BB11 Identity: Roadmap for Software + Services
Kim Cameron, Distinguished Engineer, Microsoft Corporation

The First Two Lines of Every Connected Application
• Who are you?
• What are you allowed to do?
Landscape
• Problem is it’s hard to get that to work in all the contexts customers ask for
  • As one developer told me, “You are never done”
• Many choices of identity technology
  • Kerberos, X.509, SAML, LDAP, OpenID, etc.
  • Different representations, programming models, fit with scenario
• Applications become bound to a technology
  • Bound to constraints of technology you choose
  • Difficult to connect across application boundaries, technology boundaries, organizational boundaries
• Now: extend seamlessly to cloud services
Claims-Based Access
• Claims-based model
  • Abstraction layer for authenticating, authorizing, obtaining information about users and services
• Claim: statement made by one subject about another subject
  • Email = kcameron@microsoft.com
  • Age > 21
  • Employer = Microsoft
  • Role = Architect
• Identity Metasystem: open standards-based architecture for exchange of claims under user control
  • “Claims transformers” that match impedance
• Write to model, let infrastructure adapt to environment
Claims-Based Access
• Application: requires, uses claims to define users
• Claims provider: supports protocols for issuing claims
• Relationship: context in which meaning of claims defined
[Diagram: the Subject between a Claims Provider (Security Token Service) and an Application (requires claims); provider and application share a Relationship. Flow: 1. Require claims, 2. Get claims, 3. Send claims]
What's Involved for the Developer?
1. Who are you? Configuration: unauthenticated requests are redirected to the issuer; the realm is the identifier of this application that the STS issues tokens for.

    <federatedAuthentication enabled="true">
      <wsFederation issuer="https://sts1.contoso.com/FederationPassive/"
                    realm="http://web1.contoso.com/MyApp"
                    passiveRedirectEnabled="true" />
    </federatedAuthentication>

2. What can you do? Code: read the caller's role from the claims the framework has already validated.

    // using System.Linq; using System.Threading;
    // using Microsoft.IdentityModel.Claims;   // "Geneva" Framework claims types
    IClaimsIdentity caller = Thread.CurrentPrincipal.Identity as IClaimsIdentity;  // null if the caller did not come through the claims pipeline
    string Role = (from c in caller.Claims
                   where c.ClaimType == MyClaimTypes.Role   // MyClaimTypes: the application's own claim type constants
                   select c.Value).Single();
    // Single() throws if the caller has no role claim or more than one; use Any() or ToList() when several roles are possible.
Solving Problems with Claims
• Cross organization federation
• Building and using cloud based services
  • Applications
  • Developer services
• Identity across the web
Your Customer
• Enterprise perimeter is dissolving
• How does your customer make your application available to more than just employees?
[Diagram: Microsoft Services Identity Backbone; Your Customer: Active Directory and YOUR Application; Their Partner: Active Directory; a “?” between the customer and the partner]
Microsoft Code Name "Geneva"
• “Geneva” Framework
  • .NET framework for building claims-aware applications
• “Geneva” Server
  • STS integrated with Active Directory
  • Supports Windows CardSpace
• Windows CardSpace “Geneva”
  • Federation client that puts users in control
  • Smaller, faster
[Diagram: Microsoft Services Identity Backbone and Enterprise Identity Backbone. Your customer: YOUR Application with “Geneva” Framework, “Geneva” Server, Active Directory; their partner: “Geneva” Server, Active Directory; Claims exchanged between the two “Geneva” Servers]
Your Customer
• Supports WS-Federation, WS-Trust, SAML 2.0 protocols
• Works with federation software or service that supports these standards
[Diagram: Microsoft Services Identity Backbone and Enterprise Identity Backbone. Your customer: YOUR Application with “Geneva” Framework, “Geneva” Server, Active Directory; their partner: Third Party STS, User Database]
Microsoft Federation Gateway
• Microsoft Federation Gateway service is key part of Microsoft identity backbone
• Brokers access to Microsoft cloud applications and developer services
• Single federation relationship to access any service
• Compliant with WS-Federation, WS-Trust
[Diagram: Microsoft Services Identity Backbone: Microsoft Federation Gateway in front of Cloud Applications and Developer Services; enterprise side: “Geneva” Server with Active Directory, Third Party STS with User Database, both connected to the Gateway]
Live ID
• Live ID accounts can also access Microsoft applications via the Federation Gateway
• Live ID managed domains service enables outsourced identity management
  • APIs for automated management
  • Customizable UX
[Diagram: Microsoft Services Identity Backbone: Live ID (Consumers, Managed Domains), Microsoft Federation Gateway, Cloud Applications and Developer Services; enterprise side: “Geneva” Server with Active Directory, Third Party STS with User Database]
Microsoft Services Connector
• Federate Active Directory to Microsoft Federation Gateway
• Free download, quick and easy setup
• For customers who just need access to Gateway, not point to point trusts
• Supports Windows CardSpace
[Diagram: Microsoft Services Identity Backbone: Live ID (Consumers, Managed Domains), Microsoft Federation Gateway, Cloud Applications and Developer Services; enterprise side: Microsoft Services Connector with Active Directory, “Geneva” Server with Active Directory, Third Party STS with User Database]
Your Application
• Using claims-based access, all these identities can be made available to your application
[Diagram: YOUR Application with “Geneva” Framework receiving identities from Live ID (Consumers, Managed Domains) via Microsoft Federation Gateway, from Active Directory via Microsoft Services Connector, from Active Directory via “Geneva” Server, and from a User Database via Third Party STS]
Your Application
• Claims-based access means applications can be written once, hosted anywhere
• Identity source is configuration choice, not baked into application logic
• Future proof your application against moving to/from cloud
[Diagram, two variants: YOUR Application with “Geneva” Framework fed by Live ID (Consumers, Managed Domains) through Microsoft Federation Gateway and by Active Directory through Microsoft Services Connector; and the same application fed by Live ID through the Gateway, by Active Directory through “Geneva” Server, and by a User Database through a Third Party STS]
Using Claims for Access Control
• Claims are for more than just login
• .Net Access Control Service: STS issues claims for access control
• Factor access control logic from your app into collection of rules
• Management portal, API for creating, managing collections of rules
[Diagram: Live ID (Consumers, Managed Domains), Microsoft Federation Gateway and .Net Access Control Service in the Microsoft Services Identity Backbone; Microsoft Services Connector and “Geneva” Server with Active Directory on the enterprise side; YOUR Application with “Geneva” Framework consuming the issued claims]
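The claims model from the Claims-Based Access slides (claims issued by a provider, “claims transformers” that match impedance, the require/get/send relationship) and the rule collection factored out of the application on this slide, shown together as an added example. This is illustrative Python written for this page, not Geneva Framework, Federation Gateway or Access Control Service code: the token format (a base64url JSON body signed with HMAC-SHA256 over a shared key), the short claim type names, the shared key, the issuer and realm strings and the directory entries are all constructed assumptions; real deployments exchange SAML tokens over WS-Trust/WS-Federation with URI claim types.

```python
"""Claims-based access end to end: identity source -> STS with a rule collection -> relying party.
Illustrative code written for this page; not Geneva, Federation Gateway or Access Control Service code.
Assumed token format: base64url JSON body + HMAC-SHA256 over a shared key (real systems use SAML/WS-*)."""
import base64, hashlib, hmac, json

GROUP = "group"  # raw claim from the identity source (a directory group); short names are an assumption
EMAIL = "email"
ROLE = "role"    # application-level claim the relying party consumes

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def apply_rules(claims, rules):
    """Claims transformer. Rule = (in_type, in_value, out_type, out_value); in_value None matches any
    value, out_value None copies the input value. Only rule output is issued, so raw directory
    detail never reaches the application unless a rule passes it through."""
    out = []
    for in_type, in_value, out_type, out_value in rules:
        for c_type, c_value in claims:
            if c_type == in_type and in_value in (None, c_value):
                produced = (out_type, c_value if out_value is None else out_value)
                if produced not in out:
                    out.append(produced)
    return out

class SecurityTokenService:
    """Issues signed tokens asserting claims about a subject, scoped to one audience (realm)."""
    def __init__(self, issuer, key, identity_source, rules, lifetime=300):
        self.issuer, self.key, self.lifetime = issuer, key, lifetime
        self.identity_source, self.rules = identity_source, rules

    def issue(self, subject, audience, now):
        claims = apply_rules(self.identity_source.get(subject, []), self.rules)
        payload = {"iss": self.issuer, "aud": audience, "sub": subject,
                   "exp": now + self.lifetime, "claims": claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

class RelyingParty:
    """The application: knows its realm and the issuers it trusts, never consults the directory,
    so the identity source is a configuration choice rather than application logic."""
    def __init__(self, realm, trusted_issuers):
        self.realm = realm
        self.trusted_issuers = trusted_issuers  # issuer name -> key that issuer signs with

    def validate(self, token, now):
        """Return the token's claims, or raise ValueError if the token must not be trusted."""
        body, _, sig = token.partition(".")
        payload = json.loads(_unb64(body))  # parsed only to select the key; trusted only after the checks
        key = self.trusted_issuers.get(payload.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        if payload.get("aud") != self.realm:
            raise ValueError("token issued for a different realm")
        if payload.get("exp", 0) <= now:
            raise ValueError("token expired")
        return [tuple(c) for c in payload["claims"]]

    def in_role(self, claims, role):
        # A subject may carry several role claims; test membership rather than assume exactly one.
        return any(t == ROLE and v == role for t, v in claims)

def rejection_reason(rp, token, now):
    """Why the relying party rejects a token, or None if it accepts it."""
    try:
        rp.validate(token, now)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed sample data: a directory-like identity source and an ACS-style rule collection.
DIRECTORY = {"alice": [(GROUP, "Architects"), (GROUP, "Managers"), (EMAIL, "alice@contoso.com")],
             "bob": [(GROUP, "Contractors"), (EMAIL, "bob@contoso.com")]}
RULES = [(GROUP, "Architects", ROLE, "Architect"),
         (GROUP, "Managers", ROLE, "Manager"),
         (EMAIL, None, EMAIL, None)]  # pass-through: forward the e-mail claim unchanged
STS_KEY = b"contoso-sts-shared-secret"  # assumed to be provisioned out of band
CONTOSO_STS = SecurityTokenService("https://sts1.contoso.com/", STS_KEY, DIRECTORY, RULES)
MY_APP = RelyingParty("http://web1.contoso.com/MyApp", {"https://sts1.contoso.com/": STS_KEY})

def demo(subject="alice", issued_at=1_000_000):
    """The three steps on the slide: the app requires claims, the subject gets them and sends them."""
    token = CONTOSO_STS.issue(subject, MY_APP.realm, issued_at)
    claims = MY_APP.validate(token, issued_at + 100)
    return {"architect": MY_APP.in_role(claims, "Architect"),
            "manager": MY_APP.in_role(claims, "Manager"),
            "groups_leaked": any(t == GROUP for t, _ in claims),
            "email": dict(claims).get(EMAIL)}

if __name__ == "__main__":
    print(demo())
```

The relying party never sees a directory group: the rule collection turns `Architects`/`Managers` membership into role claims, and anything without a rule is dropped, which is the “impedance matching” the slides describe. Because alice ends up with two role claims, the application tests membership with `in_role` rather than assuming a single role claim. The token checks run in a fixed order (trusted issuer, signature, realm, expiry) and every failure is a hard rejection; swapping the issuer for Live ID, a third party STS or “Geneva” Server only changes the `trusted_issuers` configuration.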
demo: Putting It All Together: Identity Software and Services Scenario
Vittorio Bertocci, Architect Evangelist, Developer and Platform Evangelism
Flexible and Granular Trust Policy
• Select the services you want
• Select the claims providers you want
• Take advantage of Gateway to simplify management
[Diagram: Microsoft Services Identity Backbone: Microsoft Federation Gateway, HealthVault, .Net Access Control Service, Third Party Framework (Identity Backbone Pilot); claims providers: Third Party STS with User Database, “Geneva” Server with Active Directory, Selected OpenID Provider; two instances of YOUR Application with “Geneva” Framework]
Choice of Protocol and Framework
• Lightweight SSO available when full capability of claims not required
  • Live Framework: WebAuth
  • OpenID
[Diagram: Live ID (Consumers, Managed Domains) behind Microsoft Federation Gateway; Any STS; Active Directory; three instances of YOUR Web App, one using “Geneva” Framework, one using Live Framework, one using OpenID]
Microsoft Identity Software + Services
• Rich set of options supporting every identity scenario
• Architecture is same whether on-premises with “Geneva” Server or using services in cloud
• Enterprises can federate with online backbone in same way they federate to other enterprises
• Microsoft Services Connector (MSC) gives enterprises option of accepting Live ID consumer and managed identities
  • Enterprises can start off with MSC and then upgrade to “Geneva” Server for direct federation
  • They can also opt to use our gateway to simplify identity management with other organizations wanting to do same
• Programming model used by developers remains same: one identity model that puts users of software and services in control of their identities
Identity Software + Services: Identity Metasystem and Claims Based Model
[Diagram: Claims Provider and Application (in cloud or on-premises) joined by a Relationship; flows: Require claims, Get claims, Return claims. Services: Live ID, Microsoft Federation Gateway, .Net Access Control Service, Third Party Services on the provider side; “Geneva” Framework, Live Framework on the application side. Software: “Geneva” Server, Microsoft Services Connector, Third Party Servers, Active Directory on the provider side; “Geneva” Framework, Third Party Frameworks on the application side. Identity Selector (where appropriate): Windows CardSpace “Geneva”, Third Party Identity Selectors]
Roadmap
Timeline: Now | H2 CY 2008 | H1 CY 2009 | H2 CY 2009
Software
• “Geneva” Server: Beta 1, Beta 2, RTM
• Microsoft Service Connector: CTP, Beta, RTM
• “Geneva” Framework, CardSpace: Beta 1, Beta 2, RTM
• Live Framework: In Production
Services
• Live Identity Services: OpenID Beta, OpenID RTM
• Microsoft Federation Gateway: In Production
• .Net Access Control Service: CTP, Refresh, Beta 1
Identity @ PDC
• Software
  • (BB42) Identity: "Geneva" Server and Framework Overview
  • (BB43) Identity: "Geneva" Deep Dive
  • (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
• Services
  • (BB22) Identity: Live Identity Services Drilldown
  • (BB29) Identity: Connecting Active Directory to Microsoft Services
  • (BB28) .NET Services: Access Control Service Drilldown
  • (BB55) .NET Services: Access Control In the Cloud Services
What To Do Next
• Decide what claims you need
  • Identifiers, characteristics, etc.
• Program to the claims model
  • Using framework of your choice
• Choose where to get claims from
  • Software: “Geneva” Server, third party
  • Services: Microsoft Federation Gateway, Live ID, .Net Access Control Service, third party
  • Or build your own Security Token Service
• What if my customer hasn’t deployed an STS yet?
  • Simple. Embed a “Geneva” claims provider right into your app and leverage that.
Conclusion
The same two lines as at the start:
1. Who are you? The federatedAuthentication / wsFederation configuration (issuer, realm, passiveRedirectEnabled).
2. What can you do? The IClaimsIdentity claims query that reads the caller's role claim.
Evals & Recordings
This session will be available as a recording at www.microsoftpdc.com
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Q&A Please use the microphones provided