
Identity: Windows CardSpace "Geneva" Under the Hood

BB44. Identity: Windows CardSpace "Geneva" Under the Hood. Rich Randall, Development Lead, Microsoft Corporation. What will be covered: overview of claims-based access, what's new in CardSpace, protocol and architecture, why CardSpace, future plans.


Presentation Transcript


  1. BB44 Identity: Windows CardSpace "Geneva" Under the Hood. Rich Randall, Development Lead, Microsoft Corporation

  2. PLACEHOLDER FOR ALL UP IDENTITY SLIDE

  3. What Will Be Covered • Overview of claims-based access • What’s new in CardSpace • Protocol and architecture • Why CardSpace • Future plans

  4. What is CardSpace
  • The claims-based access client
    • Protocol client
      • Application inputs policy, gets back token
    • User interface
      • Relationships manifested as information cards
      • Personas
      • Credential collection interface

  5. Claims-Based Access Model
  • Claim
    • Statement by one party about another party
    • May be an identifier or a characteristic
  • Security token
    • Signed document containing claims
    • Produced by a Security Token Service (STS)
  • Identity Metasystem
    • Protocols and architecture for exchanging claims
  • Claims-aware application
    • Claims delivered when the user accesses the app

  6. Claims-Based Access Model (diagram). Parties: Security Token Service; Application Server running Your App on the Claims Framework; End User running the Identity Selector on the Client. Steps shown: trust is established between STS and application using metadata; 2. Read policy; 3. Read policy; 4. Get claims; 5. Send claims.

  7. What Did V1 Teach Us • Faster • Smaller • Lighter

  8. Demo

  9. At The Center Is The Information Card • User friendly metaphor • Token issuer reference • Issuer capabilities

  10. Protocol Flow • Policy retrieval • Filter and selection • Token retrieval

  11. Policy Retrieval (diagram). Elements: Contoso STS, Fabrikam STS, Contoso Application, with established trust between them; Contoso and Fabrikam cards.

  12. Filter And Selection

  13. Token Retrieval (diagram). Elements: Contoso STS, Fabrikam STS, Contoso Application, with established trust between them; Contoso and Fabrikam cards.

  14. Demo Add CardSpace Support

  15. Object Tag

```html
<html>
<form method="post" action="TokenProcessingPage.aspx">
  <OBJECT classid="CLSID:19916E01-B44E-4e31-94A4-4696DF46157B"
          name="CardSpaceToken"
          CODEBASE="http://microsoft.com/CSV2.exe#Version=10,10,1,12">
    <PARAM NAME="issuer" VALUE="http://contoso.com/issue">
    <PARAM NAME="tokenType" VALUE="urn:oasis:names:tc:SAML:1.0:assertion">
    <PARAM NAME="requiredClaims"
           VALUE="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">
  </OBJECT>
</form>
</html>
```
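Slide 5 describes the security token as a signed document carrying claims, and the object tag above posts that token to TokenProcessingPage.aspx. The checks such a page still owes the token after signature verification, as an added example that is not from the presentation or from CardSpace itself: the constructed SAML 1.0 assertion below matches the tag's issuer, tokenType and requiredClaims values; the audience https://rp.example.com/ is a hypothetical relying-party URL; decryption and XML signature verification are assumed to have been done beforehand with an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"   # tokenType from the object tag
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ["name", "privatepersonalidentifier"]    # requiredClaims from the object tag
EXPECTED_ISSUER = "http://contoso.com/issue"        # issuer from the object tag
EXPECTED_AUDIENCE = "https://rp.example.com/"       # hypothetical relying-party URL

# Constructed sample assertion. Assumption: the posted token has already been decrypted and
# its XML signature verified by an XML-DSig library, so no Signature element appears here.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" Issuer="http://contoso.com/issue">
  <saml:Conditions NotBefore="2008-10-27T10:00:00Z" NotOnOrAfter="2008-10-27T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://rp.example.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>ppid-constructed-value</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2008-10-27T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_token(xml_text, now_iso, audience=EXPECTED_AUDIENCE, required=REQUIRED):
    """Return {claim URI: [values]} or raise ValueError naming the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != SAML1 + "Assertion" or root.get("Issuer") != EXPECTED_ISSUER:
        raise ValueError("unexpected token type or issuer")
    cond = root.find(SAML1 + "Conditions")
    if cond is None or audience not in [a.text for a in cond.iter(SAML1 + "Audience")]:
        raise ValueError("token was not issued for this relying party")
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window")
    claims = {}
    for attr in root.iter(SAML1 + "Attribute"):   # claim URI = namespace + "/" + name
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims[uri] = [v.text for v in attr.findall(SAML1 + "AttributeValue")]
    missing = [c for c in required if CLAIMS_NS + c not in claims]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    return claims
```

A replayed token fails the validity window, a token minted for another site fails the audience check, and a card that omits a requested claim fails the final check, so the page never has to interpret a token it did not ask for.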

  16. CardSpace "Geneva" Architecture (diagram). Callers: Managed Application (App code calling IdentitySelector.GetToken() through a Managed Wrapper Class), Internet Explorer 7+ (ObjectTag Extension, an ActiveX control) and a Credential Provider; each reaches the native GetToken() of the Native Client API (infocardapi2.dll). Behind it: the Federated Identity Client Service with Identity Manager, Federation Manager, STS Client, Card Store, Local Store, Card and Ledger Management, and WS-Trust and WS-Mex Client; also Control Panel, Sapphire and Win32.

  17. Why You Want CardSpace • Home realm discovery • Personas and other card tricks • Credential agility

  18. Home Realm Discovery (diagram). Elements: Game World, PDC Exhibitor, Policy (Claim: Email), Federated App, App User.

  19. Persona Selection (diagram). Elements: Geneva Identity Server, Claims Store, Claims Aware App; claims shown: Admin, Admin, User.

  20. Credential Agility • App does not handle credentials • CardSpace handles credential collection • STS handles credential validation • Credential type can vary without affecting the app

  21. In The Future

  22. Windows Integration (SSP) (diagram). Elements: Sharepoint Client, Sharepoint Server, Credential Provider, IE, IIS, WinInet, Sharepoint, LSASS, XML Token to Windows Token Translator, CardSpace Service, FedSSP.

  23. Demo Windows SSP Integration

  24. U-Prove: “Minimal Disclosure Tokens”
  • Cryptographic technology for strong authentication with enhanced privacy characteristics
  • Tokens that cannot be correlated
    • Like coins: you know the issuer (central bank), can’t forge them, and can’t tell two apart
  • Tokens can be obtained in advance for “offline” presentation
    • Single-use tokens
  • Users can prove properties of claims without disclosing the claims
    • Derived claim: over-21 proof instead of disclosing DoB
    • Prove a claim is not equal to a certain value: my name is not on the deny list

  25. Roaming • Cloud and Device Roaming

  26. Wireframe – Connect to Store (Windows Security dialog). Text: “Choose a card to submit. The card will be used to authenticate to <computer>.” “SanDisk USB drive (E:): Enter password to unlock your cards.” Fields and buttons: Password, Login, Remember this location, OK, Cancel. “Find your other cards: Click here to select and connect to a web service that holds your cards.”

  27. Wireframe – Select Roamed Card (Windows Security dialog). Text: “Choose a card to submit. The card will be used to authenticate to <computer>.” Cards listed: “Real Me”, personal card, card location SanDisk USB drive (E:), previously used at www.aaa.com; “Funny Me”, personal card, card location SanDisk USB drive (E:). “www.aaa.com: Website requests a personal card.” Buttons: Login, OK, Cancel. “Find your other cards: Click here to select and connect to a web service that holds your cards.”

  28. Other Future Directions • Windows secure desktop • Even smoother installation • Admin policy for card use • Richer policy alternatives

  29. "Geneva" Schedule • Beta 1: October 2008 • Beta 2: 1st half 2009 • RTM: 2nd half 2009

  30. Details • “Geneva” components are Windows components • Supported platforms • Beta: Windows Server 2008, Windows Vista • RTM: To Be Determined • See us in Lounge, Pavilion, Hands On Lab • Learn about Technology Adoption Partner program

  31. Identity @ PDC
  • Software
    • (BB42) Identity: "Geneva" Server and Framework Overview
    • (BB43) Identity: "Geneva" Deep Dive
    • (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
  • Services
    • (BB22) Identity: Live Identity Services Drilldown
    • (BB29) Identity: Connecting Active Directory to Microsoft Services
    • (BB28) .NET Services: Access Control Service Drilldown
    • (BB55) .NET Services: Access Control In the Cloud Services

  32. Evals & Recordings Please fill out your evaluation for this session at: This session will be available as a recording at: www.microsoftpdc.com

  33. Q&A Please use the microphones provided

  34. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
