While listening to the latest .NET Rocks podcast I came upon a topic which sounded like something I should know but with which I had very little familiarity: claims-based security/authorization. What I found was a security model that addresses many security-related issues that have affected me as a developer. Perhaps I’ll have a chance to use the Windows Identity Foundation in my next big project?
Here’s some links and snippets from articles that brought me up to speed.
Microsoft announced at WPC the new name for Microsoft codename “Geneva”. “Geneva” provides companies with simplified user access and single sign-on, for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web to facilitate collaboration, increase security and reduce cost. Beta 2 of the following components are now available for public evaluation:
- “Geneva” Framework will become Windows Identity Foundation and provides developers pre-built .NET security logic for building claims-aware applications, enhancing either ASP.NET or WCF applications
- “Geneva” Server will become Active Directory Federation Services and is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access
- Windows CardSpace “Geneva” will become Windows Cardspace for helping users navigate access decisions and for developers to build customer authentication experiences for users
Microsoft Identity Management Developer Home
From an older article regarding WCF and a claims-based security model…
Traditional security models for intranet and Internet applications use some form of username and password to authenticate users. Client-server applications deployed to a common domain often rely on Windows credentials (NTLM or Kerberos), while services exposed to the Internet often require a username and password to be passed in an interoperable format (WS-Security) to be authenticated against a custom credential store. These scenarios are frequently accompanied by role-based security checks that authorize access to functionality. Although popular, role-based security is often too coarse an approach since custom roles are often necessary to represent different combinations of permissions or rights. Thus, applications are usually better off authorizing calls based on permissions granted, using roles to gather the appropriate permission set. This type of permission-based security model will provide a more fine-grained result over role-based security.
…
WCF introduces a claims-based approach to security at service boundaries, improving on role-based and permission-based security models. Claims can represent many different types of information including identity, roles, permissions or rights and even general information about the caller that may be useful to the application. A set of claims is also vouched for by an issuer such as a security token service, adding credibility to the information described by each claim – something not present in role-based or permission-based models. An additional benefit of using a claims-based security model is that it supports federated and single sign-on scenarios.
Claims
Credentials are passed in the security headers of a message as security tokens. Each security token in a message is mapped to a set of claims that are added to the security context for the request. A claim describes an individual right or action applicable to a particular resource. For example, an identity claim might describe a username, while a proof of possession claim might describe a role, a right to a particular resource, or some other useful information.
Claims are represented at runtime as a Claim type, from the System.IdentityModel.Claims namespace, with the following key properties:
- ClaimType: Can be any Uri value identifying the type of claim. A basic set of claims used by WCF can be found in the ClaimTypes static class, but this can be customized.
- Resource: Can be any type, but should contain the resource being referred to by the claim. For an e-mail possession claim, this would contain an e-mail address as a string.
- Right: Can be a Uri identifying an identity claim, or a possession claim. The Rights static class contains the correct Uri to use.
(Note that these articles are somewhat out-of-date given recent developments in this space such as the WIF.)
http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel
http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel2
Channel9 video discussing current state of affairs of the Microsoft Federation Gateway (MFG), WIF, and Identity at Microsoft in general…
http://msdn.microsoft.com/en-us/library/cc287610.aspx
Microsoft looks to be supporting/integrating claims-based in a variety of ways, including the Claims-Driven Modifier Control (CDMC) that is an ASP.NET server control gives an easy UI for wiring up claims to object properties, such as text or visibility.
http://code.msdn.microsoft.com/ClaimsDrivenControl
Not exactly light reading, Microsoft has a white paper available regarding claims and identity…
Today’s identity-management practices are often a patchwork of partial solutions, which somehow accommodate but never really integrate applications and entities separated by technology and organizational boundaries. The rise of Software as a Service (SaaS) and cloud computing, however, will force organizations to cross such boundaries so often that ad hoc solutions will simply be untenable. A new approach that tears down identity silos and supports a de-perimiterized IT by design is in order.
http://msdn.microsoft.com/en-us/library/cc836390.aspx
If the last link was too heavy this looks a little lighter and more directly applied…
Authorization is the process of determining which entities have permission to change, view, or otherwise access a computer resource. For example, in a business, only managers may be allowed to access the files of their employees. Windows Communication Foundation (WCF) supports two mechanisms for performing authorization processing. The first mechanism enables you to control authorization using existing common language runtime (CLR) constructs. The second is a claims-based model known as the Identity Model. WCF uses the Identity Model to create claims from incoming messages; Identity Model classes can be extended to support new claim types for custom authorization schemes. This topic presents an overview of the major programming concepts of the Identity Model feature, as well as a listing of the most important classes the feature uses.
http://msdn.microsoft.com/en-us/library/ms729851%28VS.100%29.aspx
This post on Stack Overflow I think identifies why we should care about this topic, though sadly it doesn’t do much to elaborate on the possible solutions to the issue(s) described. (Aside from “do it gooder!”)
The problem comes in because, as with many systems, different users need access to different functions. Some roles have access to Y button, and others have access to Y and B button, while another still only has access to B. Most of the time that I see this, developers just put in a mish-mosh of if statements to deal with the UI state. My fear is that left unchecked, this will become an unmaintainable mess, because in addition to putting authorization logic in the GUI, it needs to be put in the web services (which are called via ajax) to ensure that only authorized users call certain methods.
so my question to you is, how can a system be designed to decrease the random ad-hoc if statements here and there that check for specific roles, which could be re-used in both GUI/webform code, and web service code.
http://stackoverflow.com/questions/203468/scalable-reusable-authorization-model
Another post identifies some advantages of claims-based security…
Claims-based security has the following advantages over role-based and access control lists (ACLs):
- Single programming model, no matter the authentication scheme used
- Claims flow across services in a SOA environment easier and in a more standards-compliant way
- More flexible (you may see that a role is really just another type of claim)
- No need to reauthenticate when crossing process boundaries
Hopefully this post contains or references enough information to start to have an intelligent discussion about a claims-based security model.
Read Full Post »
Devmanic - Software Development Mania 