
Identity: “Geneva” Server And Framework Overview

BB42. Identity: “Geneva” Server And Framework Overview. Stuart Kwan, Group Program Manager, Microsoft Corporation. Caleb Baker, Senior SDET, Microsoft Corporation. Challenges in identity: identity is essential, but not straightforward; lots of technologies and standards.


Presentation Transcript


  1. BB42 Identity: “Geneva” Server And Framework Overview
  Stuart Kwan, Group Program Manager, Microsoft Corporation
  Caleb Baker, Senior SDET, Microsoft Corporation

  2. Challenges In Identity
  • Identity is essential, but not straightforward
  • Lots of technologies and standards
  • Complex decision tree, technology to scenario
  • Cloud computing adds new requirements
    • Federated single sign on is a must
    • Usually can’t read enterprise directory
  • Need a new approach
    • Simplify programming model
    • Cloud/on-premises agnostic

  3. PLACEHOLDER FOR ALL-UP IDENTITY SLIDE

  4. Agenda
  • Claims-based access model
  • “Geneva” server and framework demo
  • Roadmap

  5. Claims-Based Access Model
  • Claim
    • Statement by one party about another party
    • May be an identifier or a characteristic
  • Security token
    • Signed document containing claims
    • Produced by a Security Token Service (STS)
  • Identity Metasystem
    • Protocols and architecture for exchanging claims
  • Claims-aware application
    • Claims are delivered when the user accesses the app

  6. Claims-Based Access Model (diagram)
  Participants: Security Token Service; Application Server running Your App on the Claims Framework; End User. The STS and the application establish a trust relationship using metadata.
  Steps labelled in the diagram (step 1 is not captured in the transcript): 2. Read policy; 3. Read policy; 4. Get claims; 5. Send claims

  7. Claims-Based Access Model: Introducing “Geneva” (diagram)
  Participants: “Geneva” Server, backed by Active Directory; Application Server running Your App on the “Geneva” Framework; End User. The “Geneva” Server and the application establish a trust relationship using metadata.
  Steps labelled in the diagram (step 1 is not captured in the transcript): 2. Read policy; 3. Read policy; 4. Get claims; 5. Send claims

  8. Role Of Security Token Services
  • Key to flexibility in the model: externalize authentication to an STS
  • STS takes care of
    • How to authenticate the user
    • Where to source claim values about the user
    • Emitting the specific types, formats and values of claims that satisfy a specific application
  • Application logic is driven by claims

  9. What You Are About To See
  Starting with an ASP.NET web application:
  • Wire it up to a Security Token Service
  • Get user data without a lookup
  • Enable access by federated users
  • Access a back end service using the logged-in user’s identity
  • Require the user to use strong authentication for access to specific resources

  10. The Players
  • Contoso Hybrid
  • Auto Parts Web Application
  • Terry Earls

  11. Demo: Wire Up To An STS
  Caleb Baker, Senior SDET, Federated Identity

  12. Checkpoint: Wire Up To STS
  • Steps
    • Create and exchange metadata to establish the relationship
    • Switch to anonymous authentication
    • User is redirected, authenticated, and returns with claims
  • Benefit
    • No code change: works with .NET role-based security
    • Flexibility: the STS admin decides how to authenticate the user and retrieve role data

  13. Challenge: Get Information About User
  • Many authentication systems only convey an identifier, not user attributes
  • Applications must do lookups in directories or databases for information about the user
  • Location of the information is not obvious: every org’s information system is slightly different
  • Not straightforward to look up information about a user from another org
  • Applications residing in the cloud may not be able to read the enterprise directory

  14. Demo: Get Information About User
  Caleb Baker, Senior SDET, Federated Identity

  15. Checkpoint: Get Information About User
  • Steps
    • Write code to read claims using IClaimsPrincipal and IClaimsIdentity
  • Benefits
    • Easy to get user information
    • No directory lookup necessary in the application
    • STS admin decides where to get information about the user
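As an added example, not the deck's demo code, the page code-behind below builds its view of the user from the claims the STS delivered, with no directory lookup. The namespace, the IClaimsPrincipal/IClaimsIdentity members and the ClaimTypes constants are assumed to match the "Geneva" Framework beta; the issuer URL and role name are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;   // assumed "Geneva" Framework namespace

// Added example: an ASP.NET page that reads user data purely from claims.
public partial class OrdersPage : Page
{
    // Constructed value: the STS this application exchanged metadata with.
    private const string TrustedIssuer = "http://sts.contoso.example/trust";

    protected void Page_Load(object sender, EventArgs e)
    {
        // After the WS-Federation sign-in the framework replaces the thread
        // principal with a claims principal; anything else means the sign-in
        // module is not wired up, so the page must not continue.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new InvalidOperationException("no claims principal on the request");

        IClaimsIdentity identity = principal.Identities[0];

        // Only honour claims stamped with the issuer this app trusts.
        IEnumerable<Claim> trusted = identity.Claims
            .Where(c => string.Equals(c.Issuer, TrustedIssuer, StringComparison.Ordinal));

        string name  = ValueOf(trusted, ClaimTypes.Name);
        string email = ValueOf(trusted, ClaimTypes.Email);
        string[] roles = trusted
            .Where(c => c.ClaimType == ClaimTypes.Role)
            .Select(c => c.Value)
            .ToArray();

        // The framework also feeds role claims into principal.IsInRole, which is
        // why the "no code change" checkpoint on slide 12 holds for existing
        // role-based pages; here the check is made on the issuer-filtered set.
        bool canApprove = roles.Contains("PurchasingManager");   // constructed role

        Page.Title = canApprove
            ? "Orders (approver: " + name + ")"
            : "Orders (" + name + ", " + email + ", " + string.Join(",", roles) + ")";
    }

    private static string ValueOf(IEnumerable<Claim> claims, string claimType)
    {
        Claim claim = claims.FirstOrDefault(c => c.ClaimType == claimType);
        return claim == null ? null : claim.Value;
    }
}
```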

  16. Challenge: Federation
  • Federation is essential for business-to-business applications, and when using cloud services
  • Organizations don’t want to manage separate user accounts at every cloud service or partner
  • Want end users to have a single sign on experience

  17. The Players
  • Contoso Hybrid
  • Fabrikam Motors
  • Auto Parts Web Application
  • Terry Earls
  • Frank Miller

  18. Demo: Federation
  Caleb Baker, Senior SDET, Federated Identity

  19. Federation (diagram, part 1)
  Participants: two “Geneva” Servers, one per organization, with trust relationships established using metadata; Application Server running Auto Parts on the “Geneva” Framework; Frank Miller.
  Steps labelled in the diagram (step 1 is not captured in the transcript): 2. Attempt access; 3. Redirect to STS; 4. Home realm discovery; 5. Redirect to STS; 6. Authenticate

  20. Federation (diagram, part 2)
  Participants: two “Geneva” Servers with trust relationships; Application Server running Auto Parts on the “Geneva” Framework; Frank Miller.
  Steps labelled in the diagram: 7. Get claims; 8. Post claims; 9. Get claims; 10. Post claims

  21. Checkpoint: Federation
  • Steps
    • Exchange metadata to establish the relationship
    • Write a claims transform to translate inbound claims to those needed by the application
    • New step for the user: home realm discovery
  • Benefits
    • Easy to set up: only need the URL of the partner STS
    • No code changes in the app: the claims transform impedance-matches the partner to your application
    • Single sign on for partner users
    • Federate with any standards-compliant STS: WS-Federation and SAML 2.0 protocols
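The claims transform from this checkpoint, written as an added example rather than the deck's or the product's own code: it is the logic a custom STS built on the framework would run to turn a partner's inbound claims into the ones the Auto Parts application expects. The partner issuer, the partner's group claim type, the group-to-role table and the Claim constructor used here are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;   // assumed "Geneva" Framework namespace

// Added example: impedance-match a federated partner's claims to the
// application's own claim set.
public static class PartnerClaimsTransform
{
    // Constructed identifiers for the partner relationship.
    private const string PartnerIssuer    = "http://sts.fabrikam.example/trust";
    private const string PartnerGroupType = "http://schemas.fabrikam.example/claims/group";

    // Partner group -> application role. Anything not listed is dropped, so a
    // new group on the partner side never silently grants access here.
    private static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "Purchasing",          "Buyer" },
            { "Purchasing Managers", "PurchasingManager" },
        };

    // Returns only the claims the application expects, or throws when the
    // inbound identity carries nothing issued by the federated partner.
    public static IEnumerable<Claim> Transform(IClaimsIdentity inbound)
    {
        if (inbound == null) throw new ArgumentNullException("inbound");

        // Accept only claims the partner STS itself issued; relayed or
        // self-asserted claims must never turn into application roles.
        List<Claim> fromPartner = inbound.Claims
            .Where(c => string.Equals(c.Issuer, PartnerIssuer, StringComparison.Ordinal))
            .ToList();
        if (fromPartner.Count == 0)
            throw new InvalidOperationException("no claims issued by " + PartnerIssuer);

        var output = new List<Claim>();

        // The identifier the application keys on passes through unchanged.
        foreach (Claim c in fromPartner.Where(c => c.ClaimType == ClaimTypes.Email))
            output.Add(new Claim(ClaimTypes.Email, c.Value));

        // Partner groups are translated to the roles the application understands.
        foreach (Claim c in fromPartner.Where(c => c.ClaimType == PartnerGroupType))
        {
            string role;
            if (GroupToRole.TryGetValue(c.Value, out role))
                output.Add(new Claim(ClaimTypes.Role, role));
        }
        return output;
    }
}
```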

  22. The Players
  • Contoso Hybrid
  • Fabrikam Motors
  • Frank Miller
  • Auto Parts Web Application

  23. Demo: Windows CardSpace “Geneva”
  Caleb Baker, Senior SDET, Federated Identity

  24. Federation (diagram, Information Card logon)
  Participants: two “Geneva” Servers with trust relationships; Application Server running Auto Parts on the “Geneva” Framework; Frank Miller.
  Steps labelled in the diagram: 1. Attempt access; 2. Redirect to STS; 3. Click logon button; 4. Read policy; 5. Read policy; 6. Get claims; 7. Get claims; 8. Send claims

  25. Checkpoint: Windows CardSpace
  • Steps
    • Enable Information Card support on the STS
    • User downloads Information Card(s)
    • Select a card to log in
  • Benefits
    • Cards make it easy to use a federated application
    • No code changes in the application: setting up Information Card support is easy
    • Works with web and smart client applications
    • Avoids phishing-prone redirect-based protocols that prompt for passwords

  26. Challenge: Identity Delegation
  • Front end application wants to call a back end service, “acting as” the logged-in user
  • Today’s approaches
    • Gather the user’s credentials at the front end: gives the front end app too much power
    • Give the front end full privileges to the back end (“trusted subsystem”): takes control out of the hands of the back end app
    • Kerberos constrained delegation: only works with Kerberos

  27. The Players
  • Contoso Hybrid
  • Fabrikam Motors
  • Frank Miller
  • Auto Parts Web Application
  • High Value Inventory Web Service

  28. Identity Delegation (diagram)
  Participants: “Geneva” Server, with trust relationships to both services; Web Front End running Auto Parts on the “Geneva” Framework; Web Service Back End running High Value Inventory on the “Geneva” Framework; Frank Miller.
  Steps labelled in the diagram (steps 2 and 3 are not captured in the transcript): 1. Enable delegation; 4. Post claims; 5. Get claims; 6. Send claims

  29. Demo: Identity Delegation
  Caleb Baker, Senior SDET, Federated Identity

  30. Checkpoint: Identity Delegation
  • Steps
    • Configure delegation policy on the STS
    • Write WCF code to call the back end service using the ActAs client credential
  • Benefits
    • Familiar WCF programming model
    • Fine-grained control over delegation policy
    • Back end gets the claims it needs
    • Back end can audit user access accurately
    • App can turn claims back into a mapped NT user for access to Kerberos-protected resources
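The front end side of the ActAs call, as an added example and not the deck's demo code. The service contract and endpoint name are constructed, and the BootstrapToken property, the ConfigureChannelFactory and CreateChannelActingAs extensions, and the saveBootstrapTokens configuration setting are assumed names for the framework's delegation support.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;             // assumed "Geneva" Framework namespaces
using Microsoft.IdentityModel.Protocols.WSTrust;  // assumed home of CreateChannelActingAs

// Added example: the Auto Parts front end calls the High Value Inventory
// service while acting as the signed-in user, without ever holding the
// user's credentials.
[ServiceContract]
public interface IInventoryService
{
    [OperationContract]
    int GetStockLevel(string partNumber);
}

public static class InventoryClient
{
    public static int GetStockLevel(string partNumber)
    {
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new InvalidOperationException("caller is not signed in");

        // The bootstrap token is the token the STS issued to the front end for
        // this user; the framework keeps it only when configured to do so
        // (assumption: saveBootstrapTokens="true"). It is not a password.
        SecurityToken userToken = ((IClaimsIdentity)principal.Identity).BootstrapToken;
        if (userToken == null)
            throw new InvalidOperationException("bootstrap token not saved; enable it in config");

        // "InventoryEndpoint" is a constructed endpoint name from config. Its
        // binding asks the STS for a token with ActAs = the user's token, so the
        // back end sees the user's claims together with the front end's identity
        // and can apply the delegation policy the STS admin configured.
        var factory = new ChannelFactory<IInventoryService>("InventoryEndpoint");
        factory.ConfigureChannelFactory();                       // assumed extension
        IInventoryService channel = factory.CreateChannelActingAs(userToken);
        var client = (IClientChannel)channel;
        try
        {
            int level = channel.GetStockLevel(partNumber);
            client.Close();
            return level;
        }
        catch
        {
            client.Abort();   // never leave a faulted channel half open
            throw;
        }
    }
}
```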

  31. Challenge: Strong Authentication
  • Apps that need strong authentication get bound to a particular mechanism
  • Some apps need to vary authentication strength based on endpoint or resource
  • Just to make things fun, authentication strength is about more than just the mechanism
    • Also about the credential provisioning process
    • Knowing the key is asymmetric isn’t enough to declare something “strong”

  32. The Players
  • Contoso Hybrid
  • Fabrikam Motors
  • Terry Earls
  • Frank Miller
  • Auto Parts Web Application
  • High Value Inventory Web Service

  33. Demo: Authentication Assurance
  Caleb Baker, Senior SDET, Federated Identity

  34. Checkpoint: Strong Authentication
  • Steps
    • Write application code to inspect the authentication strength claim
    • Redirect the user to the STS if the strength is inadequate
  • Benefits
    • Code to check authentication strength is simple
    • App does not become bound to a mechanism
    • Mechanism is determined by the IT pro at the STS
    • Future: make it entirely config-driven
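The two steps of this checkpoint as an added example, not the deck's demo code: the deck's "authentication strength claim" is represented here by the framework's authentication method claim (an assumption), the STS URL and realm are constructed, the accepted-method URIs are the SAML 1.1 authentication method identifiers, and the wa/wtrealm/wauth/wreply query parameters are the WS-Federation sign-in parameters.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Web;
using Microsoft.IdentityModel.Claims;   // assumed "Geneva" Framework namespace

// Added example: a high-value page inspects the authentication method claim
// and, when it is too weak, sends the user back to the STS for a stronger one.
public static class AuthenticationStrength
{
    private const string StsUrl = "https://sts.contoso.example/trust";   // constructed
    private const string Realm  = "https://autoparts.contoso.example/";  // constructed

    // Methods this resource accepts; password logon is deliberately absent.
    private static readonly string[] StrongMethods =
    {
        "urn:oasis:names:tc:SAML:1.0:am:X509-PKI",
        "urn:oasis:names:tc:SAML:1.0:am:smartcard",
        "urn:oasis:names:tc:SAML:1.0:am:HardwareToken",
    };

    // True only when the STS asserted one of the accepted methods in the token.
    // The decision rests on what the STS said, never on what the app asked for.
    public static bool IsStrongEnough(IClaimsPrincipal principal)
    {
        if (principal == null || !principal.Identity.IsAuthenticated) return false;
        return principal.Identities[0].Claims
            .Where(c => c.ClaimType == ClaimTypes.AuthenticationMethod)
            .Any(c => StrongMethods.Contains(c.Value, StringComparer.Ordinal));
    }

    // Builds the WS-Federation sign-in request that asks for a specific method.
    // wreply stays within our own realm, so this is not an open redirect.
    public static string StepUpUrl(string returnUrl, string method)
    {
        return StsUrl
            + "?wa=wsignin1.0"
            + "&wtrealm=" + HttpUtility.UrlEncode(Realm)
            + "&wauth=" + HttpUtility.UrlEncode(method)
            + "&wreply=" + HttpUtility.UrlEncode(returnUrl);
    }

    // Call at the top of the page's Page_Load; returns only for strong sessions.
    public static void Require(HttpContext context)
    {
        if (IsStrongEnough(Thread.CurrentPrincipal as IClaimsPrincipal)) return;
        context.Response.Redirect(StepUpUrl(context.Request.Url.AbsoluteUri, StrongMethods[0]));
    }
}
```

Because the mechanism is named only in wauth and checked only through the returned claim, the IT pro can change which methods the STS offers without the application being rebuilt.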

  35. What You Just Saw
  Starting with an ASP.NET web application:
  • Wire it up to a Security Token Service
  • Get user data without a lookup
  • Enable access by federated users
  • Access a back end service using the logged-in user’s identity
  • Require the user to use strong authentication for access to specific resources

  36. “Geneva” Schedule
  • Beta 1: October 2008
  • Beta 2: 1st half 2009
  • RTM: 2nd half 2009

  37. Details
  • “Geneva” components are Windows components
  • Supported platforms
    • Beta: Windows Server 2008, Windows Vista
    • RTM: to be determined
  • See us in the Lounge, Pavilion, Hands On Lab
  • Learn about the Technology Adoption Partner program

  38. What's In the Beta
  • “Geneva” framework
    • Essential claims programming model
    • Framework for custom STS
    • Claims-to-NT Token service
  • “Geneva” server
    • Metadata-driven trust setup
    • Support for WS-Trust, WS-Federation
    • Support for Information Cards
    • SAML 2.0 protocol (IdPLite only)
  • Windows CardSpace “Geneva”
    • Small download, streamlined user experience
    • Managed cards only

  39. Identity @ PDC
  • Software
    • (BB42) Identity: "Geneva" Server and Framework Overview
    • (BB43) Identity: "Geneva" Deep Dive
    • (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
  • Services
    • (BB22) Identity: Live Identity Services Drilldown
    • (BB29) Identity: Connecting Active Directory to Microsoft Services
    • (BB28) .NET Services: Access Control Service Drilldown
    • (BB55) .NET Services: Access Control In the Cloud Services

  40. Summary
  • Claims-based identity model
    • Simple programming model for identity
    • Externalize identity to an STS, managed by the IT pro
    • Works for cloud and on-premises
    • Builds on existing infrastructure
    • Based on standard protocols
  • “Geneva” client, server, framework
    • Claims-based programming model for .NET
    • Builds on Active Directory
    • In beta now

  41. Evals & Recordings
  Please fill out your evaluation for this session at:
  This session will be available as a recording at: www.microsoftpdc.com

  42. Q&A
  Please use the microphones provided

  43. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
