Making access control decisions using claims

May 9, 2009 at 6:05 AM
Edited May 9, 2009 at 6:05 AM

Hi All,

Does NetSqlAzMan have any way of making access control decisions based on claims?  What is the integration story w/ ADFS, Geneva Server, and custom STSs?  Does the identity object used to make the authz decision have to be a WindowsIdentity?  Can it be any IIdentity object instead?

TIA!

--

Regards,

Travis Spencer

Coordinator
May 9, 2009 at 8:22 AM
Hi Travis,
NetSqlAzMan supports AOP (Aspect Oriented Programming):

Example:

[Form1.Designer.cs]
// Declarative authorization: each attributed control is checked against the
// NetSqlAzMan store when CheckSecurity(this) runs on the form.
[NetSqlAzManAuthorization("My operation", "Visible", false)]
// If NOT CheckAccess(...) => button1.Visible = false
private System.Windows.Forms.Button button1;

[NetSqlAzManAuthorization("My Role", "Enabled", false)]
// If NOT CheckAccess(...) => saveToolStripMenuItem.Enabled = false
private System.Windows.Forms.ToolStripMenuItem saveToolStripMenuItem;


[Form1.cs]
private void Form2_Load(object sender, EventArgs e)
{
    // Initialize the NetSqlAzMan Context (connection string, store, application,
    // the identity to authorize, and whether to use the attribute-based checks)
    NetSqlAzManAuthorizationContext ctx = new NetSqlAzManAuthorizationContext(
        "data source=(local);Initial Catalog=NetSqlAzManStorage;User id=sa;password=",
        "My Store", "My Application", WindowsIdentity.GetCurrent(), true);

    […]

    // Finally … check the security for all Attributes
    ctx.CheckSecurity(this);
}

NetSqlAzMan supports Windows users and database users only, and ADFS is supported too.
By now there isn't any integration with Geneva Server or custom STSs.
Yes ... the Identity object must be a WindowsIdentity instance and cannot be an IIdentity object, but if you want you can use Kerberos Protocol Transition to create a WindowsIdentity object without user permissions:
Example:

If you have the username you can create a WindowsIdentity object, simply using Kerberos Protocol Transition.

In other words, you must be on a Windows Server 2003 (or later) machine and in a Windows 2003 domain (or later).

From the username ... take the User Principal Name, i.e.:

Then create the WindowsIdentity passing the UPN as parameter.

// Kerberos Protocol Transition (S4U2Self): the UPN string is enough to obtain the token
WindowsIdentity wid = new WindowsIdentity("j.doe@mydomain.ext");

In this way you can obtain the User Token ... but without permissions (it's enough for NetSqlAzMan).

Regards,
Andrea.
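As an added example (not code from the original thread or from the NetSqlAzMan project), this is how a relying party could bridge the claims identity the Geneva Framework hands it to the WindowsIdentity NetSqlAzMan requires, using the Kerberos Protocol Transition described above. It assumes the STS issues a UPN claim, that the relying party runs on a Windows Server 2003+ domain member, and that `NetSqlAzManAuthorizationContext` lives in the `NetSqlAzMan` namespace; the helper class `ClaimsToWindowsIdentityBridge` and the connection string are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims; // Geneva Framework: IClaimsIdentity, ClaimTypes
using NetSqlAzMan;                    // assumption: namespace of NetSqlAzManAuthorizationContext

// Hypothetical helper: maps an STS-issued claims identity to a WindowsIdentity.
public static class ClaimsToWindowsIdentityBridge
{
    // Uses the UPN claim and Kerberos Protocol Transition (S4U2Self) to obtain a
    // Windows token for the caller. The token carries the User SID and Groups SIDs
    // that NetSqlAzMan needs, but no delegation rights unless the service account
    // is trusted for protocol transition, so it is only good for authorization.
    public static WindowsIdentity FromClaims(IClaimsIdentity claimsIdentity)
    {
        Claim upn = claimsIdentity.Claims
            .FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        if (upn == null)
            // Federated callers without a Windows account cannot be mapped:
            // fail closed instead of authorizing an anonymous token.
            throw new InvalidOperationException("No UPN claim in the token");

        return new WindowsIdentity(upn.Value);
    }

    // Lists what the token exposes (the reason a WindowsIdentity is required:
    // User and Groups SIDs are not available on a plain IIdentity).
    public static void Describe(WindowsIdentity wid)
    {
        Console.WriteLine("User SID: {0}", wid.User);
        Console.WriteLine("Level:    {0}", wid.ImpersonationLevel); // usually Identification
        foreach (IdentityReference group in wid.Groups)
            Console.WriteLine("Group:    {0}", group.Value);
    }
}

public partial class Form1
{
    private void Form1_Load(object sender, EventArgs e)
    {
        IClaimsIdentity ci = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        WindowsIdentity wid = ClaimsToWindowsIdentityBridge.FromClaims(ci);
        ClaimsToWindowsIdentityBridge.Describe(wid);

        // Same constructor as in the post above, fed the mapped identity.
        NetSqlAzManAuthorizationContext ctx = new NetSqlAzManAuthorizationContext(
            "<connection string to the NetSqlAzMan storage>", // placeholder
            "My Store", "My Application", wid, true);
        ctx.CheckSecurity(this);
    }
}
```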

May 9, 2009 at 3:31 PM

Hi Andrea,

> NetSqlAzMan supports Windows users and database users only and ADFS is supported too.

Can you elaborate on the support for ADFS?  Does NetSqlAzMan support making access control decisions based on the claims minted by an ADFS STS?  If so, what is stopping NetSqlAzMan from supporting a custom STS?  If NetSqlAzMan is not making decisions using the claims, in what way is ADFS supported?

> Yes ... the Identity object must be a WindowsIdentity instance and cannot be an IIdentity object

That's a bummer.  If a general IIdentity could be used (without having to jump through Kerberos-related hoops), then we could simply provide NetSqlAzMan with an IClaimsIdentity object that the Geneva Framework gives us in my web applications/services that rely on our custom STS for claims.

Let me back up here a second:

We have created a custom STS.  We built this STS using the Geneva Framework.  We have a number of Web applications and services that depend on it for claims -- relying parties.  These relying parties get a bunch of claims from our STS, just like a web site/service would from ADFS (which is also an STS AFAIK).  These claims are essential, but the relying party still has to authorize the caller.  To this end, we were thinking of using AzMan.  In researching it, we learned about NetSqlAzMan, which has a lot of compelling features that AzMan does not.  However, we will need to make access control decisions using only the IClaimsIdentity that the Geneva Framework gives us in our relying parties because many times (e.g., when federating) we won't have Windows accounts associated with the claims set.

Do you think that NetSqlAzMan is a good fit for our need?

TIA!

--

Regards,

Travis Spencer


Jul 1, 2009 at 4:39 PM
Edited Jul 1, 2009 at 4:41 PM

I'm in the same boat as spencer above, trying to use NetSqlAzman under the covers of a custom STS built on the Geneva Framework. Maybe you could elaborate on the underlying reason for WindowsIdentity being a requirement of NetSqlAzman and not just IIdentity? 

What happens if Thread.Current.Principal.Identity is not a windows identity but instead some arbitrary IClaimsIdentity?

Coordinator
Jul 1, 2009 at 9:20 PM

Hi,

One of the reasons is that the WindowsIdentity object is the only object exposing User and Groups properties (User SID and User Groups SIDs).

Another reason is that, by now, the SQL Server side is able to perform a CheckAccess (using its WindowsIdentity and not an IIdentity).

By now NetSqlAzMan cannot support IIdentity instead of WindowsIdentity ... I'm sorry guys.

__________________________________
Andrea Ferendeles
NetSqlAzMan - Project Coordinator

http://netsqlazman.codeplex.com


Jul 2, 2009 at 1:22 PM

How then are you able to create and verify authorization rules for DB Users if all users must have Windows identities?

Coordinator
Jul 2, 2009 at 2:40 PM
The main difference is that DB Users do not have the Groups membership concept ....
All authorization checks are made on the DB User SID.
IIdentity has Name only ... and cannot be used because it is not unique.
Regards,
Andrea.