This relates to, but I'm quite sure does not duplicate, my question: Looking for a secure and robust STS implementation
Since asking that, some input from business, and some research, has led me to believe that instead of implementing a secure token service to wrap my custom identity provider, I can delegate the issuing of tokens to the identity provider itself.
The identity provider is a WCF service that returns a collection of claims when it successfully authenticates a user, based on some identifying data for the user. E.g.
[ServiceContract(Namespace = "http://namespace")]
public interface IIdService
{
[FaultContract(typeof(IdServiceFault))]
[OperationContract]
ICollection<Claim> Authenticate(string idDatum1, string idDatum2);
}
where Claim is Microsoft.IdentityModel.Claims.Claim. I am currently stuck with a an example only quality STS implementation, as a web site project, but if at all possible, I would like to simply move the task of issuing and signing tokens into the identity provider, and eventually qualify it as a WS-Federation Identity Provider, that I can later include in my Azure Access Control's providers.
If this is possible, what do I need to do in the WCF service?
"One doesn't just knock together a WS-Federation Identity Provider" - there are a lot of necessary complexities involved, mostly to ensure the security, integrity and provability of the claims being asserted.
You do NOT want to get this stuff wrong - look at what happened at Target, Home Depot, Sony and others of late!
I strongly encourage you to read and re-read Michele Leroux Bustamante's "Building A Custom Security Token Service" article until you thoroughly understand the role of an STS and the various complexities involved in doing so.
Note that in order to build a secure STS you'll need to support SAML, WS-Security, WS-Trust, WS-Federation and use SSL for secure transport of tokens and data. You'll need to carefully implement the various stages of the communication protocol necessary to permit the federation of identity information.
Once you've deeply grokked the subject matter, you'll have a much better understanding of why it's likely a good idea to build an STS as a façade service that sits alongside/in-front-of your existing Identity service - rather than "pollute" your existing service with the considerable complexities involved in building an STS.
If this all seems like a heck of a lot of work, it is (and it should be - security is really, REALLY hard!).
I would strongly recommend you consider using Thinktecture's Identity Server instead of building your own. The awesome Dominick Baier & team have done an awesome job of building a robust, well engineered, open-source Identity Server that supports WS-Fed as well as OpenID, OAUTH, etc.
Related
I'm trying to implement SSO with SAML 2.0 in a dynamic web app whose frontend and backend-for-frontend are outsourced and hence not maintained by my company. At the same time, this dashboard is to be used by external organizations so federation with SAML 2.0 is a requirement.
I've been reading a lot on SAML integrations but the vast majority of them involve making changes in the Service Provider itself (in other words, the web app) but, as I mentioned earlier, doing this would require making many changes in the outsourced codebase which – for business reasons – is a no go.
To avoid this, I would like to have an authentication service to handle as much SAML logic as possible. This way, we would be able to easily scale on the amount of identity providers and even SSO protocols in the future while minimizing the modifications on the frontends.
Find sketched sequence diagram here
After sketching the sequence diagram up, I realized I don't quite understand a few things yet:
Is the Service Provider receiving meaningful cookies once the Identity Provider successfully authenticates the user? If so, would it be wise to use them from the Service Provider and the Authentication Service to determine whether the user is authenticated or not?
If not, then the only possible way for a Service Provider to know whether a federated session is already established or not is to ask the Identity Provider every time, on each request it receives to a protected resource, right? Wouldn't this delay each request's response time too much?
Thank you!
I'm struggling with these concepts and having trouble finding good resources on the web.
We are looking for ways to switch out custom implementations tightly integrated into our application for standards based authentication and authorization.
Our scenario is as follows:
A simple web site (may be an app in the nearby future)
A user must log in or otherwise gain access (i.e. there's no "guest" content or other things you can do as a guest)
The site uses its own web services (REST and/or SOAP) on the backend, but it might use 3rd party web services or exposes its own services as 3rd party services for other applications
Authentication may very well be done by an external provider: Users carry a smartcard and we'd like to have one simple identity provider which reads the smartcard information and sends it back to my simple web site (so I know who the user is and what his role is for instance)
Other sites might use other methods of authentication (simple username/password for instance), so we might need a configurable Service Provider??
I'm currently looking at OAuth (2) to implement for authorizing use of our REST Services (is it also useful for SOAP?) to our web site, perhaps with a simple "Client Credentials Grant" type.
