Mario Szpuszta Solutions Architect Microsoft Austria, Vienna.
Presentation transcript:

Mario Szpuszta Solutions Architect Microsoft Austria, Vienna

Agenda:
- Digital identity crisis
- Real world as metaphor
- The Identity Metasystem as model
- Agreement on a model
- Common, consistent user experience
- Claims-based security
- Federation & claims-transformation
- Summary


Windows CardSpace

(Diagram labels: issues, queries, trusts.)


The goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them!

- User control and consent
- Minimal disclosure for a defined use
- Justifiable parties
- Directional identity
- Pluralism of operators and technologies
- Human integration
- Consistent experience across contexts

(Diagram of the metasystem building blocks.)
- WS-Policy, WS-MetadataExchange
- Information cards; OpenID, LID, Yadis, ...
- WS-Trust; SAML, Kerberos, X.509, etc.
- WS-Security, WS-SecureConversation
- Annotations: "AuthN happens here", "AuthZ happens here"

Digital identity selector ("digital wallet"):
- You carry "digital cards" with you
- Each card belongs to one identity provider
(Diagram: IP One, IP Two, IP Three.)

CardSpace is an identity selector:
- Part of .NET Framework 3.0
- Uses WCF for its WS-* standards
- User's digital identities = information cards
CardSpace is an STS:
- Self-issued cards
- Creates SAML v1.0 tokens
- Requires no 3rd-party identity provider
- User is in control of which IP is used and which claims are exposed


Claims:
- Statements about a subject
- Identify the subject... or only describe attributes... or both
Digital identity:
- Set of claims
- Asserted by an authority / the subject
- RP requests claims via policy: web app: tag; service: WS-Policy, WS-MEX

Claim:
- ClaimType is the claim URI as a string
- Right can be one of two things: Identity or PossessProperty
- Resource is the value of the claim

```csharp
namespace System.IdentityModel.Claims
{
    public class Claim
    {
        public Claim(string claimType, object resource, string right);
        public string ClaimType { get; }
        public string Right { get; }
        public object Resource { get; }
        // ...
    }
}
```

ClaimSet implementations: DefaultClaimSet, WindowsClaimSet, X509CertificateClaimSet

```csharp
namespace System.IdentityModel.Claims
{
    public abstract class ClaimSet : IEnumerable<Claim>, IEnumerable
    {
        public abstract ClaimSet Issuer { get; }
        public virtual bool ContainsClaim(Claim claim);
        public abstract IEnumerable<Claim> FindClaims(string claimType, string right);
        public abstract int Count { get; }
        public abstract Claim this[int index] { get; }
        public abstract IEnumerator<Claim> GetEnumerator();
        // ...
    }
}
```
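Added example (not from the deck): a WCF ServiceAuthorizationManager that consumes the Claim/ClaimSet API above on the relying-party side, enforcing the "Age >= 21?" rule the federation slide describes later. The claim URI and the STS certificate thumbprint are assumed placeholders; the check walks every token's ClaimSet and accepts the property only when its Issuer is the trusted STS, so a self-issued or foreign claim cannot unlock the resource.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;
using System.ServiceModel;

public class Over21AuthorizationManager : ServiceAuthorizationManager
{
    // Assumed claim URI agreed between this service and the STS it trusts.
    public const string Over21ClaimType = "http://example.com/claims/over21";
    // PLACEHOLDER: SHA-1 thumbprint of the trusted STS signing certificate.
    private static readonly byte[] TrustedStsThumbprint = new byte[20];

    // WCF calls this for every operation; returning false rejects the call.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        AuthorizationContext ctx = operationContext.ServiceSecurityContext.AuthorizationContext;
        return HasTrustedOver21Claim(ctx.ClaimSets);
    }

    // One ClaimSet per token the caller presented; Issuer says who signed it.
    // Claims from any other issuer, including a self-issued card, are ignored.
    public static bool HasTrustedOver21Claim(ReadOnlyCollection<ClaimSet> claimSets)
    {
        // PossessProperty claims describe the subject; Identity claims only name it.
        return claimSets
            .Where(set => IssuedByTrustedSts(set.Issuer))
            .SelectMany(set => set.FindClaims(Over21ClaimType, Rights.PossessProperty))
            .Any(c => string.Equals(c.Resource as string, "true", StringComparison.OrdinalIgnoreCase));
    }

    private static bool IssuedByTrustedSts(ClaimSet issuer)
    {
        // An X509CertificateClaimSet exposes the signer's thumbprint as a byte[] resource;
        // passing null as the right matches claims with either right.
        return issuer.FindClaims(ClaimTypes.Thumbprint, null)
            .Select(c => c.Resource as byte[])
            .Any(t => t != null && t.SequenceEqual(TrustedStsThumbprint));
    }
}
```

Register the manager through the service's serviceAuthorization behavior; with no trusted issuer asserting the property the call is denied, which is the safe default.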

Scenario: relying party is a web site
- Browser integration necessary
- Requested claims embedded in HTML
- Identity selector lets the user select card/IP
- Approach: embed the card request in the page
- IE 7.0; Firefox and Safari supported

Browser sign-in sequence (diagram actors: user's PC with browser, CardSpace and cards store; website with policy and token handling; identity provider with STS and identities store; SAML token):
1. GET login page
2. Read policies
3. Pass policies to CardSpace
4. Filter card collection & show the CardSpace UI
5. User picks a card
6. CardSpace sends an RST
7. The IP authenticates the RST; if successful, it builds & signs the requested token
8. The IP sends back the token in an RSTR
9. CardSpace gives the token to the app & exits
10. The browser POSTs the SAML token to the website
11. The website authenticates the token

Sign in with your Information Card

```html
<param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
<param name="issuer" value="...">
<param name="requiredClaims" value="...">
```


WCF is metasystem-ready:
- Supports the necessary WS-* standards
- Understands many tokens (SAML, Kerberos, ...)
- Client integration and CardSpace: System.IdentityModel, System.ServiceModel.Identity
- Identity selector triggered based on WS-Policy

WCF binding configuration snippet:

```xml
<message issuedTokenType=" " negotiateServiceCredential="false">
```


Federation:
- Relying party does not manage identity
- IP authenticates / proves identity
- Relying party determines truth based on the IP with the closest relationship to the subject: IP authentication of the subject; consensus of multiple IPs
- Federation bridges silos!!
(Diagram label: "relies on".)

(Diagram: Company A hosts the Requestor, an IP/STS and its ID store; Company B hosts an IP/STS and the Target Service. The parties exchange WS-Policy and WS-Trust messages.)

(Diagram: Company A's IP/STS issues claims about the requestor from its ID store: Name, Date of Birth, Passport Nr., Passport Valid, ... Company B's IP/STS transforms the partner claim "Date of Birth" into the local actionable claim "Age >= 21?", because the Target Service asks for Age >= 21. Further labels: Format (X.509 cert, SAML token); Trust; Partner Claim; Local Actionable Claim; Content (Role, Access Right).)
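Added example (not from the deck): the "Date of Birth" to "Age >= 21?" transformation that Company B's STS performs in the diagram, written against the Claim/ClaimSet API the deck shows. The output claim URI, the passport claim URI and the partner token are constructed here; ClaimSet.System stands in for the STS's real signing identity.

```csharp
using System;
using System.Globalization;
using System.IdentityModel.Claims;

public static class AgeClaimTransformer
{
    // Assumed claim URI for the local, actionable "Age >= 21?" claim.
    public const string Over21ClaimType = "http://example.com/claims/over21";

    // Company B's STS: read the partner's Date of Birth claim, answer the question
    // the target service actually asks, and issue only that answer.
    // Minimal disclosure: name, DoB and passport data never reach the service.
    public static ClaimSet ToLocalClaims(ClaimSet partnerClaims, DateTime today)
    {
        bool over21 = false;
        foreach (Claim c in partnerClaims.FindClaims(ClaimTypes.DateOfBirth, Rights.PossessProperty))
        {
            DateTime dob;
            if (DateTime.TryParseExact(c.Resource as string, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                       DateTimeStyles.None, out dob) && IsAtLeast(dob, 21, today))
            {
                over21 = true;
                break;
            }
        }
        // The new set is issued by this STS; ClaimSet.System stands in for its signing identity.
        return new DefaultClaimSet(ClaimSet.System,
            new[] { new Claim(Over21ClaimType, over21 ? "true" : "false", Rights.PossessProperty) });
    }

    // Whole years on 'today', counting the birthday itself; no AddYears rounding on 29 Feb.
    public static bool IsAtLeast(DateTime dob, int years, DateTime today)
    {
        int age = today.Year - dob.Year;
        if (today.Month < dob.Month || (today.Month == dob.Month && today.Day < dob.Day)) age--;
        return age >= years;
    }

    // Constructed sample: a partner token asserting name, DoB and a passport number.
    public static void Main()
    {
        var partner = new DefaultClaimSet(ClaimSet.System, new[] {
            new Claim(ClaimTypes.Name, "Alice Example", Rights.PossessProperty),
            new Claim(ClaimTypes.DateOfBirth, "1985-02-28", Rights.PossessProperty),
            new Claim("http://example.com/claims/passportnr", "X1234567", Rights.PossessProperty) });
        ClaimSet local = ToLocalClaims(partner, new DateTime(2009, 11, 10));
        Console.WriteLine("{0} claim(s) issued; over21 = {1}", local.Count, local[0].Resource);
    }
}
```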



Summary
Identity Metasystem:
- Solves many of today's issues (e.g. phishing)
- Based on interoperable standards
- Many supporting vendors (IBM, Novell, OSIS community, Pamela, Eclipse project, etc.)
Windows CardSpace:
- Client integration into the metasystem
- Identity selector and self-issuing STS
WCF is metasystem-ready by design:
- Full support: ADFS vNext incl. .NET Fx extensions

- Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
- Includes all the protocols underlying CardSpace
- Issued September

Resources:
- Community site, samples, news
- MSDN Forum
- MSDN Home Page
- Blogs

Identity selectors:
- Firefox: Bandit DigitalMe project (Windows, Linux, Apple; Fedora) project.org/index.php/DigitalMe
- Firefox, Windows only (Kevin Miller)
- Apple identity selectors
- Java identity selectors: xmldap

Relying-party projects:
- Ruby RP projects
- Java RP projects release/ _higgins.php
- C and PHP projects
- Python and PHP projects project.org/trac/wiki/PythonInfoCard

Identity providers:
- Verisign PIP
- Bandit IP Framework project.org/BanditIdP/index.jsp
- Higgins Frameworks

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.