
Identity: “Geneva” Deep Dive

BB43. Identity: “Geneva” Deep Dive.  Jan Alexander Program Manager Microsoft Corporation. Microsoft Identity Software + Services One identity model that puts users in control of their identities. Flexibility via Choice. Enhances Developer Productivity. Standards Based.


Presentation Transcript


  1. BB43 Identity: “Geneva” Deep Dive  Jan Alexander Program Manager Microsoft Corporation

  2. Microsoft Identity Software + Services
     One identity model that puts users in control of their identities: Flexibility via Choice; Enhances Developer Productivity; Standards Based
     Components shown: Live Identity Services, Microsoft Federation Gateway, .Net Access Control Service (Services); Claims-Based Access; “Geneva” Server, Microsoft Services Connector, Windows CardSpace “Geneva”, “Geneva” Framework, Live Framework, Active Directory (Software)

  4. Agenda
     • Identity Meta-System & Claims
     • Creating Claims-based Application
     • Adding Custom Claims
     • Federated Authentication
     • Custom STS
     • Claims & WCF
     • Identity Delegation
     • Futures

  5. Identity Meta-System & Claims

  6. Identity Meta-System Introduction
     • Claims Producer: Security Token Service (Geneva Server, Custom STS)
     • Claims Consumer: Relying Party (ASP.NET, WCF service, SSP-based service)
     • Claims Requestor: Client (Web Browser, WCF Smart Client, SSP-based application)
     1. Trust established
     2. Authenticate and get claims in a token
     3. Send the issued token with claims to authenticate with the service

  7. Terminology
     • Claim: statement made by an entity (issuer) about an entity (subject)
     • Security Token: represents a collection of claims; usually asserted and cryptographically signed by an issuing authority
     • Security Token Service: issues security tokens
     • Relying Party: accepts security tokens and uses claims contained in them

  8. Claims Model
     IClaimsPrincipal holds one or more IClaimsIdentity; each IClaimsIdentity (the Subject) holds Claims
     Claim: ClaimType = “Name”, Value = “Bob”, Issuer = “WLID”

  9. Creating Claims-Based Application

  10. Federated Claims-Based Application
     • STS (Geneva Server), Claims Transformation Policy for Relying Party: Name = Contoso\Bob -> ShoeSize = 41
     • Bob -> STS: Identity: Contoso\Bob, Going to: Relying Party; STS -> Bob: SAML(Shoe Size = 41)
     • Bob -> Relying Party (ASP.NET + Geneva FX): HTTP GET /secret.aspx with SAML(Shoe Size = 41); Relying Party -> Bob: Secret content
     • Relying Party Authorization Policy: secret.aspx -> Shoe Size = 41

  11. Original Application Without Claims
     • Infrastructure: IIS + ASP.NET with Windows Authentication Module (Client authenticates with Kerberos) and URL Authorization Module
     • Authorization Policy: default.aspx -> * ; secret.aspx -> janalex
     • Application Code: Only Shoe Size 41 (secret.aspx); default.aspx open to Everyone

  12. Making The Application Claims-Based: converting authorization to use claims
     • Authorization Policy, before (URL Authorization Module): default.aspx -> * ; secret.aspx -> janalex
     • Authorization Policy, after (Claims Authorization Manager): default.aspx -> Everyone; secret.aspx -> Claim Type = “Name”, Claim Value = “janalex”
     • Infrastructure: IIS + ASP.NET with Windows Authentication Module (Kerberos), Claims Authentication Module, Claims Authorization Module, URL Authorization Module; Geneva Framework Claims Authorization Manager
     • Application Code: Only Shoe Size 41 (secret.aspx); default.aspx open to Everyone

  13. demo Securing a Web Page

  14. Adding Custom Claims

  15. Geneva Framework Architecture (request flow)
     • Hosting Layer (WCF or ASP.NET) -> Geneva FX integration layer
     • Token Handling: XML/Binary Token Reference -> Token Resolver -> Token Serialization -> Security Token -> Token Validation (the Issuer Name Registry maps the issuer’s token to the issuer’s name)
     • Claims Extraction: Security Token + Issuer’s Name -> Claims Identity -> Claims Principal
     • Claims Authentication Manager: Claims Principal -> Claims Principal
     • Security Session Management: Session Token <-> Claims Principal
     • Claims Authorization Manager: Claims Principal -> True/False
     • Application Code

  16. Making The Application Claims-Based: adding shoe size claim
     • Claims Transformation Policy (Claims Authentication Manager): Name = REDMOND\janalex -> ShoeSize = 41
     • Authorization Policy, before: default.aspx -> Everyone; secret.aspx -> Name = REDMOND\janalex
     • Authorization Policy, after: default.aspx -> Everyone; secret.aspx -> ShoeSize = 41
     • Infrastructure: IIS + ASP.NET with Windows Authentication Module (Kerberos), Claims Authentication Module, Claims Authorization Module; Geneva Framework Claims Authentication Manager and Claims Authorization Manager
     • Application Code: Only Shoe Size 41 (secret.aspx); default.aspx open to Everyone

  17. demo Adding Shoe Size Claim

  18. Federated Authentication

  19. What Is Geneva Server?
     • Security Token Service for AD: identity and federation provider
     • Managed Card Provider for AD: CardSpace and InfoCard Identity Selectors
     • Federation Trust Manager: automates trust management using metadata
     • Standards Based and Interoperable: WS-* & SAML 2.0 protocol “Web SSO profile”; SAML 1.1 & 2.0 tokens

  20. Geneva Server Architecture Home Realm Discovery Service Relying Party Client MMC: Policy UX MMC: Service UX Geneva FX API Card Space Geneva FX API {WS-Fed Passive } {WS-Fed Metadata} {WS-Fed Passive } {WS-Fed Metadata} {WS-Trust WS-MEX} {WMI} {Information Card Issuance} {Policy Management} Geneva Server Runtime Geneva FX API Protocol Hosting (WS-Trust, Metadata, WS-Federation) Information Card Issuance Service Policy Management Service WMI Provider Issuance Engine Identity Store Interface Policy Store Interface LDAP Store SQL Store {SQL} {FileIO} {LDAP} AD/ADAM User Attribute AuthN Store Config File SQL Policy Store

  21. Making The Application Claims-Based: converting to the federated authentication
     • Claims Authentication Policy (Issuer Name Registry): Issuer = STS -> Can say Shoe Size
     • Claims Transformation Policy (Geneva Server STS): Name = REDMOND\janalex -> ShoeSize = 41
     • Authorization Policy: default.aspx -> Everyone; secret.aspx -> Shoe Size = 41
     • Flow: Establish Trust with the Geneva Server STS; Client authenticates to the STS with Kerberos and presents the SAML Token to the application
     • Infrastructure: IIS + ASP.NET with Windows Authentication Module, Federated Authentication Module, Claims Authentication Module, Claims Authorization Module; Geneva Framework Issuer Name Registry, Claims Authentication Manager and Claims Authorization Manager
     • Application Code: Only Shoe Size 41 (secret.aspx); default.aspx open to Everyone
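The pipeline that slides 10 through 21 describe (issuer name registry, per-issuer claims authentication policy, the claims authentication manager's Name -> ShoeSize transformation, and the claims authorization manager's per-page policy) as one runnable model. This is an added example written for this transcript, not Geneva Framework code: the token format, signing key ids, the "LOCAL AUTHORITY" issuer name and the policies are constructed here so the flow runs offline.

```python
"""Constructed model of the claims pipeline on slides 10-21 (not Geneva Framework code).

Token validation consults an issuer name registry, a claims authentication policy
limits which claim types each issuer may assert, the claims authentication manager
applies the transformation policy (Name -> ShoeSize), and the claims authorization
manager applies the per-page policy. Key ids, names and policies are made up here.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Claim:
    claim_type: str   # e.g. "Name", "ShoeSize"
    value: str
    issuer: str       # who asserted it: "STS", "LOCAL AUTHORITY", ...


@dataclass
class ClaimsIdentity:
    claims: List[Claim] = field(default_factory=list)

    def find(self, claim_type: str) -> List[Claim]:
        return [c for c in self.claims if c.claim_type == claim_type]


@dataclass
class ClaimsPrincipal:
    identities: List[ClaimsIdentity] = field(default_factory=list)

    def has_claim(self, claim_type: str, value: str) -> bool:
        return any(c.value == value
                   for identity in self.identities
                   for c in identity.find(claim_type))


# Issuer name registry: signing key id of the token -> issuer name (constructed ids).
ISSUER_NAME_REGISTRY = {"keyid-geneva-sts": "STS"}
# Claims authentication policy (slide 21): Issuer = STS -> can say Name and ShoeSize.
CLAIMS_AUTHENTICATION_POLICY = {"STS": {"Name", "ShoeSize"}}
# Claims transformation policy (slide 16): Name = REDMOND\janalex -> ShoeSize = 41.
CLAIMS_TRANSFORMATION_POLICY = {r"REDMOND\janalex": "41"}
# Authorization policy: page -> required (claim type, value), or None for Everyone.
AUTHORIZATION_POLICY: dict = {"default.aspx": None, "secret.aspx": ("ShoeSize", "41")}


class TokenRejected(Exception):
    pass


def validate_token(token: dict) -> ClaimsPrincipal:
    """Token validation plus claims extraction. A token signed by an unknown key is
    rejected outright; claim types the issuer is not trusted for are dropped."""
    issuer = ISSUER_NAME_REGISTRY.get(token["signing_key_id"])
    if issuer is None:
        raise TokenRejected("token signed by an untrusted issuer")
    allowed = CLAIMS_AUTHENTICATION_POLICY.get(issuer, set())
    identity = ClaimsIdentity()
    for claim_type, value in token["claims"]:
        if claim_type in allowed:
            identity.claims.append(Claim(claim_type, value, issuer))
    return ClaimsPrincipal([identity])


def claims_authentication_manager(principal: ClaimsPrincipal) -> ClaimsPrincipal:
    """Transformation step: add the ShoeSize claim the application derives from Name.
    The added claim is issued by the application itself, not by the STS."""
    for identity in principal.identities:
        for name in identity.find("Name"):
            size = CLAIMS_TRANSFORMATION_POLICY.get(name.value)
            if size is not None and not identity.find("ShoeSize"):
                identity.claims.append(Claim("ShoeSize", size, "LOCAL AUTHORITY"))
    return principal


def claims_authorization_manager(principal: ClaimsPrincipal, resource: str) -> bool:
    """Per-page policy; pages not listed in the policy are denied."""
    if resource not in AUTHORIZATION_POLICY:
        return False
    required = AUTHORIZATION_POLICY[resource]
    if required is None:
        return True
    return principal.has_claim(*required)


def check_access(token: Optional[dict], resource: str) -> bool:
    """The whole pipeline for one request; no token means an anonymous principal."""
    if token is None:
        principal = ClaimsPrincipal()
    else:
        try:
            principal = validate_token(token)
        except TokenRejected:
            return False
    principal = claims_authentication_manager(principal)
    return claims_authorization_manager(principal, resource)


if __name__ == "__main__":
    janalex = {"signing_key_id": "keyid-geneva-sts",
               "claims": [("Name", r"REDMOND\janalex")]}
    forged = {"signing_key_id": "keyid-unknown",
              "claims": [("Name", r"REDMOND\janalex"), ("ShoeSize", "41")]}
    print("janalex secret.aspx:", check_access(janalex, "secret.aspx"))  # True
    print("forged secret.aspx:", check_access(forged, "secret.aspx"))    # False
```

The point the model makes visible is where trust is decided: a ShoeSize claim is only honoured if it came from an issuer the registry knows and the authentication policy allows to say it, or if the application derived it itself; a client that puts "ShoeSize = 41" into a token signed with an unknown key never reaches the authorization manager.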

  22. demo Converting to the Federated Authentication

  23. Making The Application Claims-BasedAdding a new identity provider Trust Established Fabrikam STS WLID STS Fabrikam Windows Live ID Fabrikam User Relying Party Windows Live ID User

  24. Identity Delegation

  25. Claims Model
     IClaimsPrincipal -> IClaimsIdentity (Subject) -> Delegate IClaimsIdentity -> Delegate IClaimsIdentity
     Subject claim: ClaimType = “Name”, Value = “Bob”, Issuer = “WLID”
     Delegate claim: ClaimType = “Name”, Value = “Server1”, Issuer = “MS STS”

  26. Identity Delegation
     • STS (Geneva Server): Issue Token { Bob }; Issue Token { WFE, ActAs(Bob) }
     • Bob -> WFE (ASP.NET) over HTTP/HTML: { Bob }
     • WFE (ASP.NET) -> Backend (WCF) over SOAP: { Bob delegate WFE }
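The ActAs exchange on slides 25 and 26 as a runnable model: the STS issues Bob a token, the web front end presents it in an ActAs request and receives an identity whose Subject is still Bob but whose Delegate is the front end, and the backend authorizes on both. This is an added example for this transcript, not Geneva Server or Geneva Framework code; the STS name, the delegation policy, the depth limit and the ordering of a multi-level delegate chain are assumptions made for the example.

```python
"""Constructed model of the ActAs delegation flow on slides 25-26 (not Geneva Server
or Geneva Framework code). Names, the delegation policy and the depth limit are
made up for the example; the chain ordering for nested delegation is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str
    issuer: str


@dataclass
class ClaimsIdentity:
    claims: List[Claim]
    delegate: Optional["ClaimsIdentity"] = None   # slide 25: IClaimsIdentity.Delegate

    def name(self) -> str:
        return next(c.value for c in self.claims if c.claim_type == "Name")


STS_NAME = "MS STS"
# STS delegation policy (constructed): which services may act as other identities.
MAY_ACT_AS = {"Server1", "Server2"}


def issue_token(requestor: str, act_as: Optional[ClaimsIdentity] = None) -> ClaimsIdentity:
    """STS issuance. A plain request yields the requestor's own identity. An ActAs
    request yields the act_as subject with the requestor attached as Delegate and
    any earlier delegates chained below it (assumed ordering)."""
    requestor_identity = ClaimsIdentity([Claim("Name", requestor, STS_NAME)])
    if act_as is None:
        return requestor_identity
    if any(c.issuer != STS_NAME for c in act_as.claims):
        raise PermissionError("ActAs token was not issued by this STS")
    if requestor not in MAY_ACT_AS:
        raise PermissionError(f"{requestor} may not act as {act_as.name()}")
    requestor_identity.delegate = act_as.delegate
    return ClaimsIdentity(list(act_as.claims), delegate=requestor_identity)


def delegation_chain(identity: ClaimsIdentity) -> List[str]:
    """Subject first, then each Delegate outward: ['Bob', 'Server1'] for slide 26."""
    chain = []
    while identity is not None:
        chain.append(identity.name())
        identity = identity.delegate
    return chain


def all_claims_trusted(identity: ClaimsIdentity) -> bool:
    """Every identity in the chain must carry claims from the trusted STS only."""
    while identity is not None:
        if any(c.issuer != STS_NAME for c in identity.claims):
            return False
        identity = identity.delegate
    return True


# Backend (WCF) policy, constructed: who may be the end user, who may act for them,
# and how many delegates are tolerated in the chain.
ALLOWED_USERS = {"Bob"}
ALLOWED_FRONT_ENDS = {"Server1"}
MAX_DELEGATES = 1


def backend_authorize(identity: ClaimsIdentity) -> bool:
    """Authorize on the end user *and* every delegate in the chain, not just the caller."""
    if not all_claims_trusted(identity):
        return False                      # forged or foreign Name claim somewhere in the chain
    chain = delegation_chain(identity)
    user, delegates = chain[0], chain[1:]
    if user not in ALLOWED_USERS or len(delegates) > MAX_DELEGATES:
        return False
    return all(d in ALLOWED_FRONT_ENDS for d in delegates)


if __name__ == "__main__":
    bob = issue_token("Bob")
    wfe = issue_token("Server1", act_as=bob)
    print(delegation_chain(wfe), backend_authorize(wfe))   # ['Bob', 'Server1'] True
```

Two checks in `backend_authorize` carry the security weight: a front end that simply writes "Name = Bob" into its own token is refused because the claim's issuer is not the STS, and a chain longer than the backend's policy allows is refused even when every name in it is known.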

  27. Futures

  28. Authorization
     • Imagine this:
         foreach (IClaimsIdentity identity in subject.Identities)
         {
             if ((from c in identity.Claims
                  where c.ClaimType == ClaimTypes.Name && c.Value == @"REDMOND\janalex"
                  select c).Count() > 0)
             {
                 return true;
             }
         }
     • Turned into this:
         [AccessCheck(Resource="page1.aspx", Operation="GET")]

  29. Geneva Server Issuance Policy
     • Accessing arbitrary Claim properties (today limited to claim type and claim value)
     • Complex conditions (today only a single expression is supported)
     • Custom attribute stores (today only LDAP)
     • Policy analysis support
     • Enhanced identity delegation policy (today on par with AD constrained delegation)
     • Support for custom issuance engines

  30. "Geneva" Schedule
     • Beta 1: October 2008
     • Beta 2: 1st Half 2009
     • RTM: 2nd Half 2009

  31. Details
     • “Geneva” components are Windows components
     • Supported platforms: Beta: Windows Server 2008, Windows Vista; RTM: To Be Determined
     • See us in Lounge, Pavilion, Hands On Lab
     • Learn about Technology Adoption Partner program

  32. Summary
     • Claims are flexible and powerful.
     • Security Token Service is here to help you to get the right identity information to your applications.
     • “Geneva” Framework gives you a consistent programming model for every situation.

  33. Identity @ PDC
     • Software
       • (BB42) Identity: "Geneva" Server and Framework Overview
       • (BB43) Identity: "Geneva" Deep Dive
       • (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
     • Services
       • (BB22) Identity: Live Identity Services Drilldown
       • (BB29) Identity: Connecting Active Directory to Microsoft Services
       • (BB28) .NET Services: Access Control Service Drilldown
       • (BB55) .NET Services: Access Control In the Cloud Services

  34. Evals & Recordings
     Please fill out your evaluation for this session at:
     This session will be available as a recording at: www.microsoftpdc.com

  35. Q&A Please use the microphones provided

  36. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.