But for authentication, I'm still none the wiser. There is OpenID, but is it easy enough to build your own OpenID Identity Provider? There is Shibboleth, but it seems to have a steep learning curve for doing custom stuff. And I've looked at just building something from scratch based on the SAML Authentication Request Protocol with an HTTP Post binding. Are there any other options?
Please keep in mind that we want to be flexible with our authentication. For a certain site, we might want to do the smartcard thing, but for another maybe simple username/password login with LDAP.
If it's helpful still, I personally thought about doing it myself, then discovered a bunch of third parties. I compared (5/18/2015):
Auth0
AuthRocket
UserApp
DailyCred
Conclusion for me was Auth0, because while all the features are very similar, it felt the most legitimate, as in it's not a start-up that might disappear in a few months. Now, the reason that was super important for me was because login is a foundational requirement, so I need to believe as a customer that the Authentication as a Service will be up for as long as I will be.
Here's the full comparison story:
https://medium.com/#bsemaj/authentication-as-a-service-comparison-5-quick-lessons-for-b2b-businesses-e7587275824c
I'm working on a WCF project that will be our new service layer.
These services will be called by 2 separate clients, the first of which is a WPF application and the other is an ASP.Net web application. The WPF client will be run by internal users and will authenticate with the service via domain authentication and run under the context of that user. The other will be used by external users and needs to authenticate using some separate mechanism then impersonate a "WebUser" account on our domain.
I'm reading a bit about Windows Identity Foundation and it sounds like this might be a good fit. Am I right in thinking I could have 2 token services, one for domain authentication and one for something like ASP.Net membership authentication (Or some similar equivalent) and have each client get it's token from the relevant STS and pass that along to the WCF service?
I'm assuming there is an STS I can use out of the box for domain authentication, but will I have to implement the second one myself to authenticate web users? I can't find a lot of information on this.
Am I thinking along the right lines or should I just be creating duel endpoints for each service each with a different authentication mechanism? Or should I be doing something completely different?
Thanks
The big advantage of using Claims-Based authentication / WIF is that both the task of authenticating the user AND the administration of the user's properties are moved way from the applications to the STS/Identity provider.
You are developing a service layer but the true benefits of using WIF will be for the applications written on top of your layer. The WPF application will no longer need to connect to the AD and fetch the user's groups to figure out what they are allowed to do. The groups will already be visible as claims in the token the user/WIF provides.
The web application (is it just one web application or more?) will no longer need the ASP.Net Membership database with accompanying user administration. This functionality gets moved to the STS.
There is a cost. (There always is, somehow...) Claims-Based authentication has a rather steep learning curve. It takes a while for the quarter to drop for all people involved.
So the answer to your question depends on what kind of users the web application(s?) built upon your service layer have and how many. And how much they wish to know about them. Can you perhaps trust Google / Facebook / Windows Live for authentication? Are the users already in an existing database within your domain? How much work will it take to maintain the user directories? Do your marketing people wish to send them emails regularly? Et cetera.
This is probably not just for the service layer's developers to decide, but something to discuss with people in the rest of your organisation.
If the benefits are not particularly big, the alternative is to simply keep these responsibilities at the web application's server. Each web application will have a good old ASP.Net membership database, it'll authenticate the user all by itself. When asking queries from the service layer, it'll present its web server certificate plus specify the user's name and type.
If the benefits are big enough, you can in principle use ADFS 2.0 for everything. It can also store external users nowadays and it's free if you already have Active Directory. Or the ThinkTecture 2.0 server that Ross recommends. It's easier to customize and perhaps your systems administrators and security folks will not be too enthusiastic about opening the firewall to the ADFS server.
Microsoft has some good reads on WIF, in particular an Overview of Claims-Based Architecture.
You should take a look at identity server as it can indeed handle this scenario.
The person who leads the project above has a great pluralsight video on this exact scenario! You need to sign up to watch it, but they offer a free trial.
Basically you get a token from the identity provider (windows ADFS for the internal client, and what ever you decide for the external users). You will give this token to the federated gateway (identity server probably, but it could be Azure ACS). This will return an authentication token that you can then use with your service.
I have a need to implement a STS-IP server for our web applications and services. The server will need to issue SAML tokens for the following scenarios:
Business partner submits their SAML token which is converted to a SAML token with the claims required for our applications. This token is used to access our Web Applications and Services.
Our public facing applications need to have a user sign in (via forms authentication) and then access our web applications and services with a SAML token.
Our clients (without a STS trust) needs to authenticate with our STS-IP server, get a SAML token, and use that token to access our WCF services.
