1 / 32

Claims-Based Identity

Claims-Based Identity. Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009. Agenda. Introducing Claims-Based Identity Using Claims-Based Identity: Scenarios Microsoft Technologies for Claims-Based Identity: A Closer Look.

mandar
Download Presentation

Claims-Based Identity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009

  2. Agenda • Introducing Claims-Based Identity • Using Claims-Based Identity: Scenarios • Microsoft Technologies for Claims-Based Identity: A Closer Look

  3. Introducing Claims-Based Identity

  4. Claims-Based Identity The core Microsoft technologies • Active Directory Federation Services (AD FS) 2.0 • The next release of AD FS • CardSpace 2.0 • The next release of CardSpace • Windows Identity Foundation (WIF) 1.0 • Pronounced “Dub-I-F” • These three technologies were previously code-named “Geneva”

  5. What is Identity? • An identityis a set of information about some entity, such as a user • Most applications work with identity • Identity information drives important aspects of an application’s behavior, such as: • Determining what a user is allowed to do • Controlling how the application interacts with the user

  6. Defining the ProblemWorking with identity is too hard • Applications must use different identity technologies in different situations: • Active Directory (Kerberos) inside a Windows domain • Username/password on the Internet • WS-Federation and the Security Assertion Markup Language (SAML) between organizations • Why not define one approach that applications can use in all of these cases? • Claims-based identity allows this • It can make life simpler for developers

  7. Tokens and Claims Representing identity on the wire • A token is a set of bytes that expresses information about an identity • This information consists of one or more claims • Each claim contains some information about the entity to which this token applies Token Example Claims Claim 1 Name Claim 2 Indicates who created this token and guards against changes Group Claim 3 Age . . . Claim n Signature

  8. Identity Providers and STSs • An identity provider (or issuer) is an authority that makes claims about an entity • Common identity providers today: • On your company’s network: Your employer • On the Internet: Most often, you • An identity provider implements a security token service (STS) • It’s software that issues tokens • Requests for tokens are made via WS-Trust • Many token formats can be used • The SAML format is popular

  9. Getting a TokenIllustrating an identity provider and an STS Identity Provider 2) Get information Security Token Service (STS) Account/ Attribute Store 3) Create and return token 1) Authenticate user and request token Token Browser or Client User

  10. Acquiring and Using a Token 4) Use claims in token Identity Provider Application 3) Verify token’s signature and check whether this STS is trusted STS Identity Library List of Trusted STSs 2) Submit token Token 1) Authenticate user and get token Token Browser or Client User

  11. Why Claims Are an Improvement • In today’s world, an application typically gets only simple identity information • Such as a user’s name • To get more, the application must query: • A remote database, e.g., a directory service • A local database • With claims-based identity, each application can ask for exactly the claims that it needs • The STS puts these in the token it creates

  12. How Applications Can Use ClaimsSome examples • A claim can identify a user • A claim can convey group or role membership • A claim can convey personalization information • Such as the user’s display name • A claim can grant or deny the right to do something • Such as access particular information or invoke specific methods • A claim can constrain the right to do something • Such as indicating the user’s purchasing limit

  13. Supporting Multiple IdentitiesUsing an identity selector 5) Use claims in token Identity Providers Application STS STS STS Identity Library 1) Access application and learn token requirements 4) Submit token Token Token 3) Authenticate user and get token for selected identity Browser or Client Identity Selector 2) Select an identity that matches those requirements User

  14. Claims-Based Identity for Windows 5) Use claims in token Identity Providers AD FS 2.0 Application STS STS STS Windows Identity Foundation 1) Access application and learn token requirements 4) Submit token Token Token 3) Authenticate user and get token for selected identity Browser or Client CardSpace 2.0 2) Select an identity that matches those requirements User

  15. Using Claims-Based Identity: Scenarios

  16. An Enterprise Scenario 8) Use claims in token Active Directory Domain Services AD FS 2.0 Application STS 5) Find claims required by application and create token WIF 6) Receive token 7) Submit token 1) Login to domain and get Kerberos ticket 4) Present Kerberos ticket and request token for selected identity 2) Access application and learn token requirements Token Token Browser or Client CardSpace 2.0 3) Select an identity that matches those requirements User

