Identity and Access Control in ASP.NET 4.5

Implementing claims-based identity, federation, authentication & authorization in ASP.NET 4.5
Course info
Rating: (475)
Level: Intermediate
Updated: Nov 9, 2012
Duration: 3h 20m
Table of contents
Overview
The ASP.NET Security Pipeline
Windows Authentication
Forms Authentication
Claims Transformation and Session Management
Authorization
External Authentication using WS-Federation (Part 1)
External Authentication using WS-Federation (Part 2)
Federation Patterns
Description

If you need to implement authentication and authorization in an ASP.NET application, this course is for you. Authentication mechanisms are explored in detail, including Windows, Forms, and federated authentication. This course also examines how to work with .NET 4.5's claims-based identity and authorization, as well as patterns such as single sign-on/out, federation and home realm discovery.

About the author

Dominick works as an associate consultant for the Germany-based company thinktecture. His main area of focus is security in general and identity & access control in particular.

More from the author
Web API v2 Security (Intermediate, 6h 12m, Apr 12, 2014)
Identity and Access Control in WCF 4.5 (Intermediate, 3h 12m, Dec 14, 2012)
Section Introduction Transcripts

The ASP.NET Security Pipeline
In the first module, we'll have a look at the ASP.NET security pipeline. This is important because all or most of the security services in ASP.NET are based on that concept of the pipeline, and it's very beneficial to understand how that works and how these things play together.

Windows Authentication
Dominick Baier: We'll now have a look at Windows Authentication in ASP.NET. So we'll first have a look at why you would want to do Windows Authentication. We'll look at the configuration steps which are necessary for that, how this all works with respect to the ASP.NET pipeline, and we'll look at the claims that you will actually get when you are choosing Windows Authentication. And in the last step I want to show you a very nice feature of Windows Authentication that gets enabled by using Windows Server 2012 and the new claims-over-Kerberos features in that server product and in the corresponding domain mode.

Forms Authentication
In this module we're going to have a look at the built-in Forms Authentication mechanism in ASP.NET and how it behaves relative to the claims-based identity infrastructure. So we'll have a look at why you actually want to use Forms Authentication, what the benefits and scenarios are, and the configuration that you have to do. Then again, I will show you briefly how that is implemented by means of the ASP.NET pipeline. Then we'll have a look at what claims you actually get when using Forms Authentication, and I'm briefly going to show you how the built-in membership and role manager features relate to that.

Claims Transformation and Session Management
In this module, we talk about a new identity pipeline and features that got added in .NET 4.5, namely the Claims Transformation and Session Management features. So, I want to show you the claims transformation and validation features in .NET 4.5, which is a more general mechanism for how you can couple extra data with your user. We talked about that before: for example, in Windows authentication, you might not really care about which Windows groups that user is a member of; you typically care more about domain-specific data in your application. And also in forms authentication, I showed you that there is some limited support to add roles to a user. Now, claims transformation in .NET 4.5 is a more general mechanism for how you can associate arbitrary data with that user. After that, we're going to look at the new session feature in 4.5, and don't confuse that with ASP.NET sessions; it's about authentication sessions, and it's basically a general-purpose mechanism for how you can persist identity data across roundtrips, and this mechanism can replace the forms authentication cookie and can replace the RoleManager cookie that we've seen earlier. And, in the last part, I want to show you some advanced topics when dealing with this new session feature.

External Authentication using WS-Federation (Part 1)
In this module, we're going to talk about the big new feature in .NET 4.5 called WS-Federation Support. What this allows you to do is separate your application from the actual authentication logic. So far we've always been doing authentication inside our application, like in forms authentication for example, but with WS-Federation it's now possible to separate authentication logic and application into two distinct parts. So we're going to look at the motivation and the scenarios for why you actually want to do that. We're going to look at how the protocol actually works and what you need to do for configuration. We'll talk about this concept of security token services and some advanced topics, and because it is quite a lot of material, I've split that up into two modules. So here we'll talk about the basics, and in the next module we're going to talk about the customizations and the advanced topics you will run into.

External Authentication using WS-Federation (Part 2)
In this second module about WS-Federation we want to have a more detailed look at how things actually work under the covers. So we'll have a look at the configuration, at what this wizard we've seen in the last module actually produces, and at what kind of knobs you can turn there. We'll have a look at Federation Metadata, which is actually what drives that wizard so it can automatically generate that configuration for you; it's useful to understand how that works. Then we'll have a look at how you can create sign-in links manually. So maybe you want to have something like a soft login, for example, and not just use a blanket authorization setting in your configuration, but rather take control over that process, more the way your application would like it to be. We'll have a look at signing out. We'll have a look at what to do if you want to construct those redirection URLs dynamically when you're going to the token service, and we're going to look, again, at sliding expiration and server-side caching.

Federation Patterns
So now that we know the mechanics of WS-Federation, I want to show you some patterns that you typically want to implement that sit on top of this raw protocol flow. So we've seen how we can separate authentication from the application. The next thing that people typically want is Single Sign-On, meaning, now that we share this token service, this identity provider, can users be allowed to sign in once, maybe per day, for example, and then use all the other applications that share the same token service in a Single Sign-On fashion. What goes hand in hand with that, but is often forgotten, is that you also want to sign out at some point. And we've seen in the previous module that signing out of the local application might not always be exactly what you want. So there is also a protocol flow called Single Sign-Out, and I'll show you how that works. And in the last part I want to show you some challenges that you face when you want to federate with an external party. So, let's say you have a business partner who wants to get access to your application, and they also have a token service, and you can make that happen without changing your application at all, just by configuring the token service in a way that it allows these external logins. This is very useful, but you will also run into a problem here which is called Home Realm Discovery, and I'll show you exactly what that is and how you handle that.