Jan Alexander, Program Manager, Microsoft Corporation. Session BB43.

Presentation transcript:


Identity platform overview (software and services):
- Software: "Geneva" Framework, Windows CardSpace "Geneva", Active Directory "Geneva" Server, Microsoft Services Connector
- Services: Live Framework, Live Identity Services, Microsoft Federation Gateway, .NET Access Control Service
- Themes: Claims-Based Access, Standards Based, Enhances Developer Productivity, Flexibility via Choice

Three roles in claims-based access:
- Claims Requestor: Client (Web Browser, WCF Smart Client, SSP-based application)
- Claims Producer: Security Token Service (Geneva Server, Custom STS)
- Claims Consumer: Relying Party (ASP.NET, WCF service, SSP-based service)
Flow:
1. Trust established (between the Relying Party and the STS)
2. Client authenticates to the STS and gets claims in a token
3. Client sends the issued token with claims to authenticate with the service

Object model: an IClaimsPrincipal contains one or more IClaimsIdentity objects, and each identity carries a collection of Claim objects. Sample claim (filled in):
- ClaimType = "Name"
- Value = "Bob"
- Issuer = "WLID"
- Subject = the IClaimsIdentity the claim belongs to

End-to-end example: Bob (Identity: Contoso\Bob) is going to the Relying Party (ASP.NET + Geneva FX).
- The STS (Geneva Server) applies its Claims Transformation Policy for this Relying Party, Name = Contoso\Bob -> ShoeSize = 41, and issues SAML(Shoe Size = 41).
- Bob's browser sends HTTP GET /secret.aspx together with the SAML(Shoe Size = 41) token.
- The Relying Party's Authorization Policy is secret.aspx -> Shoe Size = 41, so the secret content is returned.

Without Geneva (IIS + ASP.NET only). Goal: default.aspx is open to Everyone, secret.aspx only to Shoe Size 41.
- Infrastructure: the Client authenticates with Kerberos; the Windows Authentication Module establishes the Windows identity.
- URL Authorization Module, Authorization Policy: default.aspx -> *, secret.aspx -> janalex. The shoe-size rule can only be approximated by naming the user.
- Application Code sees a Windows principal.

With the Geneva Framework inserted between Infrastructure and Application Code:
- Infrastructure: the Client authenticates with Kerberos; Windows Authentication Module.
- Geneva Framework: the Claims Authentication Module turns the Windows identity into claims; the Claims Authorization Module calls the Claims Authorization Manager, whose Authorization Policy is default.aspx -> Everyone, secret.aspx -> Claim Type = "Name", Claim Value = "janalex".
- The URL Authorization Module (Authorization Policy: default.aspx -> *, secret.aspx -> janalex) is still in the pipeline.
- Application Code.

Geneva FX pipeline inside the Hosting Layer (WCF or ASP.NET):
- Geneva FX integration layer receives the XML/Binary Security Token from the request.
- Token Handling: Issuer Name Registry (maps the issuer's token to the issuer's name), Token Serialization, Token Validation, Claims Extraction; output is a Claims Identity.
- Claims Authentication Manager: Claims Principal in, Claims Principal out.
- Security Session Management: Session Token, so the issued token is not re-processed on every request.
- Claims Authorization Manager: Claims Principal plus Request in, True/False out.
- Application Code receives the Claims Principal.
- Token Resolver: resolves a Token Reference to a Security Token.

Adding claims transformation at the Relying Party:
- Infrastructure: Client, Kerberos, Windows Authentication Module.
- Geneva Framework: Claims Authentication Module, then the Claims Authentication Manager applying the Claims Transformation Policy Name = REDMOND\janalex -> ShoeSize = 41.
- Claims Authorization Module and Claims Authorization Manager, with the Authorization Policy now written in terms of the derived claim: default.aspx -> Everyone, secret.aspx -> ShoeSize = 41 (instead of secret.aspx -> Name = REDMOND\janalex).
- Application Code.
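The two policies on this slide, written as the Geneva FX extensibility points they map to. This is an added example, not code from the deck; it assumes the WIF 1.0 shape of Microsoft.IdentityModel.Claims (ClaimsAuthenticationManager.Authenticate and ClaimsAuthorizationManager.CheckAccess), and the "ShoeSize" claim type URI is constructed for the example.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

public static class CustomClaimTypes
{
    // Hypothetical claim type for the "Shoe Size" claim on the slides.
    public const string ShoeSize = "http://schemas.contoso.com/claims/shoesize";
}

// Claims Transformation Policy: Name = REDMOND\janalex -> ShoeSize = 41.
// Runs after the authentication module built the principal (Windows or SAML)
// and before any authorization decision or application code sees it.
public class ShoeSizeAuthenticationManager : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        foreach (IClaimsIdentity identity in incomingPrincipal.Identities)
        {
            bool isJanalex = identity.Claims.Any(c =>
                c.ClaimType == ClaimTypes.Name &&
                string.Equals(c.Value, @"REDMOND\janalex", StringComparison.OrdinalIgnoreCase));
            if (isJanalex)
                identity.Claims.Add(new Claim(CustomClaimTypes.ShoeSize, "41"));
        }
        return incomingPrincipal;
    }
}

// Authorization Policy: default.aspx -> Everyone, secret.aspx -> ShoeSize = 41.
// Called by the Claims Authorization Module once per request; the Resource
// claim carries the requested URL and the Action claim carries the HTTP verb.
public class ShoeSizeAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        string path = new Uri(context.Resource.First().Value).AbsolutePath;
        if (path.EndsWith("/default.aspx", StringComparison.OrdinalIgnoreCase))
            return true;
        if (path.EndsWith("/secret.aspx", StringComparison.OrdinalIgnoreCase))
            return context.Principal.Identities.Any(id =>
                id.Claims.Any(c => c.ClaimType == CustomClaimTypes.ShoeSize && c.Value == "41"));
        // Anything the policy does not list is denied (deny by default).
        return false;
    }
}
```

Both classes are plugged in through configuration rather than code; in WIF 1.0 that is the claimsAuthenticationManager and claimsAuthorizationManager elements under microsoft.identityModel/service (assumed here, not shown on the slides).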

Geneva Server architecture:
- Callers: Client, CardSpace, Relying Party, Home Realm Discovery Service, MMC: Policy UX, MMC: Service UX.
- Geneva Server Runtime: Protocol Hosting (WS-Trust, Metadata, WS-Federation) exposing {WS-Fed Passive}, {WS-Trust, WS-MEX} and {WS-Fed Metadata}; Issuance Engine; Information Card Issuance Service {Information Card Issuance}; Policy Management Service {Policy Management}; WMI Provider {WMI}; Config File {FileIO}.
- Everything is built on the Geneva FX API.
- Stores: Identity Store Interface -> AD/ADAM (User Attribute and AuthN Store) over {LDAP} via the LDAP Store; Policy Store Interface -> SQL Policy Store over {SQL} via the SQL Store.

Federated authentication at the Relying Party (IIS + ASP.NET + Geneva Framework):
- Trust is established by registering the Geneva Server STS in the Relying Party's Issuer Name Registry.
- Two authentication paths feed the Claims Authentication Module: Kerberos via the Windows Authentication Module, and a SAML Token via the Federated Authentication Module.
- Claims Authentication Policy: Issuer = STS -> Can say Shoe Size (only that trusted issuer may assert the Shoe Size claim).
- Claims Authentication Manager, Claims Transformation Policy: Name = REDMOND\janalex -> ShoeSize = 41.
- Claims Authorization Manager and Claims Authorization Module, Authorization Policy: default.aspx -> Everyone, secret.aspx -> Shoe Size = 41.

Federation across organizations: a Windows Live ID user reaches a Relying Party in Fabrikam through a chain of trust. The Fabrikam STS trusts the WLID STS (Trust Established), so both Windows Live ID users and Fabrikam users can obtain tokens for the Fabrikam relying party.

Object model with delegation: the IClaimsPrincipal holds an IClaimsIdentity for the caller, and that identity's Delegate property points to the IClaimsIdentity of the party acting on the caller's behalf, forming a chain.
- Caller identity, sample claim: ClaimType = "Name", Value = "Bob", Issuer = "WLID", Subject
- Delegate identity, sample claim: ClaimType = "Name", Value = "Server1", Issuer = "MS STS", Subject, with a Delegate of its own

ActAs delegation flow: Bob -> WFE (ASP.NET) -> Backend (WCF), with the STS (Geneva Server) issuing both tokens.
1. Bob authenticates to the STS, which issues a token { Bob }; Bob presents it to the WFE over HTTP/HTML.
2. The WFE asks the STS to Issue Token { WFE, ActAs(Bob) }: it authenticates as itself and supplies Bob's token as the ActAs element.
3. The STS issues a token { Bob delegate WFE }, which the WFE sends to the Backend over SOAP; the backend sees Bob as the subject and WFE as the delegate.

Application code, imperative check (needs System.Linq and Microsoft.IdentityModel.Claims; the verbatim string keeps the backslash literal):

    // Returns true when any identity in the principal carries the Name claim for REDMOND\janalex.
    static bool IsJanalex(IClaimsPrincipal subject)
    {
        foreach (IClaimsIdentity identity in subject.Identities)
        {
            if ((from c in identity.Claims
                 where c.ClaimType == ClaimTypes.Name && c.Value == @"REDMOND\janalex"
                 select c).Count() > 0)
            {
                return true;
            }
        }
        return false;
    }

Declarative alternative: annotate the method and let the Claims Authorization Manager decide.

    [AccessCheck(Resource = "page1.aspx", Operation = "GET")]

Roadmap: Beta 1, October 2008; Beta 2, 1st half 2009; RTM, 2nd half 2009.

Please fill out your evaluation for this session at: This session will be available as a recording at:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.