    Presentation Transcript
    1. Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna. Identity 2.0: The Identity Metasystem Vision

    2. Agenda
       • Digital identity crisis
       • Real world as metaphor
       • The Identity Metasystem as model
       • Agreement on a model
       • Common, consistent User Experience
       • Claims-based security
       • Federation & claims-transformation
       • Summary

    3. Digital Identities Today – Identity Silos (layer diagram: Connectivity – IP; Naming – DNS; Identity – ???, ???)

    4. Digital Identities Today – Major Problem (phishing; see www.antiphishing.org)

    5. Identity is more than just User & Password

    6. Agenda (repeat of slide 2)

    7. Identity – „You“ and „Claims“

    8. Roles in the Real World Windows CardSpace

    9. Roles in the Real World Windows CardSpace

    10. Trust-Chains & Claims Transformation (diagram; edge labels: "trusts", "trusts", "issues", "queries")

    11. Agenda (repeat of slide 2)

    12. Identity Vision Statement: "The goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them!" (http://msdn2.microsoft.com/en-us/library/ms996422.aspx)

    13. The Laws of Identity
       • User control and consent
       • Minimal disclosure for a defined use
       • Justifiable parties
       • Directional identity
       • Pluralism of operators and technologies
       • Human integration
       • Consistent experience across contexts

    14. Understanding the Requirements
       • Clear definition of roles
       • Technology-independent protocols
       • Consistent User Experience
       • Claims-based Security
       • Federation and claims-transformation

    15. Roles, Responsibilities, Protocols (diagram)
       • Subject – uses an Identity Selector (information cards; OpenID, LID, Yadis…)
       • Identity Provider – runs a Security Token Service (STS); Auth"N" (authentication) happens here
       • Relying Party – the application; Auth"Z" (authorization) happens here
       • Protocols: WS-Policy / WS-MetadataExchange (policy discovery), WS-Trust (token issuance), WS-Security / WS-SecureConversation (token delivery)
       • Token formats: SAML, Kerberos, X.509 etc.

    16. Microsoft Technologies in the Model (diagram)
       • Security Token Service – Active Directory, AD LDS, AD Certificate Services, ADFS
       • Application – WCF (WS-*)
       • Identity Selector – Windows CardSpace
       • ILM (Identity Lifecycle Manager)

    17. Other Technologies in the Model (diagram)
       • Security Token Service – Xmldap, Eclipse Higgins, Verisign PIP, Bandit
       • Application – RubyForge InfoCard, PHP, J2EE, Python, Ruby… (WS-*, WCF)
       • Identity Selector – Kevin Miller's selector, Bandit project, Eclipse Higgins

    18. Understanding the Requirements (repeat of slide 14)

    19. Consistent User Experience
       • Digital Identity Selector
       • "Digital Wallet"
       • You carry "digital cards" with you
       • Each card belongs to one identity provider (diagram: IP One, IP Two, IP Three)

    20. What is CardSpace?
       • CardSpace is an identity selector
          • Part of .NET Framework 3.0
          • Uses WCF for its WS-* standards
          • User's digital identities = information cards
       • CardSpace is an STS
          • Self-issued cards
          • Creates SAML v1.0 tokens
          • Requires no 3rd party identity provider
       • User is in control of which IP is used → which claims are exposed

    21. Self-Issued Cards (demo) – Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna

    22. Understanding the Requirements (repeat of slide 14)

    23. Claims-based Identity – Digital identity that parallels the real world
       • Claims
          • Statements about a subject
          • Identify the subject…
          • …or only describe attributes
          • …or both
       • Digital Identity
          • Set of claims
          • Asserted by an authority / the subject
       • RP requests claims via Policy
          • Web app: <object/> tag
          • Service: WS-Policy, WS-MEX

    24. Claims in .NET 3.0
        namespace System.IdentityModel.Claims
        {
            public class Claim
            {
                public Claim(string claimType, object resource, string right);
                public string ClaimType { get; }   // ClaimType is the claim URI as a string
                public string Right { get; }       // Right can be one of two things: Identity or PossessProperty
                public object Resource { get; }    // Resource is the value of the claim
                // ...
            }
        }

    25. ClaimSet – Claims and their Issuers
        namespace System.IdentityModel.Claims
        {
            public abstract class ClaimSet : IEnumerable<Claim>, IEnumerable
            {
                public abstract ClaimSet Issuer { get; }
                public virtual bool ContainsClaim(Claim claim);
                public abstract IEnumerable<Claim> FindClaims(string claimType, string right);
                public abstract int Count { get; }
                public abstract Claim this[int index] { get; }
                public abstract IEnumerator<Claim> GetEnumerator();
                // ...
            }
        }
       • Built-in implementations: DefaultClaimSet, WindowsClaimSet, X509CertificateClaimSet
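An added example, not from the deck, showing the Claim and ClaimSet API from slides 24 and 25 in use on the relying-party side. It builds a claim set from constructed values (ClaimSet.System stands in for the issuer), then looks a claim up only in claim sets whose issuer passes a trust check. That check is the security-relevant part: in a WCF service, ServiceSecurityContext.Current.AuthorizationContext.ClaimSets can hold claim sets from several sources, and a claim such as an e-mail address carries authority only when a trusted STS asserted it. The trust predicate is an assumption for the demo; a real service compares the issuer's certificate (for example with a thumbprint claim from Claim.CreateThumbprintClaim).

```csharp
// Added example (not the deck's code): building and querying ClaimSets with
// System.IdentityModel.Claims. Targets .NET Framework 3.0 or later.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

class ClaimSetDemo
{
    // Constructed: one subject's claims, as a self-issued card would present them.
    // ClaimSet.System is used as the issuer claim set for the demo (assumption).
    static ClaimSet BuildSubjectClaimSet()
    {
        List<Claim> claims = new List<Claim>();
        claims.Add(new Claim(ClaimTypes.GivenName, "Mario", Rights.PossessProperty));
        claims.Add(new Claim(ClaimTypes.Surname, "Example", Rights.PossessProperty));
        claims.Add(new Claim(ClaimTypes.Email, "mario@example.test", Rights.PossessProperty));
        // The PPID identifies the subject towards this RP; value is constructed.
        claims.Add(new Claim(ClaimTypes.PPID, "CONSTRUCTED-PPID-VALUE", Rights.Identity));
        return new DefaultClaimSet(ClaimSet.System, claims);
    }

    // Returns the value of the first claim of the given type that comes from an
    // issuer the predicate accepts, or null. Claims from other issuers are
    // ignored: a matching e-mail claim from an untrusted issuer must not be honoured.
    static string FindTrustedClaim(IEnumerable<ClaimSet> sets, string claimType,
                                   Predicate<ClaimSet> issuerIsTrusted)
    {
        foreach (ClaimSet set in sets)
        {
            if (!issuerIsTrusted(set.Issuer))
                continue;
            foreach (Claim c in set.FindClaims(claimType, Rights.PossessProperty))
                return c.Resource as string;
        }
        return null;
    }

    static void Main()
    {
        List<ClaimSet> sets = new List<ClaimSet>();
        sets.Add(BuildSubjectClaimSet());
        // In a WCF service the sets would come from
        // ServiceSecurityContext.Current.AuthorizationContext.ClaimSets.

        // Trust policy for the demo (assumption): accept the system issuer only.
        Predicate<ClaimSet> trustSystem = issuer => issuer == ClaimSet.System;
        Predicate<ClaimSet> trustNobody = issuer => false;

        string email = FindTrustedClaim(sets, ClaimTypes.Email, trustSystem);
        Console.WriteLine("trusted issuer: " + (email ?? "(no e-mail claim)"));

        string none = FindTrustedClaim(sets, ClaimTypes.Email, trustNobody);
        Console.WriteLine("untrusted issuer: " + (none ?? "(no e-mail claim)"));

        // Enumerate the identity claims so the PPID is visible too.
        foreach (Claim c in sets[0].FindClaims(ClaimTypes.PPID, Rights.Identity))
            Console.WriteLine("identity claim " + c.ClaimType + " = " + c.Resource);
    }
}
```

The lookup is written against an IEnumerable<ClaimSet> rather than the WCF context object so it can be exercised in a console program; the same function applies unchanged to the ClaimSets collection of a service's AuthorizationContext.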

    26. Claims-based Security in Web Apps
       • Scenario: relying party IS a web site
          • Browser integration necessary
          • Requested claims embedded in HTML
          • Identity Selector lets the user select Card/IP
       • Approach: embed <object/> for the card request
          • IE 7.0
          • Firefox and Safari supported

    27. Example based on CardSpace (sequence diagram between the User's PC – Browser, CardSpace, Cards Store –, the Identity Provider – STS, Identities Store – and the Website; in order:)
       • Browser: GET login page; the page carries the policy
       • Browser reads the policies and passes them to CardSpace
       • CardSpace filters the card collection and shows the CardSpace UI
       • User picks a card
       • CardSpace sends a RST to the IP's STS
       • The IP authenticates the RST; if successful, it builds & signs the requested token (SAML)
       • The IP sends back the token in a RSTR
       • CardSpace gives the token to the app & exits
       • The Browser POSTs the token to the website
       • The website authenticates the token

    28. Sample Web Login Page
        <!-- ... -->
        <button onclick="javascript:return infocardlogin.submit();">
          Sign in with your Information Card
        </button>
        <form name="infocardlogin" target="_self" method="post">
          <object type="application/x-informationcard" name="xmlToken">
            <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
            <param name="issuer" value="http://schemas..../identity/issuer/self">
            <param name="requiredClaims"
                   value="http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">
          </object>
        </form>
        <!-- ... -->

    29. Claims-based security in Web Applications (demo) – Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna

    30. WCF Services and Claims
       • WCF is metasystem-ready
          • Supports the necessary WS-* standards
          • Understands many tokens (SAML, Kerberos...)
       • Client integration and CardSpace
          • System.IdentityModel
          • System.ServiceModel.Identity
          • Identity selector triggered based on WS-Policy

    31. WCF Service Configuration
        <wsFederationHttpBinding>
          <binding name="TestFederationBinding" bypassProxyOnLocal="true">
            <security>
              <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                       negotiateServiceCredential="false">
                <claimTypeRequirements>
                  <add claimType="claim-uri" isOptional="false" />
                </claimTypeRequirements>
                <issuer address="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
              </message>
            </security>
          </binding>
        </wsFederationHttpBinding>

    32. Claims-based security in WCF Services (demo) – Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna

    33. Understanding the Requirements (repeat of slide 14)

    34. Federation and Trust-Chains
       • Relying party does not manage identity
       • IP authenticates / proves identity
       • Relying party determines truth based on
          • IP with the closest relationship to the subject
          • IP authentication of the subject
          • Consensus of multiple IPs
       • Federation bridges silos!! (diagram: relying party "relies on" the IP)

    35. Federation Scenario – Example (diagram: a Requestor in Company A and a Target Service in Company B; each company has an IP/STS backed by an ID store; WS-Policy and WS-Trust exchanges run between the requestor, the two IP/STSs and the target service)

    36. Claims-Transformation & Federation (diagram: Company A – Company B; the transformation covers Content, Trust and Format, turning a local actionable claim into a partner claim)
       • Company A's IP/STS (backed by the ID store, X.509 cert) issues: Name, Date of Birth, Passport Nr., Passport Valid, …
       • Company B's Target Service asks for: Age >= 21 (SAML token); the claim maps to an access right / role
       • The IP/STS transforms from "Date of Birth" to "Age >= 21?"
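As an added example, not the deck's code, of the transformation on slide 36: an STS-side function that takes the local claim set of Company A and issues only the partner-facing claim Company B asked for. The claim URIs for the date of birth and the age predicate are placeholders, since the deck does not name them; the current date is passed in so the check is deterministic; ClaimSet.System represents the STS's own issuer claim set. The minimal-disclosure point is that name, passport number and the date of birth itself never leave Company A, only the boolean does, and a missing or malformed date of birth yields false rather than an exception.

```csharp
// Added example (not the deck's code): claims transformation "Date of Birth" -> "Age >= 21?"
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

static class ClaimsTransformer
{
    // Placeholder claim URIs (assumption: the deck does not name the real ones).
    public const string DateOfBirthType = "http://example.test/claims/dateofbirth";
    public const string AgeOver21Type   = "http://example.test/claims/ageover21";

    // Whole years from dob to today, counting a birthday only once it has passed.
    public static int AgeAt(DateTime dob, DateTime today)
    {
        int age = today.Year - dob.Year;
        if (today.Month < dob.Month || (today.Month == dob.Month && today.Day < dob.Day))
            age--;
        return age;
    }

    // Builds the partner-facing claim set. Only the boolean claim is emitted;
    // every local claim (name, passport, date of birth) is dropped. Without a
    // usable date-of-birth claim the answer is false (fail closed).
    public static ClaimSet ToPartnerClaims(ClaimSet local, DateTime today)
    {
        bool over21 = false;
        foreach (Claim c in local.FindClaims(DateOfBirthType, Rights.PossessProperty))
        {
            if (c.Resource is DateTime)
            {
                over21 = AgeAt((DateTime)c.Resource, today) >= 21;
                break;
            }
        }
        List<Claim> partner = new List<Claim>();
        partner.Add(new Claim(AgeOver21Type, over21, Rights.PossessProperty));
        // ClaimSet.System stands in for the STS's issuer claim set (assumption).
        return new DefaultClaimSet(ClaimSet.System, partner);
    }

    static void Main()
    {
        // Constructed local claims as Company A's ID store would hold them.
        List<Claim> local = new List<Claim>();
        local.Add(new Claim(ClaimTypes.Name, "Example Person", Rights.PossessProperty));
        local.Add(new Claim(DateOfBirthType, new DateTime(1986, 6, 15), Rights.PossessProperty));
        local.Add(new Claim("http://example.test/claims/passportnr", "CONSTRUCTED-PASSPORT-NR", Rights.PossessProperty));
        ClaimSet localSet = new DefaultClaimSet(ClaimSet.System, local);

        // Day before the 21st birthday, and the birthday itself.
        foreach (DateTime today in new DateTime[] { new DateTime(2007, 6, 14), new DateTime(2007, 6, 15) })
        {
            ClaimSet partner = ToPartnerClaims(localSet, today);
            Console.WriteLine("on " + today.ToShortDateString() + ", claims emitted: " + partner.Count);
            foreach (Claim c in partner)
                Console.WriteLine("  " + c.ClaimType + " = " + c.Resource);
        }
    }
}
```

The Count printed in the demo is the check worth keeping in a real STS: a partner token should contain exactly the claims the partner's policy requested, and nothing from the local store that would let Company B reconstruct the date of birth.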

    37. A look at a simple STS (demo) – Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna

    38. Agenda (repeat of slide 2)

    39. Summary
       • Identity Metasystem
          • Solves many of today's issues (e.g. phishing)
          • Based on interoperable standards
          • Many supporting vendors (IBM, Novell, OSIS Community, Pamela, Eclipse project etc.)
       • Windows CardSpace
          • Client integration into the metasystem
          • Identity selector and self-issuing STS
       • WCF is metasystem-ready by design
       • Full support: ADFS vNext incl. .NET Fx Extensions

    40. Microsoft Open Specification Promise (OSP)
       • Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
       • Includes all the protocols underlying CardSpace
       • Issued September 2006
       • http://www.microsoft.com/interop/osp

    41. Resources and Links
       • Community site, samples, news
          • http://cardspace.nefx3.com
       • MSDN Forum
          • http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
       • MSDN Home Page
          • http://msdn.microsoft.com/identity
       • Blogs
          • http://identityblog.com
          • http://blogs.msdn.com/card
          • http://self-issued.info/
          • http://identity-des.com/
          • http://blogs.msdn.com/vbertocci
          • www.leastprivilege.com

    42. Open Source Identity Selectors (some)
       • Firefox – Bandit DigitalMe Project (Windows, Linux, Apple, Fedora)
          • http://www.bandit-project.org/index.php/DigitalMe
       • Firefox – Windows only (Kevin Miller)
          • http://www.codeplex.com/IdentitySelector
       • Apple Identity Selectors
          • http://www.hccp.org/safari-plug-in.html
       • Java Identity Selectors
          • xmldap: http://xmldap.org/

    43. Open Source Relying Parties (some)
       • Ruby RP projects
          • http://rubyforge.org/projects/informationcard/
          • http://www.codeplex.com/informationcardruby
       • Java RP projects
          • http://www.eclipse.org/org/press-release/20080221_higgins.php
          • http://sourceforge.net/projects/informationcard/
          • http://www.codeplex.com/informationcardjava
       • C and PHP projects
          • https://infocard-demo.labs.pingidentity.com/
       • Python and PHP projects
          • http://code.bandit-project.org/trac/wiki/PythonInfoCard
          • http://code.google.com/p/py-self-issued-rp/
          • http://www.codeplex.com/InformationCardPHP

    44. Open Source Identity Providers (some)
       • Verisign PIP
          • https://pip.verisignlabs.com/
       • Bandit IP Framework
          • https://cards.bandit-project.org/BanditIdP/index.jsp
       • Higgins Frameworks
          • http://www.eclipse.org/higgins/

    45. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.