Identity 2.0: The Identity Metasystem Vision
Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna
Agenda
• Digital identity crisis
• Real world as metaphor
• The Identity Metasystem as model
• Agreement on a model
• Common, consistent User Experience
• Claims-based security
• Federation & claims-transformation
• Summary
Digital Identities Today – Identity Silos
(figure: layered stack – Connectivity: IP, Naming: DNS, Identity: ??? / ???)
Digital Identities Today – Major Problem
(figure; source: www.antiphishing.org)
Roles in the Real World
(figure; Windows CardSpace)
Trust-Chains & Claims Transformation
(figure: parties connected by "trusts", "issues" and "queries" arrows)
Identity Vision Statement
"The goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them!"
http://msdn2.microsoft.com/en-us/library/ms996422.aspx
The Laws of Identity
• User control and consent
• Minimal disclosure for a defined use
• Justifiable parties
• Directional identity
• Pluralism of operators and technologies
• Human integration
• Consistent experience across contexts
Understanding the Requirements
• Clear definition of roles
• Technology-independent protocols
• Consistent User Experience
• Claims-based Security
• Federation and claims-transformation
Roles, Responsibilities, Protocols
(figure: Subject with an Identity Selector, Identity Provider with a Security Token Service, Relying Party with the Application)
• Subject – uses an Identity Selector (Information cards, OpenID, LID, Yadis…)
• Identity Provider – runs a Security Token Service; Auth"N" happens here; issues SAML, Kerberos, X.509 etc. tokens
• Relying Party – the Application; Auth"Z" happens here
• Protocols: WS-Policy, WS-MetadataExch., WS-Trust, WS-Security, WS-SecureConversation
Microsoft Technologies in the Model
(figure: Identity Provider / Security Token Service – AD, AD LDS, AD Cert., ADFS, ILM; Application – WCF; Identity Selector – CardSpace; protocols – WS-* via WCF)
Other Technologies in the Model
(figure: Identity Provider / Security Token Service – Xmldap, Eclipse Higgins, RubyForge InfoCard, PHP, Verisign PIP, Bandit; Application – J2EE, PHP, Python, Ruby…; Identity Selector – Kevin Miller's Selector, Bandit Project, Eclipse Higgins; protocols – WS-*)
Consistent User Experience
• Digital Identity Selector
• "Digital Wallet"
• You carry "digital cards" with you
• Each card belongs to 1 identity provider
(figure: IP One, IP Two, IP Three)
What is CardSpace?
• CardSpace is an identity selector
  • Part of .NET Framework 3.0
  • Uses WCF for its WS-* standards
  • User's digital identities = information cards
• CardSpace is an STS
  • Self-issued cards
  • Creates SAML v1.0 tokens
  • Requires no 3rd party identity provider
• User is in control of which IP is used and which claims are exposed
Demo: Self-Issued Cards
Claims-based Identity – Digital identity that parallels the real world
• Claims
  • Statements about subject
  • Identify subject…
  • …or only describe attributes
  • …or both
• Digital Identity
  • Set of claims
  • Asserted by authority / subject
• RP requests claims via Policy
  • Web app: <object/> tag
  • Service: WS-Policy, WS-MEX
Claims in .NET 3.0
    namespace System.IdentityModel.Claims
    {
        public class Claim
        {
            public Claim(string claimType, object resource, string right);
            public string ClaimType { get; }
            public string Right { get; }
            public object Resource { get; }
            // ...
        }
    }
• ClaimType is the claim URI as a string
• Right can be one of two things: Identity or PossessProperty
• Resource is the value of the claim
ClaimSet – Claims and their Issuers
    namespace System.IdentityModel.Claims
    {
        public abstract class ClaimSet : IEnumerable<Claim>, IEnumerable
        {
            public abstract ClaimSet Issuer { get; }
            public virtual bool ContainsClaim(Claim claim);
            public abstract IEnumerable<Claim> FindClaims(string claimType, string right);
            public abstract int Count { get; }
            public abstract Claim this[int index] { get; }
            public abstract IEnumerator<Claim> GetEnumerator();
            // ...
        }
    }
• DefaultClaimSet
• WindowsClaimSet
• X509CertificateClaimSet
Claims-based Security in Web Apps
• Scenario: relying party is a web site
• Browser integration necessary
• Requested claims embedded in HTML
• Identity Selector lets the user select a card / IP
• Approach: embed <object/> for the card request
• IE 7.0, Firefox and Safari supported
Example based on CardSpace
(figure: sequence between the User's PC – Browser and CardSpace with its Cards Store – the Website, and the Identity Provider's STS with its Identities Store)
1. Browser: GET login page
2. Browser reads the policies and passes them to CardSpace
3. CardSpace filters the card collection & shows the CardSpace UI
4. User picks a card
5. CardSpace sends an RST to the IP
6. The IP authenticates the RST; if successful, it builds & signs the requested token (SAML)
7. The IP sends back the token in an RSTR
8. CardSpace gives the token to the app & exits
9. The Browser POSTs the token to the website
10. The website authenticates the token
Sample Web Login Page
    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">
      Sign in with your Information Card
    </button>
    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->
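The last step of the CardSpace flow, the website authenticating the posted xmlToken, as an added example that is not from the deck or from CardSpace itself: a Python check of a self-issued SAML 1.0 assertion's issuer, validity window, audience and required claims, run against a constructed sample token. It assumes the token has already been decrypted and its signature verified, and the relying-party URI https://rp.example.test/ is a placeholder.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # tokenType the login page asks for
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
RP_AUDIENCE = "https://rp.example.test/"  # constructed URI of this relying party

def _ts(value):  # SAML 1.0 timestamps are UTC, e.g. 2007-06-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, required_claims, audience=RP_AUDIENCE):
    """Return {claim_uri: value} for a valid token, else raise ValueError.
    Assumes the token was already decrypted and its signature verified."""
    q = lambda name: "{%s}%s" % (SAML1, name)  # namespace-qualified tag
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion") or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") != SELF_ISSUER:  # only self-issued cards are accepted here
        raise ValueError("untrusted issuer")
    cond = root.find(q("Conditions"))
    if cond is None:
        raise ValueError("missing Conditions")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("token outside its validity window")
    if audience not in {a.text for a in cond.iter(q("Audience"))}:
        raise ValueError("token was not issued for this relying party")
    claims = {}
    for attr in root.iter(q("Attribute")):  # claim URI = namespace + "/" + name
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[uri] = attr.findtext(q("AttributeValue"))
    missing = [c for c in required_claims if c not in claims]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    return claims

# Constructed sample token, shaped like a self-issued CardSpace assertion.
SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="0"
  AssertionID="uuid-constructed-1" Issuer="%s" IssueInstant="2007-06-01T10:00:00Z">
  <saml:Conditions NotBefore="2007-06-01T10:00:00Z" NotOnOrAfter="2007-06-01T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience>
    </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="%s">
      <saml:AttributeValue>Mario</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="%s">
      <saml:AttributeValue>ppid-constructed</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>""" % (SAML1, SELF_ISSUER, RP_AUDIENCE, CLAIMS_NS, CLAIMS_NS)
```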
Demo: Claims-based security in Web Applications
WCF Services and Claims
• WCF is metasystem-ready
  • Supports necessary WS-* standards
  • Understands many tokens (SAML, Kerberos...)
• Client integration and CardSpace
  • System.IdentityModel
  • System.ServiceModel.Identity
  • Identity selector triggered based on WS-Policy
WCF Service Configuration
    <wsFederationHttpBinding>
      <binding name="TestFederationBinding" bypassProxyOnLocal="true">
        <security>
          <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                   negotiateServiceCredential="false">
            <claimTypeRequirements>
              <add claimType="claim-uri" isOptional="false" />
            </claimTypeRequirements>
            <issuer address="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>
Demo: Claims-based security in WCF Services
Federation and Trust-Chains
(figure: relying party "relies on" the IP)
• Relying party does not manage identity
• IP authenticates / proves identity
• Relying party determines truth based on
  • IP with closest relationship to subject
  • IP authentication of subject
  • Consensus of multiple IPs
• Federation bridges silos!!
Federation Scenario – Example
(figure: Company A – Requestor, ID store, IP/STS; Company B – IP/STS, Target Service; WS-Policy and WS-Trust between requestor and the STSs, WS-Trust between the two STSs and towards the target service)
Claims-Transformation & Federation
(figure: Company A – Requestor, ID store, IP/STS; Company B – IP/STS, Target Service; columns Content / Trust / Format; Partner Claim vs. Local Actionable Claim)
• Company A's IP/STS issues partner claims: Name, Date of Birth, Passport Nr., Passport Valid, … (format: SAML token, X.509 Cert)
• Company B's IP/STS transforms from "Date of Birth" to "Age >= 21?" (local actionable claim: Access Right, Role)
• The Target Service asks for: Age >= 21
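The transformation pictured above, as an added example that is not from the deck (a Python model of the two STSs rather than .NET code): Company B's STS accepts a token only from a trusted partner STS, derives the local "Age >= 21" claim from the partner's dateofbirth claim and forwards nothing else (minimal disclosure), and the target service acts only on claims its own STS asserted. The STS URIs and the claim URIs other than the dateofbirth claim are constructed placeholders.

```python
from collections import namedtuple
from datetime import date

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
DATE_OF_BIRTH = CLAIMS_NS + "/dateofbirth"
PASSPORT_NR = "urn:example:companya:claims:passportnumber"  # constructed partner claim
AGE_OVER_21 = "urn:example:companyb:claims:age-over-21"     # constructed local claim
STS_A, STS_B = "urn:example:companya:sts", "urn:example:companyb:sts"  # constructed

# Mirrors the .NET Claim shape: a claim type URI, a value (resource) and who asserted it.
Claim = namedtuple("Claim", "claim_type resource issuer")

def _age(born, today):
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def transform_claims(partner_token, trusted_partners, today):
    """Company B's STS: turn a partner token into locally actionable claims.
    partner_token = {"issuer": sts_uri, "claims": [Claim, ...]}"""
    if partner_token["issuer"] not in trusted_partners:
        raise ValueError("partner STS is not in the trust chain")
    local = []
    for c in partner_token["claims"]:
        if c.issuer != partner_token["issuer"]:
            raise ValueError("claim issuer does not match token issuer")
        if c.claim_type == DATE_OF_BIRTH:
            over_21 = _age(date.fromisoformat(c.resource), today) >= 21
            local.append(Claim(AGE_OVER_21, over_21, STS_B))
    # Minimal disclosure: name, passport number etc. are never forwarded.
    return {"issuer": STS_B, "claims": local}

def authorize(token, required_claim, trusted_sts=STS_B):
    """Target service in Company B: acts only on claims its own STS asserted."""
    if token["issuer"] != trusted_sts:
        return False
    return any(c.claim_type == required_claim and c.resource is True
               and c.issuer == trusted_sts for c in token["claims"])

# Constructed partner token as Company A's STS would issue it.
PARTNER_TOKEN = {"issuer": STS_A, "claims": [
    Claim(CLAIMS_NS + "/givenname", "Mario", STS_A),
    Claim(DATE_OF_BIRTH, "1985-06-02", STS_A),
    Claim(PASSPORT_NR, "P-constructed-123", STS_A),
]}
```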
Demo: A look at a simple STS
Summary
• Identity Metasystem
  • Solves many of today's issues (e.g. phishing)
  • Based on interoperable standards
  • Many supporting vendors (IBM, Novell, OSIS Community, Pamela, Eclipse project etc.)
• Windows CardSpace
  • Client-integration into metasystem
  • Identity selector and self-issuing STS
• WCF is meta-system ready by design
• Full support: ADFS vNext incl. .NET Fx Extensions
Microsoft Open Specification Promise (OSP)
• Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
• Includes all the protocols underlying CardSpace
• Issued September 2006
• http://www.microsoft.com/interop/osp
Resources and Links
• Community site, samples, news
  • http://cardspace.nefx3.com
• MSDN Forum
  • http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
• MSDN Home Page
  • http://msdn.microsoft.com/identity
• Blogs
  • http://identityblog.com
  • http://blogs.msdn.com/card
  • http://self-issued.info/
  • http://identity-des.com/
  • http://blogs.msdn.com/vbertocci
  • www.leastprivilege.com
Open Source Identity Selectors (some)
• Firefox – Bandit DigitalMe Project (Windows, Linux, Apple, Fedora)
  • http://www.bandit-project.org/index.php/DigitalMe
• Firefox – Windows only (Kevin Miller)
  • http://www.codeplex.com/IdentitySelector
• Apple Identity Selectors
  • http://www.hccp.org/safari-plug-in.html
• Java Identity Selectors
  • xmldap: http://xmldap.org/
Open Source Relying Parties (some)
• Ruby RP projects
  • http://rubyforge.org/projects/informationcard/
  • http://www.codeplex.com/informationcardruby
• Java RP projects
  • http://www.eclipse.org/org/press-release/20080221_higgins.php
  • http://sourceforge.net/projects/informationcard/
  • http://www.codeplex.com/informationcardjava
• C and PHP projects
  • https://infocard-demo.labs.pingidentity.com/
• Python and PHP projects
  • http://code.bandit-project.org/trac/wiki/PythonInfoCard
  • http://code.google.com/p/py-self-issued-rp/
  • http://www.codeplex.com/InformationCardPHP
Open Source Identity Providers (some)
• Verisign PIP
  • https://pip.verisignlabs.com/
• Bandit IP Framework
  • https://cards.bandit-project.org/BanditIdP/index.jsp
• Higgins Frameworks
  • http://www.eclipse.org/higgins/
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.