Mario Szpuszta Solutions Architect Microsoft Austria, Vienna.

Post on 21-Dec-2015


Identity 2.0: The Identity Metasystem Vision

Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna

Agenda

- Digital identity crisis
  - Real world as metaphor
  - The Identity Metasystem as model
- Agreement on a model
  - Common, consistent user experience
  - Claims-based security
  - Federation & claims-transformation
- Summary

Digital Identities Today – Identity Silos

Layer           Common standard
Connectivity    IP
Naming          DNS
Identity        ??? Identity ???

Digital Identities Today – Major Problem

www.antiphishing.org

Identity is more than just User & Password


Identity – „You“ and „Claims“

Roles in the Real World – Windows CardSpace

Trust-Chains & Claims Transformation

(Diagram: trust chain between identity provider, subject and relying party; the arrows are labelled "issues", "queries" and "trusts".)


Identity Vision Statement

The goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them!

http://msdn2.microsoft.com/en-us/library/ms996422.aspx

The Laws of Identity

1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Understanding the Requirements

- Consistent user experience
- Clear definition of roles, technology-independent protocols
- Federation and claims-transformation
- Claims-based security

Roles, Responsibilities, Protocols

(Diagram of the three roles and the protocols between them, reconstructed from the slide:)

- Subject: the user, acting through an Identity Selector (Information Cards, OpenID, LID, Yadis, …)
- Identity Provider: runs a Security Token Service (STS) that issues tokens such as SAML, Kerberos, X.509, etc.
- Relying Party: the application that consumes the tokens

Protocols between the roles:

- Relying Party → Identity Selector: WS-Policy, WS-MetadataExchange (the application publishes which claims it needs)
- Identity Selector ↔ Security Token Service: WS-Trust (token request and response)
- Identity Selector → Relying Party: WS-Security, WS-SecureConversation (token delivery)

Authentication ("AuthN") happens at the Identity Provider; authorization ("AuthZ") happens at the Relying Party.

Microsoft Technologies in the Model

(The same role diagram, with Microsoft products in each position:)

- Identity Provider / Security Token Service: AD, AD Cert., AD LDS, ILM, ADFS
- Application / Relying Party: ADFS, AD LDS, AD Cert.
- Identity Selector: CardSpace
- WS-* protocol stack on every leg: WCF

Other Technologies in the Model

(The same role diagram, with non-Microsoft implementations:)

- Identity Selector: Kevin Miller's Selector, Bandit Project, Eclipse Higgins
- Identity Provider / Security Token Service: Verisign PIP, Eclipse Higgins, Bandit (J2EE)
- Application / Relying Party: Xmldap, Eclipse Higgins, RubyForge, InfoCard PHP (J2EE, PHP, Python, Ruby, …)
- WS-* protocol stack: WCF on the Microsoft side


Consistent User Experience

- Digital identity selector ("digital wallet")
- You carry "digital cards" with you
- Each card belongs to exactly one identity provider

(Diagram: cards issued by IP One, IP Two and IP Three.)

What is CardSpace?

- CardSpace is an identity selector
  - Part of .NET Framework 3.0
  - Uses WCF for its WS-* standards
  - User's digital identities = information cards
- CardSpace is an STS
  - Self-issued cards
  - Creates SAML v1.0 tokens
  - Requires no 3rd-party identity provider
- User is in control of which IP is used and which claims are exposed

Demo: Self-Issued Cards


Claims-based Identity

Digital identity that parallels the real world:

- Claims: statements about a subject; they identify the subject, or only describe attributes, or both
- Digital identity: a set of claims asserted by an authority or by the subject itself
- The RP requests claims via policy
  - Web app: <object/> tag
  - Service: WS-Policy, WS-MEX

Claims in .NET 3.0

- ClaimType is the claim URI as a string
- Right can be one of two things: Identity or PossessProperty
- Resource is the value of the claim

```csharp
namespace System.IdentityModel.Claims
{
    public class Claim
    {
        public Claim(string claimType, object resource, string right);
        public string ClaimType { get; }   // claim URI
        public string Right { get; }       // Rights.Identity or Rights.PossessProperty
        public object Resource { get; }    // the claim's value
        // ...
    }
}
```

ClaimSet – Claims and their Issuers

Concrete implementations: DefaultClaimSet, WindowsClaimSet, X509CertificateClaimSet

```csharp
namespace System.IdentityModel.Claims
{
    public abstract class ClaimSet : IEnumerable<Claim>, IEnumerable
    {
        public abstract ClaimSet Issuer { get; }   // who asserted these claims (itself a ClaimSet)
        public virtual bool ContainsClaim(Claim claim);
        public abstract IEnumerable<Claim> FindClaims(string claimType, string right);
        public abstract int Count { get; }
        public abstract Claim this[int index] { get; }
        public abstract IEnumerator<Claim> GetEnumerator();
        // ...
    }
}
```
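As an added example (not code from the deck), here is how a WCF service can act on these ClaimSet objects: a ServiceAuthorizationManager that grants access only when the required claim is present and its ClaimSet was issued by the STS the service trusts. The claim URI, the expected value and the issuer name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Added example, not from the deck: grant access only if a required claim
// is present AND was issued by the STS we trust (names are assumptions).
public class TrustedIssuerAuthorizationManager : ServiceAuthorizationManager
{
    public const string RequiredClaimType = "http://example.org/claims/over21"; // hypothetical
    public const string TrustedIssuerName = "Example STS"; // hypothetical STS cert subject name

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var authz = operationContext.ServiceSecurityContext.AuthorizationContext;
        return HasClaimFromTrustedIssuer(authz.ClaimSets, RequiredClaimType, "true", TrustedIssuerName);
    }

    // Separated from the WCF plumbing so it can be exercised with DefaultClaimSet instances.
    public static bool HasClaimFromTrustedIssuer(IEnumerable<ClaimSet> claimSets,
        string claimType, string expectedValue, string trustedIssuerName)
    {
        foreach (ClaimSet set in claimSets)
        {
            // A claim is only as good as its issuer: ignore sets from anyone else.
            if (!IssuedBy(set, trustedIssuerName))
                continue;
            foreach (Claim c in set.FindClaims(claimType, Rights.PossessProperty))
                if (string.Equals(Convert.ToString(c.Resource), expectedValue, StringComparison.Ordinal))
                    return true;
        }
        return false; // nothing matched from a trusted issuer: deny
    }

    static bool IssuedBy(ClaimSet set, string issuerName)
    {
        // ClaimSet.Issuer is itself a ClaimSet (an X509CertificateClaimSet for a
        // certificate-signed token). Only the immediate issuer is checked, and
        // ClaimSet.System (locally sourced claims) is never treated as the STS.
        // Production code should pin the issuer thumbprint rather than its name.
        ClaimSet issuer = set.Issuer;
        if (issuer == null || issuer == ClaimSet.System)
            return false;
        foreach (Claim c in issuer.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            if (issuerName.Equals(c.Resource as string))
                return true;
        return false;
    }
}
```

The manager is wired in through the service's serviceAuthorization behavior (serviceAuthorizationManagerType) in configuration.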

Claims-based Security in Web Apps

- Scenario: the relying party IS the web site
- Browser integration necessary
- Requested claims embedded in HTML
- Identity Selector lets the user select a card / IP

Approach: embed <object/> for the card request

Browsers: IE 7.0; Firefox and Safari supported

Example based on CardSpace

Participants: User's PC (Browser, CardSpace, Cards Store), Website (Token Policy), Identity Provider (STS, Identities Store).

1. The browser GETs the login page and reads the policies.
2. The browser passes the policies to CardSpace; CardSpace filters the card collection and shows its UI.
3. The user picks a card.
4. CardSpace sends an RST to the Identity Provider.
5. The IP authenticates the RST…
6. …and, if successful, builds and signs the requested (SAML) token.
7. The IP sends the token back in an RSTR.
8. CardSpace gives the token to the app and exits.
9. The browser POSTs the SAML token to the website.
10. The website authenticates the token.

Sample Web Login Page

```html
<!-- ... -->
<button onclick="javascript:return infocardlogin.submit();">
  Sign in with your Information Card
</button>

<form name="infocardlogin" target="_self" method="post">
  <object type="application/x-informationcard" name="xmlToken">
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
    <param name="issuer" value="http://schemas..../identity/issuer/self">
    <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">
  </object>
</form>
<!-- ... -->
```

Demo: Claims-based security in Web Applications

WCF Services and Claims

- WCF is metasystem-ready
  - Supports the necessary WS-* standards
  - Understands many tokens (SAML, Kerberos, …)
- Client integration and CardSpace
  - System.IdentityModel
  - System.ServiceModel.Identity
  - Identity selector triggered based on WS-Policy

WCF Service Configuration

```xml
<wsFederationHttpBinding>
  <binding name="TestFederationBinding" bypassProxyOnLocal="true">
    <security>
      <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
               negotiateServiceCredential="false">
        <claimTypeRequirements>
          <add claimType="claim-uri" isOptional="false" />
        </claimTypeRequirements>
        <issuer address="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
      </message>
    </security>
  </binding>
</wsFederationHttpBinding>
```

Demo: Claims-based security in WCF Services


Federation and Trust-Chains

- The relying party does not manage identity
- The IP authenticates / proves identity
- The relying party determines truth based on:
  - the IP with the closest relationship to the subject
  - IP authentication of the subject
  - consensus of multiple IPs
- Federation bridges silos!!

(Diagram: the relying party "relies on" the identity provider.)

Federation Scenario - Example

(Diagram reconstructed from the slide:)

- Company A: Requestor, IP/STS, ID store
- Company B: IP/STS, Target Service
- Each IP/STS publishes its requirements via WS-Policy and issues tokens via WS-Trust; the two IP/STSs are linked to each other by WS-Trust.

Claims-Transformation & Federation

(Diagram reconstructed from the slide:)

- Company A (Requestor, IP/STS, ID store): the IP/STS issues
  - Name
  - Date of Birth
  - Passport Nr.
  - Passport Valid
  - …
- Company B (IP/STS, Target Service): the IP/STS transforms from „Date of Birth“ to „Age >= 21?“; the Target Service asks only for Age >= 21
- Token formats on the two legs: X.509 certificate, SAML token

At the IP/STS a trust-partner claim becomes a local actionable claim:

Trust Partner Claim    Local Actionable Claim
Content                Role → Access Right
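Added example (not from the deck) of the transformation step described above, written against the System.IdentityModel.Claims API from the earlier slides: a partner's „Date of Birth“ claim becomes a local „Age >= 21“ claim and nothing else is forwarded. The claim URIs are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Claims;

// Added example, not from the deck: the claims-transformation step of a
// federated STS. A partner "Date of Birth" claim becomes a local "Age >= 21"
// claim; name, birth date and passport data are deliberately not forwarded.
public static class ClaimsTransformer
{
    // Hypothetical claim URIs (assumptions, not from the deck).
    public const string DateOfBirthClaim = "http://example.org/partner/claims/dateofbirth";
    public const string Over21Claim = "http://example.org/local/claims/over21";

    // partnerClaims: the set received from Company A's IP/STS, whose issuer the
    // caller has already verified. localIssuer: the ClaimSet describing this STS.
    public static ClaimSet Transform(ClaimSet partnerClaims, ClaimSet localIssuer, DateTime today)
    {
        var outClaims = new List<Claim>();
        foreach (Claim c in partnerClaims.FindClaims(DateOfBirthClaim, Rights.PossessProperty))
        {
            DateTime dob;
            // Accept only an unambiguous ISO date; anything else yields no claim at all.
            if (!DateTime.TryParseExact(Convert.ToString(c.Resource), "yyyy-MM-dd",
                    CultureInfo.InvariantCulture, DateTimeStyles.None, out dob))
                continue;
            string answer = IsAtLeast(dob, 21, today) ? "true" : "false";
            outClaims.Add(new Claim(Over21Claim, answer, Rights.PossessProperty));
            break; // one answer per subject
        }
        // Minimal disclosure: the target service sees only the yes/no claim,
        // asserted by the local STS, never the partner's raw attributes.
        return new DefaultClaimSet(localIssuer, outClaims);
    }

    // True once the subject's 'years'-th birthday has passed (AddYears maps a
    // 29 February birthday to 28 February in non-leap years, so it never throws).
    public static bool IsAtLeast(DateTime dob, int years, DateTime today)
    {
        return dob.AddYears(years) <= today.Date;
    }
}
```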

Demo: A look at a simple STS


Summary

- Identity Metasystem
  - Solves many of today's issues (e.g. phishing)
  - Based on interoperable standards
  - Many supporting vendors (IBM, Novell, OSIS Community, Pamela, Eclipse project etc.)
- Windows CardSpace
  - Client integration into the metasystem
  - Identity selector and self-issuing STS
- WCF is metasystem-ready by design
  - Full support: ADFS vNext incl. .NET Fx Extensions

Summary

Microsoft Open Specification Promise (OSP)

- Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
- Includes all the protocols underlying CardSpace
- Issued September 2006: http://www.microsoft.com/interop/osp

Resources and Links

- Community site, samples, news: http://cardspace.nefx3.com
- MSDN Forum: http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
- MSDN Home Page: http://msdn.microsoft.com/identity
- Blogs:
  - http://identityblog.com
  - http://blogs.msdn.com/card
  - http://self-issued.info/
  - http://identity-des.com/
  - http://blogs.msdn.com/vbertocci
  - www.leastprivilege.com

Open Source Identity Selectors (some)

- Firefox – Bandit DigitalMe Project (Windows, Linux, Apple, Fedora): http://www.bandit-project.org/index.php/DigitalMe
- Firefox – Windows only (Kevin Miller): http://www.codeplex.com/IdentitySelector
- Apple Identity Selectors: http://www.hccp.org/safari-plug-in.html
- Java Identity Selectors: xmldap, http://xmldap.org/

Open Source Identity Providers (some)

- Verisign PIP: https://pip.verisignlabs.com/
- Bandit IP Framework: https://cards.bandit-project.org/BanditIdP/index.jsp
- Higgins Frameworks: http://www.eclipse.org/higgins/

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
