Delegate authentication to an external identity provider. This pattern can simplify development, minimize the requirement for user administration, and improve the user experience of the application.
Context and problem
Users typically need to work with multiple applications provided and hosted by different organizations with which they have a business relationship. However, these users may be forced to use specific (and different) credentials for each one. This can:
- Cause a disjointed user experience. Users often forget sign-in credentials when they have many different ones.
- Expose security vulnerabilities. When a user leaves the company, the account must immediately be deprovisioned. This is easy to overlook in large organizations.
- Complicate user management. Administrators must manage credentials for all of the users, and perform additional tasks such as providing password reminders.
Users would, instead, typically expect to use the same credentials for these applications.
Solution
Implement an authentication mechanism that can use federated identity. Separating user authentication from the application code, and delegating authentication to a trusted identity provider, can considerably simplify development and allow users to authenticate using a wider range of identity providers (IdPs) while minimizing the administrative overhead. It also allows you to clearly decouple authentication from authorization.
The trusted identity providers may include corporate directories, on-premises federation services, other security token services (STSs) provided by business partners, or social identity providers that can authenticate users who have, for example, a Microsoft, Google, Yahoo!, or Facebook account.
Figure 1 illustrates the principles of the federated identity pattern when a client application needs to access a service that requires authentication. The authentication is performed by an identity provider (IdP), which works in concert with a security token service (STS). The IdP issues security tokens that assert information about the authenticated user. This information, referred to as claims, includes the user's identity, and may also include other information such as role membership and more granular access rights.
Figure 1 - An overview of federated authentication
This model is often referred to as claims-based access control. Applications and services authorize access to features and functionality based on the claims contained in the token. The service that requires authentication must trust the IdP. The client application contacts the IdP that performs the authentication. If the authentication is successful, the IdP returns a token containing the claims that identify the user to the STS (note that the IdP and STS can be the same service). The STS can transform and augment the claims in the token based on predefined rules, before returning it to the client. The client application can then pass this token to the service as proof of its identity.
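The token flow just described, as an added example written for this page (it is not code from the pattern's authors or from any Microsoft library): the IdP issues a token addressed to the STS, the STS validates it, rewrites the claims according to predefined rules and issues a new token addressed to the application, and the application trusts only the STS. Tokens are modelled as an HMAC-signed JSON payload with issuer, audience and expiry fields; the keys, issuer names, group-to-role rules and the user data are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets. Each trust relationship is modelled as a shared
# HMAC key; a real deployment uses X.509 certificates and SAML or JWT tokens.
IDP_KEY = b"idp-to-sts-demo-secret"   # shared by the IdP and the STS
STS_KEY = b"sts-to-app-demo-secret"   # shared by the STS and the application

IDP = "https://idp.example.test"      # assumed issuer names for the example
STS = "https://sts.example.test"
APP = "https://app.example.test"

# Predefined STS transformation rules (assumed): directory groups become
# application roles, and claims the application has no use for are dropped.
GROUP_TO_ROLE = {"cn=sales-managers": "SalesManager", "cn=staff": "User"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, issuer, audience, claims, now, lifetime=300):
    """Token = base64(payload).base64(HMAC-SHA256(payload)). The payload binds
    the claims to an issuer, an intended audience and an expiry time."""
    payload = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    body = json.dumps(payload, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def validate_token(key, token, expected_issuer, expected_audience, now):
    """Check signature, issuer, audience and expiry; return the claims or raise."""
    body_b64, sig_b64 = token.split(".")
    body = _unb64(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("signature does not verify against the trusted key")
    payload = json.loads(body)
    if payload["iss"] != expected_issuer:
        raise ValueError("untrusted issuer")
    if payload["aud"] != expected_audience:
        raise ValueError("token was not issued for this audience")
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload["claims"]


def sts_transform(idp_token, now):
    """The STS trusts the IdP: it validates the IdP token, applies the
    transformation rules and issues a fresh token addressed to the application."""
    claims = validate_token(IDP_KEY, idp_token, IDP, STS, now)
    roles = sorted({GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE})
    app_claims = {"sub": claims["sub"], "name": claims.get("name", ""), "roles": roles}
    return issue_token(STS_KEY, STS, APP, app_claims, now)


def application_accepts(app_token, now):
    """The application trusts only the STS; it never sees or checks IdP keys."""
    return validate_token(STS_KEY, app_token, STS, APP, now)


def demo_flow(now=1_700_000_000):
    """End to end: the IdP authenticates the user, the STS transforms the
    claims, the application consumes the result. Constructed user data."""
    idp_token = issue_token(IDP_KEY, IDP, STS, {
        "sub": "u-42", "name": "Ada", "upn": "ada@corp.test",
        "groups": ["cn=staff", "cn=sales-managers", "cn=secret-project"]}, now)
    app_token = sts_transform(idp_token, now)
    return application_accepts(app_token, now)


def direct_idp_token_is_rejected(now=1_700_000_000):
    """A token the IdP issued to the STS must not be accepted by the application,
    even though it is validly signed: wrong key, wrong issuer, wrong audience."""
    idp_token = issue_token(IDP_KEY, IDP, STS, {"sub": "u-42"}, now)
    try:
        application_accepts(idp_token, now)
    except ValueError:
        return True
    return False


def expired_token_is_rejected(now=1_700_000_000):
    """Expiry is checked against the caller's clock; a stale token is refused."""
    app_token = issue_token(STS_KEY, STS, APP, {"sub": "u-42", "roles": []}, now, lifetime=60)
    try:
        application_accepts(app_token, now + 61)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_flow())
```

The point to notice is what the application never learns: the `upn` and the `cn=secret-project` group are consumed by the STS and do not reach the application, and the application holds no IdP key at all, so the only way to obtain an application token is through the STS and its rules.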
Note:
In some scenarios there are additional STSs in the chain of trust. For example, in the Microsoft Azure scenario described later, an on-premises STS trusts another STS that is responsible for accessing an identity provider to authenticate the user. This approach is common in enterprise scenarios where there is an on-premises STS and directory.
Federated authentication provides a standards-based solution to the issue of trusting identities across diverse domains, and can support single sign-on. It is becoming more common across all types of applications, especially cloud-hosted applications, because it supports single sign-on without requiring a direct network connection to identity providers. The user does not have to enter credentials for every application. This increases security because it prevents the proliferation of credentials required to access many different applications, and it also hides the user's credentials from all but the original identity provider. Applications see just the authenticated identity information contained within the token.
Federated identity also has the major advantage that management of the identity and credentials is the responsibility of the identity provider. The application or service does not need to provide identity management features. In addition, in corporate scenarios, the corporate directory does not need to know about the user (providing it trusts the identity provider), which removes all the administrative overhead of managing the user identity within the directory.
Issues and considerations
Consider the following when designing applications that implement federated authentication:
- Authentication can be a single point of failure. If you deploy your application to multiple datacenters, consider deploying your identity management mechanism to the same datacenters in order to maintain application reliability and availability.
- Authentication mechanisms may provide facilities to configure access control based on role claims contained in the authentication token. This is often referred to as role-based access control (RBAC), and it can allow a more granular level of control over access to features and resources.
- Unlike a corporate directory, claims-based authentication using social identity providers does not usually provide information about the authenticated user other than an email address, and perhaps a name. Some social identity providers, such as a Microsoft account, provide only a unique identifier. The application will usually need to maintain some information on registered users, and be able to match this information to the identifier contained in the claims in the token. Typically this is done through a registration process when the user first accesses the application, and the information is then injected into the token as additional claims after each authentication.
- If there is more than one identity provider configured for the STS, it must detect which identity provider the user should be redirected to for authentication. This process is referred to as home realm discovery. The STS may be able to do this automatically based on an e-mail address or user name that the user provides, a subdomain of the application the user is accessing, the user's IP address scope, or the contents of a cookie stored in the user's browser. For example, if the user entered an email address in the Microsoft domain, such as user@live.com, the STS would redirect the user to the Microsoft account sign-in page. On subsequent visits, the STS could use a cookie to indicate that the last sign-in was with a Microsoft account. If automatic discovery cannot determine the home realm, the STS will display a home realm discovery (HRD) page that lists the trusted identity providers, and the user must select the one they want to use.
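The three considerations above on role claims, on the thin claims a social identity provider asserts, and on home realm discovery, worked as one added example (written for this page, not code from the pattern's authors or from any STS product). The first half implements the discovery order the text lists, with a cookie hint honoured only when it names a still-trusted provider; the second half keeps a registration store keyed by provider and unique identifier, injects the stored profile as extra claims, and makes a deny-by-default RBAC decision over the role claims. The provider names, e-mail domains, address ranges and feature table are constructed assumptions.

```python
import ipaddress

# ---- Home realm discovery ---------------------------------------------------
# Constructed trust list: the IdPs this STS trusts and the hints that map a
# user to each one. Names, domains and ranges are assumptions for the example.
TRUSTED_IDPS = {
    "microsoft-account": {"email_domains": {"live.com", "outlook.com"}, "subdomains": set(), "ip_ranges": []},
    "contoso-adfs": {"email_domains": {"contoso.test"}, "subdomains": {"contoso"}, "ip_ranges": ["10.1.0.0/16"]},
    "fabrikam-adfs": {"email_domains": {"fabrikam.test"}, "subdomains": {"fabrikam"}, "ip_ranges": ["10.2.0.0/16"]},
}


def discover_home_realm(email=None, app_host=None, client_ip=None, hrd_cookie=None):
    """Return (idp_name, how) or (None, "hrd-page") when the user must choose.
    The cookie from a previous sign-in is honoured only if it names an IdP that
    is still trusted, so a tampered cookie cannot send the user anywhere else."""
    if hrd_cookie in TRUSTED_IDPS:
        return hrd_cookie, "cookie"
    if email and "@" in email:
        domain = email.rsplit("@", 1)[1].lower()
        for name, idp in TRUSTED_IDPS.items():
            if domain in idp["email_domains"]:
                return name, "email-domain"
    if app_host:
        sub = app_host.split(".", 1)[0].lower()
        for name, idp in TRUSTED_IDPS.items():
            if sub in idp["subdomains"]:
                return name, "subdomain"
    if client_ip:
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            addr = None
        if addr is not None:
            for name, idp in TRUSTED_IDPS.items():
                if any(addr in ipaddress.ip_network(r) for r in idp["ip_ranges"]):
                    return name, "ip-scope"
    return None, "hrd-page"


def hrd_page_choices():
    """What the HRD page lists when automatic discovery fails."""
    return sorted(TRUSTED_IDPS)


# ---- Registration and role-based access control -----------------------------
# A social IdP may assert nothing but an opaque unique identifier, so the
# application keeps its own registration store keyed by (provider, identifier).
REGISTERED_USERS = {}

FEATURE_ROLES = {                      # deny by default: an unlisted feature allows nobody
    "view-report": {"Viewer", "Editor", "Admin"},
    "edit-report": {"Editor", "Admin"},
    "manage-users": {"Admin"},
}


def register_user(provider, identifier, name, roles):
    """Run once, the first time the user reaches the application."""
    REGISTERED_USERS[(provider, identifier)] = {"name": name, "roles": list(roles)}


def enrich_claims(token_claims):
    """Match the identifier in the token to the registration store and inject
    the stored profile as additional claims. Stored values win over anything
    the token carried, and unregistered users receive no roles at all."""
    key = (token_claims["provider"], token_claims["nameidentifier"])
    claims = dict(token_claims)
    profile = REGISTERED_USERS.get(key)
    if profile is None:
        claims["registration_required"] = True
        claims["roles"] = []
    else:
        claims["registration_required"] = False
        claims["name"] = profile["name"]
        claims["roles"] = list(profile["roles"])
    return claims


def is_authorized(claims, feature):
    """RBAC over the role claims: allowed if any role is permitted for the feature."""
    allowed = FEATURE_ROLES.get(feature, set())
    return any(role in allowed for role in claims.get("roles", []))
```

Discovery runs cookie first because that is the only hint a returning user supplies without typing anything; the text lists the hints without prescribing an order, so that choice is the example's own. Note that `enrich_claims` overwrites a `name` claim supplied by the provider with the registered one, so the display name the application shows is the one captured at registration rather than whatever the provider asserts on a later sign-in.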
This pattern might not be suitable in the following situations:
- All users of the application can be authenticated by one identity provider, and there is no requirement to authenticate using any other identity provider. This is typical in business applications that use only a corporate directory for authentication, and access to this directory is available in the application directly, by using a VPN, or (in a cloud-hosted scenario) through a virtual network connection between the on-premises directory and the application.
- The application was originally built using a different authentication mechanism, perhaps with custom user stores, or does not have the capability to handle the negotiation standards used by claims-based technologies. Retrofitting claims-based authentication and access control into existing applications can be complex, and may not be cost effective.
Example
An organization hosts a multi-tenant software as a service (SaaS) application in Azure. The application includes a website that tenants can use to manage the application for their own users. The application allows tenants to access the tenant's website by using a federated identity that's generated by Active Directory Federation Services (ADFS) when a user is authenticated by that organization's own Active Directory. Figure 2 shows an overview of this process.
Figure 2 - How users at a large enterprise subscriber access the application
In the scenario shown in Figure 2, tenants authenticate with their own identity provider (step 1), in this case ADFS. After successfully authenticating a tenant, ADFS issues a token. The client browser forwards this token to the SaaS application's federation provider, which trusts tokens issued by the tenant's ADFS, in order to get back a token that's valid for the SaaS federation provider (step 2). If necessary, the SaaS federation provider performs a transformation on the claims in the token into claims that the application recognizes (step 3) before returning the new token to the client browser. The application trusts tokens issued by the SaaS federation provider and uses the claims in the token to apply authorization rules (step 4).
Tenants won't need to remember separate credentials to access the application, and an administrator at the tenant's company will be able to configure in its own ADFS the list of users that can access the application.
Related patterns and guidance
At this time, there are no related patterns and guidance.
More information
For more information on the federated authentication technologies you can use in Azure applications, see the following:
- Microsoft Azure Active Directory on the Azure website.
- Active Directory Domain Services on MSDN.
- Active Directory Federation Services on MSDN.
- Windows Identity Foundation on MSDN.
- Developing multi-tenant Web applications with Microsoft Azure AD on MSDN.
For comprehensive information about claims-based identity and federated authentication, see:
- Federated Identity: Scenarios, Architecture, and Implementation on MSDN.
- Federated Identity Patterns in a service-oriented world in the Architecture Journal.
Federated Identity Pattern