Claims-Based Identity
Solution Architect Briefing, zoli.herczeg.ro
Taken from David Chappell’s work at TechEd Berlin 2009

Agenda
• Introducing Claims-Based Identity
• Using Claims-Based Identity: Scenarios
• Microsoft Technologies for Claims-Based Identity: A Closer Look
Claims-Based Identity
The core Microsoft technologies
• Active Directory Federation Services (AD FS) 2.0
  • The next release of AD FS
• CardSpace 2.0
  • The next release of CardSpace
• Windows Identity Foundation (WIF) 1.0
  • Pronounced “Dub-I-F”
• These three technologies were previously code-named “Geneva”
What is Identity?
• An identity is a set of information about some entity, such as a user
• Most applications work with identity
• Identity information drives important aspects of an application’s behavior, such as:
  • Determining what a user is allowed to do
  • Controlling how the application interacts with the user
Defining the Problem
Working with identity is too hard
• Applications must use different identity technologies in different situations:
  • Active Directory (Kerberos) inside a Windows domain
  • Username/password on the Internet
  • WS-Federation and the Security Assertion Markup Language (SAML) between organizations
• Why not define one approach that applications can use in all of these cases?
  • Claims-based identity allows this
  • It can make life simpler for developers
Tokens and Claims
Representing identity on the wire
• A token is a set of bytes that expresses information about an identity
• This information consists of one or more claims
• Each claim contains some information about the entity to which this token applies

Token example (diagram):
• Claim 1: Name
• Claim 2: Group
• Claim 3: Age
• . . .
• Claim n
• Signature: indicates who created this token and guards against changes
Identity Providers and STSs
• An identity provider (or issuer) is an authority that makes claims about an entity
• Common identity providers today:
  • On your company’s network: Your employer
  • On the Internet: Most often, you
• An identity provider implements a security token service (STS)
  • It’s software that issues tokens
  • Requests for tokens are made via WS-Trust
• Many token formats can be used
  • The SAML format is popular
Getting a Token
Illustrating an identity provider and an STS
Diagram: the user’s browser or client talks to the identity provider, which consists of a Security Token Service (STS) backed by an account/attribute store.
1) Browser or client authenticates the user and requests a token from the STS
2) The STS gets information about the user from the account/attribute store
3) The STS creates and returns the token
Acquiring and Using a Token
Diagram: the browser or client obtains a token from the identity provider’s STS and presents it to the application, whose identity library holds a list of trusted STSs.
1) Browser or client authenticates the user and gets a token from the STS
2) Browser or client submits the token to the application
3) The application’s identity library verifies the token’s signature and checks whether this STS is in its list of trusted STSs
4) The application uses the claims in the token
Why Claims Are an Improvement
• In today’s world, an application typically gets only simple identity information
  • Such as a user’s name
• To get more, the application must query:
  • A remote database, e.g., a directory service
  • A local database
• With claims-based identity, each application can ask for exactly the claims that it needs
  • The STS puts these in the token it creates
How Applications Can Use Claims
Some examples
• A claim can identify a user
• A claim can convey group or role membership
• A claim can convey personalization information
  • Such as the user’s display name
• A claim can grant or deny the right to do something
  • Such as access particular information or invoke specific methods
• A claim can constrain the right to do something
  • Such as indicating the user’s purchasing limit
Supporting Multiple Identities
Using an identity selector
Diagram: several identity providers (each with its own STS), an identity selector on the user’s machine, and an application with an identity library.
1) Browser or client accesses the application and learns its token requirements
2) The user selects an identity that matches those requirements in the identity selector
3) The selector authenticates the user to the chosen identity provider and gets a token for the selected identity
4) Browser or client submits the token to the application
5) The application uses the claims in the token
Claims-Based Identity for Windows
Diagram: the same flow with the Microsoft products filled in: AD FS 2.0 as an identity provider’s STS, CardSpace 2.0 as the identity selector, and Windows Identity Foundation as the application’s identity library.
1) Browser or client accesses the application and learns its token requirements
2) The user selects an identity that matches those requirements in CardSpace 2.0
3) CardSpace 2.0 authenticates the user and gets a token for the selected identity from the STS
4) Browser or client submits the token to the application
5) The application (via Windows Identity Foundation) uses the claims in the token
An Enterprise Scenario
Diagram: Active Directory Domain Services, an AD FS 2.0 STS, a CardSpace 2.0 browser or client, and an application built on WIF.
1) The user logs in to the domain and gets a Kerberos ticket
2) Browser or client accesses the application and learns its token requirements
3) The user selects an identity that matches those requirements in CardSpace 2.0
4) CardSpace 2.0 presents the Kerberos ticket to the AD FS 2.0 STS and requests a token for the selected identity
5) The STS finds the claims required by the application and creates the token
6) Browser or client receives the token
7) Browser or client submits the token to the application
8) The application (via WIF) uses the claims in the token
Allowing Internet Access
Diagram: the browser or client is on the Internet; the AD FS 2.0 STS, backed by Active Directory Domain Services, and the WIF application are reachable from it.
1) Browser or client accesses the application over the Internet and learns its token requirements
2) The user selects an identity that matches those requirements in CardSpace 2.0
3) CardSpace 2.0 authenticates the user to the AD FS 2.0 STS and gets a token for the selected identity
4) Browser or client submits the token to the application
5) The application (via WIF) uses the claims in the token
Using an External Identity Provider
Diagram: the identity providers are external, such as Windows Live ID or another provider, each with its own STS; the application uses WIF.
1) Browser or client accesses the application over the Internet and learns its token requirements
2) The user selects an identity that matches those requirements in CardSpace 2.0
3) CardSpace 2.0 authenticates the user to the external provider’s STS and gets a token for the selected identity
4) Browser or client submits the token to the application
5) The application (via WIF) uses the claims in the token
Identity Across Organizations
Describing the problem
• A user in one Windows forest must access an application in another Windows forest
• A user in a non-Windows world must access an application in a Windows forest (or vice versa)

Identity Across Organizations
Possible solutions
• One option: duplicate accounts
  • Requires separate login, extra administration
• A better approach: identity federation
  • One organization accepts identities provided by the other
  • No duplicate accounts
  • Single sign-on for users
Identity Federation (1)
Diagram: Organization X runs Active Directory Domain Services with an AD FS 2.0 STS and the user’s CardSpace 2.0 browser or client; Organization Y runs its own STS and the application (WIF).
The application’s trusted STSs: Organization Y, Organization X
1) Browser or client accesses the application and learns its token requirements
2) The user selects an identity that matches those requirements
3) CardSpace 2.0 gets a token for the selected identity from Organization X’s STS
4) Browser or client submits the token to the application
5) The application uses the claims in the token
Identity Federation (2)
Diagram: the same two organizations, but the application trusts only its own organization’s STS, and that STS in turn trusts Organization X.
The application’s trusted STSs: Organization Y
Organization Y STS’s trusted STSs: Organization X
1) Browser or client accesses the application and learns its token requirements
2) Browser or client accesses the Organization Y STS and learns its token requirements
3) The user selects an identity that matches those requirements
4) CardSpace 2.0 gets a token for the Organization Y STS from Organization X’s STS
5) Browser or client presents that token to the Organization Y STS and requests a token for the application
6) The Organization Y STS issues a token for the application
7) Browser or client submits the token to the application
8) The application uses the claims in the token
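The three steps the deck keeps returning to, the relying party verifying a token against its list of trusted STSs (Acquiring and Using a Token), the application then acting on the claims (How Applications Can Use Claims), and a second STS accepting another organization’s token before issuing its own (Identity Federation (2)), as one added worked example; this is illustrative code written for this page, not Microsoft’s or WIF’s. It assumes a constructed token format (base64 JSON plus a signature) and uses a per-STS HMAC key as a stand-in for the issuer’s signing certificate; the STS names, claim names and group-to-role mapping are all made up.

```python
import base64, hashlib, hmac, json, time

# Constructed keys, one per STS (a real STS signs with its private key; HMAC is an assumed stand-in)
STS_KEYS = {"sts-x": b"org-x-signing-secret", "sts-y": b"org-y-signing-secret"}

def encode_body(body):
    return base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
def decode_body(payload):
    return json.loads(base64.urlsafe_b64decode(payload))

def issue_token(issuer, audience, claims, ttl=300):
    """STS side: put the requested claims in a token and sign it (the 'create and return token' step)."""
    body = {"iss": issuer, "aud": audience, "exp": int(time.time()) + ttl, "claims": claims}
    payload = encode_body(body)
    sig = hmac.new(STS_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def validate_token(token, audience, trusted):
    """Relying party (WIF's job): issuer in the trusted-STS list, signature verifies, right audience, unexpired."""
    payload, _, sig = token.rpartition(".")
    body = decode_body(payload)
    issuer = body.get("iss")
    if issuer not in trusted:                    # 'check whether this STS is trusted'
        raise ValueError("untrusted STS: %r" % issuer)
    expected = hmac.new(trusted[issuer], payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # 'verify token's signature' (catches altered claims)
        raise ValueError("signature check failed")
    if body.get("aud") != audience:              # token minted for some other relying party
        raise ValueError("token issued for a different application")
    if body.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return body["claims"]                        # only now are the claims usable

def sts_y_federate(token_from_x):
    """Organization Y's STS: trusts STS X, validates X's token, issues Y's own token for the application."""
    claims = validate_token(token_from_x, "sts-y", {"sts-x": STS_KEYS["sts-x"]})
    role = "purchaser" if "procurement" in claims.get("groups", []) else "guest"  # constructed mapping
    app_claims = {"name": claims["name"], "role": role,
                  "purchasing_limit": claims.get("purchasing_limit", 0)}
    return issue_token("sts-y", "app-y", app_claims)

def app_y_purchase(token, amount):
    """Application in Organization Y: trusts only STS Y; the role claim grants the right, purchasing_limit constrains it."""
    claims = validate_token(token, "app-y", {"sts-y": STS_KEYS["sts-y"]})
    if claims.get("role") != "purchaser":
        return "denied: role"
    if amount > claims.get("purchasing_limit", 0):
        return "denied: over purchasing limit"
    return "approved for " + claims["name"]
```

Because the application’s trust list contains only STS Y, a token from STS X presented directly to it is rejected even though its signature is valid; only the re-issued token from STS Y is accepted.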
Delegation
Diagram: Active Directory Domain Services with an AD FS 2.0 STS, the user’s browser or client, and two applications, X and Y, both built on WIF.
1) Browser or client gets a token for application X from the STS
2) Browser or client submits the token for X to application X
3) Application X accesses application Y and learns its token requirements
4) Application X presents the token for X to the STS and requests a token for application Y
5) The STS checks policy for the user, application X, and application Y
6) If policy allows, the STS issues a token for application Y
7) Application X submits the token for Y to application Y
8) Application Y uses the claims in the token
Microsoft Technologies for Claims-Based Identity: A Closer Look
Changes in AD FS 2.0
From the previous release
• AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation
  • And it doesn’t provide an STS
• AD FS 2.0:
  • Supports both active and passive clients
  • Provides an STS
  • Supports both WS-Federation and the SAML 2.0 protocol
  • Improves management of trust relationships
    • By automating some exchanges
CardSpace 2.0
Selecting identities
• CardSpace provides a standard user interface for choosing an identity
  • Using the metaphor of cards
• Choosing a card selects an identity (i.e., a token)

Information Cards
• Behind each card a user sees is an information card
  • It’s an XML file that represents a relationship with an identity provider
  • It contains what’s needed to request a token for a particular identity
• Information cards don’t contain:
  • Claims for the identity
  • Whatever is required to authenticate to the identity provider’s STS
Information Cards
An illustration
Diagram: CardSpace 2.0 in the user’s browser or client holds Information Cards 1 through 4, each representing a relationship with one identity provider’s STS.
Creating Industry Agreement
• The Information Card Foundation is a multi-vendor group dedicated to making this technology successful
  • Its board members include Google, Microsoft, Novell, Oracle, and PayPal
• A Web site can display a standard icon to indicate that it accepts card-based logins:
Changes in CardSpace 2.0
From the first CardSpace release
• CardSpace 2.0 is available separately from the .NET Framework
  • It’s smaller and faster
• CardSpace 2.0 contains optimizations for applications that users visit repeatedly
  • A Web site can display the card you last used to log in to the site
  • The CardSpace screen needn’t appear
• Cards can be set using Group Policy
• The self-issued identity provider has been dropped
Windows Identity Foundation
• The goal: Make it easier for developers to create claims-aware applications
• WIF provides:
  • Support for verifying a token’s signature and extracting its claims
  • Classes for working with claims
  • Support for creating a custom STS
  • Visual Studio project types
  • An STS for development and testing
  • More
Conclusions
• Changing how applications (and people) work with identity is not a small thing
  • Widespread adoption of claims-based identity will take time
• Yet all of the pieces required to make claims-based identity real on Windows are here:
  • AD FS 2.0
  • CardSpace 2.0
  • Windows Identity Foundation