In this blog series I have been discussing a simple way any organization of any size can put into place a Single Sign On solution. In the first part I discussed, at very high level, Windows Identity Foundation (or WIF); which has been provided by Microsoft as a simple way of implementing claims-based authentication. If you haven’t read the first part I suggest you go back and read that one first. It will give you a basic understanding of WIF before reading this next part where I will be discussing WIF in practice.
In my conclusion of part one I stated that WIF provides a foundation (as it’s name implies) for claims-based authentication but in and of itself does not provide any implementation. This is done on purpose because Microsoft is trying to give the development community a framework for creating their own implementations of WIF. That may be great for organizations that can afford to pay developers to spin their own WIF implementation but many small and medium sized companies just don’t have the time or resources to do this. Fret not! Luckily for us the guys at ThinkTecture have done all of the hard work and have provided a turnkey solution called IdentityServer that not only implements WIF but also incorporates the mechanisms for Single Sign On.
Let me be clear up front, neither I nor my organization are in any way affiliated with ThinkTecture but we are fans of their IdentityServer product. I think after reading what their IdentityServer product has to offer you may be as well.
At its core IdentityServer is a light-weight security token service built using .NET 4.5, ASP.NET MVC4, WCF and Web API. It has out-of-the-box support for user management using the ASP.NET membership and roles provider, but provides extensibility points to integrate arbitrary user databases. Furthermore almost any aspect of token issuance and data management can be customized using a plugin model. More information and source code, yes I said source code, can be found here. To be honest their website and documentation doesn’t do justice to the power and impact IdentityServer can have on your organization – especially with regards to SSO and flexibility on how you authenticate your users. To save you some time in reading their website, let’s discuss how it can be used in your organization and how it can provide you a simple SSO solution.
First and foremost, IdentityServer is a standalone website you can either install within your organization or host out in the cloud. It has a management interface you can use to configure general server information, certificates, protocols, identity providers, and much more. While you don’t need to be an expert in WIF and security concepts, it is helpful to at least understand some basics. The admin interface provides some inline help but I have found sometimes the need to occasionally do additional research to understand the setting options a bit more.
Referring back to my previous post and the discussion of WIF, the Identity Server is going to, at a minimum, play the role of a Security Token Service (STS). What this means is your application(s) are going to rely on the IdentityServer for collecting credentials and subsequently issuing a claims-based authentication token. Your applications can then use these tokens to identity the authenticated user. This takes the responsibility of authenticating users away from your applications and puts it on the IdentityServer.
With IdentityServer you have a couple of options when it comes to collecting and issuing these claims-based authentication tokens: 1) using IdentityServer’s built in authentication or 2) redirecting to a trusted Identity Provider (IdP).
In the first option, when your applications redirect to the IdentityServer for authentication, the users will be presented with a login page hosted in the IdentityServer and will use the credentials managed within IdentityServer itself. In this scenario you are using IdentityServer as a STS and is the simplest to configure of the two options because it comes pre-configured this way.
The second option is a recent addition to IdentityServer and allows you to redirect your users to a trusted Identity Provider such as Google, Microsoft Live, Twitter, Facebook, etc. In this setup your IdentityServer is actually playing two WIF roles, 1) it is acting as the STS to your applications and 2) it is also acting as a Relying Party (RP) because it is “relying” on an Identity Provider (which is acting as a STS for your IdentityServer) for authentication tokens.
There are a couple things you have to keep in mind when going the Identity Provider route. First, the Identity Providers you use to authenticate with will probably need to be configured on their end to accept requests from your IdentityServer for authentication. This will include how that Identity Provider should redirect back to your IdentityServer. Second, you will need to configure the Identity Provider in your IdentityServer with the necessary information for IdentityServer to talk with the Identity Provider. Configuring your IdentityServer to use Identity Providers is not hard but it does require a bit more knowledge of how to talk with Identity Providers.
If you have the situation/need/desire to allow your users to choose an Identity Provider from two or more Identity Providers (which many sites are doing these days), then IdentityServer has you covered on that front as well with its Home Realm concept. In this setup when IdentityServer receives a request from your applications for an authentication token instead of being presented with an Identity Provider’s login screen they will be presented a Identity Provider selection screen where the user will choose the provider they wish to log in with.
So, for example say you wanted to allow your users to use Google, Facebook, or ADFS to log into your application; with IdentityServer you can do this by configuring an Identity Provider for Google, Facebook, and ADFS on your IdentityServer. Then, when your users are redirected to you IdentityServer for authentication, they will first see a screen where they would choose either Google, Facebook, or ADFS and once doing so will be redirected to the login page for the Identity Provider they chose.
I wish I could go through all of the different options and configurations of IdentityServer but perhaps that can be for another day. Right now I wanted to touch on some of the basic but cool features provided by this product. If you decide you would like to use IdentityServer but need help installing or configuring it please feel free to contact me.
Now that we have discussed the concepts in WIF and seen a simple solution for implementing a STS, the next part to this series will be discussing how to set up your Relying Party applications. If you would like to be notified when the next part of this series is published just follow me (@mpyost) or my company (@yosttechies) on Twitter. As always, if there are any comments or questions feel free to post them to this blog entry or send them to me via email.
Showing posts with label Single Sing On (SSO). Show all posts
Showing posts with label Single Sing On (SSO). Show all posts
Wednesday, September 4, 2013
Monday, August 26, 2013
Single Sign On Made Simple: Part 1-WIF
Almost every organization I have ever worked at, with, or for has discussed and dreamed about implementing a Single Sign On (SSO) solution for either some or all of their applications and/or websites. It is a very interesting and enticing prospect to be able to enable your users to enter one username and password in order to access multiple applications. I am not going to take the time to explain SSO any more than that but if you are not familiar with SSO or would like to learn more about it there is a plethora of blogs and articles on the internet that should help get you up to speed.
