Mario Szpuszta Solutions Architect Microsoft Austria, Vienna
Slide 2
- Digital identity crisis
- Real world as metaphor
- The Identity Metasystem as model
- Agreement on a model
- Common, consistent user experience
- Claims-based security
- Federation & claims-transformation
- Summary
Slide 3
Slide 4
www.antiphishing.org
Slide 5
Slide 6
Slide 7
Slide 8
Windows CardSpace
Slide 9
Slide 10
Slide 11
Diagram of the parties in the identity metasystem (only the arrow labels survived extraction): issues, queries, trusts
Slide 12
Slide 13
The goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them! http://msdn2.microsoft.com/en-us/library/ms996422.aspx
Slide 14
- User control and consent
- Minimal disclosure for a defined use
- Justifiable parties
- Directional identity
- Pluralism of operators and technologies
- Human integration
- Consistent experience across contexts
Slide 15
Slide 16
Diagram of the identity metasystem layers (labels only):
- Policy negotiation: WS-Policy, WS-MetadataExchange
- Identity systems: Information cards; OpenID, LID, Yadis
- Token issuance: WS-Trust
- Token formats: SAML, Kerberos, X.509 etc.
- Message security: WS-Security, WS-SecureConversation
- Callouts: "AuthN happens here", "AuthZ happens here"
Slide 17
Slide 18
Slide 19
Slide 20
Digital Identity Selector = digital wallet
- You carry digital cards with you
- Each card belongs to one identity provider (IP One, IP Two, IP Three)
Slide 21
CardSpace is an identity selector
- Part of .NET Framework 3.0
- Uses WCF for its WS-* standards
- User's digital identities = information cards
CardSpace is an STS
- Self-issued cards
- Creates SAML v1.0 tokens
- Requires no 3rd party identity provider
User is in control of
- which IP is used
- which claims are exposed
Slide 22
Slide 23
Slide 24
Claims
- Statements about a subject
- Identify the subject, only describe attributes, or both
Digital identity
- Set of claims
- Asserted by an authority / the subject
RP requests claims via policy
- Web app: tag embedded in the HTML
- Service: WS-Policy, WS-MEX
Slide 25
Claim
- ClaimType is the claim URI as a string
- Right can be one of two things: Identity or PossessProperty
- Resource is the value of the claim

    namespace System.IdentityModel.Claims
    {
        public class Claim
        {
            // right is Rights.Identity or Rights.PossessProperty
            public Claim(string claimType, object resource, string right);
            public string ClaimType { get; }
            public string Right { get; }
            public object Resource { get; }
            //...
        }
    }
Slide 26
ClaimSet
- Derived types: DefaultClaimSet, WindowsClaimSet, X509CertificateClaimSet

    namespace System.IdentityModel.Claims
    {
        public abstract class ClaimSet : IEnumerable<Claim>, IEnumerable
        {
            // The ClaimSet that asserts this set of claims
            public abstract ClaimSet Issuer { get; }
            public virtual bool ContainsClaim(Claim claim);
            public abstract IEnumerable<Claim> FindClaims(string claimType, string right);
            public abstract int Count { get; }
            public abstract Claim this[int index] { get; }
            public abstract IEnumerator<Claim> GetEnumerator();
            //...
        }
    }
Slide 27
Scenario: relying party is a web site
- Browser integration necessary
- Requested claims embedded in HTML
- Identity selector lets the user select card / IP
Approach: embed a tag in the page for the card request
- IE 7.0
- Firefox and Safari supported
Slide 28
Browser sign-in flow (diagram participants: user's PC with browser and CardSpace cards store, website with its policy, identity provider with STS and identities store; SAML token):
1. GET login page
2. Read policies
3. Pass policies to CardSpace
4. Filter card collection & show CardSpace UI
5. User picks a card
6. CardSpace sends an RST (Request Security Token) to the IP
7. The IP authenticates the RST
8. If successful, the IP builds & signs the requested (SAML) token
9. The IP sends back the token in an RSTR (Request Security Token Response)
10. CardSpace gives the token to the app & exits
11. The browser POSTs the (SAML) token to the website
12. The website authenticates the token
Slide 33
Slide 34
Slide 35
- Relying party does not manage identity
- IP authenticates / proves identity
- Relying party determines truth based on
  - IP with closest relationship to subject
  - IP authentication of subject
  - Consensus of multiple IPs
- Federation bridges silos!!
(diagram label: relying party "relies on" the IP)
Slide 36
Federation diagram (labels only): Company A: Requestor, IP/STS, ID store. Company B: IP/STS, Target Service. The parties on both sides exchange WS-Policy and WS-Trust messages.
Slide 37
Claims transformation diagram (labels only):
- Company A: Requestor, IP/STS, ID store; Company B: IP/STS, Target Service
- Company A's IP/STS issues: Name, Date of Birth, Passport Nr., Passport Valid
- Company B's IP/STS transforms from "Date of Birth" to "Age >= 21?"
- Target Service asks for: Age >= 21
- Three kinds of transformation:
  - Format: X.509 cert -> SAML token
  - Trust: Partner Claim -> Local Actionable Claim
  - Content: Role -> Access Right
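The transformation the diagram describes (Date of Birth to "Age >= 21?", Role to Access Right), written out against the System.IdentityModel.Claims types from the earlier slides. This is an added example, not code from the presentation; the claim URIs, the role-to-right mapping and the sample claim values are constructed assumptions, and ClaimSet.System stands in for the local IP/STS as issuer.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
// Hypothetical claim URIs; the real partner and local claim types are not on the slides.
static class PartnerClaimTypes
{
    public const string DateOfBirth = "urn:example:companyA:claims:dateofbirth";
    public const string Role = "urn:example:companyA:claims:role";
}
static class LocalClaimTypes
{
    public const string AgeOver21 = "urn:example:companyB:claims:ageover21";
    public const string AccessRight = "urn:example:companyB:claims:accessright";
}
static class ClaimsTransformer
{
    // Content transformation: partner role -> local access right (constructed mapping).
    static readonly Dictionary<string, string> RoleToAccessRight =
        new Dictionary<string, string> { { "Purchaser", "PlaceOrder" }, { "Auditor", "ReadOrders" } };
    // Derives Company B's local actionable claims from Company A's partner claims.
    // Only the derived facts leave this STS: the date of birth itself is not re-issued (minimal disclosure).
    public static ClaimSet Transform(ClaimSet partnerClaims, DateTime today)
    {
        List<Claim> local = new List<Claim>();
        foreach (Claim c in partnerClaims.FindClaims(PartnerClaimTypes.DateOfBirth, Rights.PossessProperty))
        {
            DateTime dob = (DateTime)c.Resource;
            int age = today.Year - dob.Year;
            if (dob.Date > today.AddYears(-age)) age--;   // birthday not yet reached this year
            local.Add(new Claim(LocalClaimTypes.AgeOver21, age >= 21, Rights.PossessProperty));
        }
        foreach (Claim c in partnerClaims.FindClaims(PartnerClaimTypes.Role, Rights.PossessProperty))
        {
            string right;   // roles without a local mapping produce no access right at all
            if (RoleToAccessRight.TryGetValue((string)c.Resource, out right))
                local.Add(new Claim(LocalClaimTypes.AccessRight, right, Rights.PossessProperty));
        }
        return new DefaultClaimSet(ClaimSet.System, local);   // ClaimSet.System stands in for the local STS
    }
    static void Main()
    {
        // Constructed partner claim set, as Company A's IP/STS would assert it.
        DefaultClaimSet partner = new DefaultClaimSet(ClaimSet.System, new Claim[] {
            new Claim(PartnerClaimTypes.DateOfBirth, new DateTime(1985, 6, 15), Rights.PossessProperty),
            new Claim(PartnerClaimTypes.Role, "Purchaser", Rights.PossessProperty),
            new Claim(PartnerClaimTypes.Role, "Intern", Rights.PossessProperty) });
        foreach (Claim c in Transform(partner, new DateTime(2008, 3, 1)))
            Console.WriteLine("{0} = {1}", c.ClaimType, c.Resource);
    }
}
```

The target service then only ever sees "ageover21 = True" and "accessright = PlaceOrder"; the unmapped "Intern" role and the birth date never cross the company boundary.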
Slide 38
Slide 39
Slide 40
Identity Metasystem
- Solves many of today's issues (e.g. phishing)
- Based on interoperable standards
- Many supporting vendors (IBM, Novell, OSIS community, Pamela, Eclipse project etc.)
Windows CardSpace
- Client integration into the metasystem
- Identity selector and self-issuing STS
- WCF is metasystem-ready by design
- Full support: ADFS vNext incl. .NET Fx Extensions
Slide 41
- Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
- Includes all the protocols underlying CardSpace
- Issued September 2006
http://www.microsoft.com/interop/osp
Slide 42
- Community site, samples, news: http://cardspace.netfx3.com
- MSDN Forum: http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
- MSDN Home Page: http://msdn.microsoft.com/identity
- Blogs:
  http://identityblog.com
  http://blogs.msdn.com/card
  http://self-issued.info/
  http://identity-des.com/
  http://blogs.msdn.com/vbertocci
  www.leastprivilege.com
Slide 43
- Firefox: Bandit DigitalMe Project (Windows, Linux, Apple, Fedora) http://www.bandit-project.org/index.php/DigitalMe
- Firefox, Windows only (Kevin Miller): http://www.codeplex.com/IdentitySelector
- Apple identity selectors: http://www.hccp.org/safari-plug-in.html
- Java identity selectors: xmldap http://xmldap.org/
Slide 44
- Ruby RP projects:
  http://rubyforge.org/projects/informationcard/
  http://www.codeplex.com/informationcardruby
- Java RP projects:
  http://www.eclipse.org/org/press-release/20080221_higgins.php
  http://sourceforge.net/projects/informationcard/
  http://www.codeplex.com/informationcardjava
- C and PHP projects:
  https://infocard-demo.labs.pingidentity.com/
- Python and PHP projects:
  http://code.bandit-project.org/trac/wiki/PythonInfoCard
  http://code.google.com/p/py-self-issued-rp/
  http://www.codeplex.com/InformationCardPHP
2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.