
advances in digital identity


Presentation Transcript


  1. advances in digital identity
     steve plank (“planky”), identity architect, microsoft uk

  2. agenda
     • what is a digital identity?
     • if the identity service has my password, why does my application still have a user account?
     • identities and profiles
     • how do I factor authentication and authorization into separate services for my applications?
     • a single source of identities, or many sources? what’s best?
     • how to federate with:
       • other organisations
       • the “cloud”

  3. what is “identity”?
     a set of claims made by one subject about another subject
     • static claims:
       • date of birth
       • gender
     • dynamic claims:
       • address
       • job title
     • derived claims:
       • over 18 = true
       • health professional = true
     (diagram labels: trust fabric; self-asserted identity; ebay, amazon, google, hotmail, yahoo, ...; claims; authenticity marks (digital signatures))

  4. anonymous, pseudonymous, real, verified
     • you can’t assert your own identity – even to yourself
     • claims, not assertions
     • verification processes:
       • military
       • government
       • finance
     (diagram: a login form with elvis@hotmail.com and a masked password)

  5. conventional access control
     (participants: client, application)
     policy: submitOrder() requires [name, password] cred
     1. read policy for submitOrder()
     2. call submitOrder() including [planky, ****]

  6. claims-based access control: authentication service
     (participants: client, application, security token service sts_authentication)
     policies:
     • submitOrder() requires {role} from sts_authentication
     • {role} requires [name, password] cred
     1. read policy for submitOrder()
     2. read policy for request security token
     3. request security token, passing [planky, ****]

  7. claims-based access control: authentication service (continued)
     policy: “submit order” requires {role} from sts_authentication
     4. request security token response: {role=purchaser} signed sts_authentication
     5. call “submit order” with security token {role=purchaser} signed sts_authentication
     mapping at sts_authentication: (planky, ****) → {role = purchaser}

  8. claims-based access control: delegated authentication and authorization
     (participants: client, application, security token service sts_authentication (“identity claims provider”), security token service sts_authorization (“authorization claims provider”))
     policies:
     • submitOrder() requires {submit order} from sts_authorization
     • {submit order} requires {role} claim from sts_authentication
     • {role} requires [kerb ticket] or [name/pwd] cred
     steps:
     • read policy for submitOrder()
     • read policy for request security token (sts_authorization)
     • read policy for request security token (sts_authentication)
     • request security token, passing [planky’s kerb ticket]

  9. claims-based access control: delegated authentication and authorization (continued)
     (participants: client, application, security token service sts_authentication, security token service sts_authorization)
     policies:
     • submitOrder() requires {submit order} claim from sts_authorization
     • {submit order} requires {role} claim from sts_authentication
     tokens:
     • {role=purchaser} signed sts_authentication (issued to the client, presented to sts_authorization)
     • {submit order = true} signed sts_authorization (issued to the client, presented to the application)
     • call submitOrder() with {submit order = true} signed sts_authorization
     mappings:
     • sts_authentication: planky → {role = purchaser}
     • sts_authorization: {role = purchaser} → {submit order = true}
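The two-STS chain in slides 8 and 9, as an added example that is not part of the deck: sts_authentication maps a credential to a signed {role} claim, sts_authorization maps that claim to a signed {submit order} claim, and submitOrder() trusts only sts_authorization. Keys, the user store and the second user are constructed for the demo, and HMAC stands in for the digital signatures the deck refers to.

```python
import hmac, hashlib, json

# Constructed demo keys: each STS signs with its own key and relying parties hold
# only the matching verification key. HMAC stands in for the deck's digital signatures.
KEYS = {"sts_authentication": b"constructed-auth-key",
        "sts_authorization": b"constructed-authz-key"}

def sign(issuer, claims):
    """Issue a security token: the claims plus an HMAC over (issuer, claims)."""
    body = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify(token, expected_issuer):
    """Return the claims only if the token is intact and issued by expected_issuer."""
    expected = hmac.new(KEYS[expected_issuer], token["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    parsed = json.loads(token["body"])
    return parsed["claims"] if parsed["iss"] == expected_issuer else None

# sts_authentication ("identity claims provider"): credential -> {role}.
# Constructed user store; "****" is the deck's placeholder password.
USERS = {"planky": {"password": "****", "role": "purchaser"},
         "visitor": {"password": "guest", "role": "browser"}}

def sts_authentication(name, password):
    user = USERS.get(name)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    return sign("sts_authentication", {"role": user["role"]})

# sts_authorization ("authorization claims provider"): {role} -> {submit order}.
# It accepts only tokens signed by sts_authentication.
ROLE_TO_ACTION = {"purchaser": {"submit order": True}}

def sts_authorization(identity_token):
    claims = verify(identity_token, "sts_authentication")
    if claims is None:
        return None
    actions = ROLE_TO_ACTION.get(claims.get("role"), {"submit order": False})
    return sign("sts_authorization", actions)

# application: submitOrder() requires {submit order} from sts_authorization; it never
# sees the credential and keeps no user account of its own.
def submit_order(authz_token):
    claims = verify(authz_token, "sts_authorization") if authz_token else None
    return bool(claims) and claims.get("submit order") is True
```

Presenting the identity token straight to the application fails, because submitOrder() only accepts the {submit order} claim from sts_authorization; a token whose body has been altered fails the signature check.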

  10. “the laws of identity”
     • user control and consent
     • minimal disclosure for a defined use
     • justifiable parties
     • directional identity
     • pluralism of operators and technologies
     • human integration
     • consistent experience across contexts

  11. (architecture diagram)
     “Off Premise”: Microsoft Dynamics CRM Online, Windows Live ID, .NET Services Access Control, Microsoft Federation Gateway
     “On Premise”: My Organisation, Your Organisation, Microsoft Services Connector, “Geneva Server”, Website, AD, “Geneva” Framework, S+S App
     protocols shown: SAML, WS-Fed, WS-Trust

  12. review
     • what is a digital identity?
     • if the identity service has my password, why does my application still have a user account?
     • identities and profiles
     • how do I factor authentication and authorization into separate services for my applications?
     • a single source of identities, or many sources? what’s best?
     • how to federate with:
       • other organisations
       • the “cloud”
