Tech Ed North America 2010  SESSION CODE: SIA201

Presentation transcript:

Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
David Chappell, Principal, Chappell & Associates
Claims-Based Identity: An Introduction to AD FS 2.0, Windows Identity Foundation, and CardSpace 2.0
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Introducing Claims-Based Identity
- Using Claims-Based Identity: Scenarios
- Microsoft Technologies for Claims-Based Identity: A Closer Look

Introducing Claims-Based Identity

Claims-Based Identity: The core Microsoft technologies
- Active Directory Federation Services (AD FS) 2.0: the newest version of AD FS
- Windows Identity Foundation (WIF) 1.0: pronounced “Dub-I-F”
- CardSpace 2.0: the newest version of CardSpace

What is Identity?
- An identity is a set of information about some entity, such as a user
- Most applications work with identity
- Identity information drives important aspects of an application’s behavior, such as:
  - Determining what a user is allowed to do
  - Controlling how the application interacts with the user

Defining the Problem: Working with identity is too hard
- Applications must use different identity technologies in different situations:
  - Active Directory (Kerberos) inside a Windows domain
  - Username/password on the Internet
  - WS-Federation and the Security Assertion Markup Language (SAML) between organizations
- Why not define one approach that applications can use in all of these cases?
  - Claims-based identity allows this
  - It can make life simpler for developers

Tokens and Claims: Representing identity on the wire
- A token is a set of bytes that expresses information about an identity
- This information consists of one or more claims
- Each claim contains some information about the entity to which this token applies
[Figure: a token containing Claim 1, Claim 2, Claim 3 ... Claim n (example claims: Name, Group, Age) plus a signature, which indicates who created this token and guards against changes]

Identity Providers and STSs
- An identity provider (or issuer) is an authority that makes claims about an entity
- Example identity providers today:
  - On your company’s network: your employer
  - On the Internet: Windows Live ID
- An identity provider can implement a security token service (STS)
  - It’s software that issues tokens
  - Requests for tokens are made via WS-Trust
  - Many token formats can be used; the SAML format is popular

Getting a Token: Illustrating an identity provider and an STS
[Figure: the user’s browser or client, a Security Token Service (STS), and the STS’s account/attribute store]
1) The browser or client authenticates the user to the STS and requests a token
2) The STS gets information about the user from its account/attribute store
3) The STS creates the token and returns it to the browser or client

Acquiring and Using a Token
[Figure: user, browser or client, identity provider (with its STS), and application (with an identity library and a list of trusted STSs)]
1) The browser or client authenticates the user to the identity provider’s STS and gets a token
2) The browser or client submits the token to the application
3) The application’s identity library verifies the token’s signature and checks whether this STS is on the list of trusted STSs
4) The application uses the claims in the token

Why Claims Are an Improvement
- In today’s world, an application typically gets only simple identity information, such as a user’s name
- To get more, the application must query:
  - A remote database, e.g., a directory service
  - A local database
- With claims-based identity, each application can ask for exactly the claims that it needs
  - The STS puts these in the token it creates

How Applications Can Use Claims: Some examples
- A claim can identify a user
- A claim can convey group or role membership
- A claim can convey personalization information, such as the user’s display name
- A claim can grant or deny the right to do something, such as access particular information or invoke specific methods
- A claim can constrain the right to do something, such as indicating the user’s purchasing limit

Supporting Multiple Identities: Using an identity selector (an option)
[Figure: user, browser or client with an identity selector, several identity providers (each with an STS), and application (with an identity library)]
1) Access the application and learn its token requirements
2) (Optionally) select an identity that matches those requirements, using the identity selector
3) Authenticate the user to the selected identity provider’s STS and get a token for the selected identity
4) Submit the token to the application
5) The application uses the claims in the token

Claims-Based Identity for Windows
[Figure: the same flow with Microsoft’s technologies in place: AD FS 2.0 as the identity providers’ STS, CardSpace 2.0 as the identity selector, and Windows Identity Foundation as the application’s identity library]
1) Access the application and learn its token requirements
2) (Optionally) select an identity that matches those requirements, using CardSpace 2.0
3) Authenticate the user to AD FS 2.0 and get a token for the selected identity
4) Submit the token to the application
5) The application (via Windows Identity Foundation) uses the claims in the token

Using Claims-Based Identity: Scenarios

An Enterprise Scenario
[Figure: user, browser or client with CardSpace 2.0, Active Directory Domain Services, AD FS 2.0 (the STS), and application with WIF]
1) Log in to the domain and get a Kerberos ticket
2) Access the application and learn its token requirements
3) (Optionally) select an identity that matches those requirements
4) Present the Kerberos ticket to AD FS 2.0 and request a token for the selected identity
5) AD FS 2.0 finds the claims required by the application (from Active Directory Domain Services) and creates the token
6) Receive the token
7) Submit the token to the application
8) The application (via WIF) uses the claims in the token

Allowing Internet Access
[Figure: as in the enterprise scenario, but the browser or client reaches AD FS 2.0 and the application over the Internet]
1) Access the application and learn its token requirements
2) (Optionally) select an identity that matches those requirements
3) Authenticate the user to AD FS 2.0 and get a token for the selected identity
4) Submit the token to the application
5) The application (via WIF) uses the claims in the token

Using an External Identity Provider
[Figure: identity providers on the Internet, such as Windows Live ID or another provider, each with its own STS; browser or client with CardSpace 2.0; application with WIF]
1) Access the application and learn its token requirements
2) (Optionally) select an identity that matches those requirements
3) Authenticate the user to the external identity provider’s STS and get a token for the selected identity
4) Submit the token to the application
5) The application (via WIF) uses the claims in the token

Identity Across Organizations: Describing the problem
- A user in one Windows forest must access an application in another Windows forest
- A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

Identity Across Organizations: Possible solutions
- One option: duplicate accounts
  - Requires separate login, extra administration
- A better approach: identity federation
  - One organization accepts identities provided by the other
  - No duplicate accounts
  - Single sign-on for users

Identity Federation (1)
[Figure: Organization X (user, browser or client with CardSpace 2.0, Active Directory Domain Services, and an AD FS 2.0 STS) and Organization Y (the application, running WIF, and its own STS); the application’s trusted STSs are Organization Y’s and Organization X’s]
1) Access the application and learn its token requirements
2) (Optionally) select an identity that matches those requirements
3) Get a token for the selected identity from Organization X’s STS
4) Submit the token to the application in Organization Y
5) The application uses the claims in the token

Identity Federation (2)
[Figure: Organization X (user, browser or client with CardSpace 2.0, Active Directory Domain Services, and an AD FS 2.0 STS) and Organization Y (an AD FS 2.0 STS whose trusted STSs include Organization X’s, and the application with WIF, whose only trusted STS is Organization Y’s)]
1) Access the application and learn its token requirements
2) Access Organization Y’s STS and learn its token requirements
3) (Optionally) select an identity that matches those requirements
4) Get a token for Organization Y’s STS from Organization X’s STS (“Token for STS Y”)
5) Present that token to Organization Y’s STS and request a token for the application
6) Organization Y’s STS issues a token for the application
7) Submit the token to the application
8) The application uses the claims in the token
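The token handling on the slides above (Tokens and Claims, Acquiring and Using a Token, and Identity Federation (2)), as an added Python example that is not part of the original deck: a minimal STS issues signed tokens, an application-side verify_token does what the identity library does (trusted-STS list, signature, audience, expiry), and STS Y accepts a token from STS X to issue the application’s own token. HMAC-SHA256 over a JSON payload stands in for the signed SAML token AD FS 2.0 would issue; all STS names, keys and the user are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

class TokenRejected(Exception):
    """Token failed the signature, trusted-STS, audience or expiry check."""

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(key, body):
    # HMAC-SHA256 stands in for the XML signature a real SAML token carries
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

class STS:
    """Security token service: authenticates callers and issues signed tokens."""

    def __init__(self, name, key, trusted=None):
        self.name = name              # issuer identifier placed in every token
        self.key = key                # stands in for the STS signing certificate
        self.trusted = trusted or {}  # partner STS name -> verification key

    def issue(self, subject, claims, audience, now):
        payload = json.dumps({"iss": self.name, "sub": subject, "aud": audience,
                              "exp": now + 600, "claims": claims}, sort_keys=True)
        body = _b64(payload.encode())
        return body + "." + _sign(self.key, body)

    def issue_from_token(self, incoming, audience, now):
        """Identity Federation (2): accept a token from a trusted partner STS
        and issue one for the application, mapping the partner's claims."""
        partner = verify_token(incoming, self.trusted, audience=self.name, now=now)
        claims = {"name": partner["claims"]["name"],
                  "role": "partner" if "employees" in partner["claims"].get("groups", []) else "guest",
                  "home_realm": partner["iss"]}
        return self.issue(partner["sub"], claims, audience, now)

def verify_token(token, trusted_stss, audience, now):
    """The identity library's job: is the issuer a trusted STS, does its
    signature verify, and is the token for this audience and still valid?"""
    body, sep, sig = token.partition(".")
    if not sep:
        raise TokenRejected("malformed token")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    key = trusted_stss.get(payload.get("iss"))
    if key is None:
        raise TokenRejected("issuer %r is not in the trusted STS list" % payload.get("iss"))
    if not hmac.compare_digest(_sign(key, body), sig):
        raise TokenRejected("signature does not verify")
    if payload["aud"] != audience:
        raise TokenRejected("token was issued for a different audience")
    if payload["exp"] <= now:
        raise TokenRejected("token has expired")
    return payload

def federation_scenario(now=1_000_000):
    """An Organization X user reaches an Organization Y application through STS Y.
    All names and keys are constructed for this example."""
    sts_x = STS("sts.org-x.example", b"org-x-signing-key")
    sts_y = STS("sts.org-y.example", b"org-y-signing-key",
                trusted={sts_x.name: sts_x.key})        # STS Y trusts STS X
    app = "https://app.org-y.example/"
    app_trusted = {sts_y.name: sts_y.key}               # the application trusts only STS Y
    # 4) STS X issues a token addressed to STS Y for the selected identity
    token_for_sts_y = sts_x.issue("alice@org-x", {"name": "Alice",
                                  "groups": ["employees"]}, sts_y.name, now)
    # 5-6) STS Y checks it against its own trust list and issues the application token
    app_token = sts_y.issue_from_token(token_for_sts_y, app, now)
    # 7-8) the application's identity library verifies it, then the app uses the claims
    claims = verify_token(app_token, app_trusted, app, now)["claims"]
    # Presenting the X-issued token straight to the application must be refused
    try:
        verify_token(token_for_sts_y, app_trusted, app, now)
        shortcut_accepted = True
    except TokenRejected:
        shortcut_accepted = False
    return {"claims": claims, "shortcut_accepted": shortcut_accepted}
```

The application never needs Organization X’s key: it trusts STS Y alone, and STS Y is where the cross-organization trust decision is made.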

Delegation
[Figure: user, browser or client, Active Directory Domain Services, AD FS 2.0 STS, Application X (WIF) and Application Y (WIF)]
1) The user gets a token for application X from the STS
2) The browser or client submits that token to application X
3) Application X accesses application Y and learns its token requirements
4) Application X presents the user’s token for X to the STS and requests a token for application Y
5) The STS checks policy for the user, application X, and application Y
6) If policy allows, the STS issues a token for application Y
7) Application X submits that token to application Y
8) Application Y uses the claims in the token

Microsoft Technologies for Claims-Based Identity: A Closer Look

Changes in AD FS 2.0: From the previous release
- AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation
  - And it doesn’t provide an STS
- AD FS 2.0:
  - Supports both active and passive clients
  - Provides an STS
  - Supports both WS-Federation and the SAML 2.0 protocol
  - Improves management of trust relationships, by automating some exchanges

Windows Identity Foundation: A summary
- The goal: make it easier for developers to create claims-aware applications
- WIF provides:
  - Support for verifying a token’s signature and extracting its claims
  - Classes for working with claims
  - Visual Studio project types
  - An STS for development and testing
  - Support for creating a custom STS
  - More

CardSpace 2.0: Selecting identities
- CardSpace provides a standard user interface for choosing an identity, using the metaphor of cards
- Choosing a card selects an identity (i.e., a token)

Information Cards
- Behind each card a user sees is an information card
  - It’s an XML file that represents a relationship with an identity provider
  - It contains what’s needed to request a token for a particular identity
- Information cards don’t contain:
  - Claims for the identity
  - Whatever is required to authenticate to the identity provider’s STS

Information Cards: An illustration
[Figure: the user’s browser or client, with CardSpace 2.0 holding Information Cards 1 through 4; each card represents a relationship with an identity provider and its STS]

Creating Industry Agreement
- The Information Card Foundation is a multi-vendor group dedicated to making this technology successful
  - Its board members include Google, Microsoft, Novell, Oracle, and PayPal
- A Web site can display a standard icon to indicate that it accepts card-based logins:
[Figure: the information card icon]

Changes in CardSpace 2.0: From the first CardSpace release
- CardSpace 2.0 is available separately from the .NET Framework
  - It’s smaller and faster
- CardSpace 2.0 contains optimizations for applications that users visit repeatedly
  - A Web site can display the card you last used to log in to the site
  - The CardSpace screen needn’t appear
- The self-issued identity provider has been dropped

Shipping Status Today
- WIF: released November 2009
- AD FS 2.0: released May 2010
- CardSpace 2.0: currently in beta, release postponed
- It’s a fast-moving technology area

Conclusions
- Changing how applications (and people) work with identity is not a small thing
  - Widespread adoption of claims-based identity will take time
- Yet all of the pieces required to make claims-based identity real on Windows are here:
  - AD FS 2.0
  - Windows Identity Foundation
  - CardSpace 2.0 (on the way)

References
- Claims-Based Identity for Windows: An Introduction to Active Directory Federation Services 2.0, Windows CardSpace 2.0, and Windows Identity Foundation, David Chappell, http://www.davidchappell.com/writing/white_papers/Claims-Based_Identity_for_Windows_v2.pdf

About the Speaker David Chappell is Principal of Chappell & Associates (www.davidchappell.com) in San Francisco, California. Through his speaking, writing, and consulting, he helps people around the world understand, use, and make better decisions about new technology. David has been the keynote speaker for events and conferences on five continents, and his seminars have been attended by tens of thousands of IT decision makers, architects, and developers in more than forty countries. His books have been published in a dozen languages and used regularly in courses at MIT, ETH Zurich, and other universities. In his consulting practice, he has helped clients such as Hewlett-Packard, IBM, Microsoft, Stanford University, and Target Corporation adopt new technologies, market new products, train their sales staffs, and create business plans. Earlier in his career, David wrote networking software, chaired a U.S. national standards working group, and played keyboards with the Peabody-award-winning Children’s Radio Theater. He holds a B.S. in Economics and an M.S. in Computer Science, both from the University of Wisconsin-Madison.

Related Content
- SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
- SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
- SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
- SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
- SIA304 | Identity and Access Management: Windows Identity Foundation Overview
- SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
- SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
- SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
- SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
- SIA319 | Microsoft Forefront Identity Manager 2010: In Production
- SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
- SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
- SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
- SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
- SIA06-INT | Identity and Access Management Solution Demos
- SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
- SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
- Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

Track Resources
- Learn more about our solutions: http://www.microsoft.com/forefront
- Try our products: http://www.microsoft.com/forefront/trial

Resources
- Learning: Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.