  17. Allowing Internet Access 5) Use claims in token Active Directory Domain Services AD FS 2.0 Application STS WIF 4) Submit token Token Token Internet 3) Authenticate user and get token for selected identity 1) Access application and learn token requirements Browser or Client CardSpace 2.0 2) Select an identity that matches those requirements User

  18. Using an External Identity Provider Identity Providers 5) Use claims in token Windows Live ID Other Application WIF STS STS 4) Submit token Token Token Internet 3) Authenticate user and get token for selected identity 1) Access application and learn token requirements Browser or Client CardSpace 2.0 2) Select an identity that matches those requirements User

  19. Identity Across OrganizationsDescribing the problem • A user in one Windows forest must access an application in another Windows forest • A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

  20. Identity Across OrganizationsPossible solutions • One option: duplicate accounts • Requires separate login, extra administration • A better approach: identity federation • One organizations accepts identities provided by the other • No duplicate accounts • Single sign-on for users

  21. Identity Federation (1) Organization X Organization Y Active Directory Domain Services AD FS 2.0 STS STS 5) Use claims in token Token 3) Get token for selected identity 4) Submit token Token Application Browser or Client WIF CardSpace 2.0 1) Access application and learn token requirements • Trusted STSs: • Organization Y • Organization X 2) Select an identity that matches those requirements User

  22. Identity Federation (2) Organization X Organization Y 2) Access Organization Y STS and learn token requirements Active Directory Domain Services AD FS 2.0 Token for STS Y STS STS 5) Request token for application • Trusted STSs: • Organization X Token Token for STS Y 6) Issue token for application 8) Use claims in token 4) Get token for Organization Y STS 7) Submit token Token Application Browser or Client WIF CardSpace 2.0 1) Access application and learn token requirements 3) Select an identity that matches those requirements • Trusted STSs: • Organization Y User

  23. Delegation Active Directory Domain Services 5) Check policy for user, application X, and application Y AD FS 2.0 STS Token for X Token for X Token for Y 1) Get token for application X 4) Request token for application Y 6) If policy allows, issue token for application Y 8) Use claims in token 7) Submit token Token for Y Browser or Client Application X Application Y Token for X WIF 3) Access application and learn token requirements WIF 2) Submit token User

  24. Microsoft Technologies for Claims-Based Identity: A Closer Look

  25. Changes in AD FS 2.0From the previous release • AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation • And it doesn’t provide an STS • AD FS 2.0: • Supports both active and passive clients • Provides an STS • Supports both WS-Federation and the SAML 2.0 protocol • Improves management of trust relationships • By automating some exchanges

  26. CardSpace 2.0Selecting identities • CardSpace” provides a standard user interface for choosing an identity • Using the metaphor of cards • Choosing a card selects an identity (i.e., a token)

  27. Information Cards • Behind each card a user sees is an information card • It’s an XML file that represents a relationship with an identity provider • It contains what’s needed to request a token for a particular identity • Information cards don’t contain: • Claims for the identity • Whatever is required to authenticate to the identity provider’s STS

  28. Information CardsAn illustration Identity Providers Browser or Client STS STS STS CardSpace 2.0 Information Card 1 Information Card 2 Information Card 3 Information Card 4 User

  29. Creating Industry Agreement • The Information Card Foundation is a multi-vendor group dedicated to making this technology successful • Its board members include Google, Microsoft, Novell, Oracle, and PayPal • A Web site can display a standard icon to indicate that it accepts card-based logins:

  30. Changes in CardSpace 2.0From the first CardSpace release • CardSpace 2.0 is available separately from the .NET Framework • It’s smaller and faster • CardSpace 2.0 contains optimizations for applications that users visit repeatedly • A Web site can display the card you last used to log in the site • The CardSpace screen needn’t appear • Cards can be set using Group Policy • The self-issued identity provider has been dropped

  31. Windows Identity Foundation • The goal: Make it easier for developers to create claims-aware applications • WIF provides: • Support for verifying a token’s signature and extracting its claims • Classes for working with claims • Support for creating a custom STS • Visual Studio project types • An STS for development and testing • More

  32. Conclusions • Changing how applications (and people) work with identity is not a small thing • Widespread adoption of claims-based identity will take time • Yet all of the pieces required to make claims-based identity real on Windows are here: • AD FS 2.0 • CardSpace 2.0 • Windows Identity Framework

More Related