How Single Sign on works in claims authentication
These days users are very much demanding, they want to access lot of interactive applications on the web but do not want to re-enter their credentials from one application
to another application. it is because of this reason claim based authentication has to support single sign on so that it can be used for various scenarios.
Single sign on is very common in window authentication scenarios where users enters their credentials in morning and access lot of resource in their company throught the
With use of kerberos it cannot include all claims like users email address as kerberos is not competent to provide all claims. Also Active directory is key server for company so it is
behind firewall so you cannot access it untill you configure some thing like VPN from outside company network.
Because of above limitation there is need for better flexibility which can override above limitations. Here comes the claims which comes with all possibilities and features
designed to work cross boundaries such as realms, Firewalls and different platforms for secure communications. With claims your application do not need to authenticate
users , it completely decouples from authentication all it needs is security token from the issuer which it trusts. Application will not break if there is change in security
The end goal for any claim based architecture is to communicate claims from issuer to application in secure way. Some of the application has goals to enable federation.
There are two type of federation one is with smart client and other is through browser.
When we are using window based application(smart client) then communication is to request token and pass to services(like WCF). When we are using browser based web
application which relies on HTTP get and Post to get and pass security Tokens. For browser based claim aware application it works like Form based authentication. If users
needs to sign in users are redirected to issuer's Login page here the user is authenticated and then redirect to Application. Issues Login Page doesnt neccesarry be
Login.aspx like in Form Authentication it can be empty html page which is configured in IIS to accept Window authentication, client certificate or smart card etc.
When user is redirected to Issuer Page for Authentication two Important values are passed
as part of query string
1) wa :- Signin or signout to tell issuer if user is logging in or logging off.
2) realm :- The url for the application which is used by Issuer to identify the application.
After authentication, issuer grant the claims configured for that application , package claims into security token and sign it with private key. If application requires claims to
be encrypted it encrypt with public key of application certificate too. After this issuer send the html page to browser with Form tag and security token wrapped inside that.
application url so that application can use security token inside the form tag. Application recieves it and validate the token
and store it in a cookie for subsquent requests.
Now assume if issuer is using Integrated Authentication then user go to application which redirects user to issuer login which post the security token and back to application.
As we know WIF(Windows Identity framework) is used to make any application claim aware. After issuer Post the Authentication token WIF of application takes over. It
listens for "AuthenticateRequest" event and validates the incoming token by using issuer public key to make sure it is trusted with Issuer. It also validate AudienceURI
element to make sure token is issued for correct application. Then it parses the claims in the application create IclaimPrinciple object and assign it to User.Identity in page
life cycle. It also create session token to store these values so that authentication process is not repeated for same session until user sign off or expiration of cookie is done.
On subsequent request session cookie is checked and if values are present then recreate the claim principle using values in cookie
to reassign current user property.