Wednesday, September 4, 2013

Single Sign On Made Simple: Part 2–IdentityServer

In this blog series I have been discussing a simple way any organization of any size can put into place a Single Sign On solution. In the first part I discussed, at very high level, Windows Identity Foundation (or WIF); which has been provided by Microsoft as a simple way of implementing claims-based authentication. If you haven’t read the first part I suggest you go back and read that one first. It will give you a basic understanding of WIF before reading this next part where I will be discussing WIF in practice.

In my conclusion of part one I stated that WIF provides a foundation (as it’s name implies) for claims-based authentication but in and of itself does not provide any implementation. This is done on purpose because Microsoft is trying to give the development community a framework for creating their own implementations of WIF. That may be great for organizations that can afford to pay developers to spin their own WIF implementation but many small and medium sized companies just don’t have the time or resources to do this. Fret not! Luckily for us the guys at ThinkTecture have done all of the hard work and have provided a turnkey solution called IdentityServer that not only implements WIF but also incorporates the mechanisms for Single Sign On.

Let me be clear up front, neither I nor my organization are in any way affiliated with ThinkTecture but we are fans of their IdentityServer product. I think after reading what their IdentityServer product has to offer you may be as well.

At its core IdentityServer is a light-weight security token service built using .NET 4.5, ASP.NET MVC4, WCF and Web API. It has out-of-the-box support for user management using the ASP.NET membership and roles provider, but provides extensibility points to integrate arbitrary user databases. Furthermore almost any aspect of token issuance and data management can be customized using a plugin model. More information and source code, yes I said source code, can be found here. To be honest their website and documentation doesn’t do justice to the power and impact IdentityServer can have on your organization – especially with regards to SSO and flexibility on how you authenticate your users. To save you some time in reading their website, let’s discuss how it can be used in your organization and how it can provide you a simple SSO solution.

First and foremost, IdentityServer is a standalone website you can either install within your organization or host out in the cloud. It has a management interface you can use to configure general server information, certificates, protocols, identity providers, and much more. While you don’t need to be an expert in WIF and security concepts, it is helpful to at least understand some basics. The admin interface provides some inline help but I have found sometimes the need to occasionally do additional research to understand the setting options a bit more.

Referring back to my previous post and the discussion of WIF, the Identity Server is going to, at a minimum, play the role of a Security Token Service (STS). What this means is your application(s) are going to rely on the IdentityServer for collecting credentials and subsequently issuing a claims-based authentication token. Your applications can then use these tokens to identity the authenticated user. This takes the responsibility of authenticating users away from your applications and puts it on the IdentityServer.

With IdentityServer you have a couple of options when it comes to collecting and issuing these claims-based authentication tokens: 1) using IdentityServer’s built in authentication or 2) redirecting to a trusted Identity Provider (IdP).

In the first option, when your applications redirect to the IdentityServer for authentication, the users will be presented with a login page hosted in the IdentityServer and will use the credentials managed within IdentityServer itself. In this scenario you are using IdentityServer as a STS and is the simplest to configure of the two options because it comes pre-configured this way.

The second option is a recent addition to IdentityServer and allows you to redirect your users to a trusted Identity Provider such as Google, Microsoft Live, Twitter, Facebook, etc. In this setup your IdentityServer is actually playing two WIF roles, 1) it is acting as the STS to your applications and 2) it is also acting as a Relying Party (RP) because it is “relying” on an Identity Provider (which is acting as a STS for your IdentityServer) for authentication tokens.

There are a couple things you have to keep in mind when going the Identity Provider route. First, the Identity Providers you use to authenticate with will probably need to be configured on their end to accept requests from your IdentityServer for authentication. This will include how that Identity Provider should redirect back to your IdentityServer. Second, you will need to configure the Identity Provider in your IdentityServer with the necessary information for IdentityServer to talk with the Identity Provider. Configuring your IdentityServer to use Identity Providers is not hard but it does require a bit more knowledge of how to talk with Identity Providers.

If you have the situation/need/desire to allow your users to choose an Identity Provider from two or more Identity Providers (which many sites are doing these days), then IdentityServer has you covered on that front as well with its Home Realm concept. In this setup when IdentityServer receives a request from your applications for an authentication token instead of being presented with an Identity Provider’s login screen they will be presented a Identity Provider selection screen where the user will choose the provider they wish to log in with.

So, for example say you wanted to allow your users to use Google, Facebook, or ADFS to log into your application; with IdentityServer you can do this by configuring an Identity Provider for Google, Facebook, and ADFS on your IdentityServer. Then, when your users are redirected to you IdentityServer for authentication, they will first see a screen where they would choose either Google, Facebook, or ADFS and once doing so will be redirected to the login page for the Identity Provider they chose.

I wish I could go through all of the different options and configurations of IdentityServer but perhaps that can be for another day. Right now I wanted to touch on some of the basic but cool features provided by this product. If you decide you would like to use IdentityServer but need help installing or configuring it please feel free to contact me.

Now that we have discussed the concepts in WIF and seen a simple solution for implementing a STS, the next part to this series will be discussing how to set up your Relying Party applications. If you would like to be notified when the next part of this series is published just follow me (@mpyost) or my company (@yosttechies) on Twitter. As always, if there are any comments or questions feel free to post them to this blog entry or send them to me via email.