Essential aspects of developing applications with Windows Identity Foundation (Aspectos essenciais no desenvolvimento de aplicações com o Windows Identity Foundation)
Transcript of the slide deck.
ARC303
Pedro Fé[email protected]
• Motivation
• The claims based model
• Windows Identity Foundation
• Identity and claims representation
• Consumption pipeline
• ASP.NET and WCF integration
• Issuance pipeline
Motivation
CloudTrack: create/view issues, view/manage issues
Identity and Authorization
(Diagram: creds; Contoso::Alice, webapp::IssueView; Contoso::LeadDev, webapp::IssueMgr)
Centralized Solution
(Diagram: webapp (IssueTracker); creds; Contoso::Alice, webapp::IssueView; Contoso::LeadDev, webapp::IssueMgr; MembershipProvider; RoleProvider, IPrincipal.IsInRole(...))
Decentralized Authority
(Diagram: webapp (IssueTracker); Contoso Authority; creds; Contoso::Alice, webapp::IssueView; Contoso::LeadDev, webapp::IssueMgr)
The Claims Model
(Diagram: Contoso, webapp; creds; Contoso::Alice, webapp::IssueView; Contoso::LeadDev, Alice, webapp::IssueMgr; the Identity Provider (Issuer) issues a Security Token carrying Claims; the Identity Consumer (Relying Party) accepts it)
The Claims Model: Consumer/Provider
(Diagram: Subject, Provider, Consumer; Identity {Claims}; the Provider issues Security Tokens about the Subject; the Consumer uses them)
Demo
(Diagram: Demo.RP, ADFS, Demo.MIP; username+password; Membership Provider, Role Provider; ASP.NET; WIF; Identity Consumer, Identity Transformer, Identity Provider)
Not only for Federation
(Diagram: webapp 1, webapp 2, AD; smart card or username+password; Windows authn)
Not only for Federation
(Diagram: external app/service, Partner, IdP, AD, webapp 1, webapp 2; Windows authn; smart card or username+password)
Protocols
• Web applications: passive protocol (WS-Federation)
• Services: active protocol (WS-Trust)
(Diagram: Browser, IdP, webapp, token (tk); Active client, IdP, service, token (tk); WIF at each endpoint)
SAML Tokens
• Security Assertion Markup Language
• Signed by provider (issuer)
• (Optionally) encrypted to consumer
• Subject confirmation
  • Bearer (passive protocols)
  • Holder-of-Key (active protocols)
• Audience restrictions (avoid reuse)
• Statements (claims)
  • Authentication, authorization and attributes
• Certificate configuration
Federation Metadata
• Purpose: automatic configuration
• Published by both consumers and providers
• Signed XML documents containing
  • Endpoint addresses
  • Claims and token types required and offered
  • Certificates
  • …
Windows Identity Foundation
• Contents
  • .NET class library (Microsoft.IdentityModel.dll)
  • Visual Studio add-ins
• Purpose
  • Identity consumers
  • Identity providers
  • Client helpers: client channels for WCF
• Unified model for both ASP.NET and WCF
WIF Essentials
• Class model for identity representation
• Claims consumption pipeline
  • Token validation
  • Identity transformation
  • Authorization decisions
• Claims issuance pipeline
Claims Class Model
(Diagram only)
WIF Consumer Pipeline
(Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer)
WIF Consumer Pipeline
(Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, which uses the Token Resolver to turn token references into tokens → Claims Identities)
WIF Consumer Pipeline
(Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver → Claims Identities)
Token handlers are configured in web.config:

```xml
<microsoft.identityModel>
  <service>
    <securityTokenHandlers>
      <remove type="…" />
      <add type="…" />
    </securityTokenHandlers>
  </service>
</microsoft.identityModel>
```
WIF Consumer Pipeline
(Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver (token reference → token) and Issuer Name Registry (token → issuer name) → Claims Identities)
WIF Consumer Pipeline
(Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver and Issuer Name Registry → Claims Identities)
The issuer name registry maps the token's signing certificate to an issuer name:

```xml
<issuerNameRegistry type="…ConfigurationBasedIssuerNameRegistry…">
  <trustedIssuers>
    <add name="gaviao" thumbprint="a1…74" />
    <add name="gaviao.adfs" thumbprint="72…8e" />
  </trustedIssuers>
</issuerNameRegistry>
```
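The issuer name registry is the point in the pipeline where trust in an issuer is decided: the token handler only produces claims when the registry returns a non-empty name for the signing key. The following is an added example, not code from the deck, of a custom IssuerNameRegistry that pins issuers by signing-certificate thumbprint and treats everything else as untrusted. The class name PinnedIssuerNameRegistry and the thumbprint values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens;

// Added example (not from the deck): an IssuerNameRegistry that only maps
// known signing-certificate thumbprints to issuer names. The class name and
// the thumbprint values are placeholders.
public class PinnedIssuerNameRegistry : IssuerNameRegistry
{
    // Signing-certificate thumbprint -> issuer name (hex thumbprints, compared
    // case-insensitively). Placeholder values: replace with the real ones.
    private readonly Dictionary<string, string> trustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000000", "gaviao" },
            { "1111111111111111111111111111111111111111", "gaviao.adfs" },
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        // Only tokens signed with an X.509 certificate can be mapped; anything
        // else (for example a symmetric key that was never configured) is not trusted.
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            return null;
        }

        string issuerName;
        if (trustedIssuers.TryGetValue(x509Token.Certificate.Thumbprint, out issuerName))
        {
            return issuerName;
        }

        // Returning null tells the token handler that the issuer is unknown;
        // the handler then rejects the token instead of producing claims.
        return null;
    }
}
```

The registry replaces the configuration-based one through the same element shown above, with the type attribute pointing at this class (assumed assembly name): `<issuerNameRegistry type="Demo.RP.PinnedIssuerNameRegistry, Demo.RP" />`. A registry that returned a name for every certificate would accept tokens from any issuer, so the "unknown means null" branch is the part that matters.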
WIF Consumer Pipeline
(Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver and Issuer Name Registry → Claims Identities → Claims Authentication Manager → ClaimsPrincipal)
The claims authentication manager transforms the incoming principal (here, a role issued by the provider is mapped to an application role):

```csharp
public override IClaimsPrincipal Authenticate(
    string endpointUri, IClaimsPrincipal incomingPrincipal)
{
    if (incomingPrincipal.Identities[0].Claims.Any(c =>
            c.ClaimType.Equals(ClaimTypes.Role) &&
            c.Value.Equals("LeadDeveloper@http://gaviao/demo.mip/issue.aspx")))
    {
        incomingPrincipal.Identities[0].Claims.Add(
            new Claim(ClaimTypes.Role, "IssueMgr"));
    }
    return incomingPrincipal;
}
```
WIF Consumer Pipeline
(Diagram: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver and Issuer Name Registry → Claims Identities → Claims Authentication Manager → ClaimsPrincipal → Claims Authorization Manager (AuthorizationContext → boolean))
The claims authorization manager decides access from the principal, the resource and the action:

```csharp
public override bool CheckAccess(AuthorizationContext context)
{
    var resource = new Uri(context.Resource.First().Value);
    if (resource.AbsolutePath.Equals("/demo.rp/issues.aspx"))
    {
        return context.Principal.Identities[0].Claims.Any(c =>
            c.ClaimType.Equals(ClaimTypes.Role) && c.Value.Equals("IssueMgr"));
    }
    return true;
}
```

It can also be invoked explicitly through a permission demand:

```csharp
[ClaimsPrincipalPermission(SecurityAction.Demand,
    Operation = "Get", Resource = "ViewIssues")]
private void ViewIssues()
{
    …
}
```
WIF Consumer Pipeline
(Diagram, complete: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver and Issuer Name Registry → Claims Identities → Claims Authentication Manager → ClaimsPrincipal → Claims Authorization Manager → boolean)
WIF Consumer Pipeline (ASP.NET)
(Diagram: ASP.NET → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver and Issuer Name Registry → Claims Identities → Claims Authentication Manager → ClaimsPrincipal → Claims Authorization Manager → boolean)
The host adaptation layer for ASP.NET consists of HTTP modules:
• ClaimsAuthorizationModule
• ClaimsPrincipalHttpModule
• WSFederationPassiveAuthenticationModule
• SessionAuthenticationModule

```xml
<federatedAuthentication>
  <cookieHandler requireSsl="true" />
  <wsFederation issuer="https://gaviao/adfs/ls/"
                realm="http://gaviao/Demo.RP/default.aspx"
                requireHttps="true" />
</federatedAuthentication>
```
ASP.NET Integration
• Using a legacy authentication mechanism, e.g. Forms authentication
(Diagram: pipeline events AuthenticateRequest, PostAuthenticateRequest, AuthorizeRequest, EndRequest; modules: any AuthenticationModule, ClaimsPrincipalHttpModule, ClaimsAuthorizationModule, SessionAuthenticationModule)
ASP.NET Integration
• Using federated authentication (WS-Federation)
(Diagram: pipeline events AuthenticateRequest, PostAuthenticateRequest, AuthorizeRequest, EndRequest; modules: WSFedAuthenticationModule, ClaimsAuthorizationModule, SessionAuthenticationModule)
WS-Federation Authn Module (FAM)
(Sequence diagram between the browser, the RP (FAM Authenticate, Authorize, EndRequest; Security Token Handler) and the IdP: HTTP request; HTTP redirect with fed. request message; HTTP request with fed. request message; HTTP redirect with fed. response message; HTTP request with fed. response message)
Module Pipeline Events
• WSFederationAuthenticationModule
  • OnAuthorizationFailed
  • RedirectingToIdentityProvider
  • SecurityTokenReceived
  • SecurityTokenValidated
  • …
• SessionAuthenticationModule
  • SessionSecurityTokenCreated
  • SessionSecurityTokenReceived
  • …
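The events above are the extensibility points of the ASP.NET host adaptation layer. The following is an added example, not code from the deck, of a Global.asax that hooks three of them. ASP.NET wires a Global.asax method named `<moduleName>_<eventName>` to the event of the module registered under that name; the registration names WSFederationAuthenticationModule and SessionAuthenticationModule are assumed here, as is the `SessionSecurityToken(IClaimsPrincipal, TimeSpan)` constructor. The reply address reuses the realm from the deck's configuration.

```csharp
using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

// Added example (not from the deck). Assumes the modules are registered in
// web.config under the names WSFederationAuthenticationModule and
// SessionAuthenticationModule, which is what the method names below bind to.
public class Global : HttpApplication
{
    // Raised by the FAM just before it redirects an unauthenticated user to the IdP.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Pin the reply address to a page under the configured realm, so the
        // sign-in response can only come back to this application.
        e.SignInRequestMessage.Reply = "http://gaviao/Demo.RP/default.aspx";
    }

    // Raised after the token handler has checked signature, issuer and audience,
    // but before the principal is turned into a session.
    void WSFederationAuthenticationModule_SecurityTokenValidated(
        object sender, SecurityTokenValidatedEventArgs e)
    {
        var identity = e.ClaimsPrincipal.Identities[0];
        bool hasName = identity.Claims.Any(c => c.ClaimType == ClaimTypes.Name);

        // A token without a name claim cannot be attributed to a user; cancelling
        // here stops the sign-in before any session cookie is written.
        if (!hasName)
        {
            e.Cancel = true;
        }
    }

    // Raised by the SAM when the session token is built from the validated principal.
    void SessionAuthenticationModule_SessionSecurityTokenCreated(
        object sender, SessionSecurityTokenCreatedEventArgs e)
    {
        // Cap the session lifetime independently of the lifetime the IdP put in
        // the SAML token (constructor assumed, see lead-in).
        e.SessionToken = new SessionSecurityToken(
            e.SessionToken.ClaimsPrincipal, TimeSpan.FromHours(1));
    }
}
```

SecurityTokenValidated is the last point at which the application can veto a sign-in on its own rules before the principal becomes a session; the session cookie is what every later request is authenticated from, which is why its lifetime is set here rather than left to the issuer.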
Controls
• FederatedPassiveSignIn
• FederatedPassiveSignInStatus
WCF Integration
• WCF already supported federation and claims
  • System.IdentityModel.dll
  • e.g. WS2007FederationHttpBinding binding, Claims class
• WIF
  • Builds upon this previous support
  • Changes the token processing model
  • WCF and ASP.NET uniform model
  • Adds client-side features (e.g. explicit token requests)
WCF Integration
• FederatedServiceCredentials
  • Derives from ServiceCredentials
  • Static method ConfigureServiceHost(ServiceHostBase) "installs" WIF (the Host Adaptation Layer)
  • Overrides WCF behavior, namely
    • Configuration (e.g. username validation)
    • Authorization policies
    • Authentication manager

```xml
<extensions>
  <behaviorExtensions>
    <add name="federatedServiceHostConfiguration"
         type="…ConfigureServiceHostBehaviorExtensionElement, …" />
  </behaviorExtensions>
</extensions>

<behavior name="Demo.RP.statusBehavior">
  <federatedServiceHostConfiguration />
</behavior>
```
WIF Consumer Pipeline (WCF)
(Diagram: WCF → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver and Issuer Name Registry → Claims Identities → Claims Authentication Manager → ClaimsPrincipal → Claims Authorization Manager → boolean; the WCF adaptation layer plugs in through SecurityTokenAuthenticator and ServiceAuthorizationManager)
Producer Model: host independence
(Diagram only)
Producer Model: issue pipeline
Issue pipeline steps: ValidateRequest → GetScope → CreateSecurityTokenDescriptor → GetSecurityTokenHandler → GetIssuerName → GetTokenLifetime → GetProofToken → GetOutputClaimsIdentity → CreateToken → GetDisplayToken → GetResponse
• GetScope
  • Creates the Scope
• Scope
  • Signing and encrypting credentials
  • Reply-to address
• GetOutputClaimsIdentity
  • Creates the issued claims identity
  • Defines the issued claims
• Other non-mandatory extensibility points
  • ValidateRequest, …
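GetScope and GetOutputClaimsIdentity are the two mandatory overrides of a SecurityTokenService. The following is an added example, not the deck's SimpleSecurityTokenService, showing both: GetScope resolves the relying party from an allow-list (refusing unknown audiences and never taking the reply address from the request) and sets signing and encrypting credentials; GetOutputClaimsIdentity issues claims only for the authenticated caller. The class name DemoSecurityTokenService, the relying-party table, the thumbprint, the role directory and the LoadCertificate helper are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Added example (not the deck's SimpleSecurityTokenService). Class name,
// relying-party addresses, thumbprint and role mappings are placeholders.
public class DemoSecurityTokenService : SecurityTokenService
{
    // Allow-list of relying parties: AppliesTo address -> thumbprint of the
    // certificate the issued token must be encrypted to. Placeholder values.
    private static readonly Dictionary<string, string> RelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "http://gaviao/Demo.RP/default.aspx", "2222222222222222222222222222222222222222" },
        };

    // Constructed role directory used to build the output claims.
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "LeadDeveloper" } },
        };

    public DemoSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    // Scope: which RP the token is for, which keys sign and encrypt it, where the reply goes.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null)
        {
            throw new InvalidRequestException("The request must state an AppliesTo address.");
        }

        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;
        string encryptionThumbprint;
        if (!RelyingParties.TryGetValue(appliesTo, out encryptionThumbprint))
        {
            // Issuing for an unknown audience would hand the user's claims to whoever
            // crafted the sign-in request, so refuse instead of issuing anyway.
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);
        }

        var scope = new Scope(
            appliesTo,
            SecurityTokenServiceConfiguration.SigningCredentials,
            new X509EncryptingCredentials(LoadCertificate(encryptionThumbprint)));
        scope.TokenEncryptionRequired = true;

        // The reply address comes from the allow-list entry, not from the request's
        // wreply parameter, so the token cannot be steered to another location.
        scope.ReplyToAddress = appliesTo;
        return scope;
    }

    // Output identity: the claims the RP will see, built from the authenticated caller only.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            throw new InvalidRequestException("The caller is not authenticated.");
        }

        string userName = principal.Identity.Name;
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };

        string[] roles;
        if (Roles.TryGetValue(userName, out roles))
        {
            claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        }
        return new ClaimsIdentity(claims);
    }

    // Placeholder helper: looks the RP encryption certificate up in the machine store.
    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException("Certificate not found: " + thumbprint);
            }
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

The service is hosted the same way as the deck's SimpleSecurityTokenService: for the passive case, by passing an instance (built over a SecurityTokenServiceConfiguration that carries the issuer name and signing credentials) to FederatedPassiveSecurityTokenServiceOperations.ProcessRequest; for the active case, through the WSTrustServiceHostFactory. The two checks in GetScope (audience allow-list, reply address derived from it) are what keep the STS from becoming a token relay for arbitrary callers.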
Producer Model: ASP.NET

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(
        Page.Request,
        Page.User,
        new SimpleSecurityTokenService(new SimpleSecurityTokenServiceConfiguration()),
        Page.Response);
}
```
Producer Model: WCF

```
<%@ ServiceHost Language="C#" Debug="true"
    Factory="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceHostFactory,…"
    Service="Demo.MIP.SimpleSecurityTokenServiceConfiguration" %>
```

```xml
<binding name="MessageIssueBinding">
  <security>
    <message clientCredentialType="UserName" … />
  </security>
</binding>

<services>
  <service behaviorConfiguration="…"
           name="Microsoft.IdentityModel….WSTrustServiceContract">
    <endpoint address="" …
              bindingConfiguration="MessageIssueBinding"
              contract="Microsoft.IdentityModel….IWSTrust13SyncContract" />
  …
</services>
```
Producer Model: WCF integration
(Diagram only)
• Identity and access control management
• Claims model relevance
• WIF
  • Class library for both identity providers and consumers
  • Multiple hosts: ASP.NET and WCF
Q & A
Your opinion matters! Please complete the evaluation questionnaire and hand it in at the exit.
ASP.NET integration
• ClaimsPrincipalHttpModule
  • Hooks on the PostAuthenticateRequest event
  • Translates, into the claims model, the authentication performed by another module
• ClaimsAuthorizationModule
  • Hooks on the AuthorizeRequest event
  • If the current user is authenticated, calls the authorization manager
    • Action = HTTP method, Resource = raw URL
  • If authorization is denied, completes the request with a 401 status code
ASP.NET integration
• WSFederationAuthenticationModule
  • Hooks on the AuthenticateRequest event
    • If the request is a sign-in federation message, processes it
  • Hooks on the PostAuthenticateRequest event
    • Behavior similar to the ClaimsAuthorizationModule
  • Hooks on the EndRequest event
    • If the response status code is 401 and the request is not authenticated, redirects to the identity provider with a sign-in request message
ASP.NET integration
• SessionAuthenticationModule
  • Hooks on the AuthenticateRequest event
  • Tries to read and validate the session token from a cookie
  • If successful, sets the current principal from the session token info
  • Uses a CookieHandler to read from and write to cookies
Authorization Model: Enforcement
• Called automatically in the pipeline
  • ASP.NET: in an HTTP module (ClaimsAuthorizationModule)
  • WCF: in the service dispatcher
• Called explicitly via permission demand
  • Similar to PrincipalPermission and PrincipalPermissionAttribute
  • ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute
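One ClaimsAuthorizationManager serves both enforcement paths described above: the ClaimsAuthorizationModule calls it with Action = HTTP method and Resource = raw URL, and a ClaimsPrincipalPermission demand calls it with Action = Operation and Resource = the named resource. The following is an added example, not the deck's CheckAccess, of a manager that handles both through one deny-by-default policy table; the class name IssueTrackerAuthorizationManager, the URL paths, the operation names and the IssueService class are constructed for the example, while the role names follow the deck's IssueView and IssueMgr.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Permissions;
using Microsoft.IdentityModel.Claims;

// Added example (not the deck's CheckAccess). Class name, paths and operation
// names are placeholders; role names follow the deck's IssueView/IssueMgr.
public class IssueTrackerAuthorizationManager : ClaimsAuthorizationManager
{
    // Constructed policy table: "<action> <resource>" -> required role.
    // The first two rows match what the ClaimsAuthorizationModule passes in
    // (action = HTTP method, resource = URL); the last two match explicit
    // ClaimsPrincipalPermission demands (action = Operation, resource = Resource).
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "GET /demo.rp/issues.aspx",  "IssueMgr" },
            { "GET /demo.rp/default.aspx", "IssueView" },
            { "Get ViewIssues",            "IssueView" },
            { "Put ManageIssues",          "IssueMgr" },
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        if (context.Action.Count == 0 || context.Resource.Count == 0)
        {
            return false;
        }

        string action = context.Action.First().Value;
        string resource = context.Resource.First().Value;

        // The module hands over the raw URL; reduce it to the path so that a
        // query string cannot be used to sidestep a rule.
        Uri url;
        if (Uri.TryCreate(resource, UriKind.Absolute, out url))
        {
            resource = url.AbsolutePath;
        }

        string role;
        if (!RequiredRole.TryGetValue(action + " " + resource, out role))
        {
            // Deny by default: an (action, resource) pair without a rule is not allowed.
            return false;
        }

        // Role claims may sit on any of the principal's identities.
        return context.Principal.Identities.Any(identity =>
            identity.Claims.Any(c =>
                c.ClaimType == ClaimTypes.Role &&
                string.Equals(c.Value, role, StringComparison.Ordinal)));
    }
}

public class IssueService
{
    // Explicit enforcement: this demand reaches CheckAccess with
    // action "Put" and resource "ManageIssues".
    [ClaimsPrincipalPermission(SecurityAction.Demand,
        Operation = "Put", Resource = "ManageIssues")]
    public void ManageIssues()
    {
        // ...
    }
}
```

The manager is registered through the `<claimsAuthorizationManager type="…" />` element of the microsoft.identityModel service configuration (assumed type name). Because the module calls CheckAccess for every authenticated request, a deny-by-default table must list every path the application serves, including static content, or the module must be scoped to the paths it should protect; the deck's own CheckAccess takes the opposite default and returns true for everything it has no rule for.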
WIF consumer pipeline
(Diagram, repeated: Host (e.g. ASP.NET, WCF) → Host Adaptation Layer → serialized token → Token Handler, with Token Resolver and Issuer Name Registry → Claims Identities → Claims Authentication Manager → ClaimsPrincipal → Claims Authorization Manager → boolean)
A taxonomy of claims
• Primordial vs. substantive claims
  • Primordial: proof (e.g. shared secret) presentable by only one subject
  • Substantive: produced by claims providers
• Claim types
  • Static: properties of the subject
    • National identifier number; date of birth
  • Derived: derived from other claims
    • Portuguese citizen; over 18
  • Membership: role or group membership, relation with another subject
    • Administrator; Lead Developer; Purchase Officer
  • Capability: authorization to something
    • Can-emit-purchase-order; Can-admin-CI-server
  • Contextual: information about the context
    • Authentication method, location and time
Security Token Analogies
• National identity card
  • Claims: name, DoB, PoB, address
  • Subject binding: picture and signature
  • Issuer binding: physical anti-tampering measures
  • Consumer binding: omni-directional identity
• Train ticket
  • Claims: authorization to travel in a specific train/place
  • Subject binding: holder, claim
  • Issuer binding: physical anti-tampering measures, signature
  • Consumer binding: authorization details
Authorization Model
• "Old" model (PrincipalPermission)
  • PrincipalPermission constructed with the required identity names and/or roles
  • Association between the permission and the users is hard-coded
• "New" model (ClaimsPrincipalPermission)
  • ClaimsPrincipalPermission constructed with the resource and action characterization
  • Association between the permission and the required identity is external