
Claims-based Identity Beyond Identity Silos

This presentation from the 1st European Identity Conference in 2007 discusses the problems and costs of identity silos and introduces the concept of claims-based identity and identity federation as solutions. It covers topics such as claim transformation, user selection, and the benefits of moving from enterprise directory to identity metasystem.





Presentation Transcript


  1. 1st European Identity Conference 2007. Don Schmidt, Principal Program Manager Architect, Microsoft Corp (http://identity-des.com). Claims-based Identity Beyond Identity Silos

  2. Agenda
  • Identity Silos
    • Summary of problems and costs
  • Claims-based Identity
    • Identity Federation
    • Claim Transformation
    • User Selection
  • Rx for Identity Silos
    • Enterprise Directory to Identity Metasystem

  3. eCommerce System Snapshot
  • Network de-perimeterization
    • Organizational boundaries dissolving
  • Service oriented application architecture
    • Reusable, “legonic” web services
  • Isolated, inflexible identity silos
    • Local identity system is the only source of truth
    • Authenticates all users directly
    • Manages authoritative version of all user attributes

  4. De-perimeterization and SOA (diagram showing the populations involved: your employees on your network; your remote and mobile employees; your customers; your partners and their networks; your suppliers and their networks)

  5. Identity Silos (diagram with the same populations: your employees on your network; your remote and mobile employees; your customers; your partners and their networks; your suppliers and their networks)

  6. Identity Silos Cost Institutions Productivity, Security & Compliance
  • IT/Helpdesk Efficiency: external user account provisioning requests, password reset requests, lifecycle management
  • End User Productivity: provisioning latency, forgotten passwords, logon frequency
  • Security: orphaned or inaccurate accounts, compromised passwords, unnecessary access
  • Regulatory Compliance: privacy protection, end-to-end auditing, repudiation

  7. Identity Silos Threaten People’s Privacy, Reputation and Finances
  • Internet built without identity safeguards
  • Web sites trained users to fill in forms
  • Filling in forms trained users to be phished
  • Ease and profit of identity fraud growing
  • High value transactions attracting professional criminals
  • Phishing and pharming growing at about 1000% CAGR (per www.antiphishing.org)

  8. Agenda
  • Identity Silos
    • Summary of problems and costs
  • Claims-based Identity Metasystem
    • Identity Federation
    • Claim Transformation
    • System or User Selection
  • Rx for Identity Silos
    • Enterprise Directory to Identity Metasystem

  9. Digital Identity
  • Set of claims about a subject
  • Asserted by subject or third party
  • Uniquely identify subject, describe attributes, or both
  • Possibly many IDs for many purposes
  • Use may require proving ownership
  • Parallels physical world
  • Common model for access technology

  10. Identity Federation
  • Relying Party (RP) does not manage identity
  • RP depends on external Identity Providers (IPs) to:
    • Authenticate a subject
    • Provide accurate digital identity
  • RP determines “its truth” based on:
    • IP with closest relationship to subject, or
    • How IP authenticated subject, or
    • Average of multiple IPs, or …

  11. Identity Federation Flow (diagram): the Identity Provider’s STS asserts claims in a security token; the claims are sent to the Relying Party’s application; the RP trusts the token through PKI and the IP’s signing certificate.


  13. Claim Transformation
  • Claims can be transformed by Security Token Services before the RP consumes them
  • Provides impedance matching between RP, IP and subject
    • IP may not store claim values in the same data type as the RP requires
    • IP may not issue claims with the same syntax as the RP requires
    • User may want to send derived claims (e.g. age > 21) rather than the stored claim value

  14. Simplifies Programming
  • No application code needed to retrieve identity claims
  • Required claims published as part of configuration (WS-SecurityPolicy required claims: Name, Job Title, Projects)
  • Applications get exactly & only the claims they need
    • Generated per-application by claims transform
    • Excellent privacy characteristics
  (Diagram labels: Claims, Transform, Trust)

  15. Claim Transformation Flow (diagram showing the Client, the IP STS, the RP STS and the Application; the Application’s WS-SecurityPolicy publishes its required claims: Name, Job Title, Projects)
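To make slides 10, 11, 13 and 14 concrete, here is an added example in Go; it is not part of the original presentation and is not code from any Microsoft product. An identity provider STS signs a token of the attributes it stores, a relying-party STS verifies that token against a pinned issuer key (the diagram’s PKI trust), renames the attributes to the application’s claim syntax, derives an over-21 claim from the stored birthdate, and issues a new token holding exactly the claims the application’s policy requires. The token format, the ECDSA-over-JSON signature, the party names (ip.example, sts.rp.example), the attribute mapping and all claim values are constructed assumptions for the example; a real deployment would use WS-Trust tokens and X.509 signing certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Token stands in for a WS-Trust security token (constructed format, not SAML).
type Token struct {
	Issuer, Subject string
	Claims          map[string]string
	Sig             []byte
}

// digest hashes issuer, subject and claims; json.Marshal sorts map keys, so it is deterministic.
func digest(issuer, subject string, claims map[string]string) []byte {
	b, _ := json.Marshal([]interface{}{issuer, subject, claims})
	h := sha256.Sum256(b)
	return h[:]
}

// STS issues signed tokens; one type serves as both the IP STS and the RP STS of slide 15.
type STS struct {
	Name string
	Key  *ecdsa.PrivateKey
}

func NewSTS(name string) *STS {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	return &STS{Name: name, Key: k}
}

func (s *STS) Sign(subject string, claims map[string]string) (Token, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest(s.Name, subject, claims))
	return Token{s.Name, subject, claims, sig}, err
}

// Verify implements slide 11's "PKI trust": the issuer must be pinned and its signature must still cover every claim.
func Verify(tok Token, trusted map[string]*ecdsa.PublicKey) error {
	pub, ok := trusted[tok.Issuer]
	if !ok || !ecdsa.VerifyASN1(pub, digest(tok.Issuer, tok.Subject, tok.Claims), tok.Sig) {
		return fmt.Errorf("rejected token from %q: untrusted issuer or bad signature", tok.Issuer)
	}
	return nil
}

// Transform is the slide-13 step: verify the IP token, rename the IP's attributes (hypothetical mapping) to the RP's claim syntax, derive over21 from birthdate, and issue only the required claims.
func (s *STS) Transform(in Token, trusted map[string]*ecdsa.PublicKey, required []string, now time.Time) (Token, error) {
	if err := Verify(in, trusted); err != nil {
		return Token{}, err
	}
	available := map[string]string{}
	for ipName, rpName := range map[string]string{"cn": "name", "job_title": "jobTitle", "projects": "projects"} {
		if v, ok := in.Claims[ipName]; ok {
			available[rpName] = v
		}
	}
	// A missing or malformed birthdate simply leaves over21 unavailable.
	if t, err := time.Parse("2006-01-02", in.Claims["birthdate"]); err == nil {
		available["over21"] = fmt.Sprint(!now.Before(t.AddDate(21, 0, 0)))
	}
	out := map[string]string{}
	for _, r := range required {
		v, ok := available[r]
		if !ok {
			return Token{}, fmt.Errorf("cannot satisfy required claim %q", r)
		}
		out[r] = v
	}
	return s.Sign(in.Subject, out) // birthdate and unrequested attributes never leave the STS
}

// Demo runs IP -> RP STS -> application and returns what the application sees. The application
// trusts only its own realm's STS. Names, claim values and the clock are constructed.
func Demo(required []string) (map[string]string, error) {
	ip, rpSTS := NewSTS("ip.example"), NewSTS("sts.rp.example")
	ipTok, err := ip.Sign("alice", map[string]string{"cn": "Alice Example", // IP attribute names
		"job_title": "Engineer", "projects": "atlas,orion", "birthdate": "1980-05-01"})
	if err != nil {
		return nil, err
	}
	now := time.Date(2007, 5, 1, 0, 0, 0, 0, time.UTC)
	appTok, err := rpSTS.Transform(ipTok, map[string]*ecdsa.PublicKey{ip.Name: &ip.Key.PublicKey}, required, now)
	if err != nil {
		return nil, err
	}
	if err := Verify(appTok, map[string]*ecdsa.PublicKey{rpSTS.Name: &rpSTS.Key.PublicKey}); err != nil {
		return nil, err
	}
	return appTok.Claims, nil
}

func main() {
	fmt.Println(Demo([]string{"name", "jobTitle", "projects", "over21"}))
}
```

The application never sees the birthdate or any attribute its policy did not ask for, which is the privacy property slide 14 claims for per-application claim transformation; a required claim the STS cannot derive, a token from an issuer the RP STS does not trust, or a token whose claims were altered after signing all fail closed.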


  17. Laws of Identity (established through industry dialog)
  • User control and consent
  • Minimal disclosure for a defined use
  • Justifiable parties
  • Directional identity
  • Pluralism of operators and technologies
  • Human integration
  • Consistent experience across contexts

  18. User Selection Integrates Silos (diagram). Three roles: Subjects get and present claims; Identity Providers (IP) issue claims; Relying Parties (RP) require claims. Examples shown: communities of interest, community web sites, your telco or ISP, online merchants, your university, educational institutions, government agencies, government services, your bank, financial institutions, your employer, business partners.

  19. CardSpace Selector Flow (sequence diagram between the Browser w/ CardSpace, the Web Site Front End (Relying Party) and the Identity Provider Security Token Service (STS), which may be managed or self-issued):
  (1) HTTP(S) GET (protected page); redirect to login page
  (2) HTTP(S) GET (login page); login page returned (w/ InfoCard tag)
  (3) CardSpace lights up; user selects card
  (4) WS-Trust RST/RSTR: authenticate user to STS and get token
  (5) CardSpace delivers token to browser
  (6) HTTPS POST (w/ token); cookie + browser redirect
  (7) HTTPS GET + cookie; HTML content


  21. Migrating to the Metasystem (architecture diagram). Components shown: an Identity Provider Realm and a Relying Party Realm, each with an Identity STS and a Claim Store; a Federation STS; Policy Stores and Policy Services; a Pseudonym Service and Pseudonym Token Service; an Authorization Service and Authorization Token Service; an Attribute Service and Attribute Token Service; and the client (Application / Web Service with Identity Selector Agent). Numbered interactions: (1) WS-MetadataExchange / WS-SecurityPolicy; (2) WS-MEX / WS-SecurityPolicy; (3) WS-MEX / WS-SecurityPolicy; (4) WS-Trust / WS-Federation; (5) WS-Trust / WS-Federation; (6) WS-Security application request; (7) WS-Trust “OnBehalfOf”; (8) WS-Security application response.

  22. Microsoft Open Specification Promise (OSP)
  • Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
  • Includes all the protocols underlying CardSpace
  • Issued September 2006
  • http://www.microsoft.com/interop/osp/

  23. Please visit the Microsoft Exhibition Area: Microsoft & Partner Identity & Access Solutions
  • Identity Lifecycle Manager 2007
  • Active Directory Federation Services
  • IDA topics represented by Microsoft & partners at the 1st European Identity Conference, May 2007, Munich, Germany

  24. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
