5.3 - claims-based auth and federated security
Intro
Federated security allows your application to rely on another application (an identity provider) to authenticate its users instead of managing credentials itself. Federated security is an example of claims-based authentication.
identity provider: the party that authenticates the user and issues the token, e.g. Facebook or Windows Azure
Token: contains a set of claims.
Claims are bits of information the identity provider is willing to share with other applications, such as name, phone number, or email address. The more claims your application receives, the more information you know about the user.
5.3.1 - Federated Auth via ACS
Access Control Service (ACS, or Windows Azure Active Directory Access Control) is a third-party, cloud-based tool that provides support for the authentication and authorization of users.
Relevant ASP.NET API (namespace Microsoft.Web.WebPages.OAuth):
- OAuthWebSecurity.VerifyAuthentication: completes the round trip to the identity provider and returns the result (success flag, provider name, provider user id, extra claims)
- OAuthWebSecurity.Login: signs the user into the local application using the provider name and provider user id
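The two calls above belong to the external-login flow of the ASP.NET MVC 4 template. The following is an added example (not code from the original notes) showing how they fit together: request authentication from the provider, verify the callback, sign in on the stable provider user id, and only follow local return URLs. The controller and action names, the RegisterExternalLoginModel class and the placeholder Facebook credentials are assumptions for illustration.

```csharp
// Added example (not from the original notes): external login with the
// Microsoft.Web.WebPages.OAuth API as wired up in the ASP.NET MVC 4 template.
// Assumed names: AccountController, ExternalLogin, ExternalLoginCallback,
// ExternalLoginFailure, ExternalLoginConfirmation, RegisterExternalLoginModel,
// and the placeholder Facebook app credentials.
using System.Web.Mvc;
using DotNetOpenAuth.AspNet;           // AuthenticationResult
using Microsoft.Web.WebPages.OAuth;    // OAuthWebSecurity

public static class AuthConfig
{
    // Called once at startup (Application_Start): registers Facebook as an identity provider.
    public static void RegisterAuth()
    {
        OAuthWebSecurity.RegisterFacebookClient(
            appId: "YOUR_FACEBOOK_APP_ID",           // placeholder
            appSecret: "YOUR_FACEBOOK_APP_SECRET");  // placeholder: keep it out of source control
    }
}

public class RegisterExternalLoginModel
{
    public string UserName { get; set; }
    public string ExternalLoginData { get; set; }
}

public class AccountController : Controller
{
    // Step 1: the user picks a provider; the browser is handed to that provider.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        return new ExternalLoginResult(provider,
            Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
    }

    // Step 2: the provider redirects back here. VerifyAuthentication finishes the
    // exchange and returns the claims the provider is willing to share.
    [AllowAnonymous]
    public ActionResult ExternalLoginCallback(string returnUrl)
    {
        AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(
            Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));

        if (!result.IsSuccessful)
        {
            return RedirectToAction("ExternalLoginFailure");
        }

        // Key the local account on (Provider, ProviderUserId): the id is the stable,
        // provider-scoped identifier. Names and e-mail addresses in result.ExtraData
        // are claims for display, not for matching accounts.
        if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
        {
            return RedirectToLocal(returnUrl);
        }

        // No local account is linked yet: carry the provider identity to the
        // confirmation step in protected (serialized) form, not as raw query values.
        return View("ExternalLoginConfirmation", new RegisterExternalLoginModel
        {
            UserName = result.UserName,
            ExternalLoginData = OAuthWebSecurity.SerializeProviderUserId(result.Provider, result.ProviderUserId)
        });
    }

    [AllowAnonymous]
    public ActionResult ExternalLoginFailure()
    {
        return View();
    }

    // Only follow return URLs inside this site; an attacker-supplied absolute URL
    // would otherwise turn the login callback into an open redirect.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // RequestAuthentication writes the redirect to the provider itself; wrapping it
    // in an ActionResult lets MVC complete the request normally afterwards.
    private class ExternalLoginResult : ActionResult
    {
        private readonly string provider;
        private readonly string returnUrl;

        public ExternalLoginResult(string provider, string returnUrl)
        {
            this.provider = provider;
            this.returnUrl = returnUrl;
        }

        public override void ExecuteResult(ControllerContext context)
        {
            OAuthWebSecurity.RequestAuthentication(provider, returnUrl);
        }
    }
}
```

The anti-forgery token on ExternalLogin and the Url.IsLocalUrl check are the two pieces most often dropped when this flow is copied; without them the provider selection can be forced by a cross-site form and the callback can redirect anywhere.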
5.3.2 - WIF (Windows Identity Foundation) is a framework for building identity-aware applications. It is part of the .NET Framework (integrated since .NET 4.5 as System.IdentityModel).
1) IIdentity and IPrincipal
WIF adds claims to the principal: ClaimsIdentity implements IIdentity and ClaimsPrincipal implements IPrincipal, so existing code that checks User.Identity keeps working while claims-aware code can enumerate the claims.
2) Example: custom security token
Custom security token in WIF (XML-based):
- Model: class MyCustomToken : SecurityToken { ... }
- Derive a token handler from SecurityTokenHandler
- Register the securityTokenHandler in web.config
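The three steps above, carried through as an added example (not code from the original notes): a SecurityToken subclass, a SecurityTokenHandler that reads the token from XML, checks an HMAC before trusting any attribute and then checks the validity window, and the web.config registration. The token element name, namespace, class names and the demo key are assumptions for illustration; a real handler would load its key from configuration or a key store.

```csharp
// Added example (not from the original notes): a minimal custom token plus its
// handler for WIF (System.IdentityModel, .NET Framework 4.5).
// Assumed: MyCustomToken, MyCustomTokenHandler, the "myToken" XML element and
// its namespace, and the hard-coded demo HMAC key.
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

public class MyCustomToken : SecurityToken
{
    private readonly string id;
    private readonly DateTime validFrom;
    private readonly DateTime validTo;

    public MyCustomToken(string id, DateTime validFrom, DateTime validTo, IList<Claim> claims)
    {
        this.id = id;
        this.validFrom = validFrom;
        this.validTo = validTo;
        Claims = claims;
    }

    public IList<Claim> Claims { get; private set; }
    public override string Id { get { return id; } }
    public override DateTime ValidFrom { get { return validFrom; } }
    public override DateTime ValidTo { get { return validTo; } }

    // The token carries no key material; the handler holds the verification key.
    public override ReadOnlyCollection<SecurityKey> SecurityKeys
    {
        get { return new ReadOnlyCollection<SecurityKey>(new List<SecurityKey>()); }
    }
}

public class MyCustomTokenHandler : SecurityTokenHandler
{
    private const string TokenNamespace = "urn:example:myToken";   // assumed identifier
    // Demo key only (assumption): load from configuration or a key store in practice.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-32-byte-secret!!");

    public override string[] GetTokenTypeIdentifiers() { return new[] { TokenNamespace }; }
    public override Type TokenType { get { return typeof(MyCustomToken); } }
    public override bool CanValidateToken { get { return true; } }

    public override bool CanReadToken(XmlReader reader)
    {
        return reader.IsStartElement("myToken", TokenNamespace);
    }

    // Expected shape (assumed format):
    // <myToken xmlns="urn:example:myToken" id="..." nbf="..." exp="..." sig="base64-hmac">
    //   <claim type="..." value="..."/>
    // </myToken>
    public override SecurityToken ReadToken(XmlReader reader)
    {
        var doc = new XmlDocument();
        doc.Load(reader.ReadSubtree());
        XmlElement root = doc.DocumentElement;

        string id = root.GetAttribute("id");
        string nbf = root.GetAttribute("nbf");
        string exp = root.GetAttribute("exp");
        var claims = new List<Claim>();
        // Canonical string covered by the HMAC: id, validity window and every claim.
        var canonical = new StringBuilder().Append(id).Append('|').Append(nbf).Append('|').Append(exp);
        foreach (XmlElement c in root.GetElementsByTagName("claim"))
        {
            claims.Add(new Claim(c.GetAttribute("type"), c.GetAttribute("value")));
            canonical.Append('|').Append(c.GetAttribute("type")).Append('=').Append(c.GetAttribute("value"));
        }

        // Verify the signature before anything in the token is trusted.
        byte[] expected;
        using (var h = new HMACSHA256(Key)) expected = h.ComputeHash(Encoding.UTF8.GetBytes(canonical.ToString()));
        byte[] presented = Convert.FromBase64String(root.GetAttribute("sig"));
        if (!FixedTimeEquals(expected, presented))
            throw new SecurityTokenValidationException("Invalid token signature.");

        return new MyCustomToken(id,
            XmlConvert.ToDateTime(nbf, XmlDateTimeSerializationMode.Utc),
            XmlConvert.ToDateTime(exp, XmlDateTimeSerializationMode.Utc), claims);
    }

    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        var t = token as MyCustomToken;
        if (t == null) throw new ArgumentException("Unexpected token type", "token");
        DateTime now = DateTime.UtcNow;
        if (now < t.ValidFrom || now > t.ValidTo)
            throw new SecurityTokenExpiredException("Token is outside its validity window.");
        // This is where the custom token becomes a WIF ClaimsIdentity on the principal.
        var identity = new ClaimsIdentity(t.Claims, "MyCustomToken");
        return new ReadOnlyCollection<ClaimsIdentity>(new[] { identity });
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// web.config registration (assumed assembly name MyApp):
// <system.identityModel>
//   <identityConfiguration>
//     <securityTokenHandlers>
//       <add type="MyCustomTokenHandler, MyApp" />
//     </securityTokenHandlers>
//   </identityConfiguration>
// </system.identityModel>
```

Ordering matters: ReadToken rejects an unsigned or tampered element before the validity window or any claim is looked at, so a malformed token never reaches ValidateToken with attacker-chosen dates or claims.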
3) Theory: WIF abstracts protocols
WS-Trust protocol: WS-Trust is a WS-* specification and OASIS standard that provides extensions to WS-Security (it defines how security tokens are requested, issued and validated).
WS-Federation protocol: WS-Federation is an extension to WS-Trust (it adds federation between identity providers and relying parties, including the browser-based passive profile WIF uses for web applications).
4) SAML and SWT tokens
SAML (Security Assertion Markup Language) is an XML-based protocol that uses security tokens.
SAML tokens are signed with asymmetric keys (X.509 certificates):
- supports key rollover
- supports key revocation
- client access verification: the relying party verifies the issuer's signature with the issuer's public certificate and never holds the private signing key
A Simple Web Token (SWT) is a simpler, form-encoded token signed with a symmetric key (HMAC-SHA256). A JWT likewise represents claims to be transferred between two parties.
SWT does not support key revocation, because with a symmetric key every party that can verify a token holds the same key that signs it; a verifier can mint tokens indistinguishable from the issuer's, and the only remedy is to rotate the shared secret everywhere.
To configure, use the web.config securityTokenHandlerConfiguration element or configure from code.
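To make the symmetric-key caveat concrete, here is an added example (not code from the original notes) that mints and verifies an SWT, then shows the relying party forging a token with the same shared key. The issuer and audience strings and the demo key are constructed for illustration.

```csharp
// Added example (not from the original notes): mint and verify a Simple Web
// Token (SWT), then demonstrate why a shared symmetric key cannot be revoked
// per verifier. Assumed: the issuer/audience URNs and the demo key.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class Swt
{
    private const string SignaturePair = "&HMACSHA256=";
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // SWT is form-encoded name=value pairs; the HMAC-SHA256 over everything before
    // "&HMACSHA256=" is appended as the final pair.
    public static string Create(IDictionary<string, string> claims, string issuer,
                                string audience, DateTime expiresUtc, byte[] key)
    {
        var sb = new StringBuilder();
        foreach (var kv in claims) AppendPair(sb, kv.Key, kv.Value);
        AppendPair(sb, "Issuer", issuer);
        AppendPair(sb, "Audience", audience);
        AppendPair(sb, "ExpiresOn", ((long)(expiresUtc - Epoch).TotalSeconds).ToString());
        string unsigned = sb.ToString();
        string sig = Convert.ToBase64String(Hmac(key, unsigned));
        return unsigned + SignaturePair + Uri.EscapeDataString(sig);
    }

    // Returns the claims if signature, audience and expiry all check out; throws otherwise.
    public static IDictionary<string, string> Verify(string token, string expectedAudience,
                                                     byte[] key, DateTime nowUtc)
    {
        int idx = token.LastIndexOf(SignaturePair, StringComparison.Ordinal);
        if (idx < 0) throw new InvalidOperationException("SWT has no HMACSHA256 pair");
        string unsigned = token.Substring(0, idx);
        byte[] presented = Convert.FromBase64String(
            Uri.UnescapeDataString(token.Substring(idx + SignaturePair.Length)));

        // Signature first, in constant time, before any field is trusted.
        if (!FixedTimeEquals(Hmac(key, unsigned), presented))
            throw new InvalidOperationException("SWT signature mismatch");

        var claims = new Dictionary<string, string>();
        foreach (string pair in unsigned.Split('&'))
        {
            string[] parts = pair.Split(new[] { '=' }, 2);
            claims[Uri.UnescapeDataString(parts[0])] =
                parts.Length == 2 ? Uri.UnescapeDataString(parts[1]) : "";
        }
        if (!claims.ContainsKey("Audience") || claims["Audience"] != expectedAudience)
            throw new InvalidOperationException("SWT audience mismatch");
        if (!claims.ContainsKey("ExpiresOn") ||
            long.Parse(claims["ExpiresOn"]) <= (long)(nowUtc - Epoch).TotalSeconds)
            throw new InvalidOperationException("SWT expired");
        return claims;
    }

    private static void AppendPair(StringBuilder sb, string name, string value)
    {
        if (sb.Length > 0) sb.Append('&');
        sb.Append(Uri.EscapeDataString(name)).Append('=').Append(Uri.EscapeDataString(value));
    }

    private static byte[] Hmac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] sharedKey = Encoding.UTF8.GetBytes("demo-only-shared-secret-32-bytes!"); // constructed
        DateTime now = DateTime.UtcNow;

        // The issuer mints a token for the relying party "urn:example:rp".
        string token = Create(new Dictionary<string, string> { { "name", "alice" } },
                              "urn:example:issuer", "urn:example:rp", now.AddMinutes(10), sharedKey);
        Console.WriteLine("issued token verifies, name = " + Verify(token, "urn:example:rp", sharedKey, now)["name"]);

        // The relying party holds the same key, so it can mint a token that is
        // indistinguishable from the issuer's. Nothing short of rotating the shared
        // secret at every party can "revoke" this: that is the missing revocation.
        string forged = Create(new Dictionary<string, string> { { "name", "mallory" } },
                               "urn:example:issuer", "urn:example:rp", now.AddMinutes(10), sharedKey);
        Console.WriteLine("forged token also verifies, name = " + Verify(forged, "urn:example:rp", sharedKey, now)["name"]);
    }
}
```

Contrast with the SAML case above: a relying party that only holds the issuer's public certificate can verify but cannot forge, and the issuer can revoke or roll that certificate without redistributing a secret.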