A Guide to Claims-Based Identity and Access Control

Book Description

Claims-based identity means controlling the digital experience, and the use of digital resources, on the basis of things that one party says about another. A party can be a person, an organization, a government, a Web site, a Web service, or even a device. The very simplest example of a claim is something that a party says about itself. Claims-based identity has been possible for quite a while, but tools are now available that make it much easier for developers of Windows-based applications to implement it. These tools include the Windows Identity Foundation (WIF) and Microsoft Active Directory® Federation Services (ADFS) v2. This book shows you when and how to use these tools in the context of some commonly occurring scenarios.

Table of Contents

  1. A Guide to Claims-Based Identity and Access Control: Authentication and Authorization for Services and the Web
  2. Foreword
  3. Foreword
  4. Preface
    1. Who This Book Is For
    2. Why This Book Is Pertinent Now
    3. A Note About Terminology
    4. How This Book Is Structured
    5. What You Need to Use the Code
      1. Application Server
      2. ADFS
      3. Active Directory
      4. Client Computer
    6. Who’s Who
  5. Acknowledgments
  6. 1. An Introduction to Claims
    1. What Do Claims Provide?
      1. Not Every System Needs Claims
      2. Claims Simplify Authentication Logic
      3. A Familiar Example
      4. What Makes a Good Claim?
      5. Understanding Issuers and ADFS
      6. User Anonymity
    2. Implementing Claims-Based Identity
      1. Step 1: Add Logic to Your Applications to Support Claims
      2. Step 2: Acquire or Build an Issuer
      3. Step 3: Configure Your Application to Trust the Issuer
      4. Step 4: Configure the Issuer to Know About the Application
    3. A Summary of Benefits
    4. Moving On
  7. 2. Claims-Based Architectures
    1. A Closer Look at Claims-Based Architectures
      1. Browser-Based Applications
        1. Understanding the Sequence of Steps
        2. Optimizing Performance
      2. Smart Clients
    2. Federating Identity Across Realms
      1. The Benefits of Cross-Realm Identity
      2. How Federated Identity Works
        1. Identity Transformation
      3. Home Realm Discovery
        1. Home Realm Discovery and Web Services
    3. Design Considerations for Claims-Based Applications
      1. What Makes a Good Claim?
      2. How Can You Uniquely Identify One User From Another?
      3. How Can You Get a List of All Possible Users and All Possible Claims?
      4. Where Should Claims Be Issued?
  8. 3. Claims-Based Single Sign-On for the Web
    1. The Premise
    2. Goals and Requirements
    3. Overview of the Solution
    4. Inside the Implementation
      1. A-Expense Before Claims
      2. A-Expense with Claims
      3. A-Order Before Claims
      4. A-Order with Claims
    5. Signing Out of an Application
    6. Setup and Physical Deployment
      1. Using a Mock Issuer
      2. Isolating Active Directory
      3. Converting to a Production Issuer
      4. Enabling Internet Access
    7. Variation—Moving to Windows Azure
    8. Hosting a-Expense on Windows Azure
    9. More Information
  9. 4. Federated Identity for Web Applications
    1. The Premise
    2. Goals and Requirements
    3. Overview of the Solution
    4. Benefits and Limitations
    5. Inside the Implementation
    6. Setup and Physical Deployment
      1. Using Mock Issuers for Development and Testing
    7. Establishing Trust Relationships
    8. More Information
  10. 5. Federated Identity for Web Services
    1. The Premise
    2. Goals and Requirements
    3. Overview of the Solution
    4. Inside the Implementation
      1. Implementing the Web Service
      2. Implementing the Active Client
      3. Implementing the Authorization Strategy
      4. Debugging the Application
    5. Setup and Physical Deployment
      1. Configuring ADFS 2.0 for Web Services
  11. 6. Federated Identity with Multiple Partners
    1. The Premise
    2. Goals and Requirements
    3. Overview of the Solution
      1. Step 1: Present Credentials to the IP
      2. Step 2: Transmit the IP’s Security Token to the FP
      3. Step 3: Map the Claims
      4. Step 4: Transmit the Mapped Claims and Perform the Requested Action
      5. Using Claims in Fabrikam Shipping
    4. Inside the Implementation
    5. Setup and Physical Deployment
      1. Establishing the Trust Relationship
        1. Organization Section
        2. Issuer Section
        3. Certificate Section
      2. User-Configurable Claims Transformation Rules
  12. A. Using FedUtil
    1. Using FedUtil to Make an Application Claims-Aware
  13. B. Message Sequences
    1. The Browser-Based Scenario
      1. Step 1
      2. Step 2
      3. Step 3
      4. Step 4
      5. Step 5
      6. Step 6
      7. Step 7
    2. The Active Client Scenario
      1. Step 1
      2. Step 2
  14. C. Industry Standards
    1. Security Assertion Markup Language (SAML)
    2. WS-Federation
    3. WS-Federation: Passive Requestor Profile
    4. WS-Security
    5. WS-SecureConversation
    6. WS-Trust
    7. XML Encryption
  15. D. Certificates
    1. Certificates for Browser-Based Applications
      1. On the Issuer (Browser Scenario)
        1. Certificate for TLS/SSL (Issuer, Browser Scenario)
        2. Certificate for Token Signing (Issuer, Browser Scenario)
        3. Optional Certificate for Token Encryption (Issuer, Browser Scenario)
      2. On the Web Application Server
        1. Certificate for TLS/SSL (Web Server, Browser Scenario)
        2. Token Signature Verification (Web Server, Browser Scenario)
        3. Token Signature Chain Trust Verification (Web Server, Browser Scenario)
        4. Optional Token Decryption (Web Server, Browser Scenario)
        5. Cookie Encryption/Decryption (Web Server, Browser Scenario)
    2. Certificates for Active Clients
      1. On the Issuer (Active Scenario)
        1. Certificate for Transport Security (TLS/SSL) (Issuer, Active Scenario)
        2. Certificate for Message Security (Issuer, Active Scenario)
        3. Certificate for Token Signing (Issuer, Active Scenario)
        4. Certificate for Token Encryption (Issuer, Active Scenario)
      2. On the Web Service Host
        1. Certificate for Transport Security (TLS/SSL) (Web Service Host, Active Scenario)
        2. Certificate for Message Security (Web Service Host, Active Scenario)
        3. Token Signature Verification (Web Service Host, Active Scenario)
        4. Token Decryption (Web Service Host, Active Scenario)
        5. Token Signature Chain Trust Verification (Web Service Host, Active Scenario)
      3. On the Active Client Host
        1. Certificate for Message Security (Active Client Host)
  16. Glossary
  17. Index
  18. About the Authors
  19. Copyright