Identity 2.0: The Identity Metasystem Vision
Mario Szpuszta, Solutions Architect, Microsoft Austria, Vienna
Agenda

- Digital identity crisis
- Real world as metaphor
- The Identity Metasystem as model
- Agreement on a model
- Common, consistent user experience
- Claims-based security
- Federation & claims-transformation
- Summary
Identity Vision Statement
The goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them!

http://msdn2.microsoft.com/en-us/library/ms996422.aspx
The Laws of Identity

- User control and consent
- Minimal disclosure for a defined use
- Justifiable parties
- Directional identity
- Pluralism of operators and technologies
- Human integration
- Consistent experience across contexts
Understanding the Requirements

- Consistent user experience
- Clear definition of roles
- Technology-independent protocols
- Federation and claims-transformation
- Claims-based security
Roles, Responsibilities, Protocols

[Diagram. Three roles and the component each one runs: Subject (Identity Selector), Identity Provider (Security Token Service), Relying Party (Application). Protocols between them: WS-Policy / WS-MetadataExchange (the relying party publishes its requirements), WS-Trust (the identity selector requests tokens from the STS), WS-Security / WS-SecureConversation (the token is presented to the application). Token formats: SAML, Kerberos, X.509, etc. Identity selector inputs: Information Cards, OpenID, LID, Yadis, ... Authentication ("AuthN") happens at the identity provider; authorization ("AuthZ") happens at the relying party.]
Microsoft Technologies in the Model

[Diagram mapping Microsoft products onto the three roles. Application (relying party): WCF. Security Token Service (identity provider): ADFS, AD, AD LDS, AD Certificate Services, ILM. Identity Selector (subject): CardSpace. The WS-* protocol exchanges between the parties are implemented by WCF.]
Other Technologies in the Model

[Diagram mapping non-Microsoft projects onto the same roles (WS-* again carried by WCF on the Microsoft side). Identity Selector: Kevin Miller's Selector, Bandit Project, Eclipse Higgins. Security Token Service / Identity Provider: Verisign PIP, Eclipse Higgins, Bandit, J2EE. Application / Relying Party: Xmldap, Eclipse Higgins, RubyForge, InfoCard PHP; J2EE, PHP, Python, Ruby, ...]
Consistent User Experience

- Digital Identity Selector: a "digital wallet"
- You carry "digital cards" with you
- Each card belongs to one identity provider

[Diagram: three cards, issued by IP One, IP Two and IP Three]
What is CardSpace?

- CardSpace is an identity selector
  - Part of .NET Framework 3.0
  - Uses WCF for its WS-* standards
  - User's digital identities = information cards
- CardSpace is an STS
  - Self-issued cards
  - Creates SAML v1.0 tokens
  - Requires no 3rd-party identity provider
- The user is in control of which IP is used and which claims are exposed
Claims-based Identity
Digital identity that parallels the real world

- Claims: statements about a subject
  - identify the subject ...
  - ... or only describe attributes
  - ... or both
- Digital identity: a set of claims, asserted by an authority or by the subject
- The RP requests claims via policy
  - Web app: <object/> tag
  - Service: WS-Policy, WS-MEX
Claims in .NET 3.0

- ClaimType is the claim URI as a string
- Right can be one of two things: Identity or PossessProperty
- Resource is the value of the claim

  namespace System.IdentityModel.Claims
  {
      public class Claim
      {
          public Claim(string claimType, object resource, string right);
          public string ClaimType { get; }
          public string Right { get; }
          public object Resource { get; }
          // ...
      }
  }
ClaimSet – Claims and their Issuers

- DefaultClaimSet
- WindowsClaimSet
- X509CertificateClaimSet

  namespace System.IdentityModel.Claims
  {
      public abstract class ClaimSet : IEnumerable<Claim>, IEnumerable
      {
          public abstract ClaimSet Issuer { get; }
          public virtual bool ContainsClaim(Claim claim);
          public abstract IEnumerable<Claim> FindClaims(string claimType, string right);
          public abstract int Count { get; }
          public abstract Claim this[int index] { get; }
          public abstract IEnumerator<Claim> GetEnumerator();
          // ...
      }
  }
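The two slides above show the Claim and ClaimSet types but not how a relying party uses them. The following C# is an added example written for this page (it is not from the deck or from the CardSpace SDK samples). It builds the kind of ClaimSet an issued token yields, with an issuer ClaimSet chained behind it, then shows the two checks an RP actually needs: that the issuer is the expected identity provider (here via a constructed, hypothetical signing-certificate thumbprint) and that the claims with Right = Identity versus Right = PossessProperty are read for different purposes. All subject values are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

// Added example, not from the deck: build and inspect a ClaimSet the way a
// relying party does. ClaimType is a URI, Right is Identity or PossessProperty,
// Resource is the value. Subject data and thumbprint are constructed samples.
public static class ClaimSetDemo
{
    // Hypothetical SHA-1 thumbprint of the trusted identity provider's signing cert.
    static readonly byte[] TrustedIpThumbprint =
        { 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18, 0x29, 0x3A,
          0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90, 0x01, 0x12, 0x23, 0x34 };

    // Builds a subject ClaimSet whose Issuer is a ClaimSet describing the signing
    // certificate (for a real token WCF supplies an X509CertificateClaimSet here).
    public static ClaimSet BuildSampleClaimSet(byte[] signerThumbprint)
    {
        ClaimSet issuer = new DefaultClaimSet(ClaimSet.System,
            new Claim(ClaimTypes.Thumbprint, signerThumbprint, Rights.Identity));

        return new DefaultClaimSet(issuer,
            // Rights.Identity: this claim identifies the subject ...
            new Claim(ClaimTypes.Name, "alice", Rights.Identity),
            // ... Rights.PossessProperty: these only describe attributes of it.
            new Claim(ClaimTypes.GivenName, "Alice", Rights.PossessProperty),
            new Claim(ClaimTypes.Surname, "Example", Rights.PossessProperty),
            new Claim(ClaimTypes.Email, "alice@example.test", Rights.PossessProperty),
            new Claim(ClaimTypes.PPID, "constructed-ppid-value", Rights.PossessProperty));
    }

    // Walk the issuer chain and accept the set only if some issuer holds the
    // trusted signing certificate. Stops at ClaimSet.System or a self-issuing set.
    public static bool IsIssuedByTrustedIp(ClaimSet claims)
    {
        ClaimSet issuer = claims.Issuer;
        while (issuer != null && issuer != ClaimSet.System)
        {
            foreach (Claim c in issuer.FindClaims(ClaimTypes.Thumbprint, null))
                if (SameBytes(c.Resource as byte[], TrustedIpThumbprint)) return true;

            if (issuer.Issuer == issuer) break; // self-issued: no further chain
            issuer = issuer.Issuer;
        }
        return false;
    }

    // Lookup of a required attribute: first PossessProperty value of that type, or null.
    public static string GetProperty(ClaimSet claims, string claimType)
    {
        foreach (Claim c in claims.FindClaims(claimType, Rights.PossessProperty))
            return Convert.ToString(c.Resource);
        return null;
    }

    // Length-independent-of-content comparison so a thumbprint mismatch
    // does not leak how many leading bytes matched.
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        ClaimSet good = BuildSampleClaimSet(TrustedIpThumbprint);
        ClaimSet bad = BuildSampleClaimSet(new byte[20]); // signed by an unknown cert

        Console.WriteLine("good set from trusted IP: {0}", IsIssuedByTrustedIp(good));
        Console.WriteLine("bad set from trusted IP:  {0}", IsIssuedByTrustedIp(bad));

        // Which claim identifies the subject? Filter on Right == Identity.
        foreach (Claim c in good.FindClaims(null, Rights.Identity))
            Console.WriteLine("identity claim: {0} = {1}", c.ClaimType, c.Resource);

        Console.WriteLine("email attribute: {0}", GetProperty(good, ClaimTypes.Email));
    }
}
```

The issuer check is the part most often skipped: FindClaims on the subject's set tells you what was asserted, but only the Issuer chain tells you who asserted it. For self-issued cards the issuer ClaimSet carries an RSA key claim rather than a certificate thumbprint, so an RP that accepts both kinds of cards needs a second branch for that case.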
Claims-based Security in Web Apps

- Scenario: the relying party IS a web site
  - Browser integration necessary
  - Requested claims embedded in HTML
  - Identity Selector lets the user select card / IP
- Approach: embed <object/> for the card request
  - IE 7.0; Firefox and Safari supported
Example based on CardSpace

[Sequence diagram. Parties: the user's PC (browser, CardSpace, cards store), the website (token policy), the identity provider (STS, identities store). Token format: SAML.]

1. The browser GETs the login page and reads the policies.
2. The policies are passed to CardSpace, which filters the card collection and shows the CardSpace UI.
3. The user picks a card.
4. CardSpace sends an RST (RequestSecurityToken) to the IP.
5. The IP authenticates the RST ...
6. ... and, if successful, builds and signs the requested token.
7. The IP sends the token back in an RSTR (RequestSecurityTokenResponse).
8. CardSpace gives the token to the app and exits.
9. The browser POSTs the token to the website.
10. The website authenticates the token.
Sample Web Login Page

  <!-- ... -->
  <button onclick="javascript:return infocardlogin.submit();">
    Sign in with your Information Card
  </button>

  <form name="infocardlogin" target="_self" method="post">
    <object type="application/x-informationcard" name="xmlToken">
      <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
      <param name="issuer" value="http://schemas..../identity/issuer/self">
      <param name="requiredClaims"
             value="http://.../claims/givenname,
                    http://.../claims/surname,
                    http://.../claims/emailaddress,
                    http://.../claims/privatepersonalidentifier">
    </object>
  </form>
  <!-- ... -->
Demo: Claims-based security in Web Applications
WCF Services and Claims

- WCF is metasystem-ready
  - Supports the necessary WS-* standards
  - Understands many tokens (SAML, Kerberos, ...)
- Client integration and CardSpace
  - System.IdentityModel
  - System.ServiceModel.Identity
  - Identity selector triggered based on WS-Policy
WCF Service Configuration

  <wsFederationHttpBinding>
    <binding name="TestFederationBinding" bypassProxyOnLocal="true">
      <security>
        <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                 negotiateServiceCredential="false">
          <claimTypeRequirements>
            <add claimType="claim-uri" isOptional="false" />
          </claimTypeRequirements>
          <issuer address="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>
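The claimTypeRequirements element in the binding above only advertises, through WS-Policy, which claims the issued token must carry, so that the identity selector can filter cards; it does not by itself decide whether a caller is allowed in. The access decision belongs in a ServiceAuthorizationManager. The following C# is an added example for this page, not from the deck or from Microsoft's samples; the claim URI stands in for the deck's placeholder "claim-uri", and the Main method feeds hand-built ClaimSets to the same decision routine the WCF hook uses.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Added example, not from the deck: enforce the advertised claim requirement
// inside the service. The claim URI is a placeholder for the deck's "claim-uri".
public class RequiredClaimAuthorizationManager : ServiceAuthorizationManager
{
    public const string RequiredClaimType = "http://example.test/claims/over21"; // placeholder

    // WCF calls this for every operation, after it has validated the issued
    // token's signature against the issuer credentials configured for the service.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        AuthorizationContext ctx = operationContext.ServiceSecurityContext.AuthorizationContext;
        return Decide(ctx.ClaimSets);
    }

    // Pure decision logic, separated from the WCF hook so it can be exercised
    // with hand-built ClaimSets (as in Main below) without a running host.
    public static bool Decide(IEnumerable<ClaimSet> claimSets)
    {
        foreach (ClaimSet cs in claimSets)
        {
            // Only claims asserted by an external issuer count; ClaimSet.System
            // is the issuer of claims the runtime asserts about itself.
            if (cs.Issuer == null || cs.Issuer == ClaimSet.System) continue;

            foreach (Claim c in cs.FindClaims(RequiredClaimType, Rights.PossessProperty))
            {
                // A present-but-false claim is a denial, not "the claim is there".
                if (string.Equals(Convert.ToString(c.Resource), "true",
                                  StringComparison.OrdinalIgnoreCase))
                    return true;
            }
        }
        return false; // fail closed: missing or non-"true" claim => access denied
    }

    public static void Main()
    {
        // Constructed issuer standing in for the IP's certificate claim set.
        ClaimSet ip = new DefaultClaimSet(new Claim(ClaimTypes.Name, "Sample IP", Rights.Identity));

        ClaimSet allowed = new DefaultClaimSet(ip,
            new Claim(RequiredClaimType, "true", Rights.PossessProperty));
        ClaimSet denied = new DefaultClaimSet(ip,
            new Claim(RequiredClaimType, "false", Rights.PossessProperty));
        ClaimSet missing = new DefaultClaimSet(ip,
            new Claim(ClaimTypes.Email, "someone@example.test", Rights.PossessProperty));

        Console.WriteLine("true claim:    {0}", Decide(new ClaimSet[] { allowed }));
        Console.WriteLine("false claim:   {0}", Decide(new ClaimSet[] { denied }));
        Console.WriteLine("claim missing: {0}", Decide(new ClaimSet[] { missing }));
    }
}
```

The manager is wired in through the service behavior (serviceAuthorization with serviceAuthorizationManagerType set to the type's assembly-qualified name; assembly name assumed). Which issuers are trusted at all is still a credentials question, configured under the service's issuedTokenAuthentication settings, and the manager runs only for tokens that passed that validation.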
Demo: Claims-based security in WCF Services
Federation and Trust-Chains

- The relying party does not manage identity
- The IP authenticates / proves identity
- The relying party determines truth based on:
  - the IP with the closest relationship to the subject
  - the IP's authentication of the subject
  - consensus of multiple IPs
- Federation bridges silos!
Federation Scenario - Example

[Diagram. Company A: Requestor, IP/STS, ID store. Company B: IP/STS, Target Service. WS-Policy and WS-Trust exchanges run between the requestor and each IP/STS; the two IP/STSs are linked to each other via WS-Trust.]
Claims-Transformation & Federation

[Diagram. Company A's IP/STS issues, from its ID store: Name, Date of Birth, Passport Nr., Passport Valid, ... (format: X.509 certificate). Company B's IP/STS transforms "Date of Birth" into "Age >= 21?" and issues a SAML token. The Target Service asks only for "Age >= 21". Labels: Trust Partner Claim -> Local Actionable Claim; Content -> Role -> Access Right.]
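The transformation in the diagram is where minimal disclosure is actually enforced: the partner's date of birth goes into Company B's STS and only a yes/no answer comes out. The following C# is an added example for this page (not from the deck or from ADFS) showing that step on ClaimSet objects; the output claim URI and the issuer claim sets are constructed placeholders, while the input uses the standard DateOfBirth claim type from System.IdentityModel.Claims.

```csharp
using System;
using System.Globalization;
using System.IdentityModel.Claims;

// Added example, not from the deck: the "Date of Birth" -> "Age >= 21?" step as
// Company B's STS would perform it on claims received from Company A's STS.
public static class AgeClaimTransformer
{
    public const string Over21ClaimType = "http://example.test/claims/over21"; // placeholder

    // Takes the trust partner's claim set and produces the local, actionable one.
    // Only the derived boolean is re-issued; name, birth date and passport data
    // received from the partner never leave this STS.
    public static ClaimSet Transform(ClaimSet partnerClaims, ClaimSet localIssuer, DateTime today)
    {
        DateTime? dob = null;
        foreach (Claim c in partnerClaims.FindClaims(ClaimTypes.DateOfBirth, Rights.PossessProperty))
        {
            if (c.Resource is DateTime) { dob = (DateTime)c.Resource; break; }
            DateTime parsed;
            if (c.Resource is string && DateTime.TryParseExact((string)c.Resource, "yyyy-MM-dd",
                    CultureInfo.InvariantCulture, DateTimeStyles.None, out parsed))
            { dob = parsed; break; }
        }
        if (dob == null)
            throw new InvalidOperationException("partner token carries no usable date-of-birth claim");

        bool over21 = IsAtLeast(dob.Value, 21, today);
        return new DefaultClaimSet(localIssuer,
            new Claim(Over21ClaimType, over21 ? "true" : "false", Rights.PossessProperty));
    }

    // Age test that respects whether the birthday has been reached this year
    // (AddYears also folds 29 February onto 28 February in non-leap years).
    public static bool IsAtLeast(DateTime dob, int years, DateTime today)
    {
        return today.Date >= dob.AddYears(years).Date;
    }

    public static void Main()
    {
        // Constructed stand-ins for the two STSs' own identities.
        ClaimSet companyA = new DefaultClaimSet(new Claim(ClaimTypes.Name, "Company A STS", Rights.Identity));
        ClaimSet companyB = new DefaultClaimSet(new Claim(ClaimTypes.Name, "Company B STS", Rights.Identity));

        // What Company A issued about the subject (constructed sample values).
        ClaimSet partner = new DefaultClaimSet(companyA,
            new Claim(ClaimTypes.Name, "alice", Rights.Identity),
            new Claim(ClaimTypes.DateOfBirth, "1990-03-15", Rights.PossessProperty),
            new Claim("http://example.test/claims/passportnr", "X1234567", Rights.PossessProperty));

        ClaimSet local = Transform(partner, companyB, new DateTime(2011, 3, 14)); // day before 21st birthday
        foreach (Claim c in local)
            Console.WriteLine("{0} = {1} (issued by {2})", c.ClaimType, c.Resource, local.Issuer[0].Resource);

        local = Transform(partner, companyB, new DateTime(2011, 3, 15)); // on the birthday
        foreach (Claim c in local)
            Console.WriteLine("{0} = {1}", c.ClaimType, c.Resource);
    }
}
```

Note that the output set's Issuer is Company B, not Company A: the target service trusts its own STS for the "over 21" claim, and the chain back to Company A is a relationship between the two STSs rather than something the target service has to evaluate itself.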
Summary

- Identity Metasystem
  - Solves many of today's issues (e.g. phishing)
  - Based on interoperable standards
  - Many supporting vendors (IBM, Novell, OSIS Community, Pamela, Eclipse project etc.)
- Windows CardSpace
  - Client integration into the metasystem
  - Identity selector and self-issuing STS
- WCF is metasystem-ready by design
  - Full support: ADFS vNext incl. .NET Fx Extensions
Microsoft Open Specification Promise (OSP)

- Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
- Includes all the protocols underlying CardSpace
- Issued September 2006
  http://www.microsoft.com/interop/osp
Resources and Links

- Community site, samples, news: http://cardspace.nefx3.com
- MSDN Forum: http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
- MSDN Home Page: http://msdn.microsoft.com/identity
- Blogs:
  http://identityblog.com
  http://blogs.msdn.com/card
  http://self-issued.info/
  http://identity-des.com/
  http://blogs.msdn.com/vbertocci
  www.leastprivilege.com
Open Source Identity Selectors (some)

- Firefox – Bandit DigitalMe Project (Windows, Linux, Apple, Fedora): http://www.bandit-project.org/index.php/DigitalMe
- Firefox – Windows only (Kevin Miller): http://www.codeplex.com/IdentitySelector
- Apple Identity Selectors: http://www.hccp.org/safari-plug-in.html
- Java Identity Selectors – xmldap: http://xmldap.org/
Open Source Relying Parties (some)

- Ruby RP projects: http://rubyforge.org/projects/informationcard/ , http://www.codeplex.com/informationcardruby
- Java RP projects: http://www.eclipse.org/org/press-release/20080221_higgins.php , http://sourceforge.net/projects/informationcard/ , http://www.codeplex.com/informationcardjava
- C and PHP projects: https://infocard-demo.labs.pingidentity.com/
- Python and PHP projects: http://code.bandit-project.org/trac/wiki/PythonInfoCard , http://code.google.com/p/py-self-issued-rp/ , http://www.codeplex.com/InformationCardPHP
Open Source Identity Providers (some)

- Verisign PIP: https://pip.verisignlabs.com/
- Bandit IP Framework: https://cards.bandit-project.org/BanditIdP/index.jsp
- Higgins Frameworks: http://www.eclipse.org/higgins/
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.