In this series of blog articles I am going to go over a way I have found to very quickly and easily implement a SSO solution - without writing a lick of code! But I won’t stop there; the solution I will suggest will also enable your organization to authenticate your users via one or more of the many well known identity providers out there such as Active Directory Federated Services, Google, Live, Facebook, and more – or you can roll your own if so inclined. Finally I will take this SSO solution and extend it to your Windows based applications as well.
In this first part I am going to introduce you to the underlying framework that will be doing most of the work. While I don’t expect you to understand everything about this framework, I do want to point out its existence and role in our solution. If you are developer or you are at an organization that is going to want to write their own identity provider then you are going to want to know about the framework.
At the center of our solution is Microsoft’s Windows Identity Foundation (WIF). Until recently it was an add on framework but starting with .NET Framework 4.5, WIF has been fully integrated into the .NET framework. At it’s core WIF is a framework for building identity-aware applications; it abstracts the WS-Trust and WS-Federation protocols and presents developers with APIs for building security token services and claims-aware applications. I won’t go into too much detail about the framework but I do want to point out the major parts of the framework because when I get to my solution for SSO you will need to have a basic understanding to appreciate what it does for you.
I do want to point out that WIF is based on a concept called the Claims-Based Identity Model which simply means that a user in your applications is presented as a set of claims. One claim could be the user’s name, others might be their email address or display name. The basic idea is your application will be given a set of data an external identity system is configured to provide about the user – along with cryptographic assurance the identity data you receive comes from a trusted source, of course. [1]
A basic WIF scenario usually consists of one or more Relying Party (RP) applications and a Security Token Service (STS). The Relying Party (RP) is basically an application that relies on claims issued by a STS. An RP is also often called a “claims aware application” or “claims-based application.” The Security Token Service (STS) is the service that builds, signs, and issues security tokens according to the WS-Trust and WS-Federation protocols. The STS will be the one responsible for collecting and validating user credentials and if successful, returning to the RP a claims-based token representing the user. [2,3] If you are confused don’t worry, the solution I propose should help make this abstract concept a little more concrete.
Microsoft’s Windows Identity Foundation is a great start but it doesn’t give us anything to immediately get up and running – let alone a SSO solution. It is as it’s name implies – a foundation, not a solution. Continue to part 2 of this blog series to be introduced to a solution I have discovered that makes implementing WIF and SSO a snap and all without writing a single line of code. I welcome your comments and feedback on this first part. Also you may contact me via the “Contact Us” page at http://www.yosttechnologies.com/contact.
References:
1. The Claims-Based Identity Model (http://msdn.microsoft.com/en-us/library/ee517291.aspx)
2. Relying Party (http://msdn.microsoft.com/en-us/library/ee748466.aspx)
3. Security Token Service (http://msdn.microsoft.com/en-us/library/ee748490.aspx)
In this series of blog articles I am going to go over a way I have found to very quickly and easily implement a SSO solution - without writing a lick of code! But I won’t stop there; the solution I will suggest will also enable your organization to authenticate your users via one or more of the many well known identity providers out there such as Active Directory Federated Services, Google, Live, Facebook, and more – or you can roll your own if so inclined. Finally I will take this SSO solution and extend it to your Windows based applications as well.
In this first part I am going to introduce you to the underlying framework that will be doing most of the work. While I don’t expect you to understand everything about this framework, I do want to point out its existence and role in our solution. If you are developer or you are at an organization that is going to want to write their own identity provider then you are going to want to know about the framework.
At the center of our solution is Microsoft’s Windows Identity Foundation (WIF). Until recently it was an add on framework but starting with .NET Framework 4.5, WIF has been fully integrated into the .NET framework. At it’s core WIF is a framework for building identity-aware applications; it abstracts the WS-Trust and WS-Federation protocols and presents developers with APIs for building security token services and claims-aware applications. I won’t go into too much detail about the framework but I do want to point out the major parts of the framework because when I get to my solution for SSO you will need to have a basic understanding to appreciate what it does for you.
I do want to point out that WIF is based on a concept called the Claims-Based Identity Model which simply means that a user in your applications is presented as a set of claims. One claim could be the user’s name, others might be their email address or display name. The basic idea is your application will be given a set of data an external identity system is configured to provide about the user – along with cryptographic assurance the identity data you receive comes from a trusted source, of course. [1]
A basic WIF scenario usually consists of one or more Relying Party (RP) applications and a Security Token Service (STS). The Relying Party (RP) is basically an application that relies on claims issued by a STS. An RP is also often called a “claims aware application” or “claims-based application.” The Security Token Service (STS) is the service that builds, signs, and issues security tokens according to the WS-Trust and WS-Federation protocols. The STS will be the one responsible for collecting and validating user credentials and if successful, returning to the RP a claims-based token representing the user. [2,3] If you are confused don’t worry, the solution I propose should help make this abstract concept a little more concrete.
Microsoft’s Windows Identity Foundation is a great start but it doesn’t give us anything to immediately get up and running – let alone a SSO solution. It is as it’s name implies – a foundation, not a solution. Continue to part 2 of this blog series to be introduced to a solution I have discovered that makes implementing WIF and SSO a snap and all without writing a single line of code. I welcome your comments and feedback on this first part. Also you may contact me via the “Contact Us” page at http://www.yosttechnologies.com/contact.
References:
1. The Claims-Based Identity Model (http://msdn.microsoft.com/en-us/library/ee517291.aspx)
2. Relying Party (http://msdn.microsoft.com/en-us/library/ee748466.aspx)
3. Security Token Service (http://msdn.microsoft.com/en-us/library/ee748490.aspx)
Subscribe to:
Posts (Atom)