Claims authentication details (1)


Often an application needs to call into several other systems. For example, after an employee logs on to a portal, they also need to reach the invoicing and CRM systems. Without special handling, the user has to enter a user name and password several times. Readers who have used SharePoint may know that it offers a single sign-on interface for this problem. Single sign-on is not perfect, however: one weakness is that it stores the user name and password in plain text, so a programmer can easily obtain a user's credentials. For password-related software that is a fatal defect.

So people began to rethink how to authenticate more reliably and practically, and claims authentication entered the stage. In fact, claims authentication has been around for about ten years, but it never caught on. This time the old tree is putting out new shoots, and claims authentication is enjoying a second spring.

Claims authentication is hard to explain, and I cannot even find a proper Chinese word to translate it, so I have to explain it with a metaphor.

Before the social security card was introduced, going to the hospital meant first taking your ID card to get a visit card. After the clerk at the card counter verifies your ID card, your personal information is written into the card. When you reach the doctor's office, the doctor scans your visit card and gets all of your information. The visit card is the equivalent of a token in claims authentication, and each piece of information in the card is a claim.

The visit card has two characteristics: (1) it contains information that has already been verified, so after reading it the doctor does not need to check your ID card again; (2) the doctor needs to verify the issuer, which is what reading the magnetic stripe does. Once the doctor confirms that the visit card was issued by the card counter, the information in the card can be trusted.

These two features are what distinguish claims authentication from other authentication methods.

To restate the mapping: the visit card corresponds to the token in claims authentication, each piece of information in the visit card corresponds to a claim, and the card counter is the token issuer.

A token contains the user name, the user's email, the user's manager's email, and other information. With claims authentication it is hard to extend this set of attributes. Just as the information on your hospital visit card is determined by the hospital's software, adding a new attribute means changing the hospital's software, which rarely happens. So use the attributes that the current token already contains wherever possible, unless you happen to be the health minister or the hospital director :(

Claims authentication has a very important role, the issuer. In the example above, the hospital is the issuer of the claims token. If we want to use claims authentication in our own applications, the following elements are essential.


Let's analyze what we need to do. The application is our own program, in which we want to parse the claims token and obtain the information it contains. That part is easy, because the .NET Framework provides standard methods for it. The other part is the issuer, which verifies the user, packages the user's information into a security token, and sends it to our application; that would be complicated to build ourselves. Fortunately, Microsoft provides a standard issuer component: ADFS.

ADFS ships with Windows Server 2008 R2 Enterprise Edition; its full name is Active Directory Federation Services (ADFS) 2.0. ADFS supports several user authentication methods, such as Kerberos and forms authentication, and it can also run SQL statements to pull user information from a custom SQL data source.

One advantage of claims authentication is that if many users share the same permissions, you only need to generate claims tokens based on their roles rather than one token per user, which greatly reduces the number of distinct tokens the application has to process.

Detailed implementation steps of claims authentication:

1. Add the logic to your application to support claims.

This means verifying the token that came from the issuer and parsing it to obtain the claims. Windows Identity Foundation (WIF) provides standard APIs that work in both WCF and ASP.NET programs. Using WIF is simple: reference Microsoft.IdentityModel.dll in your program and call members such as IsInRole, Identity.Name, Identity.Claims, and so on.

2. Build an issuer.
You can use ADFS; see the ADFS documentation for the configuration steps. You can also build an issuer with WIF itself, but that is considerably more complicated.

3. Configure your application to trust your issuer.
This trust relationship must be established, just as the doctor must trust the clerk who issues the visit card.
The key here is a concept called federation metadata, an XML document that the issuer provides to your application. It contains the issuer's certificate, the list of claims the issuer will supply to the application, the URL the application uses to obtain tokens, and other technical details. You can think of it as the magnetic stripe on the visit card.
WIF provides a standard wizard that automatically generates the authentication settings for your application from the metadata in this XML document. You only need to supply the issuer's URL; WIF downloads the metadata and configures your application.

4. Configure the issuer so that it knows about your application.

The issuer needs the following information about the application:

    • The application URL.
    • Which of the claims attributes are mandatory and which are optional.
    • Whether the generated token should be encrypted, and which key to encrypt it with.
    • The URL the application exposes to receive tokens.

The WIF tool FedUtil.exe can generate this metadata document, so you do not need to write it by hand.
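As an added example (not code from the original post), here is the application side of steps 1 and 3 in code: a constructed token's claims are checked against the trusted issuer, the "magnetic stripe" check, before the application reads the name, email and roles with the same members the post names (Identity.Name, IsInRole, Claims). It uses the System.Security.Claims types that WIF was folded into with .NET 4.5; the WIF 1.0 Microsoft.IdentityModel types read the same way. The issuer URL, claim values and the manager-email claim type are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example, not from the original post.
static class ClaimsDemo
{
    // Assumed issuer name. In a real deployment the trusted issuer comes from the
    // federation metadata / trusted issuer list, not from a string literal.
    const string TrustedIssuer = "http://adfs.example.test/adfs/services/trust";
    const string ManagerEmailClaim = "http://example.test/claims/manageremail"; // assumed custom claim type

    // Constructed token contents: what the issuer writes onto the "visit card".
    static ClaimsPrincipal BuildSamplePrincipal(string issuer)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name,  "alice",              ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Email, "alice@example.test", ClaimValueTypes.String, issuer),
            new Claim(ManagerEmailClaim, "bob@example.test",  ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Role,  "Invoicing",          ClaimValueTypes.String, issuer),
        };
        // A non-empty authentication type marks the identity as authenticated.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    // Step 3: read the magnetic stripe first. Every claim must have been asserted by
    // the issuer we trust; otherwise nothing on the card may be used.
    static bool AllClaimsFromTrustedIssuer(ClaimsPrincipal principal)
    {
        return principal.Claims.Any() &&
               principal.Claims.All(c => string.Equals(c.Issuer, TrustedIssuer, StringComparison.Ordinal));
    }

    static void Main()
    {
        foreach (var issuer in new[] { TrustedIssuer, "http://rogue.example.test/" })
        {
            var principal = BuildSamplePrincipal(issuer);
            if (!AllClaimsFromTrustedIssuer(principal))
            {
                Console.WriteLine("Rejected token: claims issued by untrusted issuer " + issuer);
                continue;
            }
            // Step 1: the same calls the post lists.
            Console.WriteLine("User:    " + principal.Identity.Name);
            Console.WriteLine("Email:   " + principal.FindFirst(ClaimTypes.Email)?.Value);
            Console.WriteLine("Manager: " + principal.FindFirst(ManagerEmailClaim)?.Value);
            Console.WriteLine("Invoicing role: " + principal.IsInRole("Invoicing"));
        }
    }
}
```

In a deployed application the token's signature is verified by WIF's token handlers against the issuer certificate from the federation metadata before the claims reach this code; the issuer check here is the application-level complement, not a replacement for that signature check.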

Copyright notice: This article was originally published on Blog Park by the author ("It's too cold tonight").
The copyright of this article is shared by the author and Blog Park. You are welcome to repost it, but without the author's consent you must keep this statement and display a clearly visible link to the original article on the page; otherwise the repost is deemed infringement.
