Advances in Digital Identity
Steve Plank, Identity Architect
Mar 29, 2015

Transcript
Page 1: Advances in Digital Identity Steve Plank Identity Architect.

Advances in Digital Identity

Steve Plank, Identity Architect

Page 2:

Connectivity: IP
Naming: DNS
Identity: no consistency

Page 3:

taught users to type usernames & passwords into a web page

Page 4:

what is identity?

Page 5:

attributes:
givenName: steve
sn: plank
preferredName: planky
dateOfBirth: 170685!
over18: true
over21: true
over65: false
image

Page 6:

self asserted: what claims I make about myself

verifiable: what claims another party makes about me

Page 7:

elvis presley

only 1 of them is real

probably

Page 8:

trust: who is trusted to make these claims

Page 9:

SECURITY TOKEN
steve plank
over 18
over 21
under 65
image

Page 10:

security token service: give it something, get a SECURITY TOKEN back

input (a DIFFERENT SECURITY TOKEN):
Username/Password
Biometric signature
Certificate
"Secret"

output (SECURITY TOKEN):
Steve Plank
Over 18
Over 21
Under 65
image

Page 11:

identity metasystem

Page 12:

participants:
relying party (website)
identity provider
subject

Page 13:

[diagram: identity providers (x509, SAML, WS-*), each fronted by a security token service; the subject, through an identity selector, obtains tokens from an identity provider and presents them to relying parties]

Page 14:

identity selector

Page 15:

human integration

consistent experience across contexts

Page 16:

Page 17:

cards

self-issued
• contains claims about my identity that I assert
• not corroborated
• stored locally
• signed and encrypted to prevent replay attacks

managed
• provided by banks, stores, government, clubs, etc
• locally stored cards contain metadata only!
• data stored by identity provider and obtained only when card submitted

Page 18:

login with self issued card

user → relying party (website): login (page carries the object tag)

Page 19:

select self issued card

user selects the self issued card "Planky" for the relying party (website)

Page 20:

create token from card

user's card "Planky" → token: FN: Steve, LN: Plank, Email: splank, CO: UK

Page 21:

sign, encrypt & send token

user ("Planky") → relying party (website)

Page 22:

login with managed card

user → relying party (website): login (page carries the object tag); identity provider stands by

Page 23:

select managed card

user selects the managed card "WoodgroveBank", which points at its identity provider

Page 24:

request security token

user → identity provider (WoodgroveBank), authenticating with: X509, kerb, SC, U/pwd…

Page 25:

request security token response

identity provider (WoodgroveBank): sign, encrypt, send → user → relying party (website)

Page 26:

<body>
  <form id="form1" method="post" action="login.aspx">
    <div>
      <button type="submit">Click here to sign in with your Information Card</button>
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
        <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
        <param name="requiredClaims" value="
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
      </object>
    </div>
  </form>
</body>

Page 27:

relying party (website)

xmlToken (signed & encrypted) → token decrypter → xmlToken (plaintext) → claims extractor → first name, last name, email, phone

ppid → index into user database (ppid 123456789 → user record 456)
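The relying-party pipeline on this slide (decrypt, extract claims, index on the PPID), together with the self-issued card flow on slides 18-21 and the requiredClaims from the object tag on slide 26, as an added Python example; it is not code from the talk. Assumptions: an HMAC over the assertion bytes stands in for XML-Signature/XML-Encryption so the block runs with only the standard library, the SAML 1.0 assertion is hand-built and minimal, the PPID derivation is a simplified model of the pairwise one the identity selector performs, and the card id, keys, RP URL and claim values are constructed.

```python
"""Constructed relying-party (RP) model of the Information Card login on
slides 18-27.  Stand-ins (assumptions): an HMAC over the assertion bytes
replaces XML-Signature/XML-Encryption, and the SAML 1.0 assertion is
hand-built and minimal."""
import base64
import calendar
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
# the requiredClaims listed in the object tag on slide 26
REQUIRED = ("givenname", "surname", "emailaddress", "privatepersonalidentifier")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def self_issued_ppid(card_id: str, rp_identifier: str) -> str:
    """Pairwise PPID: hash of the card's secret id and the RP's identity, so
    two sites see different identifiers for one card (simplified model)."""
    digest = hashlib.sha256(f"{card_id}|{rp_identifier}".encode()).digest()
    return base64.b64encode(digest).decode()


def build_assertion(issuer: str, audience: str, claims: dict, now: int,
                    lifetime: int = 300) -> str:
    """Minimal SAML 1.0 assertion carrying the claims as attributes; issuer is
    SELF_ISSUER for a self-issued card or the IdP's URI for a managed card."""
    def stamp(t):
        return quoteattr(time.strftime(TIME_FMT, time.gmtime(t)))
    attrs = "".join(
        f'<saml:Attribute AttributeName={quoteattr(n)} '
        f'AttributeNamespace={quoteattr(CLAIMS_NS)}>'
        f'<saml:AttributeValue>{escape(v)}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items())
    return (f'<saml:Assertion xmlns:saml={quoteattr(SAML_NS)} MajorVersion="1" '
            f'MinorVersion="0" Issuer={quoteattr(issuer)} IssueInstant={stamp(now)}>'
            f'<saml:Conditions NotBefore={stamp(now)} NotOnOrAfter={stamp(now + lifetime)}>'
            f'<saml:AudienceRestrictionCondition><saml:Audience>{escape(audience)}'
            f'</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')


def sign_token(assertion: str, key: bytes) -> dict:
    """Stand-in for XML-Signature: HMAC-SHA256 over the assertion bytes."""
    mac = hmac.new(key, assertion.encode(), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "mac": mac}


def verify_and_extract(token: dict, key: bytes, audience: str, now: int) -> dict:
    """Slide 27's 'token decrypter' and 'claims extractor'.  Authenticate the
    bytes first, then check validity window and audience, then read claims."""
    mac = hmac.new(key, token["assertion"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, token["mac"]):
        raise ValueError("token signature invalid")
    ns = {"saml": SAML_NS}
    root = ET.fromstring(token["assertion"])
    cond = root.find("saml:Conditions", ns)
    not_before = calendar.timegm(time.strptime(cond.get("NotBefore"), TIME_FMT))
    not_after = calendar.timegm(time.strptime(cond.get("NotOnOrAfter"), TIME_FMT))
    if not (not_before <= now < not_after):
        raise ValueError("token outside its validity window (expired or replayed)")
    path = "saml:AudienceRestrictionCondition/saml:Audience"
    if audience not in [a.text for a in cond.findall(path, ns)]:
        raise ValueError("token was issued for a different relying party")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("AttributeNamespace") == CLAIMS_NS:
            claims[attr.get("AttributeName")] = attr.findtext("saml:AttributeValue", namespaces=ns)
    missing = [c for c in REQUIRED if c not in claims]
    if missing:
        raise ValueError(f"required claims missing: {missing}")
    claims["issuer"] = root.get("Issuer")
    return claims


def login(token: dict, key: bytes, audience: str, user_db: dict, now: int) -> dict:
    """Map the token to a local account, using the PPID as the index into the
    user database as on slide 27.  The PPID itself is not a secret: what stops
    a third party presenting it is that they cannot produce a valid token."""
    claims = verify_and_extract(token, key, audience, now)
    ppid = claims["privatepersonalidentifier"]
    if ppid not in user_db:
        user_db[ppid] = {"id": len(user_db) + 1, "first": claims["givenname"],
                         "last": claims["surname"], "email": claims["emailaddress"]}
    return user_db[ppid]


def demo():
    """Self-issued card 'Planky' (constructed data) logging in twice."""
    card_key = b"constructed-self-issued-card-key"    # card's signing key, assumed
    rp, now = "https://www.example.test", 1427623200  # 2015-03-29T10:00:00Z
    claims = {"givenname": "Steve", "surname": "Plank",
              "emailaddress": "splank@example.test",
              "privatepersonalidentifier": self_issued_ppid("card-7f3a", rp)}
    user_db = {}
    first = login(sign_token(build_assertion(SELF_ISSUER, rp, claims, now), card_key),
                  card_key, rp, user_db, now)
    second = login(sign_token(build_assertion(SELF_ISSUER, rp, claims, now + 10), card_key),
                   card_key, rp, user_db, now + 10)
    return first, second, user_db


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: the signature is verified before anything is parsed out of the token, the validity window bounds replay, the audience check rejects a token the selector minted for some other site, and only then are the required claims read and the PPID used as the database key. A managed-card token (slides 22-25) goes through the same verify_and_extract with the identity provider's URI as issuer and the provider's key in place of the card's.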

Page 28:

demo

Page 29:

review

• identity layer

• phishing, phraud

• human integration

• consistent experience across contexts

• ip

• rp

• user

• identity selector

Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt