Matias Woloski’s Blog

We spent three days with a mix of theory and practice on Software as a Service.

The hosters: Fred Chong, Gianpaolo Carraro, Erik Weis and me.

The consumers: microsoft internal employees and ISVs.

Day 1

• SaaS Ecosystem: Gianpaolo presented the different players in SaaS.
• Multi tenant architecture principles: general architecture principles like data, workflow, security and provisioning.
• Multi tenant data architecture: Fred Chong talked about the famous paper about the different approaches.
• Hands on Labs: Data model extensions

Day 2

• Consuming SaaS in the Enterprise: where is the enterprise fits as a consumer
• SaaS Hosting Platform: the idea of a multitenant platform where ISV can plug applications
• Monetizing SaaS: how you can protect and license your SaaS app. The guys from SecureLM (that was acquired by Microsoft) have a great product.
• Hands on Labs: customizing workflows using Workflow Foundation

Day 3

• Securing SaaS application: Fred, the "security guru", presented different approaches about identity and federation in the context of SaaS
• Hands on Labs: creating security token service to manage authentication and authorization
• Hands on Labs: provisioning a tenant on IIS, ADAM, SQL Server

People found the labs very in depth showing the latest technology and how that applies to SaaS. Specially the ones about workflow and security. That means that the team at Southworks did a great job!

I finally found the time to write 5 things about me after being tagged by Andres Aguiar, Pablo Galiano, Eugenio Pace and Diego Dagum.

1. My first computer was a 386DX. Since there was nothing to do I decided to learn the DOS help side by side :) After knowing everything about DOS and hacking autoexec.bat and config.sys I moved to do Quick Basic simple games… cool.

2. I've played piano since I was 10 years old. That's my wire to earth (in spanish “mi clabe a tierra”). Play tennis and footbal are the sports I like to do. I'm living with my girlfriend for 2 years now, but still not married…

3. I live and love Argentina. I believe there is no better place to live than here despite of everyday problems and the unstable situation, politically and economically speaking.

4. I've worked since my high school graduation at 18 years old. I've been always fan of the latest technology and I am always willing to learn new things. I'm working at Southworks and this company and the people working here allowed me to do this kind of things and always pushed me to the next level.

5. I'm 26 years old and currently I'm developing my thesis exploring “Software as a Service” to get my engineering degree in the University of Buenos Aires.

Now, I pass the ball to: Mariano Szklanny, Johnny Halife, Angel “Java” Lopez, Ariel Schapiro and Juan Pablo Garcia.

I’m presenting SaaS with Roberto Schatz, Ramiro Iturregui and Ariel Schapiro at Microsoft Argentina headquarters. The talk will be oriented to ISVs and architects who wants to know about the business model and the architectural technical challenges.

We will explore the LitwareHR application published on february.

Register here!

A couple of years ago, the platform was not rich enough to create complex security solutions for service oriented applications based on standards. WSE was a half way path. With the advent of WCF we finally have a foundation to build a security subsystem flexible and robust for the enterprise.

The following illustration shows the different components involved and how they interact between each other.

Most of enterprise line of business apps have used a login to authenticate their users and roles to authorize them. When webservices were not there, the business logic was hosted in the application itself and advanced users hosted in COM+. The authentication and access checks were mixed in the same code that performed the business logic. Sometime later enterprises started to realize that integration between applications was getting harder: SOA implemented with webservices came to the rescue.

Now, the business logic lived in the application server and was accessed through webservices. The problem became to "how can I secure my services?". I’ve seen many different implementations: using kerberos, using custom tickets, certificates, etc. However they were coupled to the platform or they were custom solutions. Single sign on and access check across applications of different platform is hard to accomplish: WS-Trust, STS and SAML comes to the rescue.

Let’s describe the scenario:

1. A user browses to Login.aspx, enters his username and password and click "Login". As this is the only time when we have username and password available from the user, we can fill the UserName token on the proxy. We call a Ping service which is just a dummy service that we use to obtain a SamlToken.

using (SystemServiceChannel channel = new SystemServiceChannel())
{
    channel.ClientCredentials.UserName.UserName = LoginControl.UserName;
    channel.ClientCredentials.UserName.Password = LoginControl.Password;
    channel.Ping();
}

2. The client endpoint is configured to use wsFederationHttpBinding and the issuer of the token is the Authorization STS. Since the client does not have a SamlToken yet, it will send the UserName token to the Authorization STS so he can issue one. Below is the binding.

<binding name="SecureConversationBinding">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey" 
             issuedTokenType="http://….saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Authz/STS.svc"
        binding="wsFederationHttpBinding" bindingConfiguration="AuthorizationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>

3.  The Authorization STS trust on the Authentication STS and request him a SamlToken. The Authentication STS message security is configured to use wsHttpBinding with UserName token.

<binding name="AuthorizationSTS">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey"
                     issuedTokenType="http://…-saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Auth/Sts.svc"
        binding="wsHttpBinding" bindingConfiguration="AuthenticationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>
</binding>

<binding name="AuthenticationSTS">
  <security mode="Message">
    <message clientCredentialType="UserName"
                     negotiateServiceCredential="true"
                     establishSecurityContext="false" />
  </security>
</binding>

4. The Authentication STS service has a custom UserName Password validator behavior configured. Before the request actually gets to the STS it will go through the username/password validation. LitwareHr default implementation uses ADAM.

<serviceBehaviors>
   <behavior name="AuthenticationSTS">
      <serviceCredentials>
        <userNameAuthentication
userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="CustomValidator, Sts"/>
       </serviceCredentials>
   </behavior>
</serviceBehaviors>

5. If the authentication was succesful , the Authentication STS will issue a basic SamlToken containing the identity name of the caller.

Collection GetIssuedClaims(RequestSecurityToken rst)
{
    string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
    Collection samlAttributes =
                    new Collection();
    samlAttributes.Add(
        new SamlAttribute(
        new Claim(ClaimTypes.Authentication,
                  caller,
                  Rights.PossessProperty)));

    return samlAttributes;
}

6. Since the Authorization STS trusts on the SamlTokens issued by the Authentication STS, it will grab the token, extract the username claim and retrieve the actions available for the user. This happens in the IAuthorizationPolcy configured on the STS.

public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
    // check if this context was updated for this user
    if (state == null)
    {
        // Create an empty list of Claims
        IList claims = new List();
        // Add list of actions the user can perform
        string user = GetUserFromClaimSets(evaluationContext.ClaimSets);
        foreach (string action in GetActionsForUser(user))
        {
            claims.Add(new Claim(
                    ClaimTypes.AuthorizationDecision,
                    action,
                    Rights.PossessProperty));
        }
        …
     }
}

7. The SamlToken enriched now is ready to go through the service pipeline.

8. This is where the access check happens. The ServiceAuthorizationManager class has access to the AuthorizationContext which exposes the SamlToken with the claims.

public override bool CheckAccess(OperationContext operationContext)
{
    // Extract the AuthorizationContext from the ServiceSecurityContext
    AuthorizationContext authContext =
        operationContext.ServiceSecurityContext.AuthorizationContext;

    // Guard denies exectuion if the action is not in the token as a claim
    string action = operationContext.IncomingMessageHeaders.Action;
    IEnumerable authorizationDecisionClaims =
        claimSet.FindClaims(ClaimTypes.AuthorizationDecision, Rights.PossessProperty);

    foreach (Claim claim in authorizationDecisionClaims)
    {
        string authzAction = claim.Resource as string;
        if (!string.IsNullOrEmpty(authzAction) &&
            authzAction.Equals(action,
                              StringComparison.InvariantCultureIgnoreCase))
        {
            return true;
        }
    }

    // If no AuthorizationDecision claim had a resource value that matched the 
    // current action name, return false (Access Denied)
    return false;
}

9. Finally, the SOAP message gets to the service implementation and the response is sent back to the client with the SamlToken attached.

10. The SamlToken is cached on the client using an HTTP cookie. This is achieved by using a custom IssuedSecurityTokenProvider.

Conclusion and a bit of SaaS

WCF provides an extensible foundation that allow taking the service oriented on the enterprise to the next level using standards like WS-Trust and SAML.

Since SOA is part of the deal for Software as a Service apps we implemented this architecture on LitwareHR to get ready for future scenarios like Federated Security. In this scenario the tenant wants to manage authentication and authorization using its own infrastructure. He owns an STS that issues SamlTokens for every app in the enterprise and the IT guys don’t want to manage yet another user/password. The SaaS provider (LitwareHR) will allow the tenant to configure the claims mapping and the tenant STS to rely on. By doing this, the IT administrator for Contoso (the tenant) will manage a single authorization store and will configure the claim mappings on the "cloud" apps: the "Administrator" role in my enterprise is the "ConfigureAndCustomize" role in the SaaS application.

If you want to see a working implementation of the scenario described in the figure above download LitwareHr Software as a Service sample application and look for Shp.Security.BrokeredReceiver and Shp.Security.BrokeredSender projects. If you are taking SOA seriously, then it might worths looking at it.