Posts Tagged ‘STS’

Federated access control through Windows Identity Framework (WIF) Part 1

October 12, 2010 Leave a comment

In this post, I will introduce the concept of the federated access control to different resources using the Windows Identity Framework (Geneva framework) delivered by Microsoft. The purpose of this first part is to introduce the concept of the federated authentication.

First of all, let’s imagine the following scenario: You are usually using X.509 certificates technology to access to the resources of your enterprise but in an other enterprise, where you are obliged to spend some days, you won’t be able to use the same resources since they use an other technology like Kerberos for example.

Assuming that you are not obliged to implement the Kerberos technology, so how will you be capable of consuming the services of the new enterprise?

The federation principle is aiming to resolve that problem by federating existing protocols and even future ones.

Secondly, the claims based authentication is a new concept where different credentials used for authentication are considered as claims contained into a serialized structure named token.

The federation principle is based on the concept of the CBA (Claims Based Authentication) through three roles as illustrated in the following image :


  1. The user is the entity aiming to consume a service through a passive browser or a thin client.
  2. The identity provider (IP) which is implementing a special service to deliver tokens according to Relying Party policies to the User after authentication. This special service is implementing WS-Trust endpoints and is named Security Token Service (STS).
  3. The application which delivers services to User.

So for our first scenario, the User consults the policy of the application and knows that is requiring a Kerberos ticket. The User generates a Request Security Token to the IP. The IP after authenticating the user (by Certificates) delivers to him a signed token containing the requested kerberos ticket. The user sends finally the generated token to the application which can verify the identity of the IP thanks to its signature.

Finally, the application can rely on a local rules engine or an external process to manage the authorization of the user.

Categories: Security Tags: , , ,