An Identity on the Internet

Presentation transcript:

An Identity on the Internet Steve Plank Identity Architect Microsoft UK

Topics:
- phishing, phraud
- identity layer
- Identity metasystem: 7 laws, human integration, consistent experience across contexts
- Identity metasystem: IP, RP, user, identity selector

Phishing (slide diagram): a web server at www.identitytheft.com serves the page www.mybank.com.net.iwill.take.over.your.life.com/dodgy.php; the victim, gullible@hotmail.com, types credentials (shown masked as ****************) into it, and they land in the bad person's database, "under the control of somebody else".

Cookie-based login across sites (slide diagram): www.newcorp.com and www.megacorp.com each run IIS with their own Custom Solution and Credentials database, issuing a login cookie with FormsAuthentication.SetLoginCookie(). The cross-domain cookie error shown between them:
  Application Error: Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.

The Internet's layers (slide diagram): IP provides connectivity, DNS provides naming, but the Identity layer has no consistency.

The 7 laws of identity:
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Human integration; consistent experience across contexts (slide shows "Planky's Card" in a Card Collection).

Subject, Identity Selector and Identity Provider (slide diagram):
- Identity Provider, holding the subject table:
    First name | Last name | Email | .......
    Steve      | Plank     | planky@a.com | ......
    Bob        | Smith     | Bsmith@a.com | ......
- Identity Selector: locally installed software, not under somebody else's control.
- 1:1 relationship between cards and identity providers.

Anatomy of a card (slide diagram): the claim values on the card are intentionally left blank; they stay in the Identity Provider's table:
    First name | Last name | Email | .......
    Steve      | Plank     | planky@a.com | ......
    Bob        | Smith     | Bsmith@a.com | ......
The card carries the Identity Provider's digital signature and metadata: the URI of the Identity Provider and the claims you can get from the IP (givenname, lastname, email, user-id, etc.).

Identity Provider: a cryptographic binding between the card and the IP (the IP's digital signature).

Pluralism of operators and technologies: there will be many Identity Providers, each running its own technology stack (slide shows the alternatives joined by OR). Human integration. Consistent experience across contexts.

The Identity Metasystem (slide diagram): Subject, Identity Provider and Relying Party, each reachable as a Web Site (HTML) or a Web Service (WS-*), talk through the metasystem over WS-*. A Relying Party web service states the claims it needs in its WS-* policy as an issued-token assertion:

  <sp:IssuedToken ...>
    ...
    <sp:RequestSecurityTokenTemplate>
      <wst:Claims wst:Dialect="http://schemas.microsoft.com/ws/2005/05/identity">
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/givenname"/>
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/surname"/>
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/email"/>
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/privatepersonalidentifier"/>
      </wst:Claims>
    </sp:RequestSecurityTokenTemplate>
  </sp:IssuedToken>

A Relying Party web site (Microsoft Identity Metasystem) states the same policy in HTML:

  <object type="application/x-informationcard" name="_xmlToken">
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
  </object>
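The relying party's side of that HTML policy, as an added example that is not part of the deck or of any CardSpace component: it reads the required and optional claim URIs out of the <object> tag and refuses a returned token whose type is wrong, whose required claims are missing, or which discloses claims the site never asked for (law 2, minimal disclosure for a defined use). The sample <object> tag, the optionalClaims value and the claim sets are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample of a relying party's information card policy, in the
# <object> form shown on the slide (optionalClaims added for the example).
RP_OBJECT_TAG = f"""<object type="application/x-informationcard" name="_xmlToken">
  <param name="tokenType" value="{SAML10}" />
  <param name="requiredClaims" value="{NS}givenname {NS}surname
    {NS}emailaddress {NS}privatepersonalidentifier" />
  <param name="optionalClaims" value="{NS}dateofbirth" />
</object>"""


def parse_policy(object_tag: str) -> dict:
    """Read the RP's information-card policy out of the <object> tag."""
    root = ET.fromstring(object_tag)
    if root.get("type") != "application/x-informationcard":
        raise ValueError("not an information card object tag")
    params = {p.get("name"): p.get("value", "") for p in root.findall("param")}
    return {
        "tokenType": params.get("tokenType", SAML10),
        "required": set(params.get("requiredClaims", "").split()),
        "optional": set(params.get("optionalClaims", "").split()),
    }


def check_token(policy: dict, token_type: str, claims: dict) -> tuple:
    """Relying-party check of a returned token's claim set against the policy.
    Returns (accepted, reasons): refused when the token type is not the one
    asked for, when a required claim is absent, or when the token carries
    claims the RP never requested (minimal disclosure for a defined use)."""
    reasons = []
    if token_type != policy["tokenType"]:
        reasons.append(f"unexpected token type: {token_type}")
    for uri in sorted(policy["required"] - set(claims)):
        reasons.append(f"missing required claim: {uri}")
    for uri in sorted(set(claims) - policy["required"] - policy["optional"]):
        reasons.append(f"unrequested claim: {uri}")
    return (not reasons, reasons)
```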

The Identity Selector's built-in Identity Provider (slide diagram): Subject, Relying Party and Identity Metasystem, with the Identity Selector's built-in Identity Provider issuing Personal Cards (fixed schema). The card store has 2 degrees of protection: a System Key and a Password Key.

Personal cards: what claims I make about myself; fixed schema (protect the users from themselves!).
Managed cards: what claims another party makes about me; flexible schema.

Elvis Presley: only 1 of them is real, probably.

SECURITY TOKEN: a SAML Token, an XrML License, an X.509 Certificate, a Kerberos ticket, ...others. Example claims carried in a token: Steve Plank, Over 18, Over 21, Under 65, image.

Security token service: give it something (a DIFFERENT SECURITY TOKEN: Username/Password, Biometric, Signature, Certificate) and it issues a SECURITY TOKEN carrying the claims (Steve Plank, Over 18, Over 21, Under 65, image).

Login flow between subject, identity provider and relying party (slide diagram):
1. click login button
2. get policy (relying party policy: URI of IP, required claims, optional claims, token type)
3. authenticate (identity provider policy: authn reqs, token types, ...); the selector prompts: "identity.provider.com requires username and password to validate this request. Enter the information below"
4. RST
5. RSTR

Login flow, continued (slide diagram): the selector shows the subject the claims that will be sent and asks for consent:
  *givenname: Steve
  *surname: Plank
  *emailaddress: planky@plankytronixx.com
  *privatepersonalidentifier: planky123
  Do you want to send this card to: ip.sisa.com
Labels on the diagram between identity provider and relying party: token authentication, real token, display token, token decryption.
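The privatepersonalidentifier claim in the flow above is what lets a card satisfy the directional identity law: the same card should yield a different identifier at each relying party, so two sites cannot correlate the subject by it. The Python below is an added illustration of that property and is not the deck's or CardSpace's actual derivation; the card secret, the relying-party identity strings and the HMAC construction are assumptions (in practice the relying-party identity would come from the site's certificate).

```python
import base64
import hashlib
import hmac

# Constructed sample: a secret held with the card, never released to any site.
CARD_SECRET = b"constructed-card-secret-do-not-reuse"


def private_personal_identifier(card_secret: bytes, rp_identity: str) -> str:
    """Derive a pairwise, per-relying-party identifier (a PPID-style claim).
    A keyed hash over the relying party's identity is stable for one site,
    differs across sites, and cannot be reversed or linked without the secret."""
    mac = hmac.new(card_secret, rp_identity.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def is_directional(card_secret: bytes, rp_a: str, rp_b: str) -> bool:
    """True when the same site always sees the same id and a different site sees another."""
    a1 = private_personal_identifier(card_secret, rp_a)
    a2 = private_personal_identifier(card_secret, rp_a)
    b = private_personal_identifier(card_secret, rp_b)
    return a1 == a2 and a1 != b


def correlated_subjects(records_a: dict, records_b: dict) -> set:
    """Attempt the join two colluding relying parties could try on the identifier
    (each dict maps the identifier a site received to its own account name).
    With per-site identifiers the intersection is empty."""
    return set(records_a) & set(records_b)
```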

Topics:
- phishing, phraud
- identity layer
- Identity metasystem: 7 laws, human integration, consistent experience across contexts
- Identity metasystem: IP, RP, user, identity selector