Intro to windows identity foundation

Post on 02-Jun-2015


Introduction to: Windows Identity Foundation

Claudio Sanchez | LinkedIn.com/in/ClaudioASanchez | @ClaudioASanchez

Single Sign On Evolved

Realtime feedback

@ClaudioASanchez

#CMAPCCWIF

#CMAPCC

Agenda

• Application Security

• Federated Identity

• What problem are we trying to solve?

• Case study

• Current state of affairs

• Identity in Real Life

• Terminology

• The Federated Auth dance

• Code demo

• Q&A

Application Security

• Not sexy

• Requires specialized knowledge

• Oftentimes depends on the environment

• You never hear about it, unless it fails

Federated Identity

• Organization for the Advancement of Structured Information Standards (OASIS): WS-Federation, WS-Trust, SAML

• OpenID, OAuth, Facebook Connect

The Face of WIF

(Expert) Vittorio Bertocci | Microsoft | Vibro.NET

(Not an Expert) NOT Vittorio

LOL

What problem are we solving?

How many accounts/passwords do you currently have?

“Various Gartner studies have estimated that 25% to 35% of calls made to help desks are related to password resets”

“Analysts estimate costs at approximately $25 to $40 per call, with four password reset calls per user per year”

Case Study | Health Care

• Clinicians use an average of 6.4 passwords per day

• An SSO solution can save an average of 9.51 minutes per day per clinician

• $2,675 per year, per clinician [1]

[1] Based on a $135K/year salary and 250 working days. Source: The Gartner Group, 2002 & The Ponemon Institute, 2010

• 700 full-time equivalent clinicians can save more than $1.88 million per year with an SSO solution in place.

• 1,051 patient beds

• More than 1,710 full-time attending physicians

$2,675 lost productivity per clinician * 1,710 physicians = $4,574,250

Our apps are prisoners

Login.aspx / Page1.aspx

Credential Types / APIs

Credential Stores

User Attribute Stores

Each app is an island

Identity in Real Life

(Diagram)

Externalizes Authentication

Gets user info from the document

Terminology

Claim: Anything that can be said about a user. Name, email, age, role, gender, sports team affiliation, etc.

Security Token: Serialized collection of claims, crypto-signed by the issuer.

Identity Provider (IdP): The issuer responsible for authenticating the user.

Relying Party (RP): An application configured to trust an IdP for authentication (your application).

Claims Can Set Your Application Free

(Diagram) Identity Provider (STS) -> Security Token -> Claims -> Relying Party

Windows Azure ACS

Multiple apps

“One token to rule them all”
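The token flow from the Terminology slides and the diagram above, as an added Python example that is not part of the original presentation or of WIF itself: the identity provider (STS) authenticates the user and issues a signed, serialized collection of claims; the relying party validates the signature against a trusted issuer's key, then checks audience and expiry, and only then trusts the claims. The issuer URLs, the relying-party audience, the claim values and the signing key are constructed for this illustration, and HMAC-SHA256 with a key shared between IdP and RP stands in for the X.509 signature a real STS would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical values for this illustration only.
# A real STS signs tokens with an asymmetric key (X.509 certificate);
# HMAC-SHA256 with a key shared between IdP and RP stands in for that here.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
TRUSTED_ISSUER = "https://idp.example.test/sts"   # hypothetical IdP / STS
RP_AUDIENCE = "https://app.example.test/"          # hypothetical relying party


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes, key: bytes) -> str:
    """Issuer signature over the serialized claims (HMAC stands in for X.509)."""
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_token(issuer, audience, claims, key, lifetime=300, now=None):
    """IdP/STS side: after authenticating the user, serialize the claims
    together with issuer, audience and expiry, and sign the whole thing.
    The relying party never sees a password, only this token."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    return _b64(payload) + "." + sign(payload, key)


def validate_token(token, trusted_issuers, audience, now=None):
    """Relying party side. Returns the claims if the token is acceptable,
    otherwise None. Order matters: the issuer named in the token only
    selects which trusted key to try; nothing in the body is trusted
    until the signature has been verified with that key."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".")
        body = json.loads(_unb64(encoded))
    except (ValueError, UnicodeDecodeError):
        return None
    key = trusted_issuers.get(body.get("iss"))
    if key is None:                       # issuer is not one the RP trusts
        return None
    if not hmac.compare_digest(sign(_unb64(encoded), key), sig):
        return None                       # tampered or forged token
    if body.get("aud") != audience:       # token was issued for another app
        return None
    if body.get("exp", 0) <= now:         # token has expired
        return None
    return body["claims"]


def demo():
    """Runs the happy path and four failure modes; returns the outcomes."""
    claims = {"name": "Alice Example", "email": "alice@example.test", "role": "Clinician"}
    trusted = {TRUSTED_ISSUER: IDP_SIGNING_KEY}
    t0 = 1_700_000_000  # constructed issue time

    good = issue_token(TRUSTED_ISSUER, RP_AUDIENCE, claims, IDP_SIGNING_KEY, now=t0)

    # Tampering: rewrite a claim in the body but keep the original signature.
    encoded, sig = good.split(".")
    body = json.loads(_unb64(encoded))
    body["claims"]["role"] = "Administrator"
    tampered = _b64(json.dumps(body, sort_keys=True).encode()) + "." + sig

    # A token from an issuer the RP has not been configured to trust.
    rogue = issue_token("https://rogue.example.test/sts", RP_AUDIENCE, claims, b"rogue-key", now=t0)
    # A genuine token, but issued to a different relying party.
    other_app = issue_token(TRUSTED_ISSUER, "https://other.example.test/", claims, IDP_SIGNING_KEY, now=t0)

    return {
        "valid": validate_token(good, trusted, RP_AUDIENCE, now=t0 + 10),
        "tampered": validate_token(tampered, trusted, RP_AUDIENCE, now=t0 + 10),
        "untrusted_issuer": validate_token(rogue, trusted, RP_AUDIENCE, now=t0 + 10),
        "wrong_audience": validate_token(other_app, trusted, RP_AUDIENCE, now=t0 + 10),
        "expired": validate_token(good, trusted, RP_AUDIENCE, now=t0 + 600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The relying party's configuration is just the `trusted_issuers` map and its own audience value; every application that trusts the same IdP can accept the same kind of token, which is the "one token to rule them all" point of the diagram. Audience and expiry checks are what keep a token issued for one application from being replayed against another.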

Code

Q & A

One last thing

LinkedIn.com/in/ClaudioASanchez

@ClaudioASanchez

http://ClaudioASanchez.blogspot.com