to look up a Trisoft user profile via the field FEXTERNALID

DocumentObj25.EveryOtherFunction(ref authContext, …)
- Hidden behind security set up in IIS

Trisoft Future – Ideal State
DocumentObj35.EveryOtherFunction(…)
- Hidden behind security set up in IIS

App25.Login(appName, TrisoftUserName, TrisoftPassword, out authContext)
- Trisoft authentication
- Hidden behind security set up in IIS

App25.Authenticate(appName, out authContext)
- Windows authentication through IIS
- LDAP authentication through Trisoft.Security.dll as an IIS HttpModule
- Hidden behind security set up in IIS
- Based on IIdentity.Name to look up a Trisoft user profile via the field FEXTERNALID

Team Members
Andrew Trese, Dave De Meyer, Gina Choi, Natalia Balatskova, Sangeeta Narayan, Shawn Linderman, Martin Gill, Jeroen Laridon, Alex Sarafian

Questions?