SAML Integration - PowerPoint PPT Presentation

About This Presentation
Title: SAML Integration
Description: Windows.NET Application Security Framework. DMZ. Partner/Supplier ... Windows.NET Authentication. Multiple credential types. Passwords, tokens, smartcards ... – PowerPoint PPT presentation
Number of Views: 101
Avg rating: 3.0/5.0
Slides: 26
Provided by: peterh9

Transcript and Presenter's Notes

1
SAML Integration
Doug Bayer, Director, Windows Security, Microsoft Corporation
dbayer@microsoft.com
2
Agenda
  • Overview of Microsoft authentication and
    authorization plans
  • Problem space
  • Our understanding of the scenarios
  • Our current approach
  • How could we use SAML?
  • Migration?
  • Integration?

3
Windows.NET
  • Windows.NET Authentication Architecture
  • Windows.NET Authorization: Extending the Windows
    Model
  • Resource-Based Authorization: ACLs and Groups
  • Application-Based Authorization: RBAC
  • Making It All Secure

4
.NET Process Scenario (diagram, built up step by step across slides 4 to 8; step markers 2 and 5 and the label "Signed Message Accepted" appear as the build progresses)
Roles: Fred = Owner, Mary = Viewer
Participants: MyNotifications.NET, myCalendar.NET, MyHS.NET, Directory, AA (Authentication Authority), KDC
Users: Fred@TinyCo.com, Mary@BigCo.com
9
Windows.NET Application Security Framework (diagram, repeated on slides 9 to 11; slide 10 adds the client authentication protocols)
Zones: Internet, DMZ, Enterprise
Actors: Partner/Supplier, Customer, Employee
Components: Store, AA
Client protocols (slide 10): Passport, Kerberos, Basic, SSL, Digest
Legend: Store = Directory or Database; AA = Authentication Authority
12
Windows.NET Authentication
  • Multiple credential types
    • Passwords, tokens, smartcards
    • Multifactor: key and biometric
  • Multiple client-to-server protocols
    • Today: Basic, NTLM, Passport, Digest, SSL,
      Kerberos
    • Converge on Kerberos and Kerberos/TLS in the future
    • Message signing and signature verification
  • Single server-to-server protocol: Kerberos
    with constrained delegation
    • IETF standard, interoperable, scalable
    • Secure mutual authentication
  • Extensible credentials support
    • Passwords, X.509 certificates, tokens, ...
    • Directory-independent authentication

13
Windows.NET Authentication (diagram)
Participants: Users, Front End Application, Back End Application, KDC
KDC: Trust; Verify Policy: Allowed-To-Delegate-To; Ticket
Authentication labels: Passport; Basic, Digest, SSL; Kerberos; Ticket; Cert; Signed Messages (S/MIME/SMTP); XMLDSIG/HTTP
14
Application Classification For Authorization
  • Resource Managers
    • Resources are well-defined, with persistence
    • Access is controlled to operations on such
      objects
    • E.g. file system, database, Active Directory, ...
  • Gatekeepers: a special form of resource manager
    • Resources are other applications
    • Controls access to other applications
    • E.g. the OS itself, web server, VPNs, firewalls, ...
  • Business Processes
    • Resources aren't well defined; operations,
      processes and workflows are
    • Access is controlled to operations, processes,
      workflows
    • E.g. LOB applications, transaction processing,
      ...

15
Authorization: Role-Based Model
  • Roles-based
    • LOB, B2B, B2C and workflow applications
  • Characteristics
    • No real objects, but operations and tasks are
      well-defined
    • Authorizations aren't simply yes/no on an operation
    • Operation data and business rules matter
    • Typically have a state machine
    • Where do you hang the ACL?
  • Applications enforce access
    • Users authenticate to the Authentication Authority
    • Application performs authorization
    • Application has full access to underlying objects

16
Roles-Based Authorization Manager (architecture diagram)
Application classes: Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, ...); Resource Manager Applications (Document Store, Mail Store, ...); Business Process Applications (E-Commerce, LOB Applications, ...)
Each application class calls the Windows Authorization API
Authorization Administration Manager
Policy Store: Active Directory or XML (Files, SQL)
Common Roles Management UI
17
Roles-Based Authorization Manager
  • Scopes
    • VDirs, URL, Prefix
  • Tasks
    • Basic: GET/POST
    • Dynamic: by associating VBScript business rules
  • Groups
    • Static
    • Computed: LDAP query
  • Roles
    • Defined by administrators and applications

(diagram) Gatekeeper Applications (Web Server/URL, VPNs, Firewalls, ...): URL-Based Authorization in IIS and the Web-Based Application each call the Windows Authorization API; Common Roles Management UI
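The role-based model of slides 15 and 17 (scopes, basic and dynamic tasks, static and computed groups, roles assigned per scope) is easiest to see as a small access check. The following is an added example written for this page; it is not the Windows Authorization API or any Microsoft code. The class names, the URL-prefix scopes, the "amount" business rule standing in for a VBScript rule, the predicate standing in for an LDAP query, and the user records are all constructed here.

```python
"""Toy model of a roles-based authorization store (added example, not the
Windows Authorization API): scopes by URL prefix, tasks with optional
business rules, static and computed groups, and roles assigned per scope."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class User:
    name: str
    attributes: Dict[str, str]   # stands in for directory attributes an LDAP query would match


@dataclass
class Group:
    name: str
    members: Set[str] = field(default_factory=set)           # static group
    query: Optional[Callable[[User], bool]] = None            # computed group (LDAP-query stand-in)

    def contains(self, user: User) -> bool:
        return user.name in self.members or (self.query is not None and self.query(user))


@dataclass
class Task:
    name: str                                                 # basic task, e.g. GET or POST
    rule: Optional[Callable[[User, dict], bool]] = None       # dynamic business rule on operation data


@dataclass
class Role:
    name: str
    tasks: Set[str]


@dataclass
class Scope:
    prefix: str                                               # VDir / URL prefix
    assignments: Dict[str, Set[str]] = field(default_factory=dict)   # role name -> group names


class AuthorizationStore:
    def __init__(self):
        self.groups: Dict[str, Group] = {}
        self.tasks: Dict[str, Task] = {}
        self.roles: Dict[str, Role] = {}
        self.scopes: list = []

    def scope_for(self, url: str) -> Optional[Scope]:
        """Longest matching URL prefix wins, as with URL-based authorization."""
        matches = [s for s in self.scopes if url.startswith(s.prefix)]
        return max(matches, key=lambda s: len(s.prefix), default=None)

    def access_check(self, user: User, url: str, task_name: str, data: dict = None) -> bool:
        """True if a role assigned to the user in the URL's scope grants the task
        and the task's business rule (if any) accepts the operation data."""
        scope, task = self.scope_for(url), self.tasks.get(task_name)
        if scope is None or task is None:
            return False                                      # nothing is granted by default
        for role_name, group_names in scope.assignments.items():
            if task_name not in self.roles[role_name].tasks:
                continue
            if any(self.groups[g].contains(user) for g in group_names):
                return task.rule is None or task.rule(user, data or {})
        return False


def build_store() -> AuthorizationStore:
    """Constructed policy: viewers may GET orders; finance managers may also
    POST orders, but only up to a business-rule limit; the archive is read-only."""
    store = AuthorizationStore()
    store.groups["viewers"] = Group("viewers", members={"mary"})
    store.groups["finance-managers"] = Group(
        "finance-managers",
        query=lambda u: u.attributes.get("department") == "finance"
        and u.attributes.get("title") == "manager")
    store.tasks["GET"] = Task("GET")
    store.tasks["POST"] = Task("POST", rule=lambda u, d: d.get("amount", 0) <= 10_000)
    store.roles["Viewer"] = Role("Viewer", {"GET"})
    store.roles["Approver"] = Role("Approver", {"GET", "POST"})
    store.scopes.append(Scope("/orders/", {"Viewer": {"viewers"}, "Approver": {"finance-managers"}}))
    store.scopes.append(Scope("/orders/archive/", {"Viewer": {"viewers", "finance-managers"}}))
    return store


if __name__ == "__main__":
    store = build_store()
    fred = User("fred", {"department": "finance", "title": "manager"})
    print(store.access_check(fred, "/orders/42", "POST", {"amount": 50_000}))   # rule rejects: False
```

The answer to "where do you hang the ACL?" in this model is the scope: permissions attach to URL prefixes and roles, not to individual order objects, and the business rule decides the cases that are not a simple yes/no on the operation.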
18
SAML/Kerberos Protocol Overview (diagram)
WebAuth Server(s) and browser clients: (WebSphere) AIX, (Windows.NET), (Netscape Mac)
19
SAML/Kerberos Protocol Overview (diagram: initial login)
(1) Redirect to the WebAuth Server(s); user name and password sent over SSL
(2) AS-Req, TGS-Req
(3) AP-Req
Sess-Cookie: TGT
20
SAML/Kerberos Protocol Overview (diagram: subsequent requests)
Browser: Get with Sess-Cookie: AP-Req; Web Server: AP-Req (cached); returns Data
WebAuth Server(s): Sess-Cookie: TGT
  • Subsequent requests
    • Browser sends AP-REQ in cookie
    • Web Server checks against saved AP-REQ; if OK,
      returns requested URL

21
Protocol Overview: Initial Request to Second Web
Server
  • Browser does GET to WebSphere
  • WebSphere redirects to WebAuth
    • Redirect contains TGT in cookie
  • WebAuth does TGS-REQ, then proceeds as before

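To make the cookie mechanics of slides 19 to 21 concrete, here is an added example that walks one browser through the flow: the first GET is redirected to WebAuth, WebAuth runs AS-REQ and TGS-REQ and sets the TGT and AP-REQ cookies, the web server caches the AP-REQ it accepted and compares every later cookie against it, and a first visit to a second web server reuses the TGT cookie so no password is asked again. This is not code from the presentation or from WebAuth. The Kerberos messages are stand-in byte strings with an HMAC tag (constructed here), not real AS-REQ, TGS-REQ or AP-REQ encodings; the cookie names, the per-session cache and the class and function names are assumptions of this model.

```python
"""Toy model of the WebAuth cookie flow (added example, not WebAuth code).
Tickets are constructed byte strings with an HMAC tag, not Kerberos encodings."""
import hmac
import secrets
from dataclasses import dataclass, field


def _tag(key, body):
    """Hex HMAC over a message body; stands in for Kerberos ticket encryption."""
    return hmac.new(key, body, "sha256").hexdigest().encode()


class KDC:
    """Stand-in KDC: user passwords plus one long-term key per service."""

    def __init__(self, users, services):
        self.users = dict(users)                      # user -> password (constructed)
        self.tgt_key = secrets.token_bytes(32)
        self.service_keys = {s: secrets.token_bytes(32) for s in services}

    def as_req(self, user, password):
        """AS-REQ: check the password and return a TGT, or None."""
        if user is None or self.users.get(user) != password:
            return None
        body = b"TGT|" + user.encode()
        return body + b"|" + _tag(self.tgt_key, body)

    def tgs_req(self, tgt, service):
        """TGS-REQ: exchange a valid TGT for a service ticket (the AP-REQ payload)."""
        parts = tgt.split(b"|")
        if len(parts) != 3 or parts[0] != b"TGT":
            return None
        if not hmac.compare_digest(parts[2], _tag(self.tgt_key, b"|".join(parts[:2]))):
            return None
        body = b"AP|" + parts[1] + b"|" + service.encode()
        return body + b"|" + _tag(self.service_keys[service], body)


class WebAuthServer:
    """Redirect target: AS-REQ only when there is no TGT cookie, then TGS-REQ."""

    def __init__(self, kdc):
        self.kdc = kdc

    def login(self, cookies, service, username=None, password=None):
        tgt = cookies.get("tgt")
        if tgt is None:                               # (2) first login: user name/password over SSL
            tgt = self.kdc.as_req(username, password)
            if tgt is None:
                return None
        ap_req = self.kdc.tgs_req(tgt, service)       # second server: TGT from cookie, no password
        return None if ap_req is None else {"tgt": tgt, "ap_req": ap_req}


@dataclass
class WebServer:
    """Application web server; remembers the AP-REQ accepted at login per session."""
    name: str
    key: bytes
    cached_ap_req: dict = field(default_factory=dict)   # session id -> AP-REQ

    def accept_ap_req(self, ap_req):
        """Step (3): verify the AP-REQ under the service key and open a session."""
        parts = ap_req.split(b"|")
        if len(parts) != 4 or parts[0] != b"AP" or parts[2] != self.name.encode():
            return None
        if not hmac.compare_digest(parts[3], _tag(self.key, b"|".join(parts[:3]))):
            return None
        sid = secrets.token_hex(16)
        self.cached_ap_req[sid] = ap_req
        return {"sess": sid, "ap_req": ap_req}

    def get(self, cookies):
        """Subsequent request: the cookie's AP-REQ must equal the saved one."""
        saved = self.cached_ap_req.get(cookies.get("sess"))
        if saved is None:
            return "redirect-to-webauth"              # (1) no session at this server yet
        ap_req = cookies.get("ap_req")
        if ap_req is None or not hmac.compare_digest(saved, ap_req):
            return "forbidden"                        # cookie does not match the saved AP-REQ
        return "data"


def run_scenario():
    """Walk one browser (a single flat cookie jar, for brevity) through the flow."""
    kdc = KDC({"fred": "fred-pw"}, ["windows", "websphere"])
    webauth = WebAuthServer(kdc)
    windows = WebServer("windows", kdc.service_keys["windows"])
    websphere = WebServer("websphere", kdc.service_keys["websphere"])
    jar, out = {}, {}
    out["first_get"] = windows.get(jar)                         # redirect to WebAuth
    jar.update(webauth.login(jar, "windows", "fred", "fred-pw"))
    jar.update(windows.accept_ap_req(jar["ap_req"]))
    out["after_login"] = windows.get(jar)
    out["repeat"] = windows.get(jar)                            # cached AP-REQ check
    out["tampered"] = windows.get(dict(jar, ap_req=jar["ap_req"][:-1] + b"x"))
    out["second_server_first"] = websphere.get(jar)             # second server: redirect again
    jar.update(webauth.login(jar, "websphere"))                 # TGT cookie, no password prompt
    jar.update(websphere.accept_ap_req(jar["ap_req"]))
    out["second_server"] = websphere.get(jar)
    out["bad_password"] = webauth.login({}, "windows", "fred", "wrong")
    return out
```

Running `run_scenario()` returns the outcome of each step. Two details matter for a defender reading the slides: the web server never trusts the cookie by itself but compares it against the AP-REQ it verified at login, and the TGT cookie is what lets the second server skip the password prompt, so it is the cookie whose exposure (cookie scope, SSL-only transport, lifetime) deserves the most attention.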
22
SAML/Kerberos Protocol Overview (diagram: affiliate site)
Browser: Get to the Apache Web Servers at the Affiliate Site; WebAuth Server(s): Sess-Cookie: TGT
23
SAML/Kerberos Protocol Overview (diagram: affiliate site login)
Labels: Affiliate Site; AS-Req; AS-Req (2); AP-Req (3); WebAuth Server(s); Redirect (1); SSL; Sess-Cookie: TGT (shown twice)
24
SAML/Kerberos Protocol Overview (diagram: affiliate site, subsequent requests)
Affiliate Site: AP-Req; Browser: Get with Sess-Cookie: AP-Req, receives Data; WebAuth Server(s): Sess-Cookie: TGT
25
Questions?