A Claims Based Identity System Steve Plank Identity Architect Microsoft UK.

Presentation transcript:

A Claims Based Identity System Steve Plank Identity Architect Microsoft UK

Topics: phishing, phraud; identity layer; 7 laws (human integration, consistent experience across contexts); identity metasystem (IP, RP, user, identity selector); non-disclosure tokens

bad person's database; web server under the control of somebody else; ****************

IIS; Credentials database; FormsAuthentication.SetLoginCookie()
Application Error: Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.
Custom Solution

Connectivity: IP. Naming: DNS. Identity: no consistency.

The 7 laws: 1. user control and consent; 2. minimal disclosure for a defined use; 3. justifiable parties; 4. directional identity; 5. pluralism of operators and technologies; 6. human integration; 7. consistent experience across contexts

Human integration; consistent experience across contexts. Planky's Card; Card Collection

Identity Provider; Identity Selector; Subject. Card: First name, Last name. 1:1 relationship between cards and identity providers. Locally installed software: not under somebody else's control.

Card metadata: URI of the Identity Provider; claims you can get from the IP (givenname, lastname, user-id, etc.). Identity Provider; card (First name, Last name); digital signature.

Identity Provider; digital signature: cryptographic binding between the card and the IP.

Pluralism of operators and technologies; human integration; consistent experience across contexts. There will be many Identity Providers, each running its own technology stack. OR

Relying Party; Identity Provider; Subject; Identity Metasystem (Microsoft Identity MetaSystem). WS-* web service, HTML web site.
<wst:Claims wst:Dialect=""> <ic:Claim URI="givenname"/> <ic:Claim URI="surname"/> <ic:Claim URI=""/> <ic:Claim URI="privatepersonalidentifier"/> ...
<param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
<param name="requiredClaims" value="givenname surname address privatepersonalidentifier" />

Relying Party; Identity Selector's built-in Identity Provider; Subject; Identity Metasystem. 2 degrees of store protection: System Key, Password Key. Personal Cards: fixed schema.

Personal cards: what claims I make about myself; fixed schema (protect the users from themselves!)
Managed cards: what claims another party makes about me; flexible schema

elvis presley only 1 of them is real probably

SECURITY TOKEN (Steve Plank; Over 18; Over 21; Under 65; image). Token formats: SAML Token, XrML License, X.509 Certificate, Kerberos ticket, ...others

Security token service: give it something (Username, Password, Biometric, Signature, Certificate) and get a SECURITY TOKEN (Steve Plank; Over 18; Over 21; Under 65; image), or a DIFFERENT SECURITY TOKEN.
STS as a web service: the MEX (Metadata Exchange) endpoint publishes policy (how to get tokens); the token service endpoint responds to an RST (Request Security Token) and delivers tokens wrapped in an RSTR (RST Response).

Relying party, identity provider, subject. Subject clicks the login button. RP policy: URI of IP, required claims, optional claims, token type. Selector gets the policy, authenticates to the IP and sends an RST. Prompt: "identity.provider.com requires username and password to validate this request. Enter the information below". IP policy: authn reqs, token types... IP returns an RSTR.

Relying party, identity provider, subject. Real token and display token: *givenname: Steve; *surname: Plank; *address: ; *privatepersonalidentifier: planky123. Prompt: "Do you want to send this card to: ip.sisa.com". Token authentication; token decryption.

... but the IP could tell lies! Subject, real token, display token. The real token might be opaque: how to inform the subject?
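Added example, not from the slides: the RST an identity selector builds from the RP's requiredClaims and tokenType (the earlier param slide), and the check a selector can make on the RSTR it gets back, comparing the IP's display token with the real token whenever the real token is readable. Namespaces are those of CardSpace v1 (WS-Trust 1.2, the Information Card identity namespace, SAML 1.x); the RSTR is a constructed sample, and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Namespaces of the CardSpace v1 exchange: WS-Trust 1.2, Information Card, SAML 1.x
NS = {"wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

def build_rst(required_claims, token_type):
    """RST the identity selector sends to the IP's token endpoint for the RP's policy."""
    rst = ET.Element(f"{{{NS['wst']}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{NS['wst']}}}RequestType").text = NS["wst"] + "/Issue"
    ET.SubElement(rst, f"{{{NS['wst']}}}TokenType").text = token_type
    claims = ET.SubElement(rst, f"{{{NS['wst']}}}Claims", Dialect=NS["ic"])
    for name in required_claims:  # short names as listed in the RP's requiredClaims param
        ET.SubElement(claims, f"{{{NS['ic']}}}Claim", URI=f"{CLAIM_NS}/{name}")
    return ET.tostring(rst, encoding="unicode")

def rst_claim_uris(rst_xml):
    return [c.get("URI") for c in ET.fromstring(rst_xml).findall(".//ic:Claim", NS)]

def token_claims(rstr_xml):
    """Claims in the real token (SAML 1.x attributes); empty when the token is opaque."""
    return {a.get("AttributeNamespace") + "/" + a.get("AttributeName"):
            a.findtext("saml:AttributeValue", namespaces=NS)
            for a in ET.fromstring(rstr_xml).findall(
                ".//wst:RequestedSecurityToken//saml:Attribute", NS)}

def display_claims(rstr_xml):
    """Claims the IP asks the selector to show the user (the display token)."""
    return {c.get("Uri"): c.findtext("ic:DisplayValue", namespaces=NS)
            for c in ET.fromstring(rstr_xml).findall(
                ".//ic:RequestedDisplayToken//ic:DisplayClaim", NS)}

def display_token_honest(rstr_xml):
    """False if the display token disagrees with a readable real token; None if opaque."""
    real = token_claims(rstr_xml)
    if not real:
        return None  # token encrypted for the RP: the selector cannot check what it shows
    return display_claims(rstr_xml) == real

# Constructed sample RSTR (not a capture): real token says surname "Plank", display says "Presley".
LYING_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{NS['wst']}"
    xmlns:ic="{NS['ic']}" xmlns:saml="{NS['saml']}">
  <wst:RequestedSecurityToken><saml:Assertion MajorVersion="1" MinorVersion="1"
      AssertionID="_c1"><saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIM_NS}">
      <saml:AttributeValue>Steve</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIM_NS}">
      <saml:AttributeValue>Plank</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></wst:RequestedSecurityToken>
  <ic:RequestedDisplayToken><ic:DisplayToken xml:lang="en-us">
    <ic:DisplayClaim Uri="{CLAIM_NS}/givenname"><ic:DisplayValue>Steve</ic:DisplayValue></ic:DisplayClaim>
    <ic:DisplayClaim Uri="{CLAIM_NS}/surname"><ic:DisplayValue>Presley</ic:DisplayValue></ic:DisplayClaim>
  </ic:DisplayToken></ic:RequestedDisplayToken>
</wst:RequestSecurityTokenResponse>"""
```

When the real token is encrypted to the RP the selector gets None back: the display token is then the IP's unverifiable word, which is exactly the gap the slide raises.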

Non-disclosure tokens: Steve Plank; DOB: 17-Jun-59; authenticity signature. Stefan Brands, Credentica, U-Prove: acquired 6th March 2008. Privacy.

Review: phishing, phraud; identity layer; 7 laws (human integration, consistent experience across contexts); identity metasystem (IP, RP, user, identity selector); non-disclosure tokens