Windows CardSpace
Martin Parry
Developer Evangelist, Microsoft
martin.parry@microsoft.com
Event slides will be posted at: http://www.microsoft.com/uk/msdnevents
Identity: problems
• Passwords too easy to crack
• Or too hard to remember
• I want multiple identities
• Results in identity silos
• Banks etc. would like to make sign-on data a lot more complex
• Users’ ability to remember is the obstacle
• Nobody trusts a single organization to store all identity information
Identity: a new approach
• Kim Cameron; www.identityblog.com
• Seven laws of identity
• We have interoperable WS-* specs
  • Allow multiple identity systems to take part
• We have a standard format for credentials
  • SAML tokens
• The Identity Metasystem
Security Tokens
• SAML
  • Security Assertion Markup Language
  • Prevailing format for credentials today
• What’s in a security token?
  • Collection of claims (self-asserted or verifiable)
  • Token signed by issuer
• Issuing a token
  • Use WS-Security and WS-Trust
• Consuming a token
  • Verify signature, decide if issuer trusted
  • Read claims (for authZ decisions)
Example Security Token
Given Name: Martin
Family Name: Parry
Email: martin.parry@microsoft.com
Security Token Service
Give it something...
• Username/password
• X.509 certificate
• Another security token
• Biometric
• Etc...
...and it returns a security token carrying claims (the diagram shows the Martin Parry token from the previous slide)
Federation
• If users have accounts elsewhere and you trust the authN that takes place there
  • Don’t add user accounts to your system
  • Accept security tokens issued elsewhere
• Establish trust between systems
  • WS-Federation
• Think of B2B scenarios
Federation: example
• Instead of provisioning a new user account for a partner, I’ll let her organization authenticate her
• Automate the trust relationship
• Ask user to supply a SAML token issued by a partner org
• SAML token contains claims about the user
  • Partner org claims that this user’s name is Alice
  • Partner org claims that Alice is a Purchaser
  • Partner org claims that Alice is authorized to purchase bike parts
• Reduces identity management burden and latency
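The two slides above (consuming a token: verify the signature, decide whether the issuer is trusted, then read the claims; and the federation case where a partner organization is the issuer) can be shown end to end. The following is an added example, not code from the talk or from the CardSpace samples: it uses a hypothetical signed-claims format in place of a real SAML assertion with XML-DSig, RSA/SHA-256 from System.Security.Cryptography as the signature scheme, and a trust store keyed by issuer name (assumed to be filled out of band, as WS-Federation trust would be).

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a SAML token (not SAML/XML-DSig):
// who issued it, the claims it carries, and the issuer's signature over both.
public sealed class ClaimsToken
{
    public string Issuer { get; set; }
    public Dictionary<string, string> Claims { get; set; } = new Dictionary<string, string>();
    public byte[] Signature { get; set; }

    // Canonical bytes the issuer signs: the issuer line, then claims in key order.
    public byte[] SignedBytes()
    {
        var sb = new StringBuilder(Issuer).Append('\n');
        foreach (var kv in new SortedDictionary<string, string>(Claims, StringComparer.Ordinal))
            sb.Append(kv.Key).Append('=').Append(kv.Value).Append('\n');
        return Encoding.UTF8.GetBytes(sb.ToString());
    }
}

// Issuer side: an identity provider, or the partner organization in the federation example.
public static class TokenIssuer
{
    public static ClaimsToken Issue(string issuer, RSA issuerKey, Dictionary<string, string> claims)
    {
        var token = new ClaimsToken { Issuer = issuer, Claims = new Dictionary<string, string>(claims) };
        token.Signature = issuerKey.SignData(token.SignedBytes(), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return token;
    }
}

// Relying-party side: trust decision first, then signature check, only then read claims.
public sealed class RelyingParty
{
    // Trust store: issuer name -> public key, established out of band (assumed, e.g. from federation metadata).
    private readonly Dictionary<string, RSAParameters> trustedIssuers = new Dictionary<string, RSAParameters>();

    public void TrustIssuer(string issuer, RSA issuerKey)
    {
        trustedIssuers[issuer] = issuerKey.ExportParameters(false); // public half only
    }

    public IReadOnlyDictionary<string, string> Consume(ClaimsToken token)
    {
        RSAParameters publicKey;
        if (!trustedIssuers.TryGetValue(token.Issuer, out publicKey))
            throw new SecurityException("Issuer is not trusted: " + token.Issuer);

        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            bool valid = rsa.VerifyData(token.SignedBytes(), token.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (!valid)
                throw new SecurityException("Signature does not verify: claims were altered or not signed by " + token.Issuer);
        }
        // The claims are usable for authorization decisions only after both checks pass.
        return token.Claims;
    }
}

public static class Program
{
    public static void Main()
    {
        using (var partnerKey = RSA.Create())   // default key size; constructed for the demo
        using (var strangerKey = RSA.Create())
        {
            var rp = new RelyingParty();
            rp.TrustIssuer("partner.example", partnerKey);

            // Partner org asserts the Alice claims from the slide.
            var token = TokenIssuer.Issue("partner.example", partnerKey,
                new Dictionary<string, string> { ["name"] = "Alice", ["role"] = "Purchaser" });
            var claims = rp.Consume(token);
            Console.WriteLine("Accepted: {0} is a {1}", claims["name"], claims["role"]);

            // Altered claim: the signature no longer covers the bytes, so the RP rejects it.
            token.Claims["role"] = "Administrator";
            try { rp.Consume(token); } catch (SecurityException ex) { Console.WriteLine("Rejected: " + ex.Message); }

            // Token from an issuer the RP never federated with: rejected before any signature check.
            var stranger = TokenIssuer.Issue("stranger.example", strangerKey,
                new Dictionary<string, string> { ["name"] = "Bob" });
            try { rp.Consume(stranger); } catch (SecurityException ex) { Console.WriteLine("Rejected: " + ex.Message); }
        }
    }
}
```

The order matters: the issuer check comes first because the RP needs the trusted issuer's key to verify anything, and a token from an unknown issuer should never reach the claims-reading step, however well-formed its signature is.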
Information Cards
• Identities represented as cards
  • Users understand that they need to be careful when giving out credit card details
• Self-issued “personal card”
  • Created by user and held in local secure store
  • Private personal identifier
• “Managed card”
  • Issued by trusted Identity Provider
  • Visible locally but identity information is stored at IP
• Cards do not contain security tokens
  • They represent my ability to supply a token
How it works (user, Relying Party, Identity Provider)
1. Access resource
2. Relying Party policy: “I would like a SAML 1.1 token, containing First Name, Surname, issued by *any*”
3. UI filters cards that can satisfy policy
4. User picks a card
5. Token is requested (from the Identity Provider)
6. Token is created
7. Token is presented (to the Relying Party)
Demo
• Create a self-issued card
• Sign on to a website using the card
HTML

    <form id="form1" method="post" action="login1.aspx">
      <div>
        <button type="submit">Click here to sign in</button>
        <!-- The object tag invokes the CardSpace identity selector; the token comes back in the "xmlToken" field -->
        <object type="application/x-informationcard" name="xmlToken">
          <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
          <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
          <!-- Space-separated list of claim URIs the site requires -->
          <param name="requiredClaims"
                 value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
        </object>
      </div>
    </form>
Server-side code

    protected void Page_Load(object sender, EventArgs e)
    {
        // The identity selector posts the token in the "xmlToken" form field.
        string xmlToken = Request.Params["xmlToken"];
        if (xmlToken == null || xmlToken.Equals(""))
            ShowError("Token presented was null");
        else
        {
            // TokenHelper (from the samples) processes the token for this site and exposes its claims.
            TokenHelper tokenHelper = new TokenHelper(xmlToken, "www.fabrikam.com");
            givenname.Text = tokenHelper.GetClaim(ClaimTypes.GivenName);
            surname.Text = tokenHelper.GetClaim(ClaimTypes.Surname);
            email.Text = tokenHelper.GetClaim(ClaimTypes.Email);
        }
    }

Clearly all the work’s in TokenHelper
Get it in the samples at www.netfx3.com
How to implement a RP
• Update user database
  • To include unique IDs from CardSpace
• Create an association page
  • Users can associate cards with their accounts
• Update the sign-in page
  • To allow the use of cards
  • Can still allow other credentials
• Update registration page
  • To allow the use of cards
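The four steps above fit together as one small piece of account logic. What follows is an added example, not code from the talk or the CardSpace samples: it assumes a hypothetical in-memory user store standing in for the site's user database, and that the card identifier passed in is the privatepersonalidentifier claim read from a token that TokenHelper (or equivalent) has already validated.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical account record for a site that accepts both passwords and cards.
public sealed class UserAccount
{
    public string UserName;
    public string PasswordHash;   // null for card-only accounts created through card registration
    public readonly HashSet<string> CardIds = new HashSet<string>(StringComparer.Ordinal); // PPIDs bound to this account
}

// Hypothetical in-memory store; a real RP backs this with its user database.
public sealed class UserStore
{
    private readonly Dictionary<string, UserAccount> byName = new Dictionary<string, UserAccount>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, UserAccount> byCardId = new Dictionary<string, UserAccount>(StringComparer.Ordinal);

    // Registration page, classic path.
    public UserAccount Register(string userName, string passwordHash)
    {
        if (byName.ContainsKey(userName)) throw new InvalidOperationException("user name already taken");
        var account = new UserAccount { UserName = userName, PasswordHash = passwordHash };
        byName[userName] = account;
        return account;
    }

    // Registration page, card path: the account is created from the card's PPID, no password required.
    public UserAccount RegisterWithCard(string userName, string cardId)
    {
        var account = Register(userName, null);
        Associate(userName, cardId);
        return account;
    }

    // Association page: the caller must already have authenticated this user (password or another card).
    // A PPID may belong to at most one account, so a card bound elsewhere cannot be attached here.
    public void Associate(string userName, string cardId)
    {
        UserAccount existing;
        if (byCardId.TryGetValue(cardId, out existing) && existing.UserName != userName)
            throw new InvalidOperationException("this card is already associated with another account");
        var account = byName[userName];
        account.CardIds.Add(cardId);
        byCardId[cardId] = account;
    }

    // Sign-in page, card path. Returns null for an unknown card so the page can offer association or registration.
    public UserAccount SignInWithCard(string cardId)
    {
        UserAccount account;
        return byCardId.TryGetValue(cardId, out account) ? account : null;
    }

    // Sign-in page, password path still available. (Plain hash equality stands in for real password verification.)
    public UserAccount SignInWithPassword(string userName, string passwordHash)
    {
        UserAccount account;
        if (!byName.TryGetValue(userName, out account) || account.PasswordHash == null) return null;
        return account.PasswordHash == passwordHash ? account : null;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new UserStore();
        const string alicePpid = "PPID-CONSTRUCTED-0001"; // constructed value; real PPIDs come from the token

        // Existing password user adds a card via the association page, then signs in with it.
        store.Register("alice", "hash-of-alice-password");
        var alice = store.SignInWithPassword("alice", "hash-of-alice-password");
        store.Associate(alice.UserName, alicePpid);
        Console.WriteLine("Card sign-in resolves to: " + store.SignInWithCard(alicePpid).UserName);

        // Unknown card: no account yet, so the sign-in page should route to association/registration.
        Console.WriteLine("Unknown card resolves to account: " + (store.SignInWithCard("PPID-CONSTRUCTED-9999") == null ? "none" : "found"));

        // Card-only registration, and the rule that one PPID cannot be bound to two accounts.
        store.RegisterWithCard("bob", "PPID-CONSTRUCTED-0002");
        try { store.Associate("bob", alicePpid); }
        catch (InvalidOperationException ex) { Console.WriteLine("Refused: " + ex.Message); }
    }
}
```

Keeping the PPID-to-account map one-to-one is the check worth getting right: the association page runs only for an already signed-in user, and the card sign-in path does nothing more than look the PPID up, so everything hinges on the token having been validated before the PPID reaches this code.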
MSDN Connection
• Get the latest technology previews, trial software, special offers
• Get information tailored to your needs
• Pick your RSS feeds
• Sign up for MSDN Connection at: http://www.msdn.co.uk

Resources, tools and betas
• Learn about development for Windows Live
  • http://dev.live.com
• Useful resource for .NET Framework 3.0, the development platform for Windows Vista
  • http://www.netfx3.com
• Get the latest betas for Windows Vista and Office 2007
  • http://www.microsoft.com/betaexperience
• Try Visual Studio
  • http://www.microsoft.com/getthetrials
• Check out the free Express versions of Visual Studio
  • http://msdn.microsoft.com/express
• Learn about and try the new Web and client designer tools
  • http://www.microsoft.com/expression
• Resources
  • http://www.gotdotnet.com
  • http://www.asp.net

Additional Information
• UK MSDN Events
  • Post events page including slide decks
  • http://www.microsoft.com/uk/msdnevents
  • Upcoming events
  • http://www.microsoft.com/uk/msdn/events/upcoming.aspx
• UK MSDN Site & Flash Newsletter
  • Local news, events, nuggets & webcasts
  • http://www.microsoft.com/uk/msdn
  • Register to receive the bi-weekly MSDN Flash by email
  • http://www.microsoft.com/uk/msdn/flash.aspx