Recently in Security Category

PingFederate's OnBehalfOf does not Work with WIF

As I wrote about yesterday, you can use WIF to get a token from PingFederate's STS by tweaking a few binding-related knobs.  Today, I tried to use WIF to get an OnBehalfOf (OBO) token from Ping Identity's federation server.  The results weren't as positive though.

Before I dive into what went wrong, it might be helpful to explain what OBO is typically used for and why it's important.  An STS (especially an IP-STS) is a core service that is as critical to your organization's ability to conduct business as DNS, DHCP, and your enterprise directory.  Just like any of these, if your STS is compromised, your business will stop.  For this reason, it is critically important to ensure that it is protected.  One way to do this is to hide it behind a firewall and proxy it out to the Internet using an intermediary.  The resulting network topology looks something like this:

[Figure: typical STS network topology (typical-sts-network-topology.gif)]

In this type of deployment, the proxy STS lives in the DMZ and external clients hit the proxy, not the actual STS; the STS (and its private signing key) stays safely tucked away in your corporate haven.

When a request for a security token arrives at the proxy and is forwarded to the STS, what's sent is an OBO message.  In other words, the proxy is requesting a security token on behalf of the subject.  This allows the STS to decide whether it should issue a token for the subject by way of the intermediary.  This manifests itself as a SOAP message that has a security token for the proxy in the header and another that is embedded in the OBO element of the RST (which is in the body).  For example, an OBO request would look something like this:

<s:Envelope ...>
  <s:Header>
    ...
    <o:Security ...>
      <!-- These are the credentials of the proxy -->
      <o:UsernameToken ...>
        <o:Username>proxy</o:Username>
        <o:Password>*****</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken ...>
      ...
      <t:OnBehalfOf>
        <!-- These are the credentials of the subject -->
        <UsernameToken ...>
          <Username>subject</Username>
          <Password>*****</Password>
        </UsernameToken>
      </t:OnBehalfOf>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>


With that groundwork in place, let's look at why PingFederate will not work with WIF.

Starting where I left off yesterday, I added a new method to my driver that would get an OBO token from PingFederate:

private static RequestSecurityTokenResponse RequestOnBehalfOfToken()
{
    // appliesTo, subjectUserName and subjectPassword are constants in the
    // driver, just like userName/password in yesterday's program.
    var factory = GetChannelFactory();
    var rst = new RequestSecurityToken(WSTrustFeb2005Constants
        .RequestTypes.Issue)
    {
        AppliesTo = new EndpointAddress(appliesTo),
        // The subject's credentials ride inside the OnBehalfOf element of
        // the RST body; the proxy's credentials go in the SOAP header.
        OnBehalfOf = new SecurityTokenElement(new UserNameSecurityToken(
            subjectUserName, subjectPassword)),
    };
    RequestSecurityTokenResponse rstr;
    var channel = factory.CreateChannel();

    channel.Issue(rst, out rstr);

    return rstr;
}


Note how the RST includes an OBO element that has a security token identifying the subject.  That is different from the credentials of the proxy/requester that are set when the channel factory is created:

private static WSTrustChannelFactory GetChannelFactory()
{
    // See yesterday's post for a more complete code sample.
    var factory = new WSTrustChannelFactory(binding, endpoint);

    // These credentials become the UsernameToken in the SOAP header,
    // i.e., they identify the proxy/requester, not the subject.
    factory.Credentials.UserName.UserName = proxyUserName;
    factory.Credentials.UserName.Password = proxyPassword;

    return factory;
}


When I ran this code, PingFederate returned a fault and printed this in its logs:

2010-03-17 12:05:21,481 tid:066b8dea8 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] Handle Exception (http://schemas.xmlsoap.org/soap/envelope/).
org.sourceid.wstrust.handlers.WSTrustException: STS requests with more than one token are unsupported.
                at org.sourceid.wstrust.handlers.WSTrustBaseRequestHandler.ensureOneToken(WSTrustBaseRequestHandler.java:187)

As the message says, PingFederate allows only one token in an RST.  If an OBO element is included in the RST, it requires one of two things to be true:

  1. There must be no additional security tokens in the SOAP header, and the security token of the subject must be embedded directly in the OBO element of the RST; or
  2. The OBO element must contain a SecurityTokenReference element that points to the security token of the subject in the SOAP header.

Option one is not possible because WIF will throw an exception if a client credential is not supplied when calling Issue on a WSTrustChannelFactory object.  WIF does not support the SecurityTokenReference element, so option two is out as well. This means that to use WIF to implement the requester, we have to skip OBO entirely, put the subject's identity in the SOAP header, and authenticate the requester to the STS using transport-level security (e.g., using mutually authenticated SSL).
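To make that workaround concrete, here is an added example (not code from the original post or from Ping Identity) of a requester written against the same WIF/WCF APIs: the subject's credentials go in the SOAP header as the UsernameToken, the proxy authenticates itself with a client certificate during the SSL handshake, and the RST carries no OBO element. The certificate thumbprint is a placeholder, and it assumes the PingFederate STS endpoint has been configured to require and accept a client certificate.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;
using Microsoft.IdentityModel.Protocols.WSTrust;

// Hypothetical requester: subject identity in the SOAP header, proxy
// identity proven at the TLS layer, so the RST contains a single token.
static class ProxyRequester
{
    // Assumed values; replace the thumbprint with the proxy's own cert.
    private const string stsAddress = "https://computer:9031/idp/sts.wst";
    private const string appliesTo = "http://www.valid.com";
    private const string proxyCertThumbprint = "<thumbprint of the proxy's client certificate>";

    private static Binding GetMutualTlsBinding()
    {
        // Same shape as the binding from the earlier post, except that the
        // HTTPS transport now requires a client certificate from us.
        var binding = new CustomBinding();
        binding.Elements.AddRange(new BindingElement[]
        {
            SecurityBindingElement.CreateUserNameOverTransportBindingElement(),
            new TextMessageEncodingBindingElement(
                MessageVersion.Soap11WSAddressingAugust2004, Encoding.UTF8),
            new HttpsTransportBindingElement { RequireClientCertificate = true },
        });
        return binding;
    }

    public static RequestSecurityTokenResponse RequestTokenForSubject(
        string subjectUserName, string subjectPassword)
    {
        var factory = new WSTrustChannelFactory(
            GetMutualTlsBinding(), new EndpointAddress(stsAddress))
        {
            TrustVersion = TrustVersion.WSTrustFeb2005
        };

        // Subject credentials: become the UsernameToken in the SOAP header.
        factory.Credentials.UserName.UserName = subjectUserName;
        factory.Credentials.UserName.Password = subjectPassword;

        // Proxy credentials: presented to the STS during the TLS handshake.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, proxyCertThumbprint);

        // No OnBehalfOf here, so PingFederate sees exactly one token.
        var rst = new RequestSecurityToken(WSTrustFeb2005Constants.RequestTypes.Issue)
        {
            AppliesTo = new EndpointAddress(appliesTo)
        };
        RequestSecurityTokenResponse rstr;
        factory.CreateChannel().Issue(rst, out rstr);
        return rstr;
    }
}
```

Because the STS no longer sees an OBO element, it can only tell proxy from subject by the client certificate, so the certificate must be issued to the proxy alone and the endpoint must actually require it.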

Getting a Token from PingFederate using WIF

If you want to get a security token from the STS that is included in Ping Identity's flagship product, PingFederate, using a client coded in Windows Identity Foundation (WIF), you'll have to tweak a few knobs.  It isn't hard, but it does require that you know which dials to turn and how.  This can be quite time consuming if you have to (re)learn a bunch about WCF bindings.

To figure all this out, I started by setting up PingFederate using the guide (included with the product).  Then, I installed the .NET-based WS-Trust client sample.  This sample is a WSE-3-based console application that sends an RST, parses the RSTR, and prints the security token included in that message.  Once I had that working, I was able to use a proxy to grab the messages sent between it and PingFederate.  I used these as my baseline.

Creating a similar console app in WIF is easy thanks to the WSTrustChannelFactory (which is the replacement for WSTrustClient from the betas).  The trick was the binding and getting the protocol versions to match what was used in the WSE app.  Here's the entire console app in hopes that it helps:

using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

namespace ConsoleApplication1
{
    class Program
    {
        private const string userName = "john";
        private const string password = "Password1";
        private const string appliesTo = "http://www.valid.com";
        private const string stsAddress = "https://computer:9031/idp/sts.wst";

        static void Main()
        {
            IgnoreCertificateValidation();

            var rstr = RequestSecurityToken();

            PrintRequestSecurityTokenResponse(rstr);

            Console.ReadLine();
        }

        private static void IgnoreCertificateValidation()
        {
            // Accept any server certificate; only appropriate for a test
            // setup where PingFederate uses a self-signed certificate.
            ServicePointManager.ServerCertificateValidationCallback = (sender,
                cert, chain, errors) => true;
        }

        private static void PrintRequestSecurityTokenResponse(
            RequestSecurityTokenResponse rstr)
        {
            Console.WriteLine("Security token issued by PingFederate:");
            Console.WriteLine(rstr.RequestedSecurityToken.SecurityTokenXml
                .InnerXml);
        }

        private static RequestSecurityTokenResponse RequestSecurityToken()
        {
            var factory = GetChannelFactory();
            var rst = new RequestSecurityToken(WSTrustFeb2005Constants
                .RequestTypes.Issue)
            {
                AppliesTo = new EndpointAddress(appliesTo)
            };
            RequestSecurityTokenResponse rstr;
            var channel = factory.CreateChannel() as WSTrustChannel;
            // Issue returns the parsed token; the raw RSTR comes back through
            // the out parameter and is what gets printed.
            var token = channel.Issue(rst, out rstr);

            return rstr;
        }

        private static WSTrustChannelFactory GetChannelFactory()
        {
            var binding = GetBinding();
            var endpoint = new EndpointAddress(stsAddress);
            // First knob: match the WS-Trust version used by the WSE sample.
            var factory = new WSTrustChannelFactory(binding, endpoint)
            {
                TrustVersion = TrustVersion.WSTrustFeb2005
            };

            factory.Credentials.UserName.UserName = userName;
            factory.Credentials.UserName.Password = password;

            return factory;
        }

        private static Binding GetBinding()
        {
            // Second knob: a custom binding that sends a UsernameToken over
            // HTTPS using SOAP 1.1 with WS-Addressing August 2004.
            var binding = new CustomBinding();

            binding.Elements.AddRange(new BindingElement[]
            {
                SecurityBindingElement
                    .CreateUserNameOverTransportBindingElement(),
                new TextMessageEncodingBindingElement(MessageVersion
                    .Soap11WSAddressingAugust2004, Encoding.UTF8),
                new HttpsTransportBindingElement(),
            });

            return binding;
        }
    }
}

RSA Conference 2010 -- Day 5

What a conference! In case you missed it, I've blogged about RSA all week long:

Like last year, I finished the conference by attending Richard Howard's talk on cyber threats and trends.  Howard is the director of the iDefense Lab.  In his talks, he lays out new security disruptors that will drastically change the information security landscape over the next 5 to 10 years.  He warned of the following disruptors last year and this:

2009:
  • Cyber terrorism
  • Mobile threats
  • IPv6
  • Arbitrary TLDs and multilingual URLs
  • Virtual worlds

2010:
  • Shift in attacks to government targets (i.e., cyber terrorism)
  • Smart phones (i.e., mobile threats)
  • Cloud computing

Then, I went to a talk on cross-domain identity and access control presented by Tom Winnenberg, principal security engineer at Raytheon.  In it, he talked about federation and centralized authorization using XACML.  Centralized authorization, especially using XACML, is something I heard a lot about during the week actually.  Last year, that protocol was only mentioned once in a presentation given by Sun and Burton.  This year, I heard about it in a half dozen different sessions, from a couple of vendors on the show floor, and from one other conference goer that I talked with. I think people are starting to wrap their heads around centralized authentication, and are now beginning to wonder about how to also centralize authorization.  So I think the attention paid to XACML will increase this year, especially if Microsoft begins supporting it in their products (which won't happen in 2010).

All in all, it was a great show.  If you missed it, I would certainly recommend that you check out those blog posts I listed above and try to attend next year if you can.

RSA Conference 2010 -- Day 4

Cloud computing, virtualization, cyber-crime, and compliance were predicted to be the big themes of RSA.  After four days, I've been to about 20 sessions in 7 tracks, 7 keynotes, and heard from more than 30 corporate representatives from a half dozen industries.  Cloud computing has certainly come up, but almost exclusively in the keynotes.  It seems that the conference organizers want to talk about it, but the information security community has other things on its mind.  What have been the themes I've heard after attending all these sessions?  Identity and, as corollaries to that, authentication (as I said last night) and PKI.

I heard from Joshua Powers, CTO of Securboration and formerly of the US Air Force.  He talked about the difficulty of modeling identities and how semantic Web technologies can be used to create graphs to represent identities more effectively.  Then I heard from G&D and EISST about how they have been working to harden Web browsers and ensure that they haven't been patched by malware.  They called this technique Dynamic Application Authentication (DAA), and they used PKI and smart cards to do it.

Then I attended a panel discussion chaired by a representative from Adobe which included a registrar in higher ed, a lawyer, and an auditor.  They talked about how there is a resurgence of interest in PKI.  Unlike ten years ago, they said, this new buzz is coming from business and not from crypto geeks going on and on about Alice, Bob, and Eve.  The result is a market pull rather than a push, as was the case a decade ago.  The fundamental reason, they said, is that businesses of the twenty-first century are information companies.  Data doesn't remain neatly within the silos we've created in our organizations -- it flows across them.  In order to comply with regulations, avoid leakages, and use data to provide customers with value, companies have to find a way to secure it.  PKI is increasingly the way in which they're doing so, the panelists said.  They cited a number of examples:

  • Verification of hundred-year-old legal contracts
  • Digitally signing transcripts
  • Federation
  • Verifying the identity of doctors

All of these examples come down to authenticating the identity of different entities.

BTW, when the lawyer, Randy Sabett, was asked by a Brazilian audience member about when America would get a national ID system like his country's, Sabett said it was a "long way off."  In light of this, perhaps my prediction last night was a bit naive :-)

The last session I attended today was a P2P discussion about Identity Management (IdM).  The group was made up of folks reporting to CIOs, CSOs, and CTOs.  They talked about the huge disarray that their organizations are in with regard to identity.  From the sound of it, it seemed that their IdM systems were not working very well for them.

So cloud computing is important, but it seems that the information security community thinks identity, authentication, and PKI are more important.  Have you been hearing other things at the conference?  Are other issues more important to your organization than these?  Are these issues hot topics for your company as well?  I'd love to hear about it.  Leave a comment below or shoot me a note.  I've got one more day here at RSA, so keep an eye on my Twitter stream for real-time updates and check back tomorrow for my final post.

RSA Conference 2010 -- Day 3

I can't believe it's only day three! It already feels like day 10. Today, I attended sessions presented by representatives from the Brazilian banking industry, Yahoo!, Google, Cisco, Bank of America, Qualys, and the US government.  There was a red thread that wove through all of these speakers' words that really caught my ear.  It was a topic I also heard while speaking with a German exhibitor on the show floor and other conference goers who I ate lunch with.  Any guesses as to what it was? Readers of my blog, especially those familiar with this year's theme for RSA, will certainly think it was cloud computing.  It wasn't though.  It was authentication.

The Brazilian banking representatives, who worked for the first and eighth largest financial institutions, spoke about the PKI that Brazil has recently launched.  The root of this trust hierarchy is the government itself.  When citizens are born, their fingerprints are taken at birth and placed in a government database.  At some later point, they are issued national identity cards.  Their fingerprints are encoded on the smart card of the ID and signed by the Brazilian root CA.

Banks in Brazil apply to be intermediate CAs under the government's root.  When a citizen comes to one of them for a bank account, they must present their national ID card.  With this, they can authenticate the person using the biometric data on the card, the person's finger, and the signature of the root CA.  There are surely many factors that have led to the adoption of this technology in Brazil, but one is no doubt the scale of crime confronting the country.

Richard Clarke, Chairman of Good Harbor Consulting, asked rhetorically in his keynote if America must get to a similar level of crisis before taking more drastic measures to protect its citizens online.  An American gentleman that I had lunch with (whose name I unfortunately did not get) said that he wants a national ID in order to protect his privacy.  He argued that by being able to positively identify himself using such an ID, he could avoid intrusive searches in cases where the government suspects him of crimes perpetrated by someone that looks like him.  While searching his computer, house, car, etc. to determine who he really is, the government may find things that are actually illegal.  Once they are convinced he is not the suspect they originally believed him to be, they would then have the evidence necessary to convict him of other crimes.  Authentication initially would have prevented this, he argued.

Google, Yahoo!, B of A, and Cisco talked about how phishing is bombarding their users and preventing the banks from using that channel to communicate to the full extent desired.  Due to a lack of authentication, email cannot be trusted to deliver more value to customers.  In fact, the phishing attacks are discrediting the financial institutions' brands and reputations, B of A said.  The solution the Web mail providers are employing is the same one the Brazilian banks are using to guard the online banking and ATM channels: PKI.  Unlike the South American organizations, however, Google and Yahoo! are not authenticating the end users; rather, they are only, initially, verifying the identity of the servers which are sending them email.  Email from unauthenticated servers is scrutinized more intensely than email from authenticated senders.

In her keynote, Secretary of the Department of Homeland Security, Janet Napolitano, said that what is needed is "privacy enhancing authentication."  CEO of Qualys, Philippe Courtot, said that it is the job of security professionals to "verify and to be on the lookout."  Bruno Quint of CORISECIO, a German service provider in the telco industry, told me about how his company is providing 2+ factor authentication using a national PKI (like Brazil's but without biometry) combined with Information Cards on mobile devices to provide strong authentication that is easy to use.

From all of this, I will go out on a limb and make the following predictions about authentication:

  • America will inevitably roll out a national ID card that uses PKI; it will not use biometry at first.
  • The creation of this PKI will be lobbied for by the financial industry.
  • It will be rolled out in 10 years or less.
  • It will eventually be used to securely authenticate online banking, e-commerce, voting, and other applications.
Disagree?  Have other predictions?  Share your opinion in a comment below or let me know.  Also, be sure to check back tomorrow for a summary of day 4 and watch my Twitter stream for live updates.