In all 3 scenarios, we need to have custom claims on the SAML token that our applications and services use. The thought is once we identify the user, we would look up their authorization in our back-end systems and attach claims.
In these scenarios, you can assume the back-end authentication store is a custom implementation with authentication stored in Active Directory and authorization stored in a database.
So my thought has been, we need to create a custom STS-IP server using something like Windows Identity Framework. But I have also been reading that you should not do this because it can take some time.
Can I use an off-the-shelf STS-IP server? Everything I've seen is a mapping between one system to another (SAML to SAML or AD to SAML).
Why will it "take a long time" to build a production ready STS-IP ? I built one using WIF very easily, but I guess I don't understand the risks in doing this.
In terms of "It will take a long time", the documentation showing how to do this is very poor. See here: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/257d93be-165e-45a6-a277-fc7ed2286e7d/
Anyhow, you'll simply need to look over the code samples that Microsoft provides: Google for Identity Developer Training Kit. That should help you get started.
Why are you not considering using ADFS? If the backing store for authentication is AD, then ADFS is probably a good candidate to evaluate.
Before writing you own STS, you may want to check out this blog and closely review the features that you may need in the STS. Just because you can build one yourself, doesn't always mean you should.
extending adfs to multiple identity and attribute stores
They "why not" is relatively simple: Why take weeks to build something that will probably only handle a single use-case when you can put in off-the-shelf STS in a day that will cover all sorts of things your company may come up with? Building it yourself will also require you to become an expert in SAML (which is probably not the best us of your company's time).
Check out --
http://www.pingidentity.com/our-solutions/pingfederate.cfm
Good luck -- Ian
Agree with #eugenio - why not use ADFS?
ADFS can only authenticate against AD as discussed but it can derive authorisation attributes from AD / LDAP / SQL server
The nuts and bolts for an STS are available in VS 2010 plus the identity tool kits. A simple STS can be quickly prototyped.
There are some examples available. StarterSTS is already mentioned plus SelfSTS.
The hard part is getting the security right especially if this will be part of a production system. As per "Steve on Security" Build your own Directory Federation Service:
It may sound like I think it’ll be a
synch to develop this system and have
it work securely, but in reality there
is a lot that will need to go into it
to protect the network, the employees,
and the data this could possibly
interact with. It is tough to develop
applications securely. It is far
harder to develop secure applications
whose sole responsibility is security
related.
That's the reason that all the samples on the Internet have disclaimers in bold:
Do not use in a Production environment
WCF has a rich security model, I hope everyone can agree upon that as a given. I recently came across a situation where our client applications (WCF based applications that leverage the user's credentials within the domain) needed to communicate with services we had to deploy to a data center outside of our domain and control. Consequently, this broke our single sign-on model and I'd like know if any of you have had any success extending the security model to services beyond the domain.
Our identity model relies on the IIdentity and IPrincipal classes (not the WindowsIdentity/WindowsPrincipal) so using an alternative identity implementation is fine. As my question implies, I don't have an answer and I'm hoping you do. The one solution I have toyed around with requires the client to authenticate in our domain in the same fashion that they do now. As part of the authentication, they'd be provided with a X.509 certificate signed by our CA (which would be trusted by the data center). Certificates would be housed in a certificate store (I believe there is one that is bundled with .NET, but I'm unclear about it's ability to be leveraged in an environment where users move occasionally) and created/provided to the user when requested.
I'd appreciate any feedback and/or ideas.
Edit:
We have services that still reside within our data center in addition to the remote data center. I'd like to provide a solution that requires only a single signon (and fwiw, our users must enter their user name and password each and every time they launch this application).
If you have more or less point-to-point requests between few participants, like in a B2B environment, then certificates are definitely the way to go. Everything works automagically - once you've set it all up correctly, of course! :-)
Basically, your service will have a certificate to authenticate itself, and the client will also have a certificate which will be sent to the service and authenticates the clients against the service. On the server side, you'll be able to tap into the ServiceSecurityContext.Current.PrimaryIdentity to get access to the IIdentity of the caller.
For more information, see these resources:
Fundamentals of WCF Security - excellent intro
p&p WCF security scenarios
p&p WCF Security Guidance - very extensive, very complete
WCF Security - Barebones - Scenarios - excellent blog post series on scenario-driven WCF security
Declarative WCF Security - Juwal Lowy's fundamental article about declarative WCF Security
Hope this helps a bit!
